OPPORTUNITIES, THREATS AND SECURITY

STRATEGIES FOR ONLINE BUSINESS

OPPORTUNITIES, THRE ATS AND SECURIT Y STR ATEGIES FOR ONLINE BUSINESS
Table of Contents

01 Today, Every Business

is an Online Business

02 Attackers Know They

Can Do Damage

03 Impacts of Attack
and Outage

04 Common Types of Attack

Targeting Online Business

05 Four Critical Steps

for Protection

06 About Radware
Online Business Protection

O P P O R T U N I T I E S , T H R E AT S A N D S E C U R I T Y S T R AT E G I E S F O R O N L I N E B U S I N E S S 2
01
Whether you are a Fortune 500 ecommerce
company or a mid-sized organization delivering
B2B services in a Software-as-a-Service model,
one fact is undeniable: you rely on the Internet
and many network-based services to operate.
You are an online business.

Today, Every Business The notion of the ‘online business’ was born in the mid-to-late 1990’s
largely as brick-and-mortar stores took to the new platform of the

is an Online Business World Wide Web. In 1999, the online sales of products sold through
physical stores totaled approximately $20 billion, or nearly two-
thirds of all sales on the Web. Yet, a year prior, eBay became an early
darling of the financial world when its stock climbed 163% in its first
day of trading, largely paving the way for a new wave of ecommerce
companies. Today, ecommerce sales in the U.S. alone are over $335
billion, and are projected to increase to $523 billion by 20201.

Soon, the notion of the online business would expand to those

leveraging the Internet as not just an order taking system, but an actual
delivery platform. Application Service Providers (ASP) would emerge
and largely evolve into today’s Software-as-a-Service. IDC estimates
that by 2018, 27.8% of the worldwide enterprise applications market
will be SaaS-based, generating $50.8B in revenue.

The motivations for creating new businesses online and shifting

existing businesses to online models are clear. According to a
recent study2, companies that support their own online business
channels enjoy nearly 20% higher profits than those that do not. In
addition, online business models offer greater scale and flexibility
to keep pace with shifting demands in products and services.

OPPORTUNITIES, THRE ATS AND SECURIT Y STR ATEGIES FOR ONLINE BUSINESS 3
02
It should come as no surprise that, across the board, there
is an increase in the frequency and complexity of cyber
security threats targeting online businesses. Each year,
Radware compiles its Global Application & Network Security
Report, which chronicles the changes seen by IT and
security professionals to the threat landscape. This report
also highlights that those businesses typically thought

Attackers Know They of in the online business realm (financial services, retail/
ecommerce, online gaming, media/entertainment) remain

Can Do Damage among the most frequently attacked organizations.

The reasons behind the frequency of attacks against these industries

is simple...these targets have a lot at risk and also represent large
attack surfaces.

As evidence of the increased sophistication of attack, consider that

over 50% of attacks Radware mitigates on behalf of customers
include more than five attack vectors. Advanced application attacks
and “smoke screen” attacks that use DDoS attacks to mask other
tactics are becoming commonplace. Attacks leveraging encrypted
traffic as an attack vector are on the rise, further challenging many
of the cyber security solutions currently in place. Bots, crawlers and
spammers crowd web assets, using new techniques to disguise
malicious traffic, and zero day attacks swiftly exploit newly-
discovered vulnerabilities.

The points of potential target, or ‘attack surface’ of online business

also expand and evolve in ways that challenge security teams’ ability
to provide protection. Cloud migration and DevOps are IT trends
that are creating a proliferation of new applications, code changes to
existing applications and hybrid environments hosting applications, all
of which create complexity in managing security controls.

OPPORTUNITIES, THRE ATS AND SECURIT Y STR ATEGIES FOR ONLINE BUSINESS 4
03
Businesses of all sizes across a wide number
of verticals now generate significant sales
online, increasing their risk and exposure
from outages and breach. Unfortunately,
malicious actors understand this and target
online businesses with this in mind. By and
Impacts of Attack large, their efforts are successful in causing
issues. According to the Radware 2015-
and Outage 2016 Global Application & Network Security
Report, 62% of those attacked suffered
downtime or degradation.
According to this same report, organizations now see more tangible
financial impact from cyber-attacks. Over two-thirds (69%) of
organizations say attacks cause revenue, customer, partner, and
productivity loss (up from 45% last year). In our 2014 findings,
respondents cited reputation loss and revenue loss as top business
concerns vis-à-vis cyberattacks. This illustrates a shift in concerns
related to cyber-attacks—that is, worrying less about reputation
loss and more about serving customers and ensuring service level
agreements (SLAs).

