Ecommerce Security – Address concerns before the holidays hit
According to the 2015 Trustwave Global Security Report, 64% of retail industry breaches were ecommerce. On top of that, we predict that the rollout of Chip and PIN technology will likely result in increased ecommerce security breaches. The holiday season is prime time for malicious activity, making it incredibly important to include security in your holiday planning. But what should you focus on? The Trustwave report identified the major contributing factors to ecommerce exploitations in 2014. Here are the top four factors, and some notes on addressing them.
1. Weak remote access security
Do a penetration test – A penetration test combines automated testing with experienced testers who try to exploit your code and application. Use a penetration test to examine the strength of your remote access security and identify any gaps that exist. Once you know where the issues are, fixing them is the easy part – just leave yourself enough time before the busy season hits.
2. Weak passwords
We recommend that administrative personnel use two-factor authentication and encrypted communications. It’s also important to make sure that administration pages are inaccessible from the outside world and protected by strong passwords. Leading up to the holidays, it is a good idea to do a thorough audit of the access list and limit access to essential personnel.
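The controls in this item (encrypted admin traffic, admin pages unreachable from outside, an audited access list, a second factor and a password policy) can be expressed as one gate in front of every admin request. The following is an added example written for this post, not code from the original article or from Trustwave; the network ranges, user names and minimum password length are constructed assumptions for illustration.

```python
import ipaddress
import re
from typing import Tuple

# Constructed policy values (assumptions for this example, not from the original post).
ADMIN_NETWORKS = [
    ipaddress.ip_network("10.0.0.0/8"),        # internal management network
    ipaddress.ip_network("192.168.1.0/24"),    # VPN concentrator pool
]
ADMIN_ALLOWLIST = {"alice", "bob"}             # essential personnel after the pre-holiday audit
MIN_PASSWORD_LENGTH = 14


def password_is_strong(password: str) -> bool:
    """Length plus character-class diversity (at least three of four classes).

    A production policy would also reject passwords found in breach corpora;
    that list is deliberately not reproduced here.
    """
    if len(password) < MIN_PASSWORD_LENGTH:
        return False
    classes = [r"[a-z]", r"[A-Z]", r"[0-9]", r"[^A-Za-z0-9]"]
    return sum(1 for c in classes if re.search(c, password)) >= 3


def admin_access_decision(request: dict) -> Tuple[bool, str]:
    """Return (allowed, reason) for a request to an admin page.

    `request` is a plain dict standing in for the web framework's request object:
    tls (bool), client_ip (str, taken from the TCP connection), user (str),
    mfa_verified (bool, set only after the second factor succeeded this session).
    """
    if not request.get("tls", False):
        return False, "admin traffic must be encrypted"
    try:
        client_ip = ipaddress.ip_address(request.get("client_ip", ""))
    except ValueError:
        return False, "unparseable client address"
    if not any(client_ip in net for net in ADMIN_NETWORKS):
        return False, "admin pages are not reachable from outside the management networks"
    user = request.get("user")
    if user not in ADMIN_ALLOWLIST:
        return False, "user is not on the audited admin access list"
    if not request.get("mfa_verified", False):
        return False, "second factor not verified for this session"
    return True, "allowed"


if __name__ == "__main__":
    inside = {"tls": True, "client_ip": "10.1.2.3", "user": "alice", "mfa_verified": True}
    outside = {"tls": True, "client_ip": "203.0.113.5", "user": "alice", "mfa_verified": True}
    print(admin_access_decision(inside))
    print(admin_access_decision(outside))
    print(password_is_strong("Holiday-Peak-2024-Ready"))
```

The order of the checks matters: the network test runs before the user lookup so that an external request is refused without ever touching the account database. The client address must come from the socket (or from a proxy header only when the request provably arrived via your own trusted proxy), because a forwarded-for header supplied by the client is trivially forged.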
3. Weak Input Validation
Run a vulnerability scan – A vulnerability scan proactively identifies weaknesses in your network, including those in the OWASP Top Ten vulnerabilities. These scans can help you identify any issues with your input validation (and they also satisfy some of your PCI compliance requirements).
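To make "weak input validation" concrete, here is the pattern a scanner flags most often on a web store, shown beside the fix: an order lookup that concatenates the request parameter into SQL, next to the same lookup with allowlist validation and a parameterized query. This is an added example written for this post, not code from the original article; the in-memory order table is constructed sample data.

```python
import re
import sqlite3
from typing import List, Tuple


def build_db() -> sqlite3.Connection:
    """Constructed sample order table (not data from the post)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE orders (id INTEGER, customer TEXT, total REAL)")
    conn.executemany(
        "INSERT INTO orders VALUES (?, ?, ?)",
        [(1, "alice", 120.0), (2, "bob", 35.5), (3, "carol", 980.0)],
    )
    return conn


def lookup_order_unsafe(conn: sqlite3.Connection, order_id: str) -> List[Tuple[int, str]]:
    """Weak input validation: the raw request parameter is pasted into the query text."""
    query = f"SELECT id, customer FROM orders WHERE id = {order_id}"
    return conn.execute(query).fetchall()


# Allowlist: an order id is a positive integer of at most ten digits, nothing else.
ORDER_ID_RE = re.compile(r"[1-9][0-9]{0,9}")


def validate_order_id(raw: str) -> int:
    """Reject anything that is not exactly an order id; return it as an int."""
    if not ORDER_ID_RE.fullmatch(raw):
        raise ValueError("invalid order id")
    return int(raw)


def lookup_order_safe(conn: sqlite3.Connection, raw_order_id: str) -> List[Tuple[int, str]]:
    """Hardened version: validate against the allowlist, then bind the value as a parameter."""
    order_id = validate_order_id(raw_order_id)
    return conn.execute(
        "SELECT id, customer FROM orders WHERE id = ?", (order_id,)
    ).fetchall()


if __name__ == "__main__":
    db = build_db()
    print(lookup_order_safe(db, "1"))            # [(1, 'alice')]
    print(lookup_order_unsafe(db, "1 OR 1=1"))   # every row: the condition was rewritten
    try:
        lookup_order_safe(db, "1 OR 1=1")
    except ValueError as exc:
        print("rejected:", exc)
```

Both layers matter: the allowlist regex stops malformed input at the edge (and gives you a clean log line to alert on), while the bound parameter guarantees that whatever reaches the database is treated as data even if a validator is later loosened by mistake.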
4. Unpatched vulnerabilities
Patch your environment – make sure your infrastructure, application and operating system are patched and up to date. We typically recommend setting the final patch date about a month before your busy season hits (unless an emergency patch is released). Freeze all patches after this date, although there may be exceptions. Make sure you have a process in place to assess any patches released after your freeze date, so your team can quickly determine whether action needs to be taken. We know that some applications have restrictions on which servers can be patched, so be sure that any servers that cannot be patched are not accessible from the internet and are protected by other controls like firewalls.
Learn how leading retailers keep their sites performing under peak load, including details on how you can:
- Prepare your infrastructure
- Optimize your commerce application
- Manage your marketing
This guide is designed to help mid-sized retailers prepare for peak season by examining their infrastructure capability, application capacity and marketing campaign processes. Each of these elements is key to understanding how well your web store will perform during the holidays.