Tuesday, March 24, 2020

8 simple ways your ecommerce store can avoid the cybersecurity fate of Nutribullet

Another day, another hack!

Nutribullet, the blender and easy blended smoothie company, was hacked and their ecommerce online shopping store was injected with malicious code not once, not twice, but three times in 30 days! The malicious code helped hackers literally swipe away the credit card numbers of Nutribullet customers.

Application security is seldom considered during the ideation phase unless the development team has previously been hacked and survived to tell the tale. But it's also true that it's never too late to secure your ecommerce store.

In fact, smart and fast-growing ecommerce stores who outperform their peers usually share this common trait: they consistently grow sales and build their brand by turning their security standards into a key differentiator and selling point.

E-commerce sales hitting trillions of dollars back in 2019 makes it a very lucrative market for malicious hacking groups like Magecart, whose main purpose is to steal credit card information.

They also prey on ecommerce store owners who are complacent about their security posture. This makes it a lot easier for even moderately skilled hackers to successfully breach poorly secured ecommerce stores.

Why should ecommerce & online shopping stores worry about application security?

Simply put, it helps to avoid massive costs to your business when you do get hacked AND it helps your customers trust you more. We both know what increased customer trust means for our businesses, right?

When they trust you more, they will buy more from you.

To put that in perspective, here are some staggering numbers for you from IBM.
  • The average total cost of a data breach is $3.9 million globally & $8.2 million in the United States.
  • Time to identify and contain a breach is 279 days!
  • Cost per lost record is $150.
If hacked, a single data breach event could potentially put your business under and can result in many ghastly outcomes for you:
  • Your business will have a hard time bouncing back up
  • Customers leave because of breach of trust
  • Loss of revenue
  • Brand reputation takes a hit
  • Spending more on AppSec and marketing 
  • PR and legal costs go up
Your probability of being severely disrupted when you're hacked goes down significantly if you follow these tips. You will be able to conduct many of these activities within your current team. For some you will need an AppSec and penetration testing partner like Audacix.

The primary reason you should consider an external AppSec partner is that your development team needs to focus on your ecommerce product. Your developers will save a lot of time (and therefore save you money) if they're helped with targeted recommendations that help them fix your security vulnerabilities as they are found.

So how can your ecommerce or online shopping store avoid being hacked?

Tip 1: Conduct a thorough cybersecurity risk assessment

Has your business done this in the last 2 years? A cybersecurity risk assessment is a good way to know your current position and where you want to be in terms of security. It's like trying to get a fit body: it's important to measure your body stats before starting out and to determine what your end goal is.

A cybersecurity risk assessment is about understanding, managing, controlling and mitigating cybersecurity across your organization. It is a crucial part of any organisation's risk management strategy and data protection efforts.

You can take advantage of our amazingly priced ecommerce application security assessment service to get a baseline of the current cybersecurity resilience of your Magento, Shopify Plus, Woocommerce, Wordpress ecommerce store.

Tip 2: Create a cyber incident response plan & practice it

An idiot with a plan can beat a genius without a plan.
Warren Buffett
Think of your cyber incident response team like a team of firemen. They know how to put out a fire when there is one, and they know how to help you build the safeguards that help you minimise the chances of a fire happening altogether.

What is your plan if you get hit by a virus or malware? What will you do if it's a DDoS attack disrupting your operations by overloading your web server?

You should be armed with the right tools and processes to deal with these scenarios quickly. You should practice it periodically within your organisation like a fire drill to stay updated and not panic when under a cyber attack.

Tip 3: Educate your software team about how and where you're likely to be attacked

Developers build beautiful, fast, functional apps, but they're generally not aware of an app's shortcomings from a security point of view. Educating your team of developers to fortify the areas where you're most likely to get attacked is a logical solution.

One way to improve your ecommerce store security is to train your software developers. This training will help your devs build at least foundational knowledge of how to build secure applications and make them more security-self-sufficient in the process.

But then how do you know if they are actually following the secure coding concepts that they were trained on? Unless you are an application security expert yourself, it would be quite difficult (or expensive) for you to work out if the training you paid for was ACTUALLY successful in improving the security of your ecommerce store.

One way to overcome this conundrum is to invest in a vulnerability scanning tool that is built to help software developers. This gives your developers on-the-job security training, which they can apply directly to your online shopping store.

Tip 4: Lock down your HTTP security headers to make it hard for hackers

The easiest and quickest way to check how many of the seven key HTTP security headers your web application uses adequately is the CyberChief.ai HTTP header analysis service. Simply enter your web app's login page and in less than 2 seconds you will have a complete analysis of the HTTP headers that are already configured properly, and those that need more work.

The best part is that Cyber Chief's recommendations spell out in detail where your developers can configure these HTTP headers in your application. It will also explain what directives and keywords should be used to maximise the security that each HTTP header can offer.
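To show what such a header analysis actually checks, here is an added example (not CyberChief's or Audacix's code). The post does not list its seven headers, so the set below is an assumption: the headers most header scanners report on. The two sample responses are constructed, not captured from any real store.

```python
"""Audit the HTTP security headers of a web response.

Added example, not CyberChief's or Audacix's code. The seven headers checked
here are an assumption about which seven the post counts.
"""
from __future__ import annotations

import re
import urllib.request

ONE_YEAR = 31536000  # seconds; the usual minimum for an HSTS max-age
SAFE_REFERRER = {"no-referrer", "same-origin", "strict-origin",
                 "strict-origin-when-cross-origin"}


def _check_hsts(value: str) -> str:
    m = re.search(r"max-age=(\d+)", value)
    if not m or int(m.group(1)) < ONE_YEAR:
        return "weak: max-age below one year"
    if "includesubdomains" not in value.lower():
        return "weak: missing includeSubDomains"
    return "ok"


def _check_csp(value: str) -> str:
    v = value.lower()
    if "'unsafe-inline'" in v or "'unsafe-eval'" in v:
        return "weak: allows inline or eval'd script"
    if "default-src" not in v and "script-src" not in v:
        return "weak: no default-src or script-src directive"
    return "ok"


def _check_xfo(value: str) -> str:
    return "ok" if value.upper() in {"DENY", "SAMEORIGIN"} else "weak: expected DENY or SAMEORIGIN"


def _check_xcto(value: str) -> str:
    return "ok" if value.lower() == "nosniff" else "weak: expected nosniff"


def _check_referrer(value: str) -> str:
    return "ok" if value.lower() in SAFE_REFERRER else "weak: may leak full URLs cross-origin"


def _check_permissions(value: str) -> str:
    return "ok"  # presence is the check; the feature list is site-specific


def _check_cache(value: str) -> str:
    return "ok" if "no-store" in value.lower() else "weak: authenticated pages should use no-store"


CHECKS = {
    "strict-transport-security": _check_hsts,
    "content-security-policy": _check_csp,
    "x-frame-options": _check_xfo,
    "x-content-type-options": _check_xcto,
    "referrer-policy": _check_referrer,
    "permissions-policy": _check_permissions,
    "cache-control": _check_cache,
}


def audit_headers(headers: dict) -> dict:
    """Return {header-name: 'ok' | 'missing' | 'weak: ...'} for the seven headers."""
    lower = {k.lower(): v for k, v in headers.items()}
    return {name: (check(lower[name]) if name in lower else "missing")
            for name, check in CHECKS.items()}


def score(headers: dict) -> int:
    """Number of the seven headers that are configured adequately."""
    return sum(1 for v in audit_headers(headers).values() if v == "ok")


# Constructed sample responses for a login page (not captured from any real site).
WEAK_LOGIN_PAGE = {
    "Content-Type": "text/html",
    "Strict-Transport-Security": "max-age=300",
    "X-Frame-Options": "ALLOWALL",
}

HARDENED_LOGIN_PAGE = {
    "Content-Type": "text/html",
    "Strict-Transport-Security": "max-age=63072000; includeSubDomains; preload",
    "Content-Security-Policy": "default-src 'self'; script-src 'self' https://js.payments.example; frame-ancestors 'none'",
    "X-Frame-Options": "DENY",
    "X-Content-Type-Options": "nosniff",
    "Referrer-Policy": "strict-origin-when-cross-origin",
    "Permissions-Policy": "camera=(), microphone=(), geolocation=()",
    "Cache-Control": "no-store",
}


def fetch_headers(url: str) -> dict:
    """Fetch live response headers with a HEAD request (needs network; not used by tests)."""
    req = urllib.request.Request(url, method="HEAD")
    with urllib.request.urlopen(req, timeout=10) as resp:
        return dict(resp.headers.items())


if __name__ == "__main__":
    for label, hdrs in (("weak", WEAK_LOGIN_PAGE), ("hardened", HARDENED_LOGIN_PAGE)):
        print(f"{label}: {score(hdrs)}/7")
        for name, result in audit_headers(hdrs).items():
            print(f"  {name:28} {result}")
```

Run it against `fetch_headers("https://your-store.example/login")` to audit a live page; the weak sample scores 0/7 because a short HSTS max-age and an `ALLOWALL` frame option are counted as misconfigured, not merely as present.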

There are usually zero compelling reasons to pay hundreds or even thousands of dollars for fancy SSL certificates from brand-name SSL certificate vendors. A free SSL certificate from services like Let's Encrypt or Cloudflare will be more than adequate for most cloud applications.

Tip 5: Strengthen your password policy & implement two-factor-authentication (2FA)

Are you using a password based on your favourite quote, philosopher, celebrity or your kid's birthdate?
You can check the strength of your password online. These services estimate how long it would take a hacker to crack it.

Remember, DO NOT enter your real password into these services. Also, there are a number of password lists publicly available like this; if the admin passwords to your ecommerce store are on that list, change them now.

Your business is only as safe as your passwords, so you need to implement a robust password policy: passwords must contain a combination of numbers, special characters and letters, and must be longer than 8 characters.

2FA gives you a second line of defence in the event that your team and/or customers click phishing emails and are tricked into giving up their login credentials. In short, 2FA makes your business more robust and secure by minimising the extent of a breach when a hacker does get past your defences.

2FA apps like Google Authenticator can be installed on your mobile phone. They generate a unique code that changes every minute, making life difficult for a hacker.
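An added example covering both points above, the password policy and the authenticator-app codes (not Audacix's code): the policy check applies the thresholds the post gives and also rejects passwords found on a breached list, and the TOTP routine implements RFC 6238, which is what Google Authenticator generates (the RFC default, assumed here, is a 6-digit code per 30-second step). The breached list is a small constructed stand-in for a public list; the key `12345678901234567890` is the RFC 6238 test key.

```python
"""Password-policy check with a breached-list lookup, plus RFC 6238 TOTP verification.

Added example for this post, not Audacix's code. Policy thresholds follow the
post; BREACHED is a constructed stand-in for a public breached-password list.
"""
import hashlib
import hmac
import struct
import time

# Constructed stand-in for a public breached-password list. Real lists are
# consulted via hashes (for example a k-anonymity API), never by sending plaintext.
BREACHED = {"password", "123456", "qwerty", "welcome1", "Passw0rd!", "letmein"}

SPECIAL = set("!@#$%^&*()-_=+[]{};:'\",.<>/?\\|`~")


def check_password(pw: str, breached=BREACHED) -> list:
    """Return the list of policy failures; an empty list means the password passes."""
    problems = []
    if len(pw) <= 8:
        problems.append("must be longer than 8 characters")
    if not any(c.isalpha() for c in pw):
        problems.append("needs a letter")
    if not any(c.isdigit() for c in pw):
        problems.append("needs a number")
    if not any(c in SPECIAL for c in pw):
        problems.append("needs a special character")
    if pw in breached or pw.lower() in breached:
        problems.append("appears in a breached-password list")
    return problems


def totp(secret: bytes, at: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HMAC-SHA1 over the time counter, then dynamic truncation (RFC 4226)."""
    counter = struct.pack(">Q", at // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def verify_totp(secret: bytes, submitted: str, at: int = None, window: int = 1) -> bool:
    """Accept the current code or one step either side (clock skew); compare in constant time."""
    at = int(time.time()) if at is None else at
    return any(hmac.compare_digest(totp(secret, at + k * 30), submitted)
               for k in range(-window, window + 1))


if __name__ == "__main__":
    for pw in ("summer", "Passw0rd!", "Blender-Smoothie-2020!"):
        print(f"{pw!r}: {check_password(pw) or 'passes policy'}")
    key = b"12345678901234567890"  # RFC 6238 test key, not a real secret
    print("code at t=59:", totp(key, 59))  # matches the RFC test vector (last 6 digits of 94287082)
```

The skew window is why a code "still works" for a moment after it rolls over; keep it at one step, and rate-limit verification attempts, since a 6-digit code has only a million possibilities.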

Audacix is also an RSA partner and our AppSec team can recommend the most appropriate 2FA systems depending on whether you want an open-source solution or something that's more enterprise-grade.

Tip 6: Encrypt stored data and data in transit, especially customer data

If you want to protect your digital assets and customers' data, it must be encrypted. This is a non-negotiable for all ecommerce businesses.

Data like a user's login credentials, credit card details and other sensitive information must be encrypted using TLS when in transit, i.e. when data is exchanged between two locations. The drives where you store your data should also be encrypted using strong protocols.

Don't make the same mistake Facebook did: it stored millions of Instagram users' passwords in plain text. Your development process needs to pick up when something like this happens and alert the right people to fix it.

Tip 7: Conduct thorough grey-box penetration testing

Are you working super hard to grow your ecommerce store every single day? Well, so are the hackers trying to break into your online store! Penetration testing means getting into the shoes of malicious hackers and trying to figure out how to bypass all the security defences without alerting anyone.

Conducting grey-box penetration tests provides an outsider perspective on your security and exposes your weaknesses before real hackers do.

However, when selecting an external ecommerce store security partner, make sure that you get not only a manual penetration testing service, but also access to an on-demand, self-service vulnerability scanner. Your team will then be able to conduct vulnerability scans before and after manual penetration tests to validate that the security vulnerabilities have not reappeared.

Tip 8: Build security into your ecommerce app development cycle

Integrating the software security best practices in your app development cycle helps you ensure that your developers are not leaving open big, wide windows for hackers to exploit your vulnerabilities.

Some of our ecommerce penetration testing clients have noticed hacking attempts within minutes of pushing new code to production.

No app is perfect, not even relatively simple ecommerce applications built on Magento, Drupal, Joomla or Shopify Plus. So you'll agree that it is common sense, and makes sound financial sense, to build processes into your development cycle that help to pick up at least the most obvious vulnerabilities.

Mammoth ecommerce stores like Amazon might be able to survive these attacks but can your ecommerce store do the same? If your instant answer is NOT Yes, let's have a quick chat to discuss your needs.