The Cybercriminal fraternity doesn’t care about your change freeze

Halloween is over, the clocks have gone back so it must be time to dust off the baubles and lock down your network ready for biggest online sales event of the year, otherwise known as Black Friday. It is easy to understand why applying a “change freeze” to the E-Commerce infrastructure, over one of the busiest periods in the retail year, seems like a solid and sensible approach. Why would you want to allow for possible interruption of sales during such a commercially critical time? The answer is the Cybercriminal. To the hacker community, change freezes are an open invitation to attempt to do their worst.

Stopping any changes to your network means accepting any unknown critical vulnerabilities that may be present and will remain unfixed for the two to three months of shopping madness.

Many organisations decide that in addition to the change freeze, it is a good idea to relax some of security controls in an attempt to speed up access for the hundreds of customers straining the bandwidth and waiting for pages to respond so that they can complete their transactions.

While it is probably too much of a business risk to expect online businesses to ditch their change freeze policy completely, it could be amended to include some simple cybersecurity steps to try and mitigate any critical vulnerabilities that could be present.

Before implementing the freeze it would be a sensible move to complete a vulnerability scan and also ideally, a full penetration test before the freeze date. Then time can be allotted to fix anything highlighted as critical before the hackers decide to help themselves to an early Christmas present.