The growing hacking threat to e-commerce websites, part 2
In the first part of my article, I briefly revised attackers’ motivations to compromise your website. In this part, I will discuss how websites get hacked, how you can prevent it and what to do in case of a website compromise.
As this article is mainly written for small e-business owners, I will omit technical details about web hacking techniques, and will focus instead on the general security mistakes that lead to vulnerabilities, which are then exploited by hackers.
One of the oldest and simplest problems is default or weak passwords used to access admin interfaces of web applications. Another related and very widespread problem is default admin panel location, such as “/wp-admin/” or “/administrator/” which facilitate a lot hacking of your website even with one simple XSS vulnerability. Password reuse is also a very common and dangerous practice. Avoid default admin panel location, and select strong and unique passwords so that these risks are avoided.
Another very common problem is old and outdated software. Make sure that if you are using an open source CMS such as Joomla, WordPress or osCommerce it’s up to date as well as all of its modules and plugins. Today, the biggest danger comes from numerous plugins that usually have plenty of vulnerabilities.
Be careful when you are using a third-party customized code on your website that is not trusted by a large community of other users. I have seen many examples of quite secure websites being compromised because they installed “Simple Online Poll v0.1” coded by a friend or unexperienced trainee. Usually the majority of web vulnerabilities are hidden in the in-house code, as it was not reviewed and tested by millions of users and security researchers as, for example, the core source code of Joomla was.
Another important point to mention is proper access control. Don’t share your passwords and other credentials with people who do not necessary need to have them, otherwise once they are compromised your website will follow. It is always better to limit access to your admin panels from specific IP addresses or at least from sub-networks (in case you don’t have a fixed IP). Make sure that, on your web server, file permissions are correct and other users (if any) cannot read your files.
Needless to say, the security of any web hosting service where your website is located is also important. Don’t try to save money on it, as such “economy” may ruin your business. When selecting your hosting company, pay attention to what the company’s reputation is, the client support it offers (it should have a competent security team ready to react rapidly on security incidents) and if it has a daily backup plan.
Backup is an essential point, as sometimes you may notice intrusion days, weeks or even months after it actually happens. I personally saw customers who were backdoored during several years so, it’s very important to have a “clean” copy of your website without a backdoor in its source code. Proper backup of access logs is vital for security investigators during the incident forensics process. Last but not least, make sure that all of the software used by your hosting company is regularly updated otherwise any measure taken by you will be useless.
How to deal with a security breach
If you notice that your website has been hacked, the most important thing to do is keep calm and avoid panic. First of all, immediately notify your web hosting company about the incident and temporarily shut down your website. Immediately change all of your passwords (FTP, cPanel, MySQL, SSH, etc) and make sure that no additional accounts were added to the system.
Now, when the hackers have been cut from your website, start the investigation process. First of all, copy access logs to secure local storage – they will help in the future to determine how hackers got in and to trace the attackers.
It is very important to understand if the attack against your website was targeted or not. If you understand the motivation of the attackers you will be able to predict what they did (or at least what they aimed to do) and start an investigation from the right point. Contact a local security company or a local CERT to get competent advisers and assistance in the forensics process. Your web hosting company should also be able to help you by analyzing logs and abnormal activities around your website. As soon as you can reconstruct an image of the security incident you should take the following steps:
1. Once you know how your website was compromised, make sure that the vulnerability or weakness hackers used to get in is properly patched. Also, make sure that you have followed all of my earlier recommendations. Only after this step is completed should you run your website online again, otherwise you risk facing a second compromise.
2. If your customers’ personal data was compromised, notify them and ask them to change all of their passwords as soon as possible. Assure them that you are taking the incident very seriously, an investigation is in progress and that you will do your best to ensure that it will never happen again. It is much better for your reputation (and your customers’ security) to honestly notify them about the incident rather than trying to cover it up. But don’t make a public show from the incident: sometimes that’s exactly what the hackers want to do to harm your business reputation. In many cases, a personal notification to each concerned customer is enough. There is no need to send a massive notification to everyone if only a couple of customers’ accounts were compromised (just make sure that you are not mistaken about the scope of the incident!).
3. Depending on what legislation your country has about cybercrime, you may wish to deposit a criminal complaint against the attackers even if they are hidden behind a chain of proxy servers. It’s the job of law enforcement agencies and security companies specialized in digital forensics to identify and prosecute the hackers. However, don’t be too optimistic as, due to a lack of inter-government collaboration and different laws in almost every country, many of these crimes remain forever unsolved. Nevertheless, it may bring results and at the very least will demonstrate to your customers that you take their security seriously.