Attacks aren’t just about outage or breach. Performance degradation

caused by attacks are a growing problem. According to recent
studies, 40% of customers now will wait 3 seconds or less before
moving on to a competitor site, meaning the impact of performance
loss is extremely tangible for online businesses.

OPPORTUNITIES, THRE ATS AND SECURIT Y STR ATEGIES FOR ONLINE BUSINESS 5
 As cyber threats continue to grow in size, they not only pose
security risks but create unnecessary costs that go into

According to recent processing unwanted data. Processing bad traffic into data
centers or cloud hosting environments can result in significant
studies, 40% of customers cost, especially to online businesses with large scale networks.

will wait 3 seconds or less Conversely, dropping malicious activity at the border can avoid
these unnecessary operational costs and improve overall

before moving on to a operational efficiencies. By building strong security controls at all

levels of the infrastructure, security teams can provide tools for
competitor site. infrastructure and operations teams to process only legitimate
traffic and also ensure that investments are based solely on
business-related traffic.

OPPORTUNITIES, THRE ATS AND SECURIT Y STR ATEGIES FOR ONLINE BUSINESS 6
04
In a recent report, Forrester Research 3
highlights four major threats to online
business, all of which Radware can address
(unplanned downtime, performance issues,
transactional fraud, DDoS attacks).

Common Types  Availability Attacks (including distributed denial of service)

For decades, information security has focused on the ‘security triad’

of Attack Targeting
of confidentiality, integrity and availability. In many cases, investments
in information security have focused much more on the first two
of these principles much more than the third. However, as more
Online Business critical aspects of business operations shift towards online models,
availability becomes an equal tenant to the others. Attackers have
become adept at exploiting remaining deficiencies however, largely
through distributed denial of service (DDoS) attacks. DDoS attacks are
consistently among the most frequently experienced attacks.

 Transaction Fraud
Online transaction fraud costs an estimated $3.5 billion annually4.
Much of this activity is attributed to the theft of consumer credit
card information breached by application attacks that exploit online
business applications. The impacts of transaction fraud also extend
beyond the immediate transactions. Consumers consistently say that
if their sensitive data is breached, they will likely no longer conduct
business with that merchant. A common set of attacks references
with regard to transaction fraud are those tracked by the Open
Web Application Security Project as part of their OWASP Top 10
list. Among those, SQL Injection consistently ranks as a top threat
targeting illegitimate access to applications and backend databases.

OPPORTUNITIES, THRE ATS AND SECURIT Y STR ATEGIES FOR ONLINE BUSINESS 7
 Encrypted Attacks  Dynamic Content and CDN-based Attacks
In the same way, SSL and encryption protect the integrity of As online businesses mature and build global web properties,
legitimate communications, they equally effectively obfuscate they often turn to Content Delivery Network (CDN) providers to
many attributes of traffic used to determine if it malicious versus support site performance. CDNs provide a particularly insidious
legitimate. Identifying attack traffic within encrypted traffic flows cover for bad actors as they cannot be blocked by origin servers
is akin to finding a needle in a haystack...in the dark. Most cyber as accepting transactions and requests from their IPs is the
security solutions struggle to identify potentially malicious traffic basis for use of their content distribution capabilities. Malicious
from encrypted traffic sources and isolate that traffic for further actors have made an art form out of spoofing IP addresses to
analysis (and potential mitigation). not only obfuscate their identity but also to possibly masquerade
as seemingly legitimate users based on geolocation or positive
The other major advantage that SSL attacks offer to attackers reputational information about IP addresses they are able to
is the ability to put significant computing stress on network and compromise. Dynamic content attacks further exploit CDN-based
application infrastructures they target. The process of decrypting protection by overloading origin servers with requests for non-
and re-encrypting SSL traffic increases the requirements of cached content that the CDN nodes simply pass along.
processing the traffic, in many cases beyond the functional
performance of devices used for attack mitigation.

