Guest Column | November 1, 2022

BOT Masters Are Preparing For The Holidays — Are You? A Holiday Cyber Checklist

By Neetu Singh, Radware


Automated bots are both a best friend and a business hazard for online retailers. This is especially true during peak times such as holiday seasons when bots are used not only by businesses to track the price changes at competitors, but also by criminals to exploit the power of automation with malicious intent.

What matters is that website owners can tell the good bots from the bad. For e-commerce sites and online marketplaces, it is beneficial for businesses to permit search engine bots or price comparison bots, as they help bring in shoppers looking for good deals on desired products and gifts. On the other hand, it is crucial for e-commerce enterprises to detect and block malicious bots that perform harmful activities, which can damage their brand in many ways.

The following security best practices are essential in protecting businesses and customers not only during the upcoming holiday sales season but also year-round:

  1. Promote awareness of cyber security best practices. Many attacks and data breaches are caused by poor security practices. Begin by educating employees about how they can be exploited by phishing attacks and similar social engineering tactics used to undercut security measures and gain unauthorized access to confidential business and customer data. Importantly, users should be given a mechanism for reporting phishing attempts, which gives companies a way of gauging employee awareness.
     
  2. Use a ‘zero trust’ architecture, which promotes a ‘trust nothing, verify everything’ approach to grant and control access to crucial systems used by employees and affiliates. In practice, this means that employees’ privileges should be minimized as much as possible, giving them only the access they require to do their jobs.
     
  3. Educate customers about phishing campaigns that hijack brand names. Customers should also be cautious about providing personal or payment data and should verify that they are on the genuine site rather than a cunning lookalike.
     
  4. Audit all third-party software to ensure it requires authentication, is fully patched, and is secure from known vulnerabilities — even if internal software and systems have already been audited and strengthened.
     
  5. Limit the collection of Personally Identifiable Information (PII). PII is a goldmine for fraudsters who use this information to carry out account takeover attacks or sell it on dark websites and forums. Collecting only the customer data needed for business reasons can prevent harmful, large-scale data breaches and their resulting impact.
     
  6. Proactively comply with PCI Security Standards Council requirements to make sure that customers are adequately protected. PCI DSS provides an annual compliance attestation as part of its security framework.
     
  7. Consider using specialized bot mitigation technology to combat increasingly sophisticated cybercrimes and fraud committed using bots as well as to minimize the impact of malicious bots on e-commerce systems.
     
  8. Leverage dedicated bot management solutions to analyze the intent of every visitor and allow only genuine visitors into websites and apps. This prevents bad bots from carrying out attacks, including application denial of service (DoS), account takeover, spamming, scalping, scraping, cart abandonment, denial of inventory, and ad fraud.

How Should Retailers Assess Bot Management Systems?

A good bot management solution can stop even the most sophisticated bot attacks. Selection of the best solution requires careful evaluation. Make sure the solution:  

  • Distinguishes Good Bots From The Bad

The rise of highly sophisticated, humanlike bots requires advanced techniques in detection and response. An effective bot management solution will allow good bots, such as search engine crawlers and legitimate price comparison bots (which provide crucial visibility for e-commerce firms to increase visitors and sales) while detecting and blocking all malicious ones. Check whether the bot management solution can block all the OWASP-listed automated web application threats.
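One concrete way to tell a genuine search engine crawler from a bot that merely claims to be one is the reverse-DNS plus forward-confirmation check that the major crawler operators publish. The code below is an added example, not code from the article or from Radware; the crawler domain allow-list and the DNS fixtures are assumed sample data, and the resolver callables are injected so the logic runs offline.

```python
import socket
from typing import Callable, Dict, Iterable, List, Optional

# Allow-list (assumed example data): crawler name -> DNS suffixes its operator
# publishes for its crawler hosts; extend from each vendor's documentation.
KNOWN_CRAWLERS: Dict[str, tuple] = {
    "Googlebot": ("googlebot.com", "google.com"),
    "bingbot": ("search.msn.com",),
}

def claimed_crawler(user_agent: str) -> Optional[str]:
    """Return the allow-listed crawler this User-Agent claims to be, if any."""
    ua = user_agent.lower()
    return next((n for n in KNOWN_CRAWLERS if n.lower() in ua), None)

def classify_visitor(ip: str, user_agent: str,
                     reverse: Callable[[str], str] = lambda a: socket.gethostbyaddr(a)[0],
                     forward: Callable[[str], Iterable[str]] = lambda h: socket.gethostbyname_ex(h)[2]) -> str:
    """'human/unknown' (no crawler claim), 'verified-bot', or 'impostor'.
    A claim is verified only if the PTR name of the source IP ends in one of the
    crawler's domains AND that name resolves forward to the same IP; the forward
    step stops anyone who controls their own PTR records from spoofing."""
    name = claimed_crawler(user_agent)
    if name is None:
        return "human/unknown"
    try:
        host = reverse(ip).rstrip(".").lower()
        if not any(host == d or host.endswith("." + d) for d in KNOWN_CRAWLERS[name]):
            return "impostor"
        if ip not in set(forward(host)):
            return "impostor"
    except OSError:                    # no PTR record or lookup failure
        return "impostor"
    return "verified-bot"

# Constructed DNS fixtures so the check can be exercised offline.
_PTR = {"203.0.113.5": "crawl-203-0-113-5.googlebot.com",
        "198.51.100.9": "vps-9.example.net",         # claims Googlebot, wrong domain
        "203.0.113.7": "crawl-fake.googlebot.com"}   # forged PTR, forward mismatch
_FWD = {"crawl-203-0-113-5.googlebot.com": ["203.0.113.5"],
        "vps-9.example.net": ["198.51.100.9"],
        "crawl-fake.googlebot.com": ["203.0.113.99"]}

def fake_reverse(ip: str) -> str:
    if ip not in _PTR:
        raise OSError("no PTR")
    return _PTR[ip]

def fake_forward(host: str) -> List[str]:
    return _FWD.get(host, [])
```

In production, pass no resolver arguments so the real `socket` lookups are used, and cache results per IP to keep DNS traffic off the request path.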

  • Quickly Adapts To New Threats

Bots are constantly evolving and so should a bot management solution. Check if the bot solution has self-optimizing capabilities to adapt and defend against evolving threats. Also, look for detection capabilities that are informed by the vendor’s global bot intelligence database so that attacks on any user immediately train the system to extend protection for every user.

  • Detects Multigenerational Bots

The ability to detect and mitigate all types of bots is crucial. Check if the bot management solution can detect and block bad bots, ranging from basic first-generation script bots to sophisticated humanlike fourth-generation bots.

  • Offers Sophisticated Automated Response

A bot management solution must have the ability to offer multiple response mechanisms to various types of bot traffic to suit specific business needs. Some solutions, for example, can even feed fake pricing data to price scraping bots deployed by competitors to prevent the systematic gathering of pricing strategies used by e-commerce firms.

  • Provides Deployment Flexibility And WAF Integration

Can the solution integrate with a business’s existing digital infrastructure and deploy seamlessly, without changes to that infrastructure or to the application security stack? Look for a bot management vendor that also provides a cloud-based WAF solution, which can be effectively integrated and managed from a unified dashboard. Such a solution provides superior visibility, reporting, and the ability to quickly respond to attacks while eliminating security silos and reducing operational costs.

  • Minimizes False Positives

Accurately detecting and blocking sophisticated bad bots with human-like behavior while allowing genuine visitors through is crucial in a bot management system. Look for a solution that ensures minimal false positives (humans being mistaken for bots) for an optimal user experience while maintaining a stringent security posture against malicious traffic.

  • Includes An Intuitive Dashboard And SIEM Integration

A dashboard with granular real-time reporting capabilities that provides optimal visibility is essential to a bot management solution. Check whether the solution offers easy-to-understand reports and whether it can be integrated with SIEM and analytics tools for comprehensive insight and effective control.

  • Ensures Ease Of Doing Business

Top bot management solutions ensure a smooth and frustration-free user experience. Repeated CAPTCHA pages or block pages not only hinder the buying process but also frustrate customers and cause them to shop elsewhere. The newest friction-free bot mitigation techniques such as blockchain-based challenges and responses make for a superior customer experience. Completely seamless to legitimate users, they impose exponentially increasing computing challenges on botmasters’ machines to deter them from attacking and force them to move on to less-protected targets.
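The friction-free challenge described above works like a proof-of-work puzzle: a legitimate browser solves a small hash puzzle invisibly, while a client that keeps coming back is handed puzzles whose cost doubles each time. The code below is an added illustration of that idea, not code from the article or from Radware; the SHA-256 puzzle, the one-bit-per-challenge escalation and the decay rule are assumptions chosen for the example, and the scenario data is constructed.

```python
import hashlib, secrets, time
from typing import Callable, Dict, Tuple
def leading_zero_bits(nonce: str, solution: int) -> int:
    """Leading zero bits of SHA-256(nonce ':' solution)."""
    digest = hashlib.sha256(f"{nonce}:{solution}".encode()).digest()
    return 256 - int.from_bytes(digest, "big").bit_length()
def solve(nonce: str, bits: int) -> int:
    """The legitimate client's script: expected work is about 2**bits hashes."""
    solution = 0
    while leading_zero_bits(nonce, solution) < bits:
        solution += 1
    return solution
class PowChallenger:
    """Server side: difficulty rises one bit per challenge issued to a client
    (work doubles each time) and decays one bit per `cooldown` seconds of quiet."""
    def __init__(self, base_bits=4, max_bits=20, cooldown=10.0, ttl=60.0,
                 clock: Callable[[], float] = time.monotonic):
        self.base_bits, self.max_bits = base_bits, max_bits
        self.cooldown, self.ttl, self.clock = cooldown, ttl, clock
        self._level: Dict[str, Tuple[int, float]] = {}        # client -> (bits, last issue)
        self._issued: Dict[str, Tuple[str, int, float]] = {}  # nonce -> (client, bits, expiry)

    def issue(self, client_id: str) -> Tuple[str, int]:
        now = self.clock()
        bits, last = self._level.get(client_id, (self.base_bits, now))
        bits = max(self.base_bits, bits - int((now - last) // self.cooldown))
        nonce = secrets.token_hex(16)
        self._issued[nonce] = (client_id, bits, now + self.ttl)
        self._level[client_id] = (min(bits + 1, self.max_bits), now)
        return nonce, bits

    def verify(self, client_id: str, nonce: str, solution: int) -> bool:
        owner, bits, expiry = self._issued.pop(nonce, (None, 0, 0.0))  # single use
        if owner != client_id or self.clock() > expiry:
            return False
        return leading_zero_bits(nonce, solution) >= bits

def demo_run() -> dict:
    """Constructed scenario driven by a fake clock; returns what was observed."""
    now = [0.0]
    srv = PowChallenger(base_bits=4, max_bits=12, cooldown=10.0, clock=lambda: now[0])
    out = {"escalation": [srv.issue("scraper")[1] for _ in range(3)]}  # 4, 5, 6
    nonce, bits = srv.issue("shopper")
    answer = solve(nonce, bits)
    out["valid"] = srv.verify("shopper", nonce, answer)                 # True
    out["replay"] = srv.verify("shopper", nonce, answer)                # False
    nonce, bits = srv.issue("shopper")
    out["wrong_client"] = srv.verify("other", nonce, solve(nonce, bits))  # False
    now[0] = 30.0                                    # 30 s of quiet: three bits decay
    out["decayed"] = srv.issue("shopper")[1]         # back to base difficulty 4
    return out
```

The escalation is linear in bits but exponential in hashes, which is what makes rapid-fire automation expensive while a shopper who loads a page every few minutes never leaves the base difficulty.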

  • Addresses Data Protection And Regulatory Compliance

Data is among the most valuable assets for any organization. Check if the bot management solution is compliant with regulations, such as the GDPR and CCPA, which impact the handling of data at rest and data in transit.

How Vulnerable Is Your Business?

In addition to the recommendations listed above, online retailers would be well advised to analyze their vulnerability to bot attacks and estimate how much bad bots are costing their business.

About The Author

Neetu Singh is a cybersecurity solution lead with Radware. In her role, she specializes in application security and threat intelligence, working closely with Radware's product and threat research teams. Neetu has diverse domain expertise across many industry sectors, including banking, financial services, insurance (BFSI), and travel. Here she has led marketing initiatives, partnerships, collaborations, and campaigns for enterprise and SMB markets. She frequently writes about cloud trends, industry 4.0, and SMAC (social, mobile, analytics, and cloud) among other topics. Neetu holds an MBA in marketing from NMIMS University in Mumbai.