Benjamin Hosack

3 Simple Steps to Secure your eCommerce Website

Updated: Jul 1

Like physical security for a successful retailer, website security is a critical part of any successful eCommerce business. However, a great number of websites do not yet do the basics well enough to deter criminals, and so they become victims of cybercrime: an expensive, massively disruptive and painful experience for the victim business.


Don't be a victim. Get proactive and keep it simple.


These 3 simple steps will drastically improve any eCommerce website's security:


  1. Multi-factor Authentication for Admin Accounts.

  2. Proactively Monitor for Threats.

  3. Web Application Firewall.





Let's dig into the top 3 simple steps to understand a bit more:


1. Multi-Factor Authentication for ALL Admin Accounts.

According to our forensic investigation partner, Foregenix, Multi-factor Authentication is one of the simple security controls a website can put in place to significantly improve its security posture. It's not a silver bullet, but it goes a LONG way towards securing a website by making it much harder for criminals to gain admin access.


As a sub-point to this, there should be ZERO shared accounts. And as a second sub-point - remove any inactive Admin Accounts.


2. Proactively Monitor for Threats.

While this can be sorted out simply, it's important to know what to look for. These are the kinds of security data points that an eCommerce site should be proactively monitoring:


  • Malware - is the site showing any external signs of malware infection? Knowing which malware scanner to use is a challenge - we recommend ThreatView as the most comprehensive malware scanner available. Their speciality is eCommerce and they stay ahead of the market by the sheer number of investigations the Foregenix team does - often on sites that have been infected with new malware, which then get "fingerprinted" and added to ThreatView to detect at scale around the world. Nobody else in the industry is close to being as proactive as ThreatView in this regard.

And it is available free - sign up for a free account here:


  • Application Security Issues, like:

    • Patching Status - quickly identify if your website is missing any critical security patches - and then understand the implications of the missing patch. ThreatView's free account will tell you what your website's patching status is.

    • Exposed Admin Login Pages - it is still a fairly common issue that admin login pages are left in a default location, which makes it really easy to find and to launch a brute force attack.

    • Known exploits against your website platform and what to do about them.

    • Information leaks and HTTP Header Security issues.

  • Site Reputation Status - always important to see how your site is viewed by the major search engines. Warning signs can help you proactively prevent your site from getting blacklisted and destroying all that SEO magic you've taken years to curate.

  • Monitoring 3rd Party Scripts running on your site. Digital Skimming Malware is the most prevalent malware targeting eCommerce sites and has been causing a major problem for the last few years. As a result, the PCI Security Standards Council has introduced PCI DSS requirement 6.4.3 for eCommerce sites to monitor their sites for 3rd party scripts - to identify when a digital skimmer is loaded onto a checkout process to steal payment data. ThreatView does this well and may also integrate with your PCI DSS Self Assessment Questionnaire provider to help you to automatically remain compliant with this fairly challenging requirement.

  • File Change Monitoring - another PCI DSS Requirement is to ensure all admin changes are logged, particularly important for the checkout process.
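
The third-party script monitoring described in the list above comes down to keeping an inventory of every script on the checkout page and flagging anything outside it. The sketch below is an added example, not code from this article or from any product it names; the hosts, paths, approved inventory and the Subresource Integrity check are constructed assumptions.

```python
import hashlib
from html.parser import HTMLParser
from urllib.parse import urlparse

class ScriptCollector(HTMLParser):  # gathers external srcs and inline bodies
    def __init__(self):
        super().__init__()
        self.external, self.inline, self._open = [], [], False
    def handle_starttag(self, tag, attrs):
        if tag == "script":
            a = dict(attrs)
            if a.get("src"):
                self.external.append((a["src"], a.get("integrity")))
            else:  # inline script: start accumulating its body
                self._open = True
                self.inline.append("")
    def handle_data(self, data):
        if self._open:
            self.inline[-1] += data
    def handle_endtag(self, tag):
        if tag == "script":
            self._open = False

def audit_scripts(html, approved_urls, approved_inline_sha256):
    """Return (kind, detail) findings for scripts outside the approved inventory."""
    c = ScriptCollector()
    c.feed(html)
    findings = []
    for src, integrity in c.external:
        if src not in approved_urls:
            findings.append(("UNAPPROVED_EXTERNAL", src))
        elif urlparse(src).netloc and not integrity:
            findings.append(("NO_SRI_ON_THIRD_PARTY", src))  # approved but unpinned
    for body in c.inline:
        digest = hashlib.sha256(body.strip().encode()).hexdigest()
        if digest not in approved_inline_sha256:
            findings.append(("UNAPPROVED_INLINE", digest[:16]))
    return findings

# Constructed sample checkout page and inventory (hypothetical hosts and paths).
SAMPLE = """<script src="/static/checkout.js"></script>
<script src="https://pay.example.com/sdk.js" integrity="sha384-PLACEHOLDER"></script>
<script src="https://cdn.example.net/analytics.js"></script>
<script src="https://stats.example.org/t.js"></script>
<script>initCheckout();</script>
<script>loadWidget("promo");</script>"""
APPROVED = {"/static/checkout.js", "https://pay.example.com/sdk.js",
            "https://cdn.example.net/analytics.js"}
APPROVED_INLINE = {hashlib.sha256(b"initCheckout();").hexdigest()}
print(audit_scripts(SAMPLE, APPROVED, APPROVED_INLINE))
```

Run on a schedule against the rendered checkout page, any non-empty result is the signal to investigate before the change reaches customers.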


3. Web Application Firewall

Many eCommerce website owners and developers are familiar with web application firewalls like:

- Cloudflare

- Imperva

- FGX-Web

- Amazon

- Fastly

- And many others...


While WAFs are great at stopping the "normal" internet attacks (DDoS etc), they can (in some cases) also provide a very useful "virtual patching" service. We all know that sometimes it is a major (and expensive and sometimes slow) deal to get a new patch deployed to a website. Some of the more advanced WAFs can provide a "virtual patch" to keep your website secure while you figure out your patching/upgrade plan. The good news is that this doesn't necessarily cost too much to implement - and can often come with other benefits, such as CDN capability etc.


Recommendations:

The top 3 steps outlined above can be addressed quickly and simply using technology.


  1. Multi-Factor Authentication - there are a few really good - and free - technologies available. We'd recommend using something like Google Authenticator or Authy. Instructions on how to implement Multi-Factor Authentication (also known as 2FA) can be found with a few simple searches. Please implement this ASAP.

  2. Monitoring for Threats. Developed to help small to medium sized businesses stay safe, ThreatView Advanced (launch price of $59/month) packs in market-leading threat detection, intrusion detection, as well as PCI DSS Compliance support for a few very challenging aspects of PCI DSS for eCommerce merchants. We keep our Threat Detection capabilities ahead of the market by the sheer number of forensic investigations that we and our partners, Foregenix, do - often on sites that have been infected with new malware, which then get "fingerprinted" and added to ThreatView to detect at scale around the world. No other solution in the industry is close to being as proactive as ThreatView in this regard. ThreatView is available as a free service (YES) here - this provides a regular "external" monitoring service to a website - using the latest threat detection capabilities. Or - you can sign up to the comprehensive Advanced solution - which provides the PCI DSS Compliance support, Intrusion threat detection, file change monitoring and much more.

  3. Web Application Firewall - our recommendation is to use Cloudflare or Fastly. But make sure that you are using, at a minimum, these plans to get the appropriate levels of protection:

    • Cloudflare Business Plan: https://www.cloudflare.com/plans/business/

    • Fastly - Starter security tier: https://www.fastly.com/pricing

    Our FGX-Web technology can also offer a tailored WAF and CDN service, which does provide a more specialised and personalised level of protection and support as opposed to Cloudflare and Fastly. On the other hand, the Cloudflare and Fastly infrastructure supports globally distributed businesses better.

Our base recommendation is for you to know what you are dealing with regarding security - get yourself a free ThreatView account as a minimum to understand where your weaknesses are in relation to the latest threats in the industry.