OPPORTUNITIES, THRE ATS AND SECURIT Y STR ATEGIES FOR ONLINE BUSINESS 8
05
A growing array of threats poses serious
risk to data confidentiality, transactional
integrity and platform availability. Below are
four important steps that can help online
businesses focus on the threats most
commonly targeting these industries.
Four Critical Steps
for Protection  Address the Availability Threat
For online businesses, downtime means lost revenue and
productivity, making it critical to protect against availability threats,
such as DDoS. By and large, there is no longer any debate over the
ideal security architecture for providing protection from the wide
array of threat vectors related to denial of service attacks. Leading
analysts agree that the best solution is hybrid attack protection, a
combination of on premise and cloud-based mitigation technology
that delivers immediate mitigation of non-volumetric attacks with
the availability of additional mitigation resources in the event an
attack threatens to saturate the internet pipe of the attack victim.

 Guard Against Advanced Bots

Any business that conducts a high volume of online transactions
can be a target of bots that exhaust application resources,
illegitimately scrape sensitive information from websites and seek
vulnerabilities by abusing application logic. To protect applications
from advanced bots, operators need more advanced technologies
that can track and precisely detect malicious end-user devices
regardless of the source IP address. Device fingerprinting generally
uses dozens of device characteristics in a unique way to identify

OPPORTUNITIES, THRE ATS AND SECURIT Y STR ATEGIES FOR ONLINE BUSINESS 9
and distinguish it from all others. Using this proprietary tracking,  Plan for Migration to the Cloud
a company can generate device reputational profiles that include If your organization hasn’t already started to shift its IT and
historical behavioral information to aid in the detection and application environment to the cloud, chances are it soon
mitigation of threats. will. According to recent studies5, over 88% of enterprises
are leveraging public cloud resources. While the benefits
 Protect Customers from Fraud are obvious, sometimes the security implications are not.
Protecting online business platforms from fraudulent activity has
Adoption of cloud (both public and private clouds) creates
short-term and long-term benefits in terms of transactions and
distributed network and application environments that
customer retention. Since many attacks that lead to transactional
complicate management and orchestration of security policies.
fraud target application logic vulnerabilities, advanced web
Additionally, reliance on a variety of cloud hosting providers
application firewall (WAF) technologies should be a critical part
creates inconsistency of levels of security being provided to
of protection strategies. In looking for a WAF that can address
various applications. By leveraging technologies that deliver
more advanced threats, ensure they provide full protection from
coordinated policy management across hybrid environments
the OWASP Top 10 threats, use positive and negative security
and establish a strong baseline of protection, organizations
models to keep up with quickly evolving attacks, and minimize
can progress down the path of cloud migration without
manual policy tuning through automation.
compromising their security posture.

10 OPPORTUNITIES, THRE ATS AND SECURIT Y STR ATEGIES FOR ONLINE BUSINESS
06
To support online business protection,
Radware offers a hybrid solution that
integrates on premise, real-time attack
detection and mitigation with on-demand
cloud-based protection to block volumetric
attacks. The solution includes all the
About Radware Online different technologies needed, including
DDoS protection, behavioral analysis,
Business Protection IPS, encrypted attack protection and web
application firewall (WAF).
Radware’s Online Business Protection solution ensures the
integrity and availability of your network-based business by
providing protection from today’s advanced cyber-security attacks.
The solution helps business and IT executives reduce the risk of
lost revenue, customer churn, employee and partner productivity
by protecting networks and applications from threats to availability
and data breach.

To learn more about Radware’s solutions for Online Business

Protection, visit www.Radware.com.

1 https://www.internetretailer.com/2016/01/29/online-sales-will-reach-523-billion-2020-us
2 http://ecommerce-news.internetretailer.com/retailing/Average-Profit-Margin
3 https://www.forrester.com/report/Seven+Steps+To+Protect+Your+eCommerce+Website+In+2016/-/E-RES128006
4 http://www.pymnts.com/news/2015/2014-fraud-spike-cost-u-s-retailers-32-billion/
5 http://www.rightscale.com/blog/cloud-industry-insights/cloud-computing-trends-2015-state-cloud-survey

OPPORTUNITIES, THRE ATS AND SECURIT Y STR ATEGIES FOR ONLINE BUSINESS 11