Feelter blog

by: Smadar Landau

Rite Aid’s recent data breach revealing that, for 10 weeks at the beginning of 2017 cybercriminals had access to sensitive customer financial and credit card information, highlights in no uncertain terms the ongoing vulnerability of Internet-connected company computers. It also highlighted the need for continued penetration testing of company web sites.

Penetration testing – either manual or automated methods – determines how easy it is to hack a specific web site. It is a pro-active security service intended to simulate an attack, but with the added dynamic of actually hacking a site, utilizing the same techniques and tools a real hacker would, exposing security weaknesses and issues before any criminal can gain access for real.

In addition to technical weaknesses and security gaps, a penetration test can also highlight human errors, weak passwords, and - a problem often associated with growing companies which need to continually add to their enterprise-wide computing infrastructures - legacy computers that still contain older, previously compromised security functions.

In checking if hackers are able to access an account, penetration testing first discerns the type of data that criminals may want – such as stored passwords and credit card details - and also the actual web site vulnerabilities, such as encryption deficiencies.

Information is either given to the simulation attackers or not. It might be given to them as a way of moving the simulation process forward or to ensure they are focusing on the correct security concerns. Or it is not given to them to ensure the simulation is a mirror of a real hacker attack.

One of the most important factors of penetration testing is following up with any discovered security gaps revealed in a resulting vulnerability report. However, often used interchangeably, and confusingly, a separate vulnerability assessment is different from penetration testing.

While a vulnerability assessment analyzes host computers trying to find out the most likely places an attack will occur, such as with patch management or system administration process security, an actual attack is not attempted. A penetration test meanwhile does actually simulate a hacker attack on the system, utilizing the same means available to hackers in an effort to breach the security wall. While they are separate animals, a penetration test may actually conclude a vulnerability assessment as a way to confirm all possible gaps have been plugged.

While most companies would certainly have to employ a third-party cyber security expert to perform either a penetration test or vulnerability assessment, preventative security measures that can be employed immediately include either a two- or three-step authentication process, that could include a personal security question that needs to be answered and some sort or verification code that can be sent to a pre-authorized email address or texted to a phone.

The bottom line is that in eCommerce the relationship between an online retailer and customer is based on trust. The consumer trusts the retailer to look after their credit card and other financial details and take whatever means necessary to maintain the security of that information. A data hack can destroy that trust in an instant and destroy a retailer’s reputation. Far better then to endure the extra expense and added work in scheduling additional, and possibly regular, penetration tests than to risk a data breach and a broken consumer-retailer relationship.

 by: Smadar Landau