Online stores have always attracted attackers. They are a source of credit card data (now almost irrelevant, since a store that works through a payment gateway never sees card numbers), user data, order data and market trends (consumer demand), traffic, discount coupons that can be abused, and so on. An e-commerce site may be attacked opportunistically (a non-targeted attack) or on behalf of an unscrupulous competitor. Recently, various kinds of DoS/DDoS attacks have become popular, both to knock a competitor offline and as a tool for extortion.
In this article I describe best practices for protecting e-commerce sites.
The main attack vectors
There are many attack vectors against a web application; roughly, they can be divided into direct and indirect.
Direct, when the attack targets the web application itself:
• Exploitation of web vulnerabilities (CMS, plugins, themes, modules, service scripts).
• Brute-force attacks on authentication (admin panel, user accounts).
• DoS/DDoS, including application-layer floods from bots running a full browser stack.
• Various kinds of fraud, race conditions (for example, redeeming a coupon or a balance twice through concurrent requests), etc.
Indirect, when adjacent services are used to attack the online store:
• Exploitation of web server vulnerabilities.
• Brute-forcing auxiliary services (FTP/SSH).
• Theft of technical staff credentials (Trojans, interception on Wi-Fi networks, social engineering).
• Theft of contractor credentials: the web studio, content managers, SEO specialists, technical support (by the same methods).
• Vulnerabilities in interconnected infrastructure (for example, via "neighbours" on shared hosting with incorrect file permissions).
• Compromise of the hosting provider (rare, but it happens).
Hosting
The first step is to choose a reliable hosting provider. Many of the leading players on the market have special offers for online stores. It is important that the provider performs regular backups, keeps comprehensive action logs and monitors network activity. Another important factor is a system of notifications about anomalous activity on the account, possible infection of the website, and so on. Technical support (usually included in the plan) should notify you of an incident and provide at least minimal instructions (or a link to the knowledge base) on how to resolve it, and assist in doing so. The best option is VPS/VDS hosting, where your site does not share an operating system and file system with other customers' sites.
CMS
If possible, use a secure e-commerce platform. It must support strong authentication (two-factor authentication, one-time passwords, etc.) and the ability to restrict access to the administrative area (for example, to specific IP addresses or a VPN).
The CMS itself, its plugins, modules, etc. should be kept at the latest versions. The best option is a CMS that can update itself automatically (especially for critical vulnerabilities). Another important factor is native support for a WAF, anomaly detector or attack blocker, out of the box or as an additional module or plugin.
A further advantage is the CMS's use of input validation and sanitization mechanisms, frameworks or libraries such as HTML Purifier.
SSL/TLS
Use a secure connection: encrypt the channel between the site and the client's browser. Today this means TLS (Transport Layer Security), which many still call SSL (Secure Sockets Layer) out of habit.
It is important to use the latest versions of the cryptographic protocols, and to disable the obsolete ones (SSLv3, TLS 1.0 and 1.1), for proper data protection.
An excellent practice is HSTS (HTTP Strict Transport Security), a mechanism that forces the browser to use HTTPS. Once a browser has seen the Strict-Transport-Security header on an HTTPS response, it connects to the site only over HTTPS for the declared max-age period, rewriting http:// links itself instead of relying on a server-side redirect. Two caveats: browsers ignore the header on plain-HTTP responses, so the HTTP site must still redirect to HTTPS, and the policy only takes effect after a visitor's first HTTPS visit unless the domain is added to the browsers' preload list.
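A quick way to catch a misconfigured HSTS header before it ships is to check its value against the conditions above. The checker below is an added example, not code from the original article; the parsing follows RFC 6797, while the one-year threshold and the preload conditions (max-age of at least 31536000 seconds, includeSubDomains, preload) are assumptions taken from the public hstspreload.org submission requirements.

```python
"""Check a Strict-Transport-Security header value for weak settings.

Added example, not code from the original article. The parsing follows
RFC 6797 section 6.1; the one-year threshold and the preload conditions
(max-age >= 31536000, includeSubDomains, preload) are assumptions taken
from the public hstspreload.org submission requirements.
"""
from dataclasses import dataclass, field
from typing import List, Optional

ONE_YEAR = 31_536_000  # seconds


@dataclass
class HstsPolicy:
    max_age: Optional[int] = None
    include_subdomains: bool = False
    preload: bool = False
    problems: List[str] = field(default_factory=list)

    @property
    def ok(self) -> bool:
        return not self.problems


def parse_hsts(header: Optional[str]) -> HstsPolicy:
    """Parse the header and record every reason it would not protect visitors."""
    pol = HstsPolicy()
    if header is None:
        pol.problems.append("header missing: browsers will keep accepting http://")
        return pol
    seen = set()
    for raw in header.split(";"):
        directive = raw.strip()
        if not directive:
            continue
        name, _, value = directive.partition("=")
        name = name.strip().lower()
        value = value.strip().strip('"')
        if name in seen:
            # RFC 6797: a header with duplicate directives is invalid and ignored.
            pol.problems.append(f"duplicate directive {name}: browsers ignore the whole header")
            continue
        seen.add(name)
        if name == "max-age":
            if not value.isdigit():
                pol.problems.append("max-age is not a non-negative integer")
            else:
                pol.max_age = int(value)
        elif name == "includesubdomains":
            pol.include_subdomains = True
        elif name == "preload":
            pol.preload = True
        # Unrecognised directives are ignored, as the RFC requires.
    if pol.max_age is None:
        pol.problems.append("max-age missing: browsers ignore the header")
    elif pol.max_age == 0:
        pol.problems.append("max-age=0 tells browsers to forget the policy")
    elif pol.max_age < ONE_YEAR:
        pol.problems.append(f"max-age {pol.max_age} is below one year")
    if not pol.include_subdomains:
        pol.problems.append("includeSubDomains missing: subdomains stay reachable over http://")
    if pol.preload and (pol.max_age is None or pol.max_age < ONE_YEAR
                        or not pol.include_subdomains):
        pol.problems.append("preload set but the preload-list conditions are not met")
    return pol


if __name__ == "__main__":
    for h in ("max-age=31536000; includeSubDomains; preload", "max-age=300", None):
        print(repr(h), "->", parse_hsts(h).problems or "ok")
```

Run it against the header your server actually returns (for example, copied from `curl -sI https://shop.example/`); a short max-age or a missing includeSubDomains is by far the most common finding.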
Data
Do not store critical data. Nobody should be storing CVV codes; this is not the early 2000s. Moreover, PCI DSS expressly prohibits it: elements such as CVV2 (Card Verification Value 2, the Visa card authentication code) and CVC2 (the equivalent MasterCard code) are sensitive authentication data and must never be stored after authorization.
If something has to be stored, minimize the amount of stored data and use encryption wherever possible. This mainly concerns personal data of the general category: name, address, order history, etc.
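The rule "never store CVV, never store a full card number" is easy to state and easy to break by accident, most often because a customer pastes their card number into a free-text field such as the order comment. The sanitizer below, an added example rather than the article's own code, drops sensitive authentication data, masks the card number to its last four digits and uses the Luhn checksum to find card numbers hiding in free text; the field names (card_number, cvv, comment) are assumptions about a hypothetical order form.

```python
"""Strip and mask card data before an order record is persisted.

Added example, not code from the original article. The field names
(card_number, cvv, comment) are assumptions about a hypothetical order form.
"""
import re
from typing import Any, Dict

# Sensitive authentication data: PCI DSS (requirement 3.2 in v3.x numbering)
# forbids storing these after authorization, even encrypted.
NEVER_STORE = ("cvv", "cvv2", "cvc2", "cid", "pin")
# 13-19 digits, optionally separated by spaces or dashes: the shape of a PAN.
DIGIT_RUN = re.compile(r"(?:\d[ -]?){13,19}")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum used by payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Keep only the last four digits, which PCI DSS allows to be displayed."""
    digits = re.sub(r"\D", "", pan)
    return "*" * (len(digits) - 4) + digits[-4:]


def redact_free_text(text: str) -> str:
    """Mask any digit run that looks like a PAN and passes the Luhn check."""
    def repl(m):
        digits = re.sub(r"\D", "", m.group(0))
        return mask_pan(digits) if luhn_ok(digits) else m.group(0)
    return DIGIT_RUN.sub(repl, text)


def sanitize_order(order: Dict[str, Any]) -> Dict[str, Any]:
    """Return a copy of the order that is safe to write to the database."""
    clean = {}
    for key, value in order.items():
        k = key.lower()
        if k in NEVER_STORE:
            continue                       # dropped entirely, never logged
        if k in ("card_number", "pan"):
            clean[key] = mask_pan(str(value))
        elif isinstance(value, str):
            clean[key] = redact_free_text(value)
        else:
            clean[key] = value
    return clean


# Constructed sample order; 4111 1111 1111 1111 is the well-known Visa test number.
SAMPLE_ORDER = {
    "order_id": "A4",
    "card_number": "4111 1111 1111 1111",
    "cvv": "123",
    "comment": "my card is 4111-1111-1111-1111, call me at 0123456789012",
}

if __name__ == "__main__":
    print(sanitize_order(SAMPLE_ORDER))
```

The 13-digit phone number in the sample comment is left alone because it fails the Luhn check; a tracking number that happens to pass it would be masked, which is the safer direction to err in. In a real store the card number should not reach the application at all (the gateway's hosted form or a tokenized field handles it), and this sanitizer is the backstop, not the design.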
Password policy
Require strong passwords: a minimum length, mixed-case letters, digits and special characters. This protects the customer's account from malicious actions. Often usability (conversion, abandoned checkouts) is put first and users are allowed to set any password; this is bad practice, and complex combinations are needed to protect user data.
The password policy for technical staff (site administrators) should be stricter still: in addition to tougher requirements on the password itself, carry out regular maintenance procedures for changing passwords, for example once a month.
After contract work is completed, delete the accounts that are no longer used. Passwords must also be changed after key employees leave.
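The two-tier policy described above (customers and administrators) is easy to express as a small policy object plus a check that returns every violation at once, so the registration form can show them all. The code below is an added example, not from the original article; the thresholds (12 versus 16 characters, 3 versus 4 character classes, a 30-day rotation for administrators) and the tiny blocklist are assumptions chosen for illustration.

```python
"""Password policy for customers and a stricter one for administrators.

Added example, not code from the original article. The thresholds
(12/16 characters, 3/4 character classes, 30-day rotation for admins)
and the tiny blocklist are assumptions chosen for illustration.
"""
import string
from datetime import date, timedelta
from typing import List, NamedTuple, Optional


class Policy(NamedTuple):
    min_length: int
    min_classes: int             # out of: lowercase, uppercase, digit, special
    max_age_days: Optional[int]  # None = no forced rotation


CUSTOMER = Policy(min_length=12, min_classes=3, max_age_days=None)
ADMIN = Policy(min_length=16, min_classes=4, max_age_days=30)

# Constructed stand-in for a real breached-password list.
BLOCKLIST = {"password", "123456", "qwerty", "letmein", "admin"}


def _char_classes(pw: str) -> int:
    tests = (str.islower, str.isupper, str.isdigit,
             lambda c: c in string.punctuation)
    return sum(any(t(c) for c in pw) for t in tests)


def check_password(pw: str, policy: Policy, account: str = "") -> List[str]:
    """Return the list of policy violations; an empty list means accepted."""
    problems = []
    if len(pw) < policy.min_length:
        problems.append(f"shorter than {policy.min_length} characters")
    if _char_classes(pw) < policy.min_classes:
        problems.append(f"fewer than {policy.min_classes} character classes")
    if pw.lower() in BLOCKLIST:
        problems.append("on the common-password blocklist")
    local = account.split("@")[0].lower()   # e-mail local part or plain username
    if len(local) >= 4 and local in pw.lower():
        problems.append("contains the account name")
    return problems


def password_expired(changed_on: str, policy: Policy, today: str) -> bool:
    """Rotation check for the monthly maintenance run (dates as ISO strings)."""
    if policy.max_age_days is None:
        return False
    age = date.fromisoformat(today) - date.fromisoformat(changed_on)
    return age > timedelta(days=policy.max_age_days)


if __name__ == "__main__":
    print(check_password("Correct-Horse-9", ADMIN, "shopadmin@example.com"))
    print(password_expired("2024-01-01", ADMIN, "2024-02-15"))
```

Run `password_expired` over the admin table as part of the monthly maintenance described above; for contractors it is simpler to disable the account outright than to keep rotating its password.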
Anti-fraud
Use a system of warnings and alerts for suspicious activity: many operations from the same IP address, a change of delivery details after payment, and many other indicators, which are usually specific to the particular area of online trading. Holding an order while the transaction is checked for legitimacy can also be used here.
Good practice is to use the 3-D Secure schemes (Verified by Visa, MasterCard SecureCode, JCB J/Secure, American Express SafeKey). In some markets, notably the US and UK, AVS (Address Verification System) is also widely used.
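The alerting described above is a set of rules run over the order event stream. The rule engine below is an added example, not code from the original article; it implements three of the indicators the text names (order velocity per IP, an unusually large order for a known customer, and a delivery address changed after payment). The event format, the thresholds (5 orders per IP in 10 minutes, an amount at least 10 times the customer's average) and the sample events are all constructed assumptions.

```python
"""Rule-based anti-fraud alerts over a stream of order events.

Added example, not code from the original article. The event format,
thresholds and sample data are constructed assumptions.
"""
from collections import defaultdict, deque
from typing import Dict, List, NamedTuple


class Order(NamedTuple):
    ts: int            # seconds since epoch
    order_id: str
    customer: str
    ip: str
    amount: float
    ship_addr: str


class AddressChange(NamedTuple):
    ts: int
    order_id: str
    new_addr: str
    paid: bool         # was the order already paid when the address changed?


VELOCITY_WINDOW = 600     # seconds
VELOCITY_MAX = 5          # orders per IP inside the window before alerting
AMOUNT_FACTOR = 10.0      # order amount vs. the customer's historical average


def detect(events) -> List[str]:
    """Return one alert string per suspicious event, in input order."""
    alerts = []
    per_ip: Dict[str, deque] = defaultdict(deque)      # sliding window of timestamps
    history: Dict[str, List[float]] = defaultdict(list)  # past amounts per customer
    for ev in events:
        if isinstance(ev, Order):
            q = per_ip[ev.ip]
            q.append(ev.ts)
            while q and ev.ts - q[0] > VELOCITY_WINDOW:
                q.popleft()
            if len(q) > VELOCITY_MAX:
                alerts.append(f"{ev.order_id}: {len(q)} orders from {ev.ip} "
                              f"within {VELOCITY_WINDOW}s")
            past = history[ev.customer]
            if past and ev.amount >= AMOUNT_FACTOR * (sum(past) / len(past)):
                alerts.append(f"{ev.order_id}: amount {ev.amount:.2f} is at least "
                              f"{AMOUNT_FACTOR:g}x the customer's average")
            past.append(ev.amount)
        elif isinstance(ev, AddressChange) and ev.paid:
            # Classic pattern: pay with a stolen card, then redirect the parcel.
            alerts.append(f"{ev.order_id}: delivery address changed to "
                          f"{ev.new_addr!r} after payment")
    return alerts


# Constructed sample stream: a regular customer, a burst of guest orders from
# one IP, then a large order whose address is changed after payment.
SAMPLE_EVENTS = [
    Order(1000, "A1", "alice", "203.0.113.10", 40.0, "1 Main St"),
    Order(1100, "A2", "alice", "203.0.113.10", 35.0, "1 Main St"),
    Order(1200, "A3", "alice", "203.0.113.10", 45.0, "1 Main St"),
    *[Order(2000 + i * 30, f"B{i}", f"guest{i}", "198.51.100.7", 99.0, "PO Box 7")
      for i in range(6)],
    Order(5000, "A4", "alice", "203.0.113.10", 900.0, "1 Main St"),
    AddressChange(5100, "A4", "drop point 12", paid=True),
]

if __name__ == "__main__":
    for line in detect(SAMPLE_EVENTS):
        print(line)
```

Each alert is a reason to put the order on hold for manual review rather than to reject it outright; the thresholds are deliberately easy to tune, because the right values differ between, say, a grocery store and an electronics store.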
Protective mechanisms
A good solution is the preventive use of anti-DDoS, IDS, IPS and WAF mechanisms to protect against exploitation of vulnerabilities in the network architecture, services and applications.
These systems can detect and prevent most known (signature-based) attacks, but they are not a panacea. A set of measures is required, together with analytical work on anomalies and the detection of malicious activity.
Competent configuration of these systems, tuned to the specific site, is essential.
PCI DSS
Adhere to the PCI DSS requirements and perform the operational checks it prescribes.
PCI DSS (Payment Card Industry Data Security Standard) is the data security standard of the payment card industry. It is maintained by the PCI Security Standards Council, founded by the major card brands (Visa, MasterCard, American Express, Discover and JCB). Any organization that accepts or processes card data on its website must comply with PCI DSS.
The standard is a set of 12 detailed requirements for the security of cardholder data that is transmitted, stored and processed in an organization's information infrastructure. Meeting them requires a comprehensive approach to the security of payment card data.
Security audit
An online store is the main trading tool and needs to operate stably and without interruption. This can be ensured only with due attention to the security of the site, in particular through a security audit.
A routine security audit of the information system (for example, every quarter) makes it possible to assess the maturity of the information security management system and to identify vulnerabilities for timely elimination. One of the main stages is an external black-box penetration test.
A comprehensive site security audit is necessary for compliance with PCI DSS requirements 6.3, 6.5, 6.6 and 11.3.2.
Companies that work only through a payment gateway and never receive their customers' card data on their own site are subject to the gateway's risk department requirements (HRC), which are less rigid than PCI DSS; but even then it is necessary to look for possible vulnerabilities in the e-commerce website.
Patch management
Keep all components of the information system up to date: the CMS and its components, and everything else, including the server operating system and its modules.
The importance of timely updates for maintaining an appropriate level of security is obvious.
Good practice is to test updates in a dev environment before upgrading production: some updates contain or introduce bugs, including critical vulnerabilities.
Backup
The backup scheme and schedule are important. Perform regular backups, both incremental and differential. Periodically verify that the current backups are up to date and can actually be restored, and store them reliably and securely off-site, outside the infrastructure being backed up.
Staff awareness
Train staff and contractors on current information security threats. One of the important points is explaining the main social-engineering attack vectors and manipulation techniques.
Conclusion
Site security is a continuous process that protects an e-commerce site from most existing threats. It includes:
• security audit and monitoring of the site;
• immediate response to identified problems and their remediation;
• verification that identified problems have actually been resolved;
• routine maintenance.
Only a comprehensive approach to security keeps the site, your customers and their data safe, minimizing the probability of compromise and the resulting financial and reputational risks.
This text is a translation of the article “Лучшие практики защиты e-commerce сайтов” published by @LukaSafonov on habrahabr.ru.
About the CleanTalk service
CleanTalk is a cloud service that protects websites from spam bots. CleanTalk uses protection methods that are invisible to the website's visitors, which allows you to abandon methods that require the user to prove that he is a human (CAPTCHA, question-and-answer, etc.).