Cyber-proof Your Online Business For Cyber Monday
It’s almost Cyber Monday again. According to studies, 77% of online retailers said their sales increased substantially on Cyber Monday, so this is a great opportunity to increase sales. However, Cyber Monday has a downside too. One of the biggest threats to modern e-Commerce is cybercrime, and it is almost guaranteed that most online retailers will experience at least an attempt at some sort of cyber intrusion.
As time marches on, cybercrime rates are rising and are expected to keep rising. A data breach can lead to real harm, such as loss of customer data or identity theft. E-Commerce retailers cannot intercept every possible threat, but there are pre-emptive actions online businesses can take to make their stores far harder to attack.
In general there are three types of attacks: passive, active and offline (social engineering). To secure an online store, retailers must defend their infrastructure against all three.
These three attack types can be described as follows:
1) A passive attack attempts to learn or make use of information from the system without altering it; system integrity is not compromised.
2) An active attack attempts to compromise system integrity by altering its resources or interfering with its operation.
3) An offline attack (social engineering) attempts to manipulate people into disclosing confidential information or performing actions which compromise security.
Usually a successful cybercrime combines two or more of these three. So it is important that online retailers can defend themselves against all of them.
Hackers often refer to their attacks as “exploits”. This is because, to carry out an attack, there must be a vulnerability in the system which the hacker can make use of.
To find such a weakness, hackers must first learn about the system. This is where passive attacks come into play. On the Internet, various pieces of information (such as domain names) are always available to the general public, and they often include things like phone numbers, public e-mail addresses or physical addresses. The rule of thumb here is: whatever your customers can see, hackers can see too.
However, there are vital pieces of information which are visible only to people who know something about computer security, and which you can prevent hackers from seeing. These include things like server software versions. Hackers routinely scan websites with automated tools to find these details. The good news is that you can and should hide them. As an example, many standard e-Commerce packages ship with a “README” or release-notes file that states the exact version installed. This file is often reachable from the open Internet (if one knows where to look), and it should be deleted before the store goes live. For specifics, refer to your e-Commerce software documentation.
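To see what a passive scan of your own store can learn before it goes live, here is an added example (not code from the original article or from any e-Commerce product) that audits response headers for version numbers and checks whether common leftover files are reachable. The header names, file paths and the sample responses it runs against are assumptions for illustration; point `http_fetch` at your own store URL to audit a real site.

```python
import re
import urllib.request
from urllib.error import HTTPError, URLError

# Response headers that commonly leak software versions (illustrative list)
VERSION_HEADERS = ("Server", "X-Powered-By", "X-AspNet-Version", "X-Generator")
VERSION_RE = re.compile(r"\d+\.\d+(\.\d+)?")

# Leftover files that e-Commerce and CMS packages commonly ship with
# (assumption: illustrative, not exhaustive for any particular product)
LEFTOVER_FILES = (
    "/README.md", "/README.txt", "/readme.html",
    "/RELEASE_NOTES.txt", "/CHANGELOG.txt", "/CHANGELOG.md",
)


def audit_site(fetch, paths=LEFTOVER_FILES):
    """Report what a passive scan reveals.

    `fetch(path)` must return (status_code, headers_dict). Returns a list of
    findings; an empty list means nothing obvious leaked.
    """
    findings = []
    _, headers = fetch("/")
    lowered = {name.lower(): value for name, value in headers.items()}
    for name in VERSION_HEADERS:
        value = lowered.get(name.lower())
        if value and VERSION_RE.search(value):
            findings.append(f"header {name} reveals version: {value}")
    for path in paths:
        status, _ = fetch(path)
        if status == 200:
            findings.append(f"leftover file reachable: {path}")
    return findings


def http_fetch(base_url, path, timeout=5):
    """Real fetch over HTTP(S), for auditing your own store before go-live."""
    req = urllib.request.Request(base_url.rstrip("/") + path, method="HEAD")
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status, dict(resp.headers)
    except HTTPError as err:
        return err.code, dict(err.headers)
    except URLError:
        return 0, {}


# Constructed responses standing in for a store before hardening
# (assumption: sample data, not captured from any real site)
SAMPLE_SITE = {
    "/": (200, {"Server": "Apache/2.4.29 (Ubuntu)", "X-Powered-By": "PHP/7.2.24"}),
    "/README.md": (200, {}),
    "/RELEASE_NOTES.txt": (200, {}),
}

# The same store after hiding versions and deleting the leftover files
HARDENED_SITE = {
    "/": (200, {"Server": "Apache"}),
}


def sample_fetch(site):
    """Offline stand-in for http_fetch; unknown paths return 404."""
    return lambda path: site.get(path, (404, {}))


if __name__ == "__main__":
    for label, site in (("before", SAMPLE_SITE), ("after", HARDENED_SITE)):
        print(label, audit_site(sample_fetch(site)) or "nothing leaked")
```

The version strings in the sample come from the web server and PHP banners, which can be suppressed in configuration: `server_tokens off;` in nginx, `ServerTokens Prod` together with `ServerSignature Off` in Apache, and `expose_php = Off` in php.ini. Hiding a version only raises the attacker's cost of reconnaissance; it is not a substitute for patching the software behind it.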
Active attacks attempt to compromise system integrity using a known weakness. Often the knowledge of this weakness is gained through passive attacks, which is why limiting what passive reconnaissance can reveal is vital. However, even if information about your system has already leaked, there are actions you can take to stop an active attack from succeeding.
First of all, always keep all your software up to date. One of the most common reasons online stores get compromised is that they run outdated server software and old versions of the e-Commerce platform (including its plugins or extensions). These contain publicly known vulnerabilities which can be exploited with ready-made tools.
Second, operate a secure password policy. Most modern e-Commerce software stores passwords as hashes rather than in plain text, but that does not mean they cannot be compromised. If hackers obtain the hashed passwords, they can still recover the originals under certain conditions. Most commonly they have ready-made password lists containing millions of the most frequently used passwords; they feed the list to a password cracker, which hashes every candidate and compares it against the stolen hashes, and any password on the list is recovered in seconds. Fast, unsalted hashing makes this even easier.
A strong password has at least 12 characters and includes numbers, symbols, capital and lower-case letters. It should not be a “dictionary” word or rely on obvious substitutions where a letter is replaced by a number or symbol (such as “P@ssw0rd”). The best way to operate a strong password policy is to use common sense: a password should be memorable and strong at the same time, and a password manager makes it practical to have a long, unique password for every account.
However, a strong password policy is not just about password length. Re-use is a good example. Passwords should never be re-used, because doing so compromises the password on many levels: if hackers obtain a re-used password from one place, they can use it to attack another target with little effort. For administrative accounts, two-factor authentication adds a second line of defence should a password leak anyway.
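The dictionary attack described above and the password rules just listed, as one added example (not code from the original article or from any e-Commerce product): it cracks an unsalted MD5 hash with a wordlist, applies the policy (length, character classes, no common word with obvious substitutions), and shows the salted, slow PBKDF2 storage that makes the same wordlist attack expensive. The wordlist, the test passwords and the iteration count are assumptions; real cracking lists have millions of entries.

```python
import hashlib
import hmac
import os
import string

# Constructed stand-in for the multi-million-entry wordlists crackers use
# (assumption: sample data, a real list is vastly larger)
COMMON_PASSWORDS = ("password", "123456", "qwerty", "letmein", "welcome", "monkey", "admin")

# Undo the obvious letter-to-symbol substitutions ("P@ssw0rd" -> "password")
LEET = str.maketrans({"@": "a", "4": "a", "3": "e", "1": "l", "!": "i",
                      "0": "o", "$": "s", "5": "s", "7": "t"})

# Assumption: OWASP-style iteration count for PBKDF2-HMAC-SHA256; tune to your hardware
PBKDF2_ITERATIONS = 600_000


def base_word(password):
    """Strip digits/symbols from both ends, then undo leet substitutions."""
    core = password.strip(string.digits + string.punctuation)
    return core.lower().translate(LEET)


def check_policy(password, wordlist=COMMON_PASSWORDS):
    """Return the reasons a password fails the policy; [] means it passes."""
    problems = []
    if len(password) < 12:
        problems.append("shorter than 12 characters")
    if not any(c.islower() for c in password):
        problems.append("no lower-case letter")
    if not any(c.isupper() for c in password):
        problems.append("no capital letter")
    if not any(c.isdigit() for c in password):
        problems.append("no number")
    if not any(c in string.punctuation for c in password):
        problems.append("no symbol")
    core = base_word(password)
    if core and core in {base_word(w) for w in wordlist}:
        problems.append("based on a common word with obvious substitutions")
    return problems


def md5_hex(password):
    """Unsalted fast hash, as found in older or badly configured stores."""
    return hashlib.md5(password.encode(), usedforsecurity=False).hexdigest()


def crack_unsalted(hash_hex, wordlist=COMMON_PASSWORDS):
    """What a cracker does: hash each candidate and compare. Returns the password or None."""
    for candidate in wordlist:
        if md5_hex(candidate) == hash_hex:
            return candidate
    return None


def hash_password(password, salt=None, iterations=PBKDF2_ITERATIONS):
    """Store (salt, digest) instead of a bare hash: per-user salt plus a slow KDF."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return salt, digest


def verify_password(password, salt, digest, iterations=PBKDF2_ITERATIONS):
    """Constant-time comparison against the stored digest."""
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return hmac.compare_digest(candidate, digest)


if __name__ == "__main__":
    stolen = md5_hex("letmein")           # what a breached unsalted table holds
    print("cracked:", crack_unsalted(stolen))
    for pw in ("P@ssw0rd123!", "Purple-Tractor-Eats-42-Mangoes"):
        print(pw, "->", check_policy(pw) or "passes")
    salt, digest = hash_password("Purple-Tractor-Eats-42-Mangoes")
    print("verify:", verify_password("Purple-Tractor-Eats-42-Mangoes", salt, digest))
```

Note that “P@ssw0rd123!” satisfies every length and character-class rule and still fails, because a cracker's rule engine tries exactly these substitutions; the wordlist check is the part of the policy that catches it. The PBKDF2 step does not make a weak password strong, it only makes each guess cost the attacker far more than an MD5 computation.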
Another common way to prevent active attacks is to install a Web Application Firewall, an Intrusion Detection System and a malware scanner. For details about these, refer back to your hosting provider or, if the e-Commerce software is self-hosted, to a technical specialist.
Offline Attacks and Social Engineering
Offline attacks are the most frequently ignored type of attack, and online retailers ignore them at their peril. There is a good reason why offline attacks are also called “social engineering”: they typically use psychological manipulation to make staff perform actions or disclose information which compromises the system. Most often we are talking about confidence tricks, but other kinds of offline attack do exist.
The most common types of social engineering are dumpster diving, tailgating, pretexting, quid pro quo attacks and baiting. What they all have in common is that they rely on human error as the weakness which exposes the system.
Needless to say, effective countermeasures exist for all of these attacks. The best approach is to establish a framework of trust and clear security protocols for handling sensitive information, train staff in those protocols, and run periodic (and unannounced) tests to make sure staff stay vigilant at all times. As an example, to prevent tailgating, employees must be trained to identify other employees and to refuse entry to anyone whose identity cannot be verified.
The IT industry (especially technical support) has the acronym “PEBKAC” (Problem Exists Between Keyboard And Chair), and it certainly applies to cyber security as well. This is why social engineering attacks are so common: cyber-crooks seek profit, and as long as social engineering is profitable, these attacks will keep growing. This is worth keeping in mind when planning and applying a cyber security strategy.
Few Final Words
As the e-Commerce industry grows, cyber-crooks will increasingly target online retailers and e-Commerce companies. Attacks have become increasingly sophisticated, and for that reason it is important to stay constantly vigilant.
If you require insurance for your business, contact Insure 24-7 today for a competitive quote tailored to your needs.