Fundamentals of Website Security for Online Retailers

Introduction

Today, huge amounts of customer-related data are being collected by businesses. This is done for various reasons, ultimately to achieve greater engagement and business growth. What if this data falls into the wrong hands? Can this data be used to leverage malicious activity? The answer is, yes. The below article will throw light on the possible weaknesses and the preventive measures to tackle the issues pertaining to website security.
Nowadays almost all business has become digital, customers have started to prefer online websites for shopping. This has become a full grown mature business model for most of the organizations. There are a few reasons for this:

• Ease of usage for the customers




• Online tracking of orders





• Evaluate price difference without going to the market.




• Cash on delivery

All these features come at a cost. The customer trusts the vendor with the below things:

• Personal information: Name, Mobile no, Email ID, Date of birth, Address, etc.




• Payment information: Card number, CVV, Name on card, Expiry date, ATM Pin, etc.

What will happen if this data gets leaked? The attacker can misuse the card details for personal gains. This makes two things important for the retailers:

• Business to run in profit




• Web Security

Basics of website security

Website security should be a preventive measure. Security needs to be a part of the project from the starting. This will ensure that the risk is getting identified early rather than afterward. It may go unidentified afterward, as the website becomes large.

Best Security Practices governing website security

1. Include security in the starting of the project
Security should be a part of the project team right from the starting of the project. If there is an architecture level weakness in the website, it has to be identified and fixed. If this is identified later, the whole process needs to be performed again. What if the website was made using a vulnerable version of PHP and it gets identified later?
2. Conduct security training for developers
It needs to be made sure that the developers have the basic security knowledge. Developers should know the basics of input validation, error handling, default configurations, etc. This will ensure that the foundation is correct and other security vulnerabilities can be worked on.
3. Penetration testing (In-house/third party)
Once the website is up and ready, get a penetration test done. A penetration test can be done by an in-house security team as well as a third party. It is left to the choice of the retailer on which way to go. The retailers may choose to conduct a black box test or a white box test.

Application & Implementation in e-commerce business

Server setup
Server set up is the core of the website. If the server gets compromised, this may affect the confidentiality, integrity, and availability of the web application. A few things that the IT team at the retailers’ end can ensure:

• Have a different server for both application and DataBase: If the application gets compromised, this will provide an extra layer of security to the data. This also buys time for the security team to act and mitigate the data loss.




• Remove the default configuration from the server: Is your web application server remotely connected to the internet? If yes, change it. Default username and passwords are next things to change. Remove default services running on the server.





• Enable logging and alert configuration. This will help in identifying the mischief and will log the changes.

Access to servers
Who all have access to the server? It needs to be ensured that not all people in the development team have access to the application server. The duties and accesses need to be managed and reviewed at fixed intervals. Access should be granted on a need basis and with minimum rights.
High availability
What if one server goes down? This will affect three things:

• Loss of customer confidence




• Loss of business





• Reputational loss

Make sure that the servers are set up in high availability mode. If one fails, the other will kick in. The servers have to be placed in different locations and networks so that they are also protected physically.
DataBase usage and integrity
On festive seasons and sales, the customers’ visits will increase. Make sure that the DB is strong enough to handle the heavy usage. Create DB replications and shadow DBs as per the trends and business analysis.

Risks

DDoS (Distributed denial of service)
The attackers may send a bogus request to the websites making it unavailable to the legitimate users. This is the biggest threat to a website. The resources will get exhausted as the utilization increases. The risk is more as this can be launched by freeware tools as well. If the website is not robust, it might cause permanent damage.
Hacking attempts
The hackers can launch specially crafted attacks for the website in order to gain access or data from it (Here's a resource that will navigate you through cyber security attacks). It is not possible for the conventional IPS/IDS and firewall devices to detect this traffic. The network devices are able to detect and deny the layer 3 traffic, but this request is genuine and is at layer 7. The website needs to be smart enough to filter the request.
Disgruntled employees
An underpaid employee, an employee on notice period, etc., are potentially disgruntled employees. They might try to cause damage to the website or DB before leaving. Ensure that these cases are dealt with care and the access rights are revoked right away if not necessary.

How to detect and eradicate attacks on business?

Monitoring
Monitor the application and servers 24x7 for critical aspects:

• Is the load increase on server expected?




• Server health check





• Monitor server alerts




• Web request monitoring

This kind of setup will ensure on-time attack detection. There should be a SOC (Security Operations Center) to monitor the web applications. If the organization is small and cannot afford a SOC, the job can be outsourced to a third party and regular checks and reports can be requested.
DDOS mitigation
Setup a DDOS protection solution in the architecture. The traffic will be routed to the scrubbing centers and the bogus traffic will be dropped before it hits the web server. There is a full cloud solution offered by companies that can filter the web traffic, these are called CDN or content delivery networks (here's some resource to help you navigate through the types of cloud services).
WAF
Web application firewalls are special firewalls which have the capability to detect and block the layer 7 traffic. It has specific rules to detect the attack patterns and can be customized as per the need. This is offered as both a box and cloud-based solution. The best solutions are expensive but very effective. Network firewalls have a module of web application firewalls but that is not as customizable. It can still block the attacks launched from known tools and script kiddies. The art of using a WAF is the customization of the rules as per the application requirement.
BEC (Business email compromise)
The cases of business email compromise are increasing day by day. Attackers may try to get into the organization by using social engineering attacks on company employees. Once the attacker is inside, lateral movement and persistence start. Some of the employees have access to the application servers and DB and that is the gold mine. They try to compromise the systems so as to have easy access to servers. Ensure that the employees are aware of the phishing scenarios and the basic security of the system.

Latest developments in web security for retailers

Mobile security
Customers have shifted to the use of mobile applications more often than not. The architecture of a mobile application is different from a web application; hence, it requires a different security angle. Let’s discuss a few scenarios:

• CASE 1: What if there are two applications of the same name on the internet. One from a genuine store and the other freely hosted on the internet. The user can be tricked to install a fake version of the application and gather the user’s data.




• CASE 2: Business might miss the penetration testing of mobile applications. Get it accessed by a third party. There will be different applications for iOS, Android, and Windows. Make sure that all are safe and integrated.

Conclusion

For Retailers: Ensure that adequate compliance checks are followed. Application tests to be conducted on yearly basis, or after a major change. Include mobile application architecture in the test plan. Get the risk assessment done and make sure that the observations are acted upon.
For Security team: Beware of the latest attack trends and application security measures. The security relies on you and your experience. Make sure that the team is properly trained to handle incidents if any.
For End Users: It’s your data at the end of the day. Make sure that you are vigilant about what you submit, where you submit it and why you need to submit it. Be aware of what you install on your phone. Retailers should make sure that the customers are aware of basic security. Users should pay attention to the advisories and announcements and adhere to it.
Get an in-depth understanding of security practices - Sign up for a course now!