Blog · 15 Nov 2017

How to deal with a Black Friday/Cyber Monday cyber attack

Black Friday and Cyber Monday are hotspots for two things ' shopping and cyber crime. Here's how to make sure your retail business doesn't suffer from an attack.

Head of ethical hacking AMEA

Unfortunately, cyber criminals know how important these days are and will do whatever they can to either disrupt your operations or extort you for a ransom to get yourself back online.

Your concern about the likelihood and consequence of a cyber attack on Black Friday and/or Cyber Monday is directly related to how prepared you are. If you are unprepared for such an attack, you should fear the worst. If you are prepared, the consequences can be mitigated.

If you’re not prepared, you’ll encounter three likely consequences:

Critical services (payment platforms, back-end databases, web servers etc.) could become unavailable. As a consequence, your customers won’t be able to use your services while they’re offline. In that instance, it’s very likely that customers will take their business to another provider.

You could lose the opportunity to collect vitally important analytics data. Retailers use the surge in traffic and sales over Black Friday and Cyber Monday to split test, analyse, and predict future strategies. A cyber attack could stop you from gathering this vital data, and so can have a long-term, detrimental impact on your business strategy.

Both your and your customers’ data could be stolen or ransomed. Ransomware locks you out of your data, creating a denial of service, until you pay a fee to recover. As cyber criminals understand the value to you of staying online over your busy sales period, these ransoms can be extremely high. There is also no guarantee that paying the ransom will retrieve your data, or that collecting a ransom is the criminals’ target. Recent ransomware can has been shown to exfiltrate your data whilst it is encrypted. This means that while you are dealing with the unavailable service, your customer data, intellectual property, payment information and more could be stolen.

All of this happening would be a worst-case scenario. But if you fail to prepare, then you shouldn’t be surprised when any of these scenarios play out.  

Mitigate your risk — even if you can’t escape the inevitable

So, what about if you are prepared? Well, to answer that, I have to start with a caveat: no matter how prepared you are, you’re never 100 per cent secure. Something can, and often will, get through your defence (there are no patches for zero-day vulnerabilities, for example). However, by being prepared, you can vastly reduce the impact of an attack.

The downtime you experience will be minimised, or avoided altogether, because your incident response will kick in. Any high-value targets/assets you identified beforehand and adequately protected will get back online as fast as possible. If it’s your web server that gets hit, but you’ve prepared well, this will come back online fast and minimise disruption to your business.

How to prepare

What does it take to prepare? Again, I suggest you need three things:

1. A robust backup strategy.

You can do everything right in terms of cyber-security preparation, and still experience a major attack. Therefore, you need to make sure your time to recovery (from infection to getting back online) is as short as possible. The only way to guarantee this is with a robust and tested backup strategy. Taking time to understand and backup your key assets will be invaluable in the event of an attack. In addition to having a backup strategy, you should also have a tested disaster recovery plan that explicitly describes how you’ will recover from attacks during busy times.

2. An understanding of your attack surface (how exposed you are to an attack).

Know your IT estate, your legacy estate and how everything’s connected, and prioritise what you really need to run your business.

3. A sensible patch-management process.

Every computer that was attacked by WannaCry and NotPetya would have been immune, had they been updated. Both attacks were preventable. I know that it’s easier to say, ‘patch your stuff’ than it is to actually patch your stuff. I get it. This is not necessarily easy stuff, since your legacy infrastructure, critical technology, and important software is often reliant on an unpatched system. Couple that with years of poorly documented architecture, mergers and acquisitions, and changes in infrastructure leadership and you have a very hard problem to unravel. Patching randomly is no good; you must make sure you know how every device fits into the wider system. Your challenge is recognising that the risks demand thorough asset and patch management early enough to put the resources in place to wrangle control.

Attacks such as WannaCry and NotPetya are all great examples of mistakes that we should learn from. Some cyber crime is targeted, and 0-day attacks (vulnerabilities in systems/applications that have never been seen before) do happen. But the vast majority of attacks are based on well-known vulnerabilities, which are preventable through patching. Getting hit by an attack like this is the result of poor preparation, poor risk management and poor patch management — and therefore avoidable.

To make sure you’re prepared for whatever attacks Black Friday/Cyber Monday throw at you, read our latest cyber-security report, ‘The cyber security journey — from denial to opportunity’.