Pulse Connect Secure – Critical 0-DAY Vulnerability


Vulnerability Title:

Pulse Secure Pulse Connect Secure: CVE-2021-22893: Pulse Connect Secure RCE Vulnerability (SA44784)

Vulnerability Description:

An authentication bypass vulnerability in Pulse Connect Secure allows an unauthenticated attacker to perform remote arbitrary file execution on the Pulse Connect Secure gateway.

This vulnerability has a critical CVSS score and poses a significant risk to your deployment.

CVE: CVE-2021-22893
CVSS Score (V3.1): 10.0, Critical (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H)
Summary: Vulnerability in Pulse Connect Secure allows a remote unauthenticated attacker to execute arbitrary code via unspecified vectors
Product Affected: PCS 9.0R3 and higher

Solution:

The solution for this vulnerability is to upgrade the Pulse Connect Secure server software to version 9.1R11.4. We will update the advisory once the timelines are available.

Installed PCS/PPS version         Deploy this version (or later) to resolve the issue   Expected   Release Notes (if any)
Pulse Connect Secure 9.1RX        TBD                                                   TBD
Pulse Connect Secure 9.0RX        TBD                                                   TBD

Workaround:

CVE-2021-22893 can be mitigated by importing the Workaround-2104.xml file.

Impact:

The XML file disables the following features on the PCS appliance:

  • Windows File Share Browser
  • Pulse Secure Collaboration

Note: the XML file is distributed as a zip archive; unzip it first, then import the XML file.


Customers can download the file from the Download Center (https://my.pulsesecure.net) and import it as follows:

Go to Maintenance > Import/Export > Import XML and import the file.

  • This disables Pulse Collaboration.
  • If there is a load balancer in front of the PCS, the load balancer may be affected.
  • If your load balancer uses round robin, healthcheck.cgi or the advanced healthcheck.cgi, it is not affected.

Disable the Windows File Browser:

  • Navigate to Users > User Roles > Default Options > General.
  • Under Access Features, make sure the “Files, Windows” option is not checked.
  • Go to Users > User Roles.
  • Click on each role in turn and ensure that, under Access Features for that role, the “Files, Windows” option is not enabled.

NOTE: When you apply the upcoming release fix, remove the workaround with the following steps:

  • Import the file remove-workaround-2104.xml (found in the same download location as Workaround-2104.xml: the Download Center at https://my.pulsesecure.net).
  • Restore the previous settings for “Files, Windows”.

This vulnerability only affects 9.0R3 and higher (versions below 9.0R3 are NOT affected), so on those earlier versions the XML workaround is not required.
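Deciding which appliances in an inventory need the workaround comes down to comparing version strings against the two bounds stated in this advisory (affected from 9.0R3, fixed in 9.1R11.4). The script below is an added example written for this page, not Pulse Secure tooling; it assumes the "major.minorRrelease[.build]" version format shown in the advisory, and the sample inventory is constructed.

```python
# Added example (not Pulse Secure's tooling): decide whether a PCS version string
# falls in the affected range stated in this advisory.
import re
from typing import Tuple

# Bounds taken from the advisory text: affected from 9.0R3, fixed in 9.1R11.4.
AFFECTED_FROM = "9.0R3"
FIXED_IN = "9.1R11.4"

# Assumed version format "major.minorRrelease[.build]", e.g. "9.1R11.4" or "9.0R3".
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)R(\d+)(?:\.(\d+))?$", re.IGNORECASE)


def parse_pcs_version(version: str) -> Tuple[int, int, int, int]:
    """Turn '9.1R11.4' into (9, 1, 11, 4); a missing build number counts as 0."""
    m = _VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised PCS version string: {version!r}")
    major, minor, release, build = m.groups()
    return (int(major), int(minor), int(release), int(build or 0))


def is_affected(version: str) -> bool:
    """True when the version is >= 9.0R3 and older than the 9.1R11.4 fix."""
    v = parse_pcs_version(version)
    return parse_pcs_version(AFFECTED_FROM) <= v < parse_pcs_version(FIXED_IN)


def triage(versions):
    """Map each appliance's version to the action this advisory calls for."""
    result = {}
    for ver in versions:
        if is_affected(ver):
            result[ver] = "affected: import Workaround-2104.xml, then upgrade to 9.1R11.4 or later"
        elif parse_pcs_version(ver) < parse_pcs_version(AFFECTED_FROM):
            result[ver] = "not affected (below 9.0R3); no workaround needed"
        else:
            result[ver] = "fixed release; remove the workaround if it was applied"
    return result


if __name__ == "__main__":
    # Constructed sample inventory, not real appliance data.
    for ver, action in triage(["9.0R2", "9.0R3", "9.1R11", "9.1R11.3", "9.1R11.4"]).items():
        print(f"{ver:10} {action}")
```

Note that a 9.0Rx appliance stays in the "affected" bucket until a 9.0 fix release is published, which matches the TBD in the table above.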


Telecom

Infrastructure Penetration Testing

Scope

A telecommunications company wanted to check the security of its external network: two /24 subnets were in scope, and a black box penetration test was performed against them from the Internet.

Finding

  1. Cisco Adaptive Security Appliance Remote Code Execution and Denial of Service Vulnerability (cisco-sa-20180129-asa1)
  2. EOL/Obsolete Software: Apache HTTP Server 2.2.x
  3. SSLv3 Padding Oracle Attack Information Disclosure Vulnerability (POODLE)
  4. Apache HTTP Server Prior to 2.4.25 Multiple Vulnerabilities
  5. Apache HTTP Server HttpOnly Cookie Information Disclosure Vulnerability
  6. PHP Versions Prior to 5.2.12 Multiple Vulnerabilities
  7. SSL/TLS Server supports TLSv1.0
  8. HTTP TRACE / TRACK Methods Enabled
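Three of the findings above (SSLv3/POODLE, TLSv1.0 offered, TRACE enabled) come down to two Apache directives, SSLProtocol and TraceEnable, so they can be re-checked from the configuration before and after remediation. The script below is an added example written for this page, not part of the engagement; it treats the file as one global scope (per-VirtualHost overrides are not handled), approximates the mod_ssl "all" keyword as SSLv3 plus every TLS version, and the two sample configurations are constructed.

```python
# Added example (not part of the engagement report): a static audit of an Apache
# httpd configuration for the protocol and method findings listed above.
import re
from typing import List, Set

# Protocol tokens mod_ssl understands; "all" is treated here as SSLv3 plus every
# TLS version, an approximation of what the running httpd/OpenSSL build offers.
ALL_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3"}
_CANON = {p.lower(): p for p in ALL_PROTOCOLS}


def enabled_protocols(tokens: List[str]) -> Set[str]:
    """Apply an SSLProtocol token list: bare names add, '+' adds, '-' removes."""
    enabled: Set[str] = set()
    for tok in tokens:
        sign, name = (tok[0], tok[1:]) if tok[0] in "+-" else ("+", tok)
        names = set(ALL_PROTOCOLS) if name.lower() == "all" else {_CANON.get(name.lower(), name)}
        if sign == "+":
            enabled |= names
        else:
            enabled -= names
    return enabled


def audit_httpd_conf(conf: str) -> List[str]:
    """Return finding strings for SSLProtocol and TraceEnable; an empty list means clean."""
    findings: List[str] = []
    ssl_protocol = None
    trace_enable = "on"  # httpd's default when TraceEnable is absent
    for raw in conf.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comment lines and whitespace
        if not line:
            continue
        m = re.match(r"^SSLProtocol\s+(.+)$", line, re.IGNORECASE)
        if m:
            ssl_protocol = m.group(1).split()
        m = re.match(r"^TraceEnable\s+(\w+)$", line, re.IGNORECASE)
        if m:
            trace_enable = m.group(1).lower()

    if ssl_protocol is None:
        findings.append("SSLProtocol not set: enabled versions depend on the build default; set it explicitly")
    else:
        enabled = enabled_protocols(ssl_protocol)
        if "SSLv2" in enabled:
            findings.append("SSLv2 enabled")
        if "SSLv3" in enabled:
            findings.append("SSLv3 enabled (POODLE, CVE-2014-3566)")
        if "TLSv1" in enabled:
            findings.append("TLSv1.0 enabled (deprecated by RFC 8996)")
        if "TLSv1.1" in enabled:
            findings.append("TLSv1.1 enabled (deprecated by RFC 8996)")
    if trace_enable != "off":
        findings.append("HTTP TRACE enabled (TraceEnable defaults to on)")
    return findings


# Constructed sample configurations, not the customer's.
WEAK_CONF = """\
ServerName www.example.net
# "all -SSLv2" still leaves SSLv3 and TLSv1.0/1.1 switched on
SSLProtocol all -SSLv2
TraceEnable on
"""

HARDENED_CONF = """\
ServerName www.example.net
SSLProtocol -all +TLSv1.2 +TLSv1.3
TraceEnable off
"""

if __name__ == "__main__":
    for name, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(name, audit_httpd_conf(conf) or ["no findings"])
```

A configuration audit shows intent, not what the listener actually negotiates (a different OpenSSL build, an unread include file or a load balancer terminating TLS in front of Apache all change the answer), so the external scan that produced the findings should be repeated after the change.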

Time frame

  • 15 working days
  • 12 days network penetration
  • 3 days vulnerabilities & remediation report preparation

Steps performed

  • Layer 2/3 attacks
  • VLAN hopping
  • ARP cache poisoning
  • Switch weaknesses
  • IP redirections
  • Session hijacking & replay
  • Network hash passing (pass-the-hash)
  • DHCP/DNS weaknesses
  • Various OS weaknesses
  • Advanced attacks
  • Protocol fuzzing
  • Cryptographic weaknesses
  • Buffer overflow
  • Zero-day


Education

Web Application Penetration Testing

Scope

The purpose of the test was to discover security vulnerabilities that could lead to intellectual and financial damage to the school and its clients. The test was performed in a grey box manner following the OWASP methodology and simulated a malicious user with partial knowledge of the system's functionality. We tested the platform using three accounts with different access levels: a student account, a parent account and an admin account.

Conclusions

The penetration test was completed successfully, and High-severity vulnerabilities were discovered in the web application at all three authentication levels; these have to be remediated immediately. The user account has a broken authentication mechanism: an attacker can reach the functionality of the admin account and view the information of higher-privileged users. The admin account can be hijacked because of the excessive session timeout, and user accounts can be compromised by brute-forcing passwords, because there is no account lockout policy.
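The last two findings above are missing controls rather than bugs, so the clearest way to show what they cost is to run the same brute-force attempt against a login service with and without them. The code below is an added example written for this page, not the assessed application's code; the lockout threshold, lockout duration and session timeouts are assumed policy values, and the wordlist and account are constructed.

```python
# Added example (not the assessed application's code): a minimal login service
# with the two controls found missing above, an account lockout policy and a
# bounded session lifetime, plus a brute-force run against both configurations.
import hashlib
import hmac
import os
import secrets
from dataclasses import dataclass
from typing import Dict, List, Optional

# Policy values are assumptions for illustration, not figures from the report.
MAX_FAILURES = 5             # consecutive failures before the account locks
LOCKOUT_SECONDS = 15 * 60
IDLE_TIMEOUT = 15 * 60       # session dies after this much inactivity
ABSOLUTE_TIMEOUT = 8 * 3600  # and unconditionally after this long


def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


@dataclass
class Account:
    salt: bytes
    pw_hash: bytes
    failures: int = 0
    locked_until: float = 0.0


@dataclass
class Session:
    user: str
    created: float
    last_seen: float


class AuthService:
    def __init__(self, lockout: bool = True):
        self.lockout = lockout
        self.accounts: Dict[str, Account] = {}
        self.sessions: Dict[str, Session] = {}

    def register(self, user: str, password: str) -> None:
        salt = os.urandom(16)
        self.accounts[user] = Account(salt, _hash(password, salt))

    def login(self, user: str, password: str, now: float) -> Optional[str]:
        """Return a session token on success, None on failure or while locked."""
        acct = self.accounts.get(user)
        if acct is None:
            return None
        if self.lockout and now < acct.locked_until:
            return None  # locked: even the right password is refused
        if hmac.compare_digest(acct.pw_hash, _hash(password, acct.salt)):
            acct.failures = 0
            token = secrets.token_urlsafe(32)
            self.sessions[token] = Session(user, created=now, last_seen=now)
            return token
        acct.failures += 1
        if self.lockout and acct.failures >= MAX_FAILURES:
            acct.locked_until = now + LOCKOUT_SECONDS
            acct.failures = 0
        return None

    def user_for(self, token: str, now: float) -> Optional[str]:
        """Resolve a token, expiring it on idle or absolute timeout."""
        s = self.sessions.get(token)
        if s is None:
            return None
        if now - s.last_seen > IDLE_TIMEOUT or now - s.created > ABSOLUTE_TIMEOUT:
            del self.sessions[token]
            return None
        s.last_seen = now
        return s.user


def brute_force(service: AuthService, user: str, wordlist: List[str], now: float) -> Optional[str]:
    """Try each candidate password; return the one that logged in, if any."""
    for candidate in wordlist:
        if service.login(user, candidate, now) is not None:
            return candidate
    return None


# Constructed wordlist; the target password is the sixth entry, past the lockout threshold.
WORDLIST = ["123456", "password", "qwerty", "letmein", "welcome1", "Spring2020!", "admin"]

if __name__ == "__main__":
    for lockout in (False, True):
        svc = AuthService(lockout=lockout)
        svc.register("admin", "Spring2020!")
        print(f"lockout={lockout}: brute force found {brute_force(svc, 'admin', WORDLIST, now=0.0)!r}")
```

A lockout policy on its own lets an attacker lock legitimate users out by deliberately failing their logins, so in practice it is paired with per-source rate limiting, CAPTCHA after a few failures and multi-factor authentication rather than used alone.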

Time frame

  • 10 working days
  • 7 days penetration of the web application
  • 3 days vulnerabilities & remediation report preparation

Steps performed

  • Information gathering
  • Configuration and deployment management testing
  • Identity management testing
  • Authentication and authorization testing
  • Session management testing
  • Input validation testing
  • Error handling
  • Cryptography
  • Business logic testing
  • Client side testing


Finance & Banking

Mobile Application Penetration Testing

Scope

The Android and iOS versions of a digital bank's mobile application were tested. The test was performed in a grey box manner and simulated a malicious user with partial knowledge of the system's functionality.

Conclusions

It was observed that there is no input validation in either the Android or the iOS version, so input-based attacks could be attempted against the application; however, despite the missing input validation, no successful exploitation was possible because of the MVC framework. In the iOS application it was observed that transaction data is stored in plain text in local storage. It was also discovered that application snapshots are enabled (iOS captures an image of the screen when the app moves to the background, so on-screen transaction data ends up on disk as well).

Time frame

  • 13 working days
  • 5 days penetration of the Android version
  • 5 days penetration of the iOS version
  • 3 days vulnerabilities & remediation report preparation

Steps performed

  • Architecture, design and threat modelling
  • Data storage and privacy
  • Cryptography verification
  • Authentication and session management
  • Network communication
  • Environmental interaction
  • Code quality and build settings
  • Resiliency against reverse engineering


Security awareness issues for remote workers

Working from home is not a new phenomenon in today's digital world, but this month it has become a necessity for many more people.
The pandemic situation around the world has forced a number of employers to send their employees home. The challenges range from maintaining our productivity at home to assuring our cybersecurity, which is exposed by our remote access. But how do we become an easier target by working from home on our personal devices?
There are two different aspects: our own security as a user on the one hand, and the risk we pose to our organization on the other. The end-user impact depends on the security awareness of the person. When we know the basic cybersecurity principles, including:

  • Passwords & Strong Authentication
  • Incident Response
  • Awareness of Phishing scams (emails, attached files, fake websites)
  • Awareness of Secure Data Processing and Storage
  • Password securing & encryption of confidential information

then the risk is much lower.

On the other hand, if the person is an employee of a company and is required to work remotely, then he or she might be a potential risk for the company.

In that case, it is up to the company how well it has secured its information.

SCENARIO 1

The employee is using a personal laptop, or a corporate one, without security policies, an Active Directory with specific technical restrictions on the systems, encrypted communication, network traffic monitoring, a phishing prevention solution, malware protection, up-to-date software, network segmentation, etc. In that case we consider the risk High.

SCENARIO 2

The company has some security measures in place. There is VPN communication to the office environment, where the information is held in a secure and well-segmented part of the network. Employees use corporate laptops that are part of the Active Directory, with the appropriate security measures. Passwords for the VPN and other portals are not auto-saved. The risk here is Medium, due to the lower probability that the user's computer is compromised and the low impact of a potential attack, since the system is disconnected from the VPN when not in use. Of course, if you spot something strange, better disconnect until you figure out whether everything is fine.

SCENARIO 3

All of the measures listed as missing in Scenario 1 are in place. The risk for both the employee and the employer might be considered Low.

If our system is well protected, our security can be considered equal to that in the office.

Can we expect an increase in specific types of attacks?
Unfortunately, over the past days there has been a pandemic of phishing attacks alongside the coronavirus one. Malicious hackers rely on the fact that everybody opens all kinds of COVID-19 related information without looking at the email headers or checking the legitimacy of the website. Panic is catching everybody unprepared. There is even a map showing infection rates around the world, but behind the map malware is waiting to steal your passwords
(defanged: www.Corona-Virus-MapDOTcom).

Many phishing emails promise the latest news on the topic but are aiming for your identity instead.

Every company has different critical information points, but in general those are:

  • Spaces for file sharing (SharePoint sites, file transfer servers)
  • Knowledge bases
  • CRM Systems
  • ERP Systems
  • Payroll and HR Systems
  • Financial and Accounting Software
  • Databases with corporate and user data
  • Email Servers

Each one of those points should be well isolated in the network and well protected: secure authentication methods (with multi-factor authentication where possible), separate user groups with defined access rights, encryption of the information, logging and more.

The more secure the system is, the smaller the risk and the impact on the company.

What measures and technical solutions can an individual take, in order to improve the security? What should the company do?

The user can do a few simple, but effective steps:

  • Keep all passwords in password management software (KeePass, Password Safe, Keeper, LastPass and others).
  • Protect all sensitive information by using encrypted storage (hard drive, portable hard drive, USB flash drive). This can be achieved with BitLocker, VeraCrypt (the maintained successor of the discontinued TrueCrypt) and others.
  • Carefully inspect the origin of emails and check that the domain in a hyperlink is the expected one before visiting the website.
  • Be careful when opening attached files if not sure of the sender's legitimacy.
  • Use a second authentication factor where possible.
  • Lock the computer when not at it.
  • Get better awareness by taking the “Security Awareness” trainings in the company, if any are offered.
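
The advice above to check the domain in a hyperlink is easy to state and hard to do by eye, because phishing links hide the real host behind a familiar-looking prefix, credentials before an "@", a bare IP address, punycode or a digit swapped for a letter. The checker below is an added example written for this page, not tooling from the original article; it assumes a simplified list of two-level public suffixes (production code would use the Public Suffix List), and the sample links are constructed.

```python
# Added example (not from the original article): check where a link in an
# e-mail really leads before clicking it. The sample links are constructed.
from typing import List
from urllib.parse import urlparse

# Simplified suffix handling; production code should use the Public Suffix List.
TWO_LEVEL_SUFFIXES = {"co.uk", "com.au", "co.jp", "co.nz"}
# Digits that are commonly swapped for letters in lookalike domains.
LOOKALIKE = str.maketrans({"1": "l", "0": "o", "3": "e", "5": "s"})


def registrable_domain(host: str) -> str:
    """'www.shop.example.co.uk' -> 'example.co.uk'; 'login.paypal.com' -> 'paypal.com'."""
    labels = host.lower().rstrip(".").split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in TWO_LEVEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def link_warnings(url: str, expected_domain: str) -> List[str]:
    """Reasons not to trust a link that claims to belong to expected_domain."""
    warnings: List[str] = []
    parsed = urlparse(url if "://" in url else "http://" + url)
    host = parsed.hostname or ""
    if parsed.username is not None:
        warnings.append(f"text before '@' is not the host; the browser will go to {host!r}")
    if host.replace(".", "").isdigit():
        warnings.append("bare IP address instead of a hostname")
    if host.startswith("xn--") or ".xn--" in host or any(ord(c) > 127 for c in host):
        warnings.append("non-ASCII or punycode host (possible homograph)")
    if parsed.scheme != "https":
        warnings.append("not HTTPS")
    actual = registrable_domain(host)
    expected = expected_domain.lower()
    if actual != expected:
        if actual.translate(LOOKALIKE) == expected:
            warnings.append(f"{actual!r} is a lookalike of {expected!r}")
        else:
            warnings.append(f"registrable domain is {actual!r}, not {expected!r}")
    return warnings


if __name__ == "__main__":
    for link in ("https://www.paypal.com/signin",
                 "https://www.paypal.com.account-verify.example/login",
                 "http://paypal.com@198.51.100.7/login",
                 "https://paypa1.com/login"):
        print(link, "->", link_warnings(link, "paypal.com") or ["no warnings"])
```

The same check applies to the link target shown on hover, not to the link text, since the visible text of an HTML link is under the sender's control.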

The company, on the other hand, should regularly assess the security of its assets and implement (at least) all the measures whose absence is described in Scenario 1 above. It is the company's responsibility that the employee is aware of the risks, knows how to process data securely and knows what to do in case of an incident. It is the employee's responsibility to follow the company's procedures and policies.

Shall we share confidential information and what is the best way to do it?

The situation with the Coronavirus is providing us with the opportunity to get to know our families better. But it is also teaching us how to be modern and use the technologies from the current century.

Working from home does not mean that confidential information cannot be shared.

Nowadays there are secure means for remote connection and communication over VPN, secure file transfer over SFTP, remote administration of systems through Active Directory, DLP solutions to prevent data leakage and more. We can also use encrypted containers (VeraCrypt) when data has to be transferred securely, and we can send encrypted email using S/MIME, Office 365 Message Encryption and more.

It is important that the password for such a container or encrypted file is sent over a different communication channel than the file itself. Many companies might also realize that “working from home” is not so scary, and this could lead to optimization of working time, fewer expenses in the long run, fewer CO2 emissions, optimization of office space and more benefits.

By looking in the company structure, which is the most risky group of employees?

Based on our experience usually, those are:

  • Customer Support / Call Center staff – due to the large number of people they communicate with, the large number of emails exchanged, frequent work with attached files and more.
  • Sales Representatives – due to frequent communication with clients and frequent emails.
  • Finance and Accounting – due to the financial information they possess.
  • Management – due to the confidential information they have on their systems. CEO fraud is often used: a malicious user spoofs a message so that it appears to come from senior management. In that case employees are usually in a hurry to provide the requested information, without realizing that there is a malicious hacker behind the email, or they leak their credentials by visiting a link in the email.

Be aware, not scared. Your cybersecurity matters.


Risks from a cyber attack

Lately, a lot of people ask me about the risks from a cyber attack and whether they should worry about becoming the victim of a malicious hacker. In this paper I will present some of the most commonly used attacks and how they could affect you.


One of the oldest but still one of the most commonly used techniques is SQL injection. It uses a vulnerable form or other input field of a web application whose value ends up in queries to the database. The attack is performed by injecting SQL code into those queries. If the input is not filtered (or, better, passed as a bound parameter), the database executes the attacker's SQL and gives the hacker the ability to retrieve, replace or delete data. This attack can affect any web application or site that works with a database and builds queries from unvalidated input. It could seriously harm you, especially in the context of the new GDPR requirements: if your information is leaked and is not protected by encryption or other mechanisms, hackers gain access to sensitive information, accounts, passwords and more. This type of attack can be detected by a web application security test, and it is fixed by correcting the code (parameterised queries) or, as a compensating control, by protective products (IPS, WAF, etc.).
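The paragraph above describes the injection and the fix in words; the block below runs both against an in-memory SQLite table so the difference can be seen directly. It is an added example written for this page, not code from any application discussed here; the table, its rows and the two payloads are constructed.

```python
# Added example, not code from any application the page discusses: the same
# lookup built two ways against an in-memory SQLite table, so the injection
# and the fix can both be run offline.
import sqlite3
from typing import List, Tuple


def make_db() -> sqlite3.Connection:
    """Constructed sample data; the hashes are placeholders."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, email TEXT, pw_hash TEXT)")
    conn.executemany(
        "INSERT INTO users (username, email, pw_hash) VALUES (?, ?, ?)",
        [("alice", "alice@example.com", "hash-a1b2"),
         ("bob", "bob@example.com", "hash-c3d4"),
         ("carol", "carol@example.com", "hash-e5f6")],
    )
    return conn


def find_user_vulnerable(conn: sqlite3.Connection, username: str) -> List[Tuple[str, str]]:
    """Vulnerable: the user-controlled value is pasted into the SQL text itself."""
    sql = f"SELECT username, email FROM users WHERE username = '{username}'"
    return conn.execute(sql).fetchall()


def find_user_safe(conn: sqlite3.Connection, username: str) -> List[Tuple[str, str]]:
    """Safe: the value is bound as a parameter and can never alter the query structure."""
    return conn.execute(
        "SELECT username, email FROM users WHERE username = ?", (username,)
    ).fetchall()


# Classic payloads: the first turns the filter into a tautology, the second
# appends a UNION that pulls the password hashes out through the same query.
TAUTOLOGY = "' OR '1'='1"
UNION_DUMP = "x' UNION SELECT username, pw_hash FROM users --"

if __name__ == "__main__":
    db = make_db()
    for payload in (TAUTOLOGY, UNION_DUMP):
        print("vulnerable:", find_user_vulnerable(db, payload))
        print("safe:      ", find_user_safe(db, payload))
```

The parameterised version returns nothing for both payloads because the whole string is compared as a username; escaping quotes by hand would block these two payloads but not every encoding trick, which is why binding, not escaping, is the fix.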

Attacks through social engineering and malware are common. Probably everyone has encountered emails asking the victim to visit a fake copy of a legitimate website and enter their credentials, or to open an attachment of unknown origin. Typically, by opening the attachment we install malware on our machine, which in most cases gives the attacker access to our system or the ability to track our activity (including the passwords we use). It can often happen that our machine is then used as a pivot point from which attacks on other systems are launched. Email is just one of the channels for this type of attack. The risk consists of loss of access to accounts, misuse of financial assets and complete compromise of our personal information. Protection comes from better awareness of how to recognise such attacks and from security solutions (including anti-virus software).

Ransomware attacks are part of our everyday life. The attacker manages to encrypt the information on our systems and usually demands a ransom to decrypt it. These attacks are difficult to prevent and usually succeed because of people's poor awareness of how to recognise them. It is extremely important to always back up the information so that it can be restored easily, and to keep at least one copy offline or otherwise unreachable from the infected systems, since ransomware encrypts any backup it can reach. If we become the victim of such an attack and have no backup, our salvation is to turn to specialists who can look for part of the encryption key in the system's memory immediately after the attack is detected, or to search for a key or decryptor that has been published on the Internet.

DDoS – In these attacks the hackers' purpose is not to steal information but to make your systems inaccessible to your customers, thus stopping your business from running. They are usually carried out by overwhelming your systems' resources with unnecessary traffic or requests. Fortunately, there are affordable market solutions that provide a high level of protection against such attacks. Free solutions are also available for companies with a few non-critical systems.

MITM (Man In The Middle) – Man-in-the-middle attacks typically occur when data is not transferred in encrypted form. Most often they are conducted on publicly accessible networks, the hackers' purpose being to capture traffic containing sensitive information, including usernames and passwords. Often such attacks are performed to falsify invoices so that a payment goes to the hacker's bank account instead of the legitimate supplier's. To prevent such attacks it is necessary to use encryption when transmitting information and, from a GDPR perspective, it is good practice to encrypt information at rest as well: in databases, log files and backups, on file servers, in email and in web applications.


Another serious problem is the use of weak authentication policies. Most people use the same password for most of the websites they visit. If any one of those websites is compromised and hackers obtain the passwords stored there, they also have your password for every other website. On the other hand, people often use easy-to-guess passwords, which can be broken quickly with brute-force and dictionary attacks. This is quite dangerous in a corporate setting, as it can give malicious users access to ERP, CRM, HR, CMS, MAP, PIM and other systems. Fortunately, password managers allow us to easily create, store and manage a different complex password for every system.


Cybersecurity for E-commerce

Best practices to protect your E-commerce business

What is the danger in the E-commerce sector?

The last few years have been critical for many companies in the e-commerce sector, due to the high number of cyber attacks and emerging threats. A Business Insider study shows that in the period of one year at least 16 separate security breaches occurred at large retailers, many of them due to security flaws in payment systems. A recent report by Shape Security showed that a large share of the logins to retailers' e-commerce sites are hackers using stolen credentials, the highest percentage of any sector. Some of the largest retailers, like Adidas, Macy's, Best Buy, Forever 21 and others, have been affected.

Large amounts of compromised data are sold on the dark web, including databases with personal data, credit card numbers and confidential corporate data that is used by competitors. Another issue in the sector is caused by the high number of IoT devices, which allow larger and better-crafted ICMP floods and DDoS attacks. Many vulnerabilities are caused by input validation errors, client-side gaps, vulnerabilities in database servers or network-related weaknesses.

It is very important for an E-commerce organization to provide layered security infrastructure, as well as to perform regular assessments in order to check the security of their systems, networks, web and mobile applications and employees.

GDPR and other law requirements provide a strong challenge for most organizations, operating with personal data.

In this white paper we will cover the following topics:

  • Some of the issues that you can face.
  • Famous attacks in the sector.
  • Protection mechanisms.
  • Basic security measures.


Some of the issues that you can face

CLIENT THREATS

  • Active or malicious content.

Active content is software that runs in the visitor's browser as part of a web page. In e-commerce it is used by shopping cart software to place items in the consumer's shopping cart and to calculate the other costs of that purchase. Malicious hackers often use a Trojan horse: a program that seems legitimate but has a malicious purpose.

Frequently used types of active content have included Java applets, which e-commerce sites used to perform processing that might otherwise cause congestion on the company server; they could also leave a user's computer open to security threats, and current browsers no longer run them. JavaScript is used in a similar manner and is the active content every modern site relies on. A script starts running as soon as the page loads, without any action from the user, so it is the browser's sandbox and same-origin policy, not the user's ability to leave the site in time, that limit what a malicious page can do. ActiveX controls, once common on gaming sites, ran native code with the user's full privileges and could not be contained once executed, so they posed serious security threats when abused; they are obsolete in current browsers.

Graphics, plug-ins for various browsers, and e-mails with files attached can also infect the user.

  • Server-side masquerading

Masquerading makes a user believe that the entity he is communicating with is a different entity. An example would be a user trying to log into a computer system across the Internet but instead being redirected to another computer that claims to be the legitimate one. This is usually an active attack, in which the masquerader issues responses in order to trick the user about its identity.

COMMUNICATION CHANNEL THREATS

  • Confidentiality threats

In terms of confidentiality, information should not be accessible to an unauthorized person, and it should not be possible to intercept it during transmission. Attacks against confidentiality include injection, unauthorized access, sensitive data exposure, packet sniffing, password attacks, port scanning, dumpster diving, keyloggers, phishing and more.

  • Integrity threats

When we talk about integrity, information should not be altered during its transmission over the network, in storage or during processing. Attacks on integrity include, but are not limited to, data tampering, broken access control, data diddling, salami attacks, MITM, session hijacking and more.

  • Availability threats

Information should be available wherever and whenever it is required, within a specified time window. Common attacks on availability are DoS, DDoS, SYN floods, attacks on the electrical power supply, attacks on the server room environment and others.

SERVER THREATS

  • Web-server threats

In terms of web security there are advanced hacking techniques, causing a lot of damage. However, some of the common methods to attack a web server are URL interpretation, Session hijacking, HTML injection, SQL injection, Website defacement, Directory traversal, Misconfiguration attacks and more.

  • Common gateway interface threats

A common gateway interface (CGI) handles the transfer of information from a web server to another program or database. CGI and the corresponding programs provide active content to web pages. Because CGIs are programs, they present a security threat if not used properly. Just like web servers, CGI scripts can be configured to run with high privileges. Defective or malicious CGIs with unrestricted access to system resources might call privileged system programs to delete files, disable the system or read confidential consumer information, including usernames and passwords.

  • Password hacking

People understand that good password security is crucial for protecting sensitive systems and data; however, many of them struggle to apply good security policies, and systems are regularly compromised via breached user accounts.

Users should use strong passwords that are not easily guessed. A good password is more than 12 characters long and uses upper and lower case letters and special characters; length and uniqueness matter most, and a password that has appeared in a known breach should be rejected regardless of its length.

However, hackers use many methods to compromise a user's password other than stealing it straight from the database or guessing it.

Some of the most famous methods are:

1. Dictionary attack – tries every word from a wordlist file.
2. Brute force attack – tries every possible combination of characters.
3. Rainbow table attack – uses pre-computed hashes to reverse stolen, unsalted password hashes.
4. Phishing – uses a fake website or login form to trick the user into entering the password.
5. Social engineering – relies on the person's unawareness.
6. Malware – mostly keyloggers or screen scrapers.
7. Offline cracking – a password cracker is run against stolen password hashes.
8. Shoulder surfing – watching staff as they type their passwords.
9. Spidering – uses a custom-built word list compiled from the company's own public material.
10. Guessing – relies on the predictability of the user.
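
Items 1, 3 and 7 above are really one story about how passwords are stored: a fast, unsalted hash can be attacked with a table computed once and reused against every leaked hash, while a salted, slow hash forces every guess to be recomputed per account. The block below is an added example written for this page, not from the white paper; it uses a direct lookup table (the simplest form of the precomputation that rainbow tables compress into chains) and PBKDF2 from the standard library, and the wordlist and "leaked" hashes are constructed.

```python
# Added example (not from the white paper): a dictionary attack and a
# precomputed-hash lookup against unsalted MD5, then the same wordlist against
# a salted PBKDF2 record. Wordlist and "leaked" hashes are constructed.
import hashlib
import hmac
import os
from typing import Dict, Optional, Tuple

WORDLIST = ["123456", "password", "qwerty", "letmein", "summer2019", "admin123"]
Record = Tuple[bytes, bytes]  # (salt, digest)


def md5_hex(password: str) -> str:
    return hashlib.md5(password.encode()).hexdigest()


def build_lookup_table(words) -> Dict[str, str]:
    """Precompute hash -> password once; a full rainbow table compresses this idea
    with hash chains, but the precondition is the same: unsalted, fast hashes."""
    return {md5_hex(w): w for w in words}


def crack_unsalted(leaked_hash: str, table: Dict[str, str]) -> Optional[str]:
    return table.get(leaked_hash.lower())


def pbkdf2(password: str, salt: bytes, iterations: int = 100_000) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)


def make_record(password: str) -> Record:
    salt = os.urandom(16)
    return salt, pbkdf2(password, salt)


def verify(password: str, record: Record) -> bool:
    salt, digest = record
    return hmac.compare_digest(pbkdf2(password, salt), digest)


def crack_salted(record: Record, words) -> Optional[str]:
    """No table helps here: every guess is recomputed with this record's own salt,
    at 100,000 iterations each, so only genuinely weak passwords still fall."""
    for w in words:
        if verify(w, record):
            return w
    return None


if __name__ == "__main__":
    table = build_lookup_table(WORDLIST)
    leaked = md5_hex("summer2019")  # stands in for a hash pulled from a breached DB
    print("unsalted md5:", crack_unsalted(leaked, table))
    rec = make_record("summer2019")
    print("salted lookup:", crack_unsalted(rec[1].hex(), table))
    print("salted dictionary:", crack_salted(rec, WORDLIST))
```

Salting and a slow hash remove the table attack and make each guess expensive, but a password that is in the attacker's wordlist still falls to the dictionary run; that is why the storage format and the breached-password check belong together.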


Famous attacks in the sector

MALWARE

Malware is malicious software, developed by malicious hackers to gain access to or cause damage to a computer system or network, often without the knowledge of the affected user.
Malware is often called a “computer virus”, although a virus is only one of several quite different types of malicious software.

Magento and other e-commerce platforms are attractive targets for widespread malware infections because of their prevalence in the market. Malware can perform an extremely wide range of activities: it can use your computer as part of a botnet to launch DDoS attacks, or steal credit card numbers or sensitive account information from the users of your website. A well-known piece of malware targeting Magento sites had the functionality to extract credit card information and hide it inside image files, so that the attacker could retrieve it without raising any alarms.

SQL, XSS

SQL injection (SQLi) is an injection attack in which an attacker gets malicious SQL statements executed by supplying crafted input, in order to gain access to a web application's database server (a relational database management system, RDBMS). SQL injection is one of the oldest and most dangerous web application attacks and can affect any website or web application that uses an SQL database.

Cross-site scripting (XSS) attacks are also a type of injection, but here a malicious script is injected into a trusted website. An attacker can use XSS to deliver a malicious script to an unsuspecting user. The browser cannot distinguish the injected script from the site's own script and executes it in the user's session, with the site's privileges.
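The usual advice for XSS is "escape the output", but what escaping achieves depends on where in the page the value lands. The block below is an added example written for this page, not code from any e-commerce platform: it renders one attacker-controlled value into text, attribute and URL contexts and uses a small parser to report what a browser would actually execute. The page fragments and payloads are constructed.

```python
# Added example (not the page's or any platform's code): reflected XSS in three
# output contexts, with a small parser that reports what a browser would execute.
import html
from html.parser import HTMLParser
from typing import List


class _ExecutableSink(HTMLParser):
    """Collect script tags, on* event handlers and javascript: URLs from a fragment."""

    def __init__(self) -> None:
        super().__init__()
        self.found: List[str] = []

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self.found.append("<script>")
        for name, value in attrs:
            value = value or ""
            if name.startswith("on"):
                self.found.append(f"{name}={value}")
            elif name in ("href", "src") and value.strip().lower().startswith("javascript:"):
                self.found.append(f"{name}={value}")


def executable_parts(fragment: str) -> List[str]:
    sink = _ExecutableSink()
    sink.feed(fragment)
    sink.close()
    return sink.found


# 1. Text context: escaping is enough.
def search_unsafe(q: str) -> str:
    return f"<p>Results for: {q}</p>"


def search_escaped(q: str) -> str:
    return f"<p>Results for: {html.escape(q)}</p>"


# 2. Attribute context: escaping alone is not enough; the attribute must also be quoted,
#    otherwise a space in the value starts a new attribute.
def input_unquoted(q: str) -> str:
    return f"<input value={html.escape(q)}>"


def input_quoted(q: str) -> str:
    return f'<input value="{html.escape(q)}">'


# 3. URL context: escaping cannot neutralise a javascript: URL; allow-list the scheme.
def link_escaped(url: str) -> str:
    return f'<a href="{html.escape(url)}">profile</a>'


def link_checked(url: str) -> str:
    u = url.strip()
    if not (u.lower().startswith(("http://", "https://")) or (u.startswith("/") and not u.startswith("//"))):
        u = "#"
    return f'<a href="{html.escape(u)}">profile</a>'


if __name__ == "__main__":
    # Constructed payloads.
    for fragment in (search_unsafe("<script>alert(1)</script>"),
                     search_escaped("<script>alert(1)</script>"),
                     input_unquoted("x onmouseover=alert(1)"),
                     input_quoted("x onmouseover=alert(1)"),
                     link_escaped("javascript:alert(1)"),
                     link_checked("javascript:alert(1)")):
        print(f"{fragment!r:70} -> {executable_parts(fragment)}")
```

The parser is a stand-in for the browser: it only reports what it sees in the markup, so it catches the attribute and URL cases that a grep for "<script" would miss, and a template engine with context-aware auto-escaping is the production equivalent of the three renderers.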

VULNERABILITIES DUE TO INPUT VALIDATIONS

The most common web application security weakness is the failure to properly validate input coming from the client or the environment before using it. Most web application vulnerabilities are due to input validation failures: SQL injection, cross-site scripting (XSS), interpreter injection, locale/Unicode attacks, buffer overflows and file system attacks. Data from an external entity or client should be carefully inspected, as there is a high chance that it has been modified by an attacker.

LOG INJECTION

An attacker can inject malicious content into log files or forge log entries if there is a vulnerability that allows unvalidated user input to be written to the logs.

Log injection vulnerabilities occur when data from an untrusted source is written to an application or system log file without being neutralised.
Log files are typically used by applications to store a history of events or transactions that can be reviewed later. Logs are also used for gathering statistics or for debugging. Depending on the application's functionality, log files are reviewed either manually or with an automated tool that reads the logs and searches for trends or important events.

Log files are corrupted whenever an attacker can supply data to the application that is subsequently logged verbatim, because a line break in that data starts a new record that the reviewer, human or automated, cannot tell apart from a genuine one.
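The forgery described above needs nothing more than a newline in a username. The block below is an added example written for this page, not from the white paper: it writes the same event with a naive plain-text logger, with control characters escaped, and as one JSON record per line, then parses each output the way a log reviewer would. The log lines and the attacker-controlled username are constructed.

```python
# Added example (not from the white paper): forging a log entry through an
# unvalidated username, and two writers that keep the entry to one record.
import json
import re
from typing import Dict, List

# ASCII control characters plus the Unicode line/paragraph separators.
CONTROL = re.compile(r"[\x00-\x1f\x7f\u2028\u2029]")
_VISIBLE = {"\n": "\\n", "\r": "\\r", "\t": "\\t"}


def escape_control_chars(value: str) -> str:
    return CONTROL.sub(lambda m: _VISIBLE.get(m.group(), "\\u%04x" % ord(m.group())), value)


def log_line_unsafe(event: str, user: str) -> str:
    """Value written verbatim: a newline inside it starts a new, forged record."""
    return f"{event} user={user}"


def log_line_escaped(event: str, user: str) -> str:
    """Plain-text log with control characters rendered visibly."""
    return f"{event} user={escape_control_chars(user)}"


def log_line_json(event: str, user: str) -> str:
    """Structured record: json.dumps escapes newlines and, with ensure_ascii, non-ASCII too."""
    return json.dumps({"event": event, "user": user}, ensure_ascii=True)


def parse_plain_log(text: str) -> List[Dict[str, str]]:
    """The reviewer's parser for the plain format: one record per line."""
    records = []
    for line in text.splitlines():
        m = re.match(r"^(\w+) user=(.*)$", line)
        if m:
            records.append({"event": m.group(1), "user": m.group(2)})
    return records


def parse_json_log(text: str) -> List[Dict[str, str]]:
    return [json.loads(line) for line in text.splitlines() if line]


# Constructed attacker-controlled username: its second line is a fake successful admin login.
FORGED_USER = "mallory\nLOGIN_OK user=admin"

if __name__ == "__main__":
    unsafe = "\n".join([log_line_unsafe("LOGIN_FAIL", "alice"), log_line_unsafe("LOGIN_FAIL", FORGED_USER)])
    print(parse_plain_log(unsafe))   # three records, one of them forged
    safe = "\n".join([log_line_json("LOGIN_FAIL", "alice"), log_line_json("LOGIN_FAIL", FORGED_USER)])
    print(parse_json_log(safe))      # two records, the payload kept inside the field
```

Escaping keeps a plain-text log honest, but structured records also survive other untrusted characters (a "user=" inside the value, for instance) without the reviewer needing to know the escaping rules, which is why SIEM pipelines prefer them.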

MISSING XML VALIDATION

XML injection is present when a malicious user can get an XML document, or XML fragments, injected into the input the application parses. If the XML parser fails to validate the data in context, the attacker learns that an exploitable weakness is present. E-commerce platforms are often affected by XML validation vulnerabilities.

BAD BOTS

Bots have many names: crawlers, spiders, Internet robots, web bots and more. They are frequently used to perform repetitive jobs and simple tasks, like indexing for a search engine. However, they often come as part of malware and are used to gain full control over a computer system. Some of them infect the host and connect back to a C&C (command and control) server, which controls a network of compromised computers and hosts (a botnet).

  • Fraud – Bots can prevent your legitimate users from purchasing items by sending many purchase requests for an item, so that it appears out of stock to your clients. They can also list your items for sale on other sites at a lower price. Bots can also be used to brute-force your consumers' credentials; after a successful login the information can be resold to a third party. If someone is able to use your clients' credit cards, that can ruin their trust in you.
  • Price Scraping – Price scraping is the use of bots to crawl an online store for its prices and product catalogue information. It is often used by competitors to steal the dynamic pricing of a website, which is extremely important for e-commerce platforms, because many consumer buying decisions and revenue forecasts rely on real-time dynamic pricing. It allows competitors to set prices below the baseline prices in the marketplace and therefore attract more consumers.
  • Analytics – Bots can have a high impact on the analytics of your sales campaign by imitating human behaviour. Many of them execute JavaScript, which is also the mechanism most analytics tools use to measure bounce rate, conversion rate, page views and more. Such attacks can convince you to spend more money on advertising, compromise your metrics and lower your conversion rate.

PHISHING

Hackers may try to attack your e-commerce business by launching phishing campaigns, for which they craft fake emails, phone calls and SMS messages. Hackers can also inject malicious JavaScript snippets into the checkout pages of popular e-commerce platforms like Magento, WooCommerce, PrestaShop and others. Many merchants use PayPal as a payment method, so if their PayPal account is suspended, their customers' ability to purchase new items is limited. That makes merchants take it seriously when they receive an email claiming that their account will be suspended due to malicious or unusual activity. If they lack security awareness, merchants may follow the link to a fake page and, following its instructions, provide their login credentials. They may also download, complete and submit invoices, bills and proposals sent as attachments, which hands the cybercriminal their usernames and passwords and full access to the merchant's PayPal account. The attachment can also install malicious software on the victim's computer.

PAYMENT

E-commerce transactions are a great opportunity for the banking industry, but they also bring risks and security threats. From both the management and the technical point of view, information security is a crucial aspect of efficient and effective payment transactions on the Internet. Money transactions in the E-commerce sector require a coordinated set of algorithms and technical solutions.

Nowadays an important security measure in the payment industry is EMV, which stands for Europay, MasterCard and Visa. It is a global standard for the interoperation of chip cards, ATMs and POS terminals when authenticating credit and debit card transactions. Chip cards are the successor of magnetic stripe cards. The chip does not protect online (card-not-present) payments, because the buyer types the card details in manually; its benefit is that a card with a chip is much harder to clone.
For mobile payments, fingerprint authentication adds a good layer of security because it requires the physical presence of the person. Biometric identification is much harder to bypass than traditional account credentials.

For merchants it is good practice to comply with the PCI DSS standard.
Some of the benefits that PCI DSS provides are:

  • Peace of mind – The first benefit that comes along with PCI DSS compliance is the fact that you get increased peace of mind.
  • Better customer relationships – PCI DSS provides an undisputed advantage in the maintenance of customer relationships.
  • Universal principles – PCI DSS is designed to be able to apply to any company which processes and stores customer payment card data, by obligating the company to follow 12 criteria across six security areas.

To offer multi-currency and cross-border transactions most merchants prefer e-wallets and mobile payments. When choosing a provider for these, pick one with a secure infrastructure to mitigate the issues described above.
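The PCI DSS goal that bites hardest in merchant code is protecting cardholder data: the primary account number (PAN) must not end up in logs, screens or databases in the clear. The following is an added example (not code from the original article) of the three controls a merchant application needs around card numbers: a Luhn check before the number is used, masking to the first six and last four digits for display and logging, and a keyed token for storage so the shop never keeps the PAN itself. The key constant and the sample strings are assumptions for the example.

```python
"""Validate, mask and tokenize card numbers (added example)."""
import hashlib
import hmac
import re

PAN_RE = re.compile(r"\b\d{13,19}\b")
# Assumption: in a real deployment this key lives in a secrets manager / HSM.
EXAMPLE_TOKEN_KEY = b"replace-with-a-key-from-your-secrets-manager"


def luhn_valid(pan: str) -> bool:
    """Luhn mod-10 check that every real card number passes."""
    if not pan.isdigit() or not 13 <= len(pan) <= 19:
        return False
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:            # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Keep at most the first six and last four digits, the usual display masking."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def tokenize_pan(pan: str, key: bytes = EXAMPLE_TOKEN_KEY) -> str:
    """Deterministic keyed surrogate: same card -> same token, and the PAN cannot
    be recovered from the token without the key. Most merchants instead use a
    vaulting tokenization service so the key never exists in the shop."""
    return "tok_" + hmac.new(key, pan.encode(), hashlib.sha256).hexdigest()[:32]


def redact(text: str) -> str:
    """Mask anything that looks like a PAN and passes Luhn, e.g. before logging."""
    return PAN_RE.sub(
        lambda m: mask_pan(m.group(0)) if luhn_valid(m.group(0)) else m.group(0), text
    )


if __name__ == "__main__":
    # Constructed sample: a Visa test number and an order reference that is not a card.
    print(redact("order 4242 paid with 4111111111111111 ref 12345678901234"))
    print(tokenize_pan("4111111111111111"))
```

The redaction step is the one most often missing: exception traces and debug logs that echo request bodies are a common way for PANs to leak into systems that were never in scope for PCI DSS. Note the Luhn filter in redact() only reduces false positives; a reference number can pass Luhn by chance, so treat it as a last line of defence, not a substitute for never logging the field.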

DDOS

A distributed denial-of-service (DDoS) attack is a malicious attempt to disrupt the normal traffic of a targeted server, service or network by overwhelming the target or its surrounding infrastructure with a flood of Internet traffic. DDoS attacks are effective because they use many compromised computer systems as sources of attack traffic. Online stores are especially exposed during discount periods like Black Friday. There are, however, measures that are easy to implement to protect against this type of attack.

ICMP

Ping requests test the network connection between two computer systems by measuring the round-trip time from when an ICMP echo request is sent to when the ICMP echo reply is received. They can also be used maliciously, to overload a target network with packets.

To launch a ping flood the attacker must know the target's IP address. Attacks can be grouped into three main categories depending on how that address is resolved:

  • A router disclosed ping flood.
  • A targeted local disclosed ping flood.
  • A blind ping flood.
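The first easy measure against both the HTTP floods of the DDoS section and the ping floods above is a per-source rate limit: count events per source inside a sliding time window and refuse whatever exceeds the budget. The following is an added example, not code from the original article, of one sliding-window counter applied to two kinds of events, HTTP requests as seen at the application edge and ICMP echo requests as counted from a packet capture; the thresholds, IP addresses and event stream are constructed.

```python
"""Per-source sliding-window flood detection (added example)."""
from collections import defaultdict, deque


class SlidingWindowLimiter:
    """Allow at most `limit` events per source within any `window` seconds."""

    def __init__(self, limit, window):
        self.limit = limit
        self.window = window
        self._events = defaultdict(deque)

    def allow(self, source, ts):
        q = self._events[source]
        while q and ts - q[0] >= self.window:   # expire timestamps outside the window
            q.popleft()
        if len(q) >= self.limit:
            return False
        q.append(ts)
        return True


# kind -> (limit, window seconds). Thresholds are assumptions for the example.
POLICIES = {
    "http": (20, 10.0),
    "icmp-echo": (10, 1.0),
}


def detect_floods(events, policies=POLICIES):
    """events: iterable of (timestamp, source_ip, kind).
    Returns {kind: {source: number_of_events_over_limit}} for offenders only."""
    limiters = {kind: SlidingWindowLimiter(*p) for kind, p in policies.items()}
    dropped = defaultdict(lambda: defaultdict(int))
    for ts, src, kind in sorted(events):
        lim = limiters.get(kind)
        if lim is not None and not lim.allow(src, ts):
            dropped[kind][src] += 1
    return {kind: dict(srcs) for kind, srcs in dropped.items()}


# Constructed event stream: an HTTP flood, a normal shopper and a ping flood.
SAMPLE_EVENTS = (
    [(100.0 + i * 0.05, "203.0.113.9", "http") for i in range(100)]          # 100 req in 5 s
    + [(100.0 + i * 2.0, "198.51.100.4", "http") for i in range(5)]          # 5 req in 8 s
    + [(200.0 + i * 0.002, "203.0.113.50", "icmp-echo") for i in range(500)]  # 500 pings in 1 s
)

if __name__ == "__main__":
    for kind, sources in detect_floods(SAMPLE_EVENTS).items():
        for src, n in sources.items():
            print("%s: %s exceeded the limit %d times" % (kind, src, n))
```

This stops floods that come from a handful of sources and keeps one abusive client from starving others. A true volumetric DDoS from thousands of hosts saturates the uplink before any of this code runs, which is why the measure is paired with an upstream scrubbing or CDN service; the same sliding window is what those services apply, just closer to the source.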

MITM

A man-in-the-middle attack is a common type of attack that lets the attacker eavesdrop on, and often tamper with, the communication between two parties. Attackers use a variety of techniques: IP spoofing, DNS spoofing, HTTPS spoofing, SSL hijacking, email hijacking, Wi-Fi eavesdropping or stealing browser cookies. Even when a website uses HTTPS, in specific circumstances (typically a first visit, or a user who typed the address without https://) an attacker in the path can strip the secure layer: the attacker keeps the HTTPS connection to the web server for itself and serves the user a plain HTTP copy of the site, exposing the user's credentials.
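The standard defences against SSL stripping are an HTTP-to-HTTPS redirect, an HSTS header that tells the browser never to use plain HTTP for the site again, and the Secure flag on session cookies so they are never sent over any HTTP connection an attacker manages to force. The following is an added example, not code from the original article, of a check over a server's response headers for exactly those three things; the responses are constructed, and audit_live() shows the same check against a real host when network access is available.

```python
"""Check the response headers that defeat SSL stripping (added example)."""
import http.client
import re
from http.cookies import SimpleCookie

ONE_YEAR = 31536000   # the max-age browsers expect before trusting the policy long-term


def audit_response(scheme, status, headers):
    """scheme: 'http' or 'https' of the request made; headers: list of (name, value)."""
    findings = []
    lower = [(n.lower(), v) for n, v in headers]

    def get(name):
        return [v for n, v in lower if n == name]

    if scheme == "http":
        loc = get("location")
        if not (300 <= status < 400 and loc and loc[0].lower().startswith("https://")):
            findings.append("plain-HTTP request served content instead of redirecting to HTTPS")
        return findings

    hsts = get("strict-transport-security")
    if not hsts:
        findings.append("no Strict-Transport-Security header")
    else:
        m = re.search(r"max-age=(\d+)", hsts[0], re.I)
        age = int(m.group(1)) if m else 0
        if age < ONE_YEAR:
            findings.append("HSTS max-age below one year (%d)" % age)
        if "includesubdomains" not in hsts[0].replace(" ", "").lower():
            findings.append("HSTS without includeSubDomains")
    for raw in get("set-cookie"):
        jar = SimpleCookie()
        jar.load(raw)
        for name, morsel in jar.items():
            if not morsel["secure"]:
                findings.append("cookie %s without Secure flag" % name)
            if not morsel["httponly"]:
                findings.append("cookie %s without HttpOnly flag" % name)
    return findings


def audit_live(host):
    """Same check against a real server (needs network access)."""
    conn = http.client.HTTPSConnection(host, timeout=10)
    conn.request("HEAD", "/")
    resp = conn.getresponse()
    return audit_response("https", resp.status, resp.getheaders())


# Constructed responses: a weak shop, a hardened shop, and a correct HTTP redirect.
WEAK = ("https", 200, [("Content-Type", "text/html"), ("Set-Cookie", "session=abc123; Path=/")])
STRONG = ("https", 200, [
    ("Strict-Transport-Security", "max-age=63072000; includeSubDomains; preload"),
    ("Set-Cookie", "session=abc123; Path=/; Secure; HttpOnly"),
])
HTTP_REDIRECT = ("http", 301, [("Location", "https://shop.example/")])

if __name__ == "__main__":
    for label, resp in (("weak", WEAK), ("strong", STRONG), ("redirect", HTTP_REDIRECT)):
        print(label, audit_response(*resp) or "ok")
```

HSTS only protects visits after the first one; submitting the domain to the browser preload list (the preload token above) closes that gap for the first visit too.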

THEFT

E-commerce has not yet reached its full potential, partly because of media coverage and frequent warnings about the threats and risks of online transactions. Many people lack security awareness and are afraid to buy online for fear that someone will steal their money. Consumers should instead prefer online stores that demonstrably use trusted payment methods and follow the security requirements, which reduces that risk.

VULNERABILITY IN IPS

The purpose of an intrusion prevention system is to identify and block any type of malicious activity and to provide good logs and reports about it. An IPS is only as good as its deployment; it becomes a weak point under the following conditions:

  • Underestimation of what its security capabilities (information gathering, logging, detection and prevention) need in order to work.
  • Undefined management policies.
  • Focus on performance rather than security.

VULNERABILITIES IN FIREWALL

Firewalls are usually important assets of every network security infrastructure. Their job is to restrict inbound and outbound access to specific IP addresses and networks. A firewall vulnerability can arise from an error in firewall design, implementation or configuration that can be exploited to attack the trusted network behind it. Common firewall vulnerabilities and misconfigurations include:

  • Allowed ICMP traffic.
  • Rejecting blocked traffic with an error reply instead of silently dropping it, which tells a scanner that a filter exists.
  • Lack of port restriction.
  • Unrestricted access from any source to specific IPs and networks.
  • Unnecessarily open TCP and UDP ports.
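Each item in that list can be checked mechanically against a ruleset dump. The following is an added example, not code from the original article, that audits an iptables INPUT chain in iptables-save syntax for the five misconfigurations above. It assumes an Internet-facing shop needs only ports 80 and 443 open to the world, treats a fixed set of ports as management ports, and the ruleset is constructed.

```python
"""Audit an iptables INPUT ruleset for common misconfigurations (added example)."""
import shlex

MGMT_PORTS = {22, 23, 161, 1433, 3306, 3389, 5432, 6379}   # assumption
EXPECTED_PORTS = {80, 443}                                  # assumption: a web shop


def parse_rule(line):
    """Pick out the handful of iptables options the audit cares about."""
    toks = shlex.split(line)
    rule = {"chain": None, "proto": None, "src": None, "dport": None,
            "icmp_type": None, "target": None}
    opts = {"-A": "chain", "-p": "proto", "-s": "src", "--dport": "dport",
            "--icmp-type": "icmp_type", "-j": "target"}
    i = 0
    while i < len(toks):
        key = opts.get(toks[i])
        if key is not None and i + 1 < len(toks):
            rule[key] = toks[i + 1]
            i += 2
        else:
            i += 1
    return rule


def port_range(spec):
    lo, _, hi = spec.partition(":")
    return int(lo), int(hi or lo)


def audit_ruleset(text):
    """Return (rule_line, problem) pairs for the INPUT chain."""
    findings = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line.startswith("-A INPUT"):
            continue
        r = parse_rule(line)
        any_src = r["src"] in (None, "0.0.0.0/0")
        if r["target"] == "REJECT":
            findings.append((line, "REJECT answers the probe; DROP leaves the scanner guessing"))
        if r["target"] != "ACCEPT":
            continue
        if r["proto"] == "icmp" and r["icmp_type"] is None and any_src:
            findings.append((line, "all ICMP types accepted from anywhere"))
        if r["proto"] in ("tcp", "udp"):
            if r["dport"] is None:
                findings.append((line, "no destination port restriction"))
                continue
            lo, hi = port_range(r["dport"])
            if hi - lo >= 1024:
                findings.append((line, "overly wide port range %s" % r["dport"]))
            elif any_src and any(p in MGMT_PORTS for p in range(lo, hi + 1)):
                findings.append((line, "management port open to any source"))
            elif any_src and not all(p in EXPECTED_PORTS for p in range(lo, hi + 1)):
                findings.append((line, "unnecessarily open port %s" % r["dport"]))
    return findings


# Constructed ruleset mixing sound rules with each of the listed mistakes.
SAMPLE_RULES = """\
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p tcp --dport 443 -j ACCEPT
-A INPUT -p tcp --dport 80 -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -p tcp --dport 22 -j ACCEPT
-A INPUT -s 10.0.0.0/8 -p tcp --dport 22 -j ACCEPT
-A INPUT -p tcp --dport 1024:65535 -j ACCEPT
-A INPUT -p udp --dport 161 -j ACCEPT
-A INPUT -p tcp --dport 8080 -j ACCEPT
-A INPUT -p tcp --dport 3389 -j REJECT --reject-with tcp-reset
-A INPUT -j DROP
"""

if __name__ == "__main__":
    for rule, problem in audit_ruleset(SAMPLE_RULES):
        print("%-60s %s" % (rule, problem))
```

The rule that allows SSH only from 10.0.0.0/8 is deliberately left clean: the problem is never the port itself but who may reach it. Rules with multiport, source sets or other match extensions are outside this toy parser and would need the same treatment.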


Protection mechanisms

PENETRATION TESTING

Penetration testing simulates real-world attack scenarios to discover and exploit security gaps that could lead to stolen records; compromised credentials, intellectual property, personally identifiable information (PII), cardholder data or protected health information; data held to ransom; or other harmful business outcomes.

Penetration tests can be performed manually or with automated tools. Depending on the scope they can target:

  • Network equipment – servers, network endpoints, wireless networks, network security devices, mobile devices.
  • Software applications and the code behind them (web, mobile or desktop applications).

Vulnerability analysis, also known as vulnerability assessment, is the process of identifying and classifying security holes (vulnerabilities) in a computer, network or communications infrastructure. It can also forecast the effectiveness of proposed countermeasures and evaluate their actual effectiveness after they are put into use. Assessments are usually conducted mainly with automated tools. Unlike penetration testing, a vulnerability assessment does not try to exploit the identified vulnerabilities to prove they are real and to show their impact on the business.

Vulnerability assessment aims to:

  • Define and classify network or system resources and assign relative levels of importance to the resources.
  • Identify potential threats to each resource and develop a strategy to deal with the most serious potential problems first.
  • Define and implement ways to minimize the consequences if an attack occurs.

NETWORK FIREWALLS

Firewalls are a must in large corporations, which usually have complex solutions in place to protect their extensive networks. Firewalls can be configured to block access to certain websites (such as social media or online gambling sites), to prevent employees from sending certain types of files or emails, or to catch sensitive data being transmitted outside the company network.

Their second purpose is to prevent outside users from accessing systems inside the network: a company might expose a single file-sharing server and restrict access to all other computers. Extensive and complex configurations need strict change handling and must be maintained by well-trained network security specialists.

WAF

A web application firewall (WAF) applies a set of rules to HTTP traffic; it is a firewall for web applications. Its rules cover common web application attacks such as SQL injection, cross-site scripting (XSS) and others. Whereas a proxy protects clients, a WAF can be seen as a reverse proxy that protects servers. WAFs come as an appliance, a server plug-in or a filter, and may be customised to a specific application. Like a network firewall, a WAF requires careful tuning and must be maintained as the application changes.
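What "applying a set of rules to HTTP traffic" means in practice is shown by the following added example, which is not code from the original article nor from any real WAF product: it normalises each request parameter (percent-decoding twice, so a double-encoded payload is caught), then matches the path, query, body and a few headers against a handful of signatures for SQL injection, XSS and path traversal. The rules and requests are constructed; a production engine such as ModSecurity with the OWASP Core Rule Set works the same way with hundreds of rules and anomaly scoring.

```python
"""A minimal signature-based WAF decision (added example)."""
import re
from urllib.parse import parse_qsl, unquote_plus

RULES = [
    ("sqli-union-select", re.compile(r"\bunion\b[\s/*]+(all\s+)?select\b", re.I)),
    ("sqli-tautology", re.compile(r"'\s*(or|and)\s+'?\d+'?\s*=\s*'?\d+", re.I)),
    ("xss-script-tag", re.compile(r"<\s*script\b", re.I)),
    ("xss-event-handler", re.compile(r"\bon(load|error|click|mouseover|focus)\s*=", re.I)),
    ("xss-javascript-uri", re.compile(r"javascript\s*:", re.I)),
    ("path-traversal", re.compile(r"\.\.[/\\]")),
]
INSPECTED_HEADERS = ("user-agent", "referer", "cookie")


def normalize(value):
    """Percent-decode until stable (at most twice) so %2527 -> %27 -> ' is caught."""
    for _ in range(2):
        decoded = unquote_plus(value)
        if decoded == value:
            break
        value = decoded
    return value


def inspect_request(method, path, headers, body=""):
    """Return [(rule_name, location)] for every signature hit in the request."""
    route, _, query = path.partition("?")
    targets = [("path", route)]
    targets += [("query:" + k, v) for k, v in parse_qsl(query, keep_blank_values=True)]
    if body:   # assumption: form-encoded body; JSON bodies need their own walker
        targets += [("body:" + k, v) for k, v in parse_qsl(body, keep_blank_values=True)]
    for name, value in headers.items():
        if name.lower() in INSPECTED_HEADERS:
            targets.append(("header:" + name.lower(), value))
    hits = []
    for where, value in targets:
        text = normalize(value)
        for rule_name, pattern in RULES:
            if pattern.search(text):
                hits.append((rule_name, where))
    return hits


def decide(method, path, headers=None, body=""):
    return "block" if inspect_request(method, path, headers or {}, body) else "allow"


# Constructed requests: benign traffic and the attacks the rules are meant to catch.
SAMPLE_REQUESTS = [
    ("GET", "/product?id=42", {"User-Agent": "Mozilla/5.0"}, ""),
    ("POST", "/review", {"User-Agent": "Mozilla/5.0"}, "text=Great+shoes%2C+5+stars"),
    ("GET", "/search?q=shoes%27%20OR%201%3D1%20--", {}, ""),
    ("GET", "/product?id=1%2527%2520union%2520select%25201%2C2", {}, ""),   # double-encoded
    ("POST", "/review", {}, "text=%3Cscript%3Ealert(1)%3C%2Fscript%3E"),
    ("GET", "/download?file=..%2F..%2Fetc%2Fpasswd", {}, ""),
]

if __name__ == "__main__":
    for method, path, headers, body in SAMPLE_REQUESTS:
        print(decide(method, path, headers, body), method, path, body)
```

Signatures are a negative security model: they block what they recognise and miss everything else (the tautology rule above does not match ' or 'a'='a, for instance), and they produce false positives on legitimate text that happens to look like an attack. That is why the article's point about continuous tuning matters: every new form field or API route is a new place where a rule can be too loose or too tight.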

IPS/IDS DEVICES

Intrusion detection systems (IDS) and intrusion prevention systems (IPS) are among the most sophisticated network security devices in use today. Their job is to inspect network packets, block (IPS) or flag (IDS) those with malicious content, and alert administrators about attack attempts. Their logs contain valuable information about attack types, network threats, targeted devices and more, and should be extracted and analysed to prevent future attempts.

SIEM AND SOC

A SIEM (Security Information and Event Management) system provides security visibility across the network by flagging suspicious and illegitimate activity through predefined rules and correlation logic. It collects and normalizes logs from many sources, tests them against a set of correlation rules and, when a rule triggers, raises an event that security analysts can investigate.
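The collect, normalize, correlate pipeline just described, reduced to its essentials: the following is an added example, not code from the original article or from any SIEM product. It normalizes two unrelated log formats (sshd syslog lines and a web application's JSON login events) into one event shape, then runs a single correlation rule across both sources: five or more failed logins from one IP followed within five minutes by a successful login from that same IP. The log lines are constructed, and the syslog year is an assumption because syslog timestamps carry none.

```python
"""Normalize two log sources and run one correlation rule (added example)."""
import json
import re
from collections import defaultdict, deque
from datetime import datetime

SSHD_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) password for (?:invalid user )?(?P<user>\S+) from (?P<src>\S+)"
)


def normalize_sshd(line, year=2023):
    m = SSHD_RE.match(line)
    if not m:
        return None
    return {
        "ts": datetime.strptime("%d %s" % (year, m["ts"]), "%Y %b %d %H:%M:%S"),
        "src": m["src"], "user": m["user"], "source": "sshd",
        "outcome": "failure" if m["result"] == "Failed" else "success",
    }


def normalize_webapp(line):
    try:
        rec = json.loads(line)
    except ValueError:
        return None
    if rec.get("event") != "login":
        return None
    return {
        "ts": datetime.fromisoformat(rec["time"]), "src": rec["client_ip"],
        "user": rec["username"], "source": "webapp",
        "outcome": "success" if rec["ok"] else "failure",
    }


def normalize_all(lines):
    events = []
    for line in lines:
        ev = normalize_sshd(line) or normalize_webapp(line)
        if ev:
            events.append(ev)
    return events


def correlate_bruteforce(events, threshold=5, window_seconds=300):
    """One alert per source that logs in successfully after >= threshold recent failures."""
    failures = defaultdict(deque)
    alerts = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        q = failures[ev["src"]]
        while q and (ev["ts"] - q[0]).total_seconds() > window_seconds:
            q.popleft()
        if ev["outcome"] == "failure":
            q.append(ev["ts"])
        elif len(q) >= threshold:
            alerts.append({"rule": "brute-force-then-success", "src": ev["src"],
                           "user": ev["user"], "via": ev["source"],
                           "failures": len(q), "at": ev["ts"]})
            q.clear()
    return alerts


# Constructed lines: a password-spraying host that fails on SSH and then succeeds
# on the web application, and a legitimate user who mistypes twice.
SAMPLE_LINES = [
    "Oct 10 10:00:01 shop sshd[2210]: Failed password for root from 203.0.113.66 port 51200 ssh2",
    "Oct 10 10:00:02 shop sshd[2211]: Failed password for invalid user admin from 203.0.113.66 port 51201 ssh2",
    "Oct 10 10:00:03 shop sshd[2212]: Failed password for invalid user ubuntu from 203.0.113.66 port 51202 ssh2",
    "Oct 10 10:00:04 shop sshd[2213]: Failed password for root from 203.0.113.66 port 51203 ssh2",
    "Oct 10 10:00:05 shop sshd[2214]: Failed password for invalid user test from 203.0.113.66 port 51204 ssh2",
    "Oct 10 10:00:06 shop sshd[2215]: Failed password for root from 203.0.113.66 port 51205 ssh2",
    '{"time": "2023-10-10T10:02:30", "event": "login", "username": "admin", "client_ip": "203.0.113.66", "ok": true}',
    "Oct 10 10:05:00 shop sshd[2300]: Failed password for alice from 198.51.100.4 port 40010 ssh2",
    "Oct 10 10:05:10 shop sshd[2301]: Failed password for alice from 198.51.100.4 port 40011 ssh2",
    "Oct 10 10:05:20 shop sshd[2302]: Accepted password for alice from 198.51.100.4 port 40012 ssh2",
]

if __name__ == "__main__":
    for alert in correlate_bruteforce(normalize_all(SAMPLE_LINES)):
        print(alert)
```

The value of the normalization step is visible in the sample: neither source on its own shows anything alarming (SSH sees failures, the web app sees one clean login), and only the common "src" field lets the rule connect them.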

A SOC (Security Operations Centre) encompasses the people, processes and technology involved in protectively monitoring a network. The SOC team is a centralized unit of security analysts and other security experts that handles security issues using a variety of tools. They respond to security incidents and actively research known and 0-day threats. One of their main tools is the SIEM.


Basic security measures

  • Encryption – One of the most important security methods is converting readable text into encoded text, especially for end-to-end protection of data transmitted across networks.
  • Digital signature – An electronic "fingerprint" in the form of a coded message; it securely associates a signer with a document in a recorded transaction using PKI.
  • Security certificates – SSL/TLS certificates digitally bind a cryptographic key to an organization's details. Installed on a web server, the certificate enables the padlock and the https protocol for secure connections. TLS (the successor of SSL) is typically used to secure data transfers, logins and credit card transactions.

  • MFA – Multi-factor authentication uses two or more different factors to verify a person's identity before granting access to specific software, systems or the data they hold.
  • SSO – Single sign-on: the user authenticates once at the start of their work with a master sign-on; when they need another system or application, the SSO solution logs them in on their behalf.

PCI DSS groups its twelve requirements under six goals:

  • Create and maintain a secure network and systems
  • Implement strong access control mechanisms
  • Protect cardholder data
  • Maintain a vulnerability management program
  • Regularly monitor and test the security of networks
  • Maintain an information security policy and procedures

The main components of an online card payment are:

  • Card holder's digital wallet – Digital wallets give card holders a secure and convenient way to store and use their payment cards without carrying the physical cards. A digital wallet is a device or system that stores digitized versions of payment cards.
  • Merchant software – The merchant application is the system that merchants, retailers and distributors use to run and improve their business, and the place where the order is created.
  • Payment gateway server – A payment gateway is a merchant service provided by an E-commerce application service provider that authorizes credit card or direct payments for e-businesses and online retailers.


Conclusion

Good security measures are just as important as the functional capabilities of every E-commerce platform. A cyber attack can ruin consumer trust and lead to stolen credentials or to financial and legal consequences. There are many security solutions on the market, some more expensive than others; a critical and uncompromising approach is needed to choose the expertise best suited to the cyber safety and security of your organization.