Automated attacks against SME e-commerce websites are relatively easy to instigate, offer good revenue opportunities and can provide access to data held on larger websites. With this attractive proposition, SMEs should be aware that hackers don’t just target eBay, Target and shoe retailer Office-sized businesses; they are also a serious threat to under-defended SME e-commerce outfits.
The majority of the attacks against SMEs remain undetected today because of the highly sophisticated nature of attacks, as well as the low level of security awareness among victims. Not many hackers have the necessary skills, time and resources to launch targeted attacks against the biggest players in the e-commerce industry, so they prefer to compromise dozens of small and medium online stores each day.
In untargeted attacks, hackers focus on quantity, rather than quality. A customer record from an online store may generate a penny, while a thousand records can easily generate at least £10 (or more, depending on the data’s “quality” and “completeness”).
Interestingly, hackers will aim to compromise the weakest link in any security perimeter, and an SME website or web server may present an easy route to much larger targets. After all, it’s much easier to compromise an SME website and try to reuse the passwords found there than to attack the front end of PayPal to get access to an account there [the final target].
Some simple measures should be part of every e-commerce website’s security policy:
1. Password Control
Default, reused or weak passwords used to access admin interfaces of web applications present a security risk. Another related and very widespread problem is a default admin panel location, such as “/wp-admin/” or “/administrator/”, which facilitates the hacking of a website even with one simple XSS (Cross-Site Scripting) vulnerability.
2. Keep Software Updated
When using an open source CMS such as Joomla, WordPress or osCommerce, ensure that it is up to date, along with all of its modules and plugins. Care should be taken when using third-party customised website code that is not trusted by a large community of other users. I have seen many examples of relatively secure websites being compromised because they installed “Simple Online Poll v0.1” coded by a friend or inexperienced developer.
3. Stay On Top Of Access Control
Limit access to admin panels to specific IP addresses or at least to sub-networks (in case you don’t have a fixed IP). Make sure that, on your web server, file permissions are correct and other users (if any) cannot read your files.
4. Hosting With Security Experience
A web hosting company should have a competent security team ready to react rapidly to any breaches, a daily backup plan, and a commitment to regularly update software.
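One way to check that the admin-panel restriction from measure 3 is actually enforced is to audit the web server's access log for requests to the default admin locations named in measure 1 that come from outside the permitted sub-networks. This is an added example, not code from the original article; the allowed networks, the "combined" log format and the sample log lines are constructed assumptions.

```python
import ipaddress
import re

# Assumptions (not from the article): allowlisted networks, the Apache/nginx
# "combined" log format, and every sample line below are constructed.
ALLOWED_NETS = [ipaddress.ip_network(n) for n in ("203.0.113.0/28", "198.51.100.7/32")]
ADMIN_PREFIXES = ("/wp-admin/", "/administrator/")  # default locations named in the article

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) '
)

SAMPLE_LOG = """\
203.0.113.5 - - [12/Mar/2024:09:14:02 +0000] "GET /wp-admin/index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
192.0.2.44 - - [12/Mar/2024:09:15:10 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 312 "-" "curl/8.0"
192.0.2.44 - - [12/Mar/2024:09:15:11 +0000] "GET /administrator/ HTTP/1.1" 403 199 "-" "curl/8.0"
192.0.2.90 - - [12/Mar/2024:09:16:00 +0000] "GET /shop/cart HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
not a log line
"""

def is_allowed(ip_text):
    """True if the client address falls inside one of the allowlisted networks."""
    try:
        ip = ipaddress.ip_address(ip_text)
    except ValueError:
        return False  # unparseable client field: treat as not allowlisted
    return any(ip in net for net in ALLOWED_NETS)

def audit(log_text):
    """Return (findings, skipped): admin-path requests from outside the allowlist."""
    findings, skipped = [], 0
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            skipped += 1  # count unparsed lines instead of silently dropping them
            continue
        if not m["path"].lower().startswith(ADMIN_PREFIXES) or is_allowed(m["ip"]):
            continue
        # A 2xx/3xx answer means the panel was served: the restriction is not enforced.
        verdict = "SERVED" if m["status"][0] in "23" else "blocked"
        findings.append((m["ip"], m["method"], m["path"], m["status"], verdict))
    return findings, skipped

if __name__ == "__main__":
    findings, skipped = audit(SAMPLE_LOG)
    for finding in findings:
        print(*finding)
    print("unparsed lines:", skipped)
```

A "SERVED" finding shows the IP restriction is missing or misconfigured for that path, while "blocked" entries show probing that the restriction stopped.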
Dealing With A Security Breach
If you are hacked, notify your web hosting company and temporarily shut down your website. Change all passwords and copy access logs to secure local storage. The logs will help to trace the hacker and determine how they accessed your website.
It is very important to understand whether the attack against your website was targeted or not. Contact a local security company or a local CERT (Computer Emergency Response Team) for help with the computer forensics process. Your web hosting company should also be able to help you by analysing logs and abnormal activities around your website. As soon as you have reconstructed an image of the security incident, you should take the following steps:
1. Fix The Hole
Once you know how your website was compromised, patch the vulnerability or weakness hackers used to get in.
2. Inform Relevant Customers
If your customers’ personal data was compromised, notify affected customers and ask them to change all of their passwords as soon as possible.
3. Report The Hack
You may wish to make a criminal complaint against the attackers even if they are hidden behind a chain of proxy servers. However, don’t be too optimistic as, due to a lack of inter-government collaboration and different country laws, many of these crimes remain open.
4. Put Vulnerability Testing In Place
Consider having your website tested by an external security company or expert. SMBs probably don’t need to invest in costly on-site penetration testing consultancy services. An alternative is on-demand penetration testing, which provides automated scanning of a website combined with penetration tester expertise. Two good guides giving advice on the selection of security assessment vendors/providers are written by Alexander Michael: “You may think you have never been hacked… you just have not realised it yet” and Viktor Polic: “The quest for weak links in information security”.