Three cybersecurity mistakes and how to avoid them this holiday season
For consumers, December brings boxes tied up in string, long lines for the season’s best deals and lots of wrapping paper, bows and bags.
While the pandemic has the holidays looking a bit different in 2020, consumers are still anticipated to spend an average of nearly $1,000 each on gifts and holiday items like food and decorations. The sprawling lines snaking around stores after Thanksgiving have been replaced by a wave of traffic on retailers’ websites, as the ongoing pandemic pushes most people to shop online.
As shoppers look to grab the perfect gifts, threat actors will look to take advantage of retail organizations that are rushing to capitalize on the increase in web traffic. Last year, retailers saw a 20% uptick in cyberattacks during the holiday season compared to 2018.
With the entire holiday season now basically one extended Cyber Monday, it’s important for retailers to know how to keep themselves and their shoppers safe with proper web application and infrastructure controls. IT teams at retail organizations are already under heavy stress trying to stretch bandwidth to keep websites up and running; they don’t need to be worried about a cyberattack, too.
Below are some of the most common cybersecurity mistakes retailers can make during this unique pandemic holiday shopping season, and how they can avoid them.
Mistake: Failing to enforce best password practices
Cyber adversaries no longer stare at lines of code and penetrate the perimeter defenses an organization has put in place; they simply log in. This applies to attacks on consumers as well as on the retailer’s employees and IT staff. Left to their own devices, most employees will pick a simple password that they can easily remember and that they also use on other websites.
The problem with this is that hackers can take advantage of the millions of leaked credentials being sold on the dark web. If an adversary uses credential stuffing or password spraying campaigns, an individual can be at a heightened risk of being compromised. Even retail organizations with the best-built perimeters won’t be able to prevent the attack since the enemy would already be inside the network.
The fix: Implementing multi-factor authentication everywhere
Retail organizations must realize that multi-factor authentication (MFA) is the lowest-hanging fruit for protecting against hackers who are intent on using stolen, legitimate credentials. MFA requires users to take an extra step to verify their identity beyond a simple username and password, using something the user knows (such as a text code or security question), something they have (such as a smartphone or tablet) or something they are (such as a face or fingerprint scan).
Mistake: Continuing to solely rely on a virtual private network (VPN)
During the initial transition to remote work, IT staff leaned on VPNs to allow employees to work securely. While a VPN is better than no security measures at all, it comes with its own risk, namely that it gives secure access to the entire network. For privileged users such as IT administrators, a group that increasingly includes outsourced IT, managed services providers, and other third parties, the risk increases exponentially should their credentials be used to access sensitive information and systems on the broader network over a VPN.
The fix: Establish least privilege and control privilege elevation
Attackers will typically aim to compromise privileged users like IT administrators or third parties in order to carry out their attacks because their credentials come with extra entitlements and access. Therefore, organizations should adopt a least privilege approach that grants only just enough access, just in time, to get a task done. No more, no less.
Under this approach, users must elevate privilege in order to gain access to sensitive resources such as customer addresses and financial information. By getting rid of the VPN and using a comprehensive privileged access management (PAM) solution to enforce least privilege with granular access policies, everything on the network outside the scope of the task being performed stays unavailable and protected.
Retailers should also govern privilege elevation by implementing access requests and approval workflows. By doing this, the organization can gain insight into who approved access and the context associated with a request.
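The request, approval and time-boxed grant described above can be modelled in a few lines. This is an added illustration, not code from the article or from any PAM product; the class, user and resource names are hypothetical, and time is passed in explicitly so the expiry behaviour is easy to follow.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass
class Grant:
    user: str
    resource: str
    reason: str                      # context kept for the audit trail
    ttl_seconds: int                 # "just in time": access ends on its own
    approver: Optional[str] = None
    expires_at: Optional[float] = None

class ElevationBroker:
    """Hypothetical in-memory model: request -> approval -> time-boxed grant."""
    def __init__(self, approvers):
        self.approvers = set(approvers)
        self.grants = []
        self.audit = []              # (time, event, user, resource, detail)

    def _log(self, now, event, grant, detail):
        self.audit.append((now, event, grant.user, grant.resource, detail))

    def request(self, user, resource, reason, ttl_seconds, now):
        grant = Grant(user, resource, reason, ttl_seconds)
        self.grants.append(grant)
        self._log(now, "requested", grant, reason)
        return grant

    def approve(self, grant, approver, now):
        # Only a designated approver may approve, and never their own request.
        if approver not in self.approvers or approver == grant.user:
            self._log(now, "approval_refused", grant, approver)
            return False
        grant.approver = approver
        grant.expires_at = now + grant.ttl_seconds
        self._log(now, "approved", grant, approver)
        return True

    def is_allowed(self, user, resource, now):
        # Default deny: only an approved, unexpired grant for this exact pair.
        return any(g.user == user and g.resource == resource
                   and g.expires_at is not None and now < g.expires_at
                   for g in self.grants)

if __name__ == "__main__":
    broker = ElevationBroker(approvers={"secops-lead"})   # constructed names
    g = broker.request("contractor-7", "customer-db", "index rebuild", 900, now=0)
    broker.approve(g, "secops-lead", now=10)
    print(broker.is_allowed("contractor-7", "customer-db", now=60))
    print(broker.audit)
```

The audit list is what gives the organization the "who approved, and in what context" record; everything not covered by a live grant stays denied.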
Mistake: Leaving security as an afterthought in the DevOps pipeline
As retail organizations adopt DevOps practices to improve agility, incorporating privileged access management into the pipeline can become increasingly complex. Traditional methods of securing developer environments involve manual interventions and restrictive controls that slow down DevOps teams. Further complicating the issue is the fact that applications, virtual machines, services and workloads running in the cloud have their own machine identities, which come with their own entitlements and privileges and also need to be protected.
The fix: Go beyond simple application-to-application password management (AAPM)
PAM solutions that support modern application-to-application password management (AAPM) approaches can help DevOps teams at retail organizations secure all identities, both human and non-human. Methods such as secure shell (SSH) keys, ephemeral tokens and delegated machine credentials can seamlessly and automatically incorporate PAM into the DevOps pipeline, further arming an organization’s defenses as it innovates.
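To make the contrast with a static shared password concrete, the sketch below issues a short-lived, scope-bound token to a pipeline job and verifies it on use. It is an added example, not the article's or any vendor's implementation; the token layout (base64 claims plus an HMAC-SHA256 tag) and the workload and scope names are assumptions chosen for illustration.

```python
import base64
import hashlib
import hmac
import json

def issue_token(key: bytes, workload: str, scope: str, ttl: int, now: float) -> str:
    """Mint a token bound to one machine identity, one scope and an expiry."""
    claims = {"sub": workload, "scope": scope, "exp": now + ttl}
    body = base64.urlsafe_b64encode(json.dumps(claims, sort_keys=True).encode())
    tag = hmac.new(key, body, hashlib.sha256).hexdigest()
    return body.decode() + "." + tag

def verify_token(key: bytes, token: str, required_scope: str, now: float):
    """Return the workload name if the token is authentic, in scope and
    unexpired; otherwise return None."""
    parts = token.split(".")
    if len(parts) != 2:
        return None
    body, tag = parts
    expected = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    # Constant-time comparison, and checked before the claims are parsed.
    if not hmac.compare_digest(expected.encode(), tag.encode()):
        return None
    claims = json.loads(base64.urlsafe_b64decode(body))
    if now >= claims["exp"] or claims["scope"] != required_scope:
        return None
    return claims["sub"]

if __name__ == "__main__":
    key = b"\x01" * 32   # constructed signing key, held by the issuer only
    tok = issue_token(key, "build-job-42", "deploy:staging", ttl=300, now=1000)
    print(verify_token(key, tok, "deploy:staging", now=1100))
    print(verify_token(key, tok, "deploy:staging", now=2000))
```

A token that leaks from a build log is useless after its expiry and never valid outside its scope, which a long-lived application password cannot offer.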
Andy Smith is cybersecurity evangelist at Centrify.