There are many questions and curiosities when it comes to cybersecurity services for online shops and other types of online businesses. What exact services should you look for? How are they provided? What do you get at the completion of the provided services? How should the results help you?
Without pretending to give complete answers to all these questions, we intend to detail in the following lines the vision implemented in our projects and how we contribute to strengthening the cybersecurity of online shops.
Regardless of the particular service chosen, for Hidden Process there is no such thing as a standard security service. This is the reason why all of our projects begin by analysing what is specific about the activity being carried out. This initial step involves:
- understanding the business strategy and its directions (e.g. increasing online sales, international expansion);
- inventorying the assets needing protection (e.g. customer and employee lists, login credentials, customers' bank accounts, intellectual property, trade secrets – how you determine which products to sell at which prices);
- assessing the organizational chart of the company: how many people have access to the sensitive assets, who are they, what kind of access do they have, is the access monitored?
- assessing the external services used by the company: server/cloud services, etc.
All the information gathered in this initial step helps us to understand the characteristics that make the business different from all other businesses and, afterwards, to identify and evaluate the threats, the vulnerabilities and their consequences.
Our activity is based on two types of services that organizations may choose from or that we may combine depending on the particular objectives established together with the organization:
Vulnerability assessment and Penetration testing
The most important difference between these two services is that the vulnerability assessment involves scanning the web application to provide the organisation with a list of publicly known vulnerabilities, while the penetration test focuses on simulating cyber attacks in order to gain access. Therefore, in the case of penetration tests, the vulnerabilities are validated and the risks may be evaluated.
The vulnerability assessment is the ideal method for organisations with a medium to high security level, whose purpose is only to maintain their security level through continuous vulnerability assessments.
The results of any security assessment are compiled in a report. For efficiency purposes, our reports are not just for IT teams, but also for the management. A web application's security is a concern that should be understood first and foremost by the management, so that it is reflected in the organisation's strategies and the risk exposure is controlled and minimised over the medium to long term.
Typically, the security reports provided by Hidden Process comprise several parts, as follows:
- general presentation of the web application’s security;
- presentation of the identified risks from the highest to the lowest and identification of the specific level of acceptable risk;
- technical and non-technical description and related explanations for every vulnerability;
- specific proposals and suggestions for improving the security level and aligning it with the development objectives of the organisation.
Penetration tests include an analysis of the risks to determine whether they are high, medium or low. This analysis is the result of the ratio between the magnitude of the potential consequences and the likelihood that they will occur.
Some criteria that contribute to the estimation of the magnitude and likelihood of occurrence are:
- historical data (such as records of past incidents);
- replacement costs;
- legal impact;
- loss of sales and customers;
- the criticality of the information assets involved;
- negative consequences for goodwill and reputation.
Depending on the level of the risk, a certain treatment shall be proposed: (i) risk reduction – the risk is reduced through combinations of manual and automated procedures that deal with the threat before the vulnerabilities are exploited; (ii) risk avoidance – certain activities that could lead to the incident are eliminated; (iii) risk retention – threats that have an acceptable level of risk may be retained and kept under observation.
Last but not least, after the risk treatment is implemented, a new security assessment is necessary to be sure that all threats were treated accordingly and that no new threats appeared during the treatment process. Thus, a security package which includes an additional assessment after the threats have been remedied is recommended.