This is the last post in our series on E-commerce Security.
Today, let’s expand on some of the suggestions made during a webinar I hosted recently about steps you can take to secure your online store.
So far in this series, we have touched on how to identify potential risks and how to defend against threats via WAF technologies. We also discussed how to implement valid SSL certificates. The last question to consider is:
What happens when the worst case scenario occurs?
The worst can happen to anybody, whether you’re an e-commerce site, a mid-market agency, or a small, local business. Having an effective and clear Disaster Recovery Plan (DRP) is a must as you establish a proper web security strategy.
Let’s remember something:
Website security is about risk reduction, not risk elimination – and risk will never be zero.
There might be a circumstance where you forget to reset a weak password, or where software that is no longer needed stays installed and misses a future security patch. Either of these scenarios can lead to a compromise, so if (or rather, when) this happens, let’s be ready instead of scrambling as if the house were on fire.
Having a Disaster Recovery Plan
What should be included in a good Disaster Recovery Plan (DRP)?
We are going to dive into four actions that are part of a continuous workflow. These are the core to what a Disaster Recovery Plan should be built on.
One thing to note is the flywheel nature of this diagram. It is designed to highlight the continuous effort needed in order to remain current with your preventive measures.
Let’s look at the first action needed for this wheel to start moving – Response.
We need to respond to the malicious event by removing malware and other indications of compromise from the online store.
All major content management system (CMS) platforms have e-commerce plugins. Here are some free guides you can use if you have the dedicated time or resources to respond to a security incident yourself:
- How to clean a hacked Magento website – There are sections specific to e-commerce in this guide.
- How to clean a hacked website
- How to clean a hacked WordPress website
- How to clean a hacked Joomla! website
- How to clean a hacked Drupal website
The other option is to have the phone number or email of an emergency contact, such as a preferred vendor for remediation services, so you can act quickly.
Once you have the right person completing the remediation process for you, the next step is to recover the website from the incident. Depending on what you faced, this involves a few key components:
If any data was at risk, notify your customers. This is particularly important if you’re a business operating in the EU where an organization must report a data breach within 72 hours, according to Article 33 of the General Data Protection Regulation (GDPR).
We all know the consequences of a ransomware attack. If this type of attack happens to you, an offsite backup copy is essential: it is the part of your data protection strategy that keeps working when disaster strikes.
Sucuri offers offsite backups for situations just like this or in the event that malware has corrupted your files beyond repair.
Discuss with your security vendor how to identify the areas for improvement. They are better equipped to offer insight into what can be done. This is a direct lead-in to our next task.
Once you have recovered on the customer and business side, it’s time to review your internal processes. Use the insight a security professional has offered to continue hardening your site and to minimize the risk your web application faces on a daily basis.
This can include answering the following questions:
- How did the attacker gain access?
- Where & when did they gain access?
- What software did you or your security vendor identify in the server?
- Do you need this software?
- Is your SSL certificate up to date and valid?
- How long ago did you update your passwords?
- Do you have a list of all access?
- Which directories have improper read/write access?
The more you know about what you have, the better decisions you can make for the next action.
First, conduct a review of the actions you or your IT department need to take to continue fortifying your security posture. Next, carry out those actions as quickly as possible. You can base all further actions on the following tips:
- Restrict global access to your site via GET or POST methods to minimize exposure.
- Update directories to ensure the read/write access is properly set.
- Update or remove outdated software/themes/extensions.
- Reset your passwords immediately if you suspect they were compromised or if they are older than 30 days.
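The "improper read/write access" check from the review and fortify lists can be scripted. The following is an added example, not code from the original post or from Sucuri: a POSIX shell function that walks a web root, reports every directory or file whose mode grants write access to everyone (world-writable), and skips paths you explicitly allowlist because they legitimately need to be writable (an uploads directory, for instance). The sample web root it audits is constructed in a temporary directory purely for demonstration.

```shell
#!/bin/sh
# Added example (not from the original post): audit a web root for
# world-writable directories and files, the "improper read/write access"
# the review checklist asks about.
# Assumptions: POSIX sh, find(1) and stat(1); $1 is the web root and any
# remaining arguments are allowlisted paths that may legitimately be writable.

# Print one line per world-writable entry under $1 that is not allowlisted:
# "<dir|file> <octal mode> <path>". Symlinks are ignored (their mode is not
# meaningful); the target is checked on its own when it lies under the root.
audit_web_root() {
    root=$1; shift
    find "$root" -perm -002 ! -type l 2>/dev/null | while IFS= read -r path; do
        skip=0
        for allowed in "$@"; do
            case "$path" in "$allowed"|"$allowed"/*) skip=1 ;; esac
        done
        [ "$skip" -eq 1 ] && continue
        if [ -d "$path" ]; then kind=dir; else kind=file; fi
        # GNU stat first, BSD/macOS stat as fallback.
        mode=$(stat -c %a "$path" 2>/dev/null || stat -f %Lp "$path")
        printf '%s %s %s\n' "$kind" "$mode" "$path"
    done
}

# Number of findings, handy for a pass/fail gate in a cron job or CI check.
count_world_writable() {
    audit_web_root "$@" | wc -l | tr -d ' '
}

# Constructed sample web root: one legitimately writable uploads directory,
# one abandoned theme directory left at 777, and a world-writable config file.
make_sample_root() {
    root=$(mktemp -d)
    mkdir -p "$root/wp-content/uploads" "$root/wp-content/themes/old-theme" "$root/includes"
    : > "$root/wp-config.php"
    : > "$root/includes/db.php"
    chmod 777 "$root/wp-content/uploads"          # expected, will be allowlisted
    chmod 777 "$root/wp-content/themes/old-theme" # improper: stale theme, writable
    chmod 666 "$root/wp-config.php"               # improper: anyone can edit config
    chmod 644 "$root/includes/db.php"             # fine
    printf '%s\n' "$root"
}

# Demonstration run: audit the sample root with uploads allowlisted.
DEMO_ROOT=$(make_sample_root)
audit_web_root "$DEMO_ROOT" "$DEMO_ROOT/wp-content/uploads"
rm -rf "$DEMO_ROOT"
```

Run it against the real document root with the paths your CMS genuinely needs to write to passed as allowlist arguments, and treat a non-zero count as something to investigate before the next review cycle.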
In addition, if you’re actively using a Web Application Firewall (WAF), review your existing configuration to identify potential adjustments to be made. This will also be part of your Review stage where you can check if someone whitelisted more IPs than necessary or allowed more access than recommended.
Remember that even though WAFs help in meeting several Payment Card Industry Data Security Standard (PCI DSS) requirements, they are not a silver bullet. Other factors can impact your business, especially the human factor.
Fred Muldowney-Brooks, Director of Risk Services & Solutions for Northbridge Financial Corporation, once said:
“After a crisis, 1 in 4 businesses will never reopen. Proper business continuity and disaster planning can help other small businesses avoid the same fate. It begins with asking yourself: ‘if I were to experience a loss tomorrow, what would I do?’”
This is why it’s critical to plan for the worst. To summarize, your ideal game plan should follow these guidelines for creating a quality DRP:
- Know who to contact to remediate your website immediately if compromised.
- Recover your website by informing your customers in a timely fashion.
- Execute backups if needed.
- Review your existing security strategy to identify improvements.
- Make changes to continue to minimize exposure.
Whether you’re an enterprise corporation or a local photographer, these threats affect all of us equally. Therefore, we should all be equally aware of the risks and the effort needed to minimize them. If you are looking for more content on e-commerce security, we have created a handy email course for you.
Update: Read our new PCI Compliance guide.