Tuesday, 24 March 2020

8 simple ways your ecommerce store can avoid the cybersecurity fate of Nutribullet

Another day, another hack!

Nutribullet, the blender and easy blended smoothie company, was hacked and their ecommerce online shopping store was injected with malicious code not once, not twice, but three times in the last 30 days! The malicious code let the hackers literally swipe away the credit card numbers of Nutribullet customers.

Application security is seldom considered during the ideation phase unless the development team has previously been hacked and survived to tell the tale. But it's also true that it's never too late to secure your ecommerce store.

In fact, smart and fast-growing ecommerce stores that outperform their peers usually share this common trait: they consistently grow sales and build their brand by turning their security standards into a key differentiator and selling point.

E-commerce sales hitting trillions of dollars in 2019 alone make it a very lucrative market for malicious hacker groups like Magecart, whose sole purpose is to steal credit card information.

Why should ecommerce & online shopping stores worry about application security?

Simply put, it helps to avoid massive costs to your business when you do get hacked AND it helps your customers trust you more. We both know what increased customer trust means for our businesses, right?


To put that in perspective, here are some staggering numbers for you from IBM.
  • The average total cost of a data breach is $3.9 million globally and $8.2 million in the United States.
  • Time to identify and contain a breach is 279 days!
  • Cost per lost record is $150.
If hacked, a single data breach event could potentially put your business under and can result in many ghastly outcomes for you:
  • Your business will have a hard time bouncing back up
  • Customers leave because of breach of trust
  • Loss of revenue
  • Brand reputation takes a hit
  • Spending more on AppSec and marketing 
  • PR and legal costs go up
Your probability of being severely disrupted when you're hacked goes down significantly if you follow the tips below. You will be able to carry out many of these activities within your current team. For some you will need an AppSec and penetration testing partner like Audacix.

The primary reason you should consider an external AppSec partner is that your development team needs to focus on your ecommerce product. Your developers will save a lot of time (and therefore save you money) if they're helped with targeted recommendations that help them fix your security vulnerabilities as they are found.

So how can your ecommerce or online shopping store avoid being hacked?

Tip 1: Conduct a thorough cybersecurity risk assessment

Has your business done this in the last 2 years? A cybersecurity risk assessment is a good way to know your current position and where you want to be in terms of security. It's like trying to get a fit body: it's important to measure your body stats before starting out and to determine what your end goal is.

A cybersecurity risk assessment is about understanding, managing, controlling and mitigating cybersecurity across your organization. It is a crucial part of any organisation's risk management strategy and data protection efforts.

Tip 2: Create a cyber incident response plan & practice it

An idiot with a plan can beat a genius without a plan.
Warren Buffett
Think of your cyber incident response team like a team of firemen. They know how to put out a fire when there is one, and they know how to help you build the safeguards that help you minimise the chances of a fire happening altogether.

What is your plan if you get hit by a virus or malware? What will you do if it's a DDoS attack disrupting your operations by overloading your web server?

You should be armed with the right tools and processes to deal with these scenarios quickly. You should practice it periodically within your organisation like a fire drill to stay updated and not panic when under a cyber attack.

Tip 3: Educate your software team about how and where you're likely to be attacked

Developers build beautiful, fast, functional apps, but they're generally not aware of an app's shortcomings from a security point of view. Educating your team of developers to fortify the areas where you're most likely to get attacked is a logical solution.

We offer your developers a training portal as part of all our AppSec and penetration testing subscriptions. This training will help your devs build at least foundational knowledge of how to build secure applications and make them more security-self-sufficient developers in the process.

Tip 4: Lock down your HTTP security headers to make it hard for hackers

The easiest and quickest way to check how many of these seven HTTP headers your web application uses adequately is the CyberChief.ai HTTP header analysis service. Simply enter your web app’s login page and in less than 2 seconds you will have a complete analysis of the HTTP headers that are already configured properly, and those that need more work.

The best part is that Cyber Chief’s recommendations spell out in detail where your developers can configure these HTTP headers in your application. It will also explain what directives and keywords should be used to maximise the security that each HTTP header can offer.
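The kind of analysis such a service performs can be approximated offline against the headers your login page returns. The Python audit below is an added example written for this article, not Cyber Chief's code or output; the set of headers it checks and the hardened values it expects are assumptions, since the seven headers are not listed here. It runs over two constructed header sets, a weakly configured login page and a hardened one, and returns the findings a developer would need to act on. The Content-Security-Policy checks matter most for the Magecart-style card skimming described above, because `script-src` decides where the browser is allowed to load scripts from at all.

```python
import re
from typing import Dict, List

# Hardened values for a login page. The header set is an assumption for this
# example; the article does not enumerate the seven headers it refers to.
HARDENED_LOGIN = {
    "Strict-Transport-Security": "max-age=63072000; includeSubDomains",
    "Content-Security-Policy": "default-src 'self'; script-src 'self'; object-src 'none'; frame-ancestors 'none'",
    "X-Frame-Options": "DENY",
    "X-Content-Type-Options": "nosniff",
    "Referrer-Policy": "strict-origin-when-cross-origin",
    "Permissions-Policy": "camera=(), microphone=(), geolocation=()",
    "Cache-Control": "no-store",
}

# Constructed response headers from a weakly configured login page.
WEAK_LOGIN = {
    "Content-Type": "text/html; charset=utf-8",
    "Strict-Transport-Security": "max-age=300",
    "Content-Security-Policy": "default-src * 'unsafe-inline'",
    "X-Frame-Options": "ALLOWALL",
}

ONE_YEAR = 31536000  # seconds; the usual minimum for HSTS max-age


def parse_csp(csp: str) -> Dict[str, List[str]]:
    """Split a CSP header value into {directive: [sources]}."""
    directives: Dict[str, List[str]] = {}
    for part in csp.split(";"):
        tokens = part.split()
        if tokens:
            directives[tokens[0].lower()] = [t.lower() for t in tokens[1:]]
    return directives


def audit_headers(headers: Dict[str, str]) -> List[str]:
    """Return a list of findings; an empty list means every check passed."""
    h = {k.lower(): v for k, v in headers.items()}  # header names are case-insensitive
    findings: List[str] = []

    for name in HARDENED_LOGIN:
        if name.lower() not in h:
            findings.append(f"missing {name}")

    m = re.search(r"max-age=(\d+)", h.get("strict-transport-security", ""))
    if m and int(m.group(1)) < ONE_YEAR:
        findings.append("Strict-Transport-Security: max-age below one year")

    if "content-security-policy" in h:
        csp = parse_csp(h["content-security-policy"])
        # script-src falls back to default-src when absent; this is the
        # directive that decides whether an injected skimmer script can load.
        script_src = csp.get("script-src", csp.get("default-src", []))
        if "'unsafe-inline'" in script_src:
            findings.append("Content-Security-Policy: scripts allow 'unsafe-inline'")
        if "*" in script_src:
            findings.append("Content-Security-Policy: wildcard script source")
        if "frame-ancestors" not in csp:
            findings.append("Content-Security-Policy: no frame-ancestors directive")

    xfo = h.get("x-frame-options", "").strip().upper()
    if xfo and xfo not in ("DENY", "SAMEORIGIN"):
        findings.append("X-Frame-Options: must be DENY or SAMEORIGIN")

    xcto = h.get("x-content-type-options", "").strip().lower()
    if xcto and xcto != "nosniff":
        findings.append("X-Content-Type-Options: must be nosniff")

    return findings


if __name__ == "__main__":
    for label, hdrs in (("weak", WEAK_LOGIN), ("hardened", HARDENED_LOGIN)):
        print(label, audit_headers(hdrs) or ["all checks passed"])
```

To audit a live page, replace the constructed dictionaries with the headers from an HTTP response to the login URL (for example `dict(resp.headers)` from the standard library's `urllib.request`), keeping in mind that a 301 redirect to HTTPS carries different headers from the final page.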

There are usually zero compelling reasons to pay hundreds or even thousands of dollars for fancy SSL certificates from brand-name SSL certificate vendors. A free SSL certificate from services like Let's Encrypt or Cloudflare will be more than adequate for most cloud applications.

Tip 5: Strengthen your password policy & implement two-factor-authentication (2FA)

Are you using a password named after your favourite quote, philosopher, celebrity or your kid's birthdate? You can check the strength of your password online. These services calculate how long it would take a hacker to crack it.

Remember: DO NOT enter your real password into these services. Also, there are a number of publicly available password lists, like this; if the admin passwords to your ecommerce store are on such a list, change them now.

Your business is only as safe as your passwords, so you need to implement a robust password policy: passwords must contain a combination of numbers, special characters and letters, and must be longer than 8 characters.

2FA gives you a second line of defence in the event that your team and/or customers click on phishing emails and are tricked into giving up their login credentials. In short, 2FA makes your business more robust and secure by minimising the extent of a breach when a hacker does get past your defences.

2FA apps like Google Authenticator can be installed on your mobile phone. They generate a unique code which changes every minute, making life difficult for a hacker.

Audacix is also an RSA partner and our AppSec team can recommend the most appropriate 2FA systems depending on whether you want an open-source solution or something that's more enterprise-grade.

Tip 6: Encrypt stored data and data in transit, especially customer data

If you want to protect your digital assets and customers' data, it must be encrypted. This is a non-negotiable for all ecommerce businesses.

Data like a user's login credentials, credit card details and other sensitive information must be encrypted using TLS when in transit, i.e. whenever it is exchanged between two locations. The drives where you store your data should also be encrypted using strong protocols.

Don't make the same mistake Facebook did when it stored millions of Instagram users' passwords in plain text. Your development process needs to pick up when something like this happens and alert the right people to fix it.

Tip 7: Conduct thorough grey-box penetration testing

Are you working super hard to grow your ecommerce store every single day? Well, so are the hackers trying to break into your online store! Penetration testing means stepping into the shoes of malicious hackers and trying to figure out how to bypass all the security defences without alerting anyone.

Conducting grey-box penetration tests provides an outsider perspective on your security and exposes your weaknesses before real hackers do.

An external AppSec partner like Audacix does exactly that, and also provides an on-demand vulnerability scanner for you and your team with its monthly AppSec subscription plans.

Tip 8: Build security into your ecommerce app development cycle

Integrating security best practices into your app development cycle helps you ensure that your developers are not leaving big, wide-open windows for hackers to exploit your vulnerabilities.

Some of our ecommerce AppSec and penetration testing clients have noticed hacking attempts within minutes of pushing new code to production.

No app is perfect, not even relatively simple ecommerce applications built on Magento, Drupal, Joomla or Shopify Plus. So you'll agree that it is common sense and makes utter financial sense to build processes into your development cycle that help to pick up at least the most obvious vulnerabilities.

Mammoth ecommerce stores like Amazon might be able to survive these attacks but can your ecommerce store do the same? If your instant answer is NOT Yes, let's have a quick chat to discuss your needs.