How Website Security Gets Breached: 3 Common Errors and 3 Basic Fixes

June 7, 2017 • Category: PCI 101

The bad guys don’t care what—or how much of it—you sell online.

Today’s e-commerce businesses are in hackers’ cross hairs for many reasons, not the least of which is their ease of access. With the Internet as its gateway, every single e-commerce business is an easy target, should it allow itself to be.

A recently published Foregenix blog post got me thinking about just how important it is for every e-commerce business to understand and proactively address its website security posture. This has taken on added importance in the United States, where the shift to EMV has pushed fraud activity toward the e-commerce world.

In its many breach investigations, Foregenix has found that e-commerce firms commonly make one or more of these three errors:

  1. Insecure user access
    • Web-based administration access is located on the default URL or an alternative that can be easily guessed
    • The log-in page is left publicly accessible
    • User credentials are shared among multiple people
    • User credentials are provided to third parties and left inactive when no longer required
    • No password management policy, including no consideration to password complexity or rotation
    • No policy of least privilege for user access, or no user management policy at all
  2. Poor administrative procedures
    • Error pages returning useful information to attackers
    • Unused default applications are left available, for example RSS feeds or file upload functionality
  3. No formal security monitoring and maintenance procedures
    • Not patching and maintaining an up-to-date environment
    • No vulnerability testing
    • Lack of appropriate log files
    • Lack of intrusion detection systems, such as File Integrity Monitoring, Web Application Firewall, etc.
    • No monitoring of log files or intrusion detection systems
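A minimal version of the File Integrity Monitoring named under item 3, as an added example (not code from Foregenix or the PCI Compliance Guide): it hashes every file under a web root into a baseline and reports which files were later modified, added or removed. The web root and its file names are constructed for the demo.

```python
import hashlib
import json
import tempfile
from pathlib import Path


def hash_file(path, chunk=65536):
    """SHA-256 of a file, read in chunks so large assets do not load into memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def build_baseline(root):
    """Map each relative file path under root to its hash (the trusted state)."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): hash_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def compare_baseline(root, baseline):
    """Re-hash the tree and classify every difference from the baseline."""
    current = build_baseline(root)
    return {
        "modified": sorted(k for k in baseline if k in current and current[k] != baseline[k]),
        "added": sorted(k for k in current if k not in baseline),
        "removed": sorted(k for k in baseline if k not in current),
    }


def demo():
    # Constructed web root: two pages a small shop might serve.
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "index.php").write_text("<?php echo 'shop'; ?>")
        (root / "checkout.php").write_text("<?php // payment form ?>")
        # The baseline would normally be written to storage the web server cannot modify.
        baseline = json.loads(json.dumps(build_baseline(root)))
        # Changes an operator did not schedule: an edited checkout page,
        # a file that did not exist before, and a deleted page.
        (root / "checkout.php").write_text("<?php // payment form ?> <?php // unexpected edit ?>")
        (root / "uploads.php").write_text("<?php // unexpected new file ?>")
        (root / "index.php").unlink()
        return compare_baseline(root, baseline)


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Any non-empty category in the report should raise an alert; the check is only useful if someone actually reviews those alerts, which is the monitoring gap item 3 describes.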

The need to focus on your website security is clear.

When you look at this information and factor in the 2017 Verizon DBIR on data breaches, the need to focus on website security is evident. Verizon devotes considerable attention to the increase in attacks on web applications and web servers. There is a critical need to test web applications for vulnerabilities, as well as to implement a robust web application firewall.

Even with additional layers of website security, the human element is still sinking a lot of organizations in this regard. Every recent study I’ve seen shows that well over 85% of investigated breach incidents involve a phishing attack as a starting point.

Don’t let your site be the hacker’s low-hanging fruit.

Here are three tips for keeping your e-commerce business from becoming the hacker’s low-hanging fruit:

  1. Outline consistent security guidelines for developers and any third-party service providers. Make sure these guidelines include managing remote access to the production environment. Integrated Software Vendors (ISVs) are often unfamiliar with PCI requirements and may not realize how much risk their involvement poses to the security of the data.
  2. Engage a trusted source (or sources) for the proper testing of web applications and the implementation of a robust web application firewall.
  3. Know that the human element is key. Security awareness shouldn’t be viewed as a check-the-box process. Instead, implement a process for awareness that tests and tracks employee knowledge about the most common attacks involving phishing, etc.
