Network managers should make a list and check it twice

With Black Friday just around the corner, here are some tips to make sure your site remains up and running.

it checklist 1
Credit: Thinkstock
Make sure it is a holly jolly time of the year

As IT Ops teams prepare for the holiday season, which in retail is the busiest time of the year for web traffic, the team at BigPanda, along with other vendors, have prepared a checklist of the key factors IT Ops teams need to consider to ensure their IT infrastructure is ready.

Retailers such as the Gap do more than 30% of their yearly sales within the short time frame of holiday shopping. Online and mobile sales are continuing to increase year over year. According to the National Retail Federation, 84% of retailers expect to see online site conversion rates increase, followed by average daily site traffic at 71%.

Utilize an IT monitoring platform
Credit: Thinkstock
Utilize an IT monitoring platform

This will reduce risk and find structure in unstructured patterns of noisy data. The big thing that happens during the holiday season is the number of customers goes up dramatically. Being prepared for what will be a massive fluctuation and load on systems is really key.

Change auto scale algorithms for the cloud infrastructure
Credit: Thinkstock
Change auto scale algorithms for the cloud infrastructure

IT Ops teams may go from what might be nominal state throughout the year to extremely noisy. These spikes can cause what is known as alert storms. The IT Ops teams that get overwhelmed by the amount of data coming out of the systems at this time can get relief by using an IT correlation platform that makes sense of that data and sorts it so that teams can take action.

Change auto monitoring thresholds
Credit: Thinkstock
Change auto monitoring thresholds

Evaluate monitoring tools and integrations to correlate what is happening across those monitoring tools and consolidate them into groups, making it easier for the IT teams that have to look at the data.

Review monitoring metrics
Credit: Thinkstock
Review monitoring metrics

There may be some human processes to alter. Work with developers to test applications for stability. They may need additional support to accommodate peak season.

Security testing
Credit: Thinkstock
Security testing

Ensure necessary changes are made because the potential for unanticipated load or exposure to hackers is a real threat. Use a unified search capability that allows for retrospective and future planning.

“They need to rigorously test their business continuity across applications ahead of the big days, as well as the underlying technology that supports IT resilience. You don't want the first time you have to try and recover in minutes for real to be in the heat of the shopping day!  Seconds count in online sales," said Rob Strechay, vice president of Product, Zerto.

Ways to prevent outages
Credit: Thinkstock
Ways to prevent outages

Know what your critical services are and how to keep them up with a bulletproof plan around them. For instance, if Amazon checkout goes down – you need a disaster-recovery plan for this. But if the recommendation engine has problems, this could be bad but it is not at the same level of critical service.

DR plan in place
Credit: Thinkstock
Have a disaster-recovery plan ready

A good disaster-recovery plan should categorize applications according to their business criticality, have clearly defined recovery point objectives (RPO) for each, and should be tested multiple times before and during the buying season. This level of planning can help companies avoid lost revenue and customer experience problems associated with extended outages, says Chuck Dubuque, vice president of product and solution marketing at Tintri.

Revalidate your DDoS mitigation strategies
Credit: Thinkstock
Revalidate your DDoS mitigation strategies

Review and revalidate your approach to mitigation Distributed Denial of Services (DDoS) attacks, says the Denim Group. Unfortunately, DDoS attacks have become increasingly simple to set up and have become even more difficult to defend against. The October DDoS attack against Dyn, a managed DNS provider, sent 10x to 20x the amount of traffic to Dyn servers, denying them the ability to provide DNS service to some of the top companies on the Internet. We suggest you revalidate your DDoS mitigation infrastructure, review plans for response should you encounter a DDoS attack, and update your plans based upon the more sophisticated recent DDoS attacks that have occurred.

Confirm your phishing resiliency
Credit: Thinkstock
Confirm your phishing resiliency

The holiday season will likely see new and as-yet-unimagined phishing attacks against both your co-workers and your customers. Phishing remains a preferred attack vector by fraudsters and will remain so for the holiday season. Although there will always be some subset of people who will click on links on phishing emails, reaffirming your internal and external resiliency with some last-minute training and awareness might be able to prevent some damage of sophisticated spearfishing attacks.

Scan against your Web attack surface
Credit: Thinkstock
Scan against your web attack surface

In a perfect world, you would be able to run an automated vulnerability scan before the latest round of functionality hit the web, prior to the holiday freeze. We suggest you run an automated application vulnerability scanner against your Internet-facing applications one more time to see if any last-second functionality might have introduced a nasty SQL injection or XSS flaw that is straightforward for attackers to identify and exploit. Although you will likely be in a holiday freeze, scary application vulnerabilities are worth addressing as they provide an increasingly preferred path of approach for fraudsters.

Change passwords or add two-factor authentication
Credit: Thinkstock
Change passwords or add two-factor authentication

You may want to change passwords to certain internal accounts that have the most sensitive function as you go into the next two months. Off-premises accounts, such as the company’s Twitter or Facebook account, are candidates for passwords, too. Consider implementing two-factor authentication for these accounts and monitor logins more closely for social media sites to make it harder for attackers to successfully takeover accounts with simple username/password combinations.

Review incident plans and conduct key player briefing
Credit: Thinkstock
Review incident plans and conduct key player briefing

In case everything else fails, you should always have a well thought out incident response (IR) plan ready to carry you through a near-death breach experience. Dust off your IR plan, conduct a “key player IR” briefing to remind these folks of their roles. Also, Todd Renaud, CIO at Conn’s, suggests “you reach out to key vendors to remind them this is your busiest season” and they should be available and answer their phones should an incident occur. It won’t hurt to have IR plans fresh in everyone’s memory during this crazy season.