
Best practices for protecting e-commerce sites



Online stores have always attracted intruders: they are a source of credit card data (now almost irrelevant), user data, data on orders and market trends (customer demand), traffic sources, opportunities for manipulating discount coupons, and so on. An e-commerce site can be attacked opportunistically (a non-targeted attack) or on commission from unscrupulous competitors. Recently, DoS / DDoS attacks of various kinds have become popular, both for putting a competitor out of action and as a tool for blackmail.

In this article, I will describe the best practices for protecting e-commerce sites.

Basic attack vectors


There are quite a lot of attack vectors against a web application; they can be divided into direct and indirect.

Direct - when an attack is directed at a web application:

Indirect - when related services are used to attack an online store:


Hosting


First you need to choose a reliable hosting provider. Many leading market players have specialized offers for online stores. It is important that your hosting provider maintains regular backups, keeps comprehensive action logs and monitors network activity. Another important factor is a system of notifications about abnormal actions on the account, possible infection of the site, etc. Technical support (usually within the framework of the tariff) must notify you of the violation, provide at least minimal instructions (or a reference to the knowledge base) on how to solve the problem, and assist in solving it. The best solution would be to use VPS / VDS hosting.

CMS


If possible, use a secure e-commerce platform. It must support strong authentication (2FA, OTP, etc.), the ability to restrict access to the administrative area, etc.

The CMS itself, its plugins, modules, etc. must be kept at current versions. The best option is a CMS that can update itself automatically (especially for critical vulnerabilities). Another important factor is native support for a WAF / anomaly detector / out-of-the-box blocker, or an additional module or plugin that provides it.

An additional advantage is the use of mechanisms for validating and sanitizing data within the CMS, such as frameworks or libraries like HTML Purifier.

SSL / TLS


Use a secure connection: encrypt the communication channel between the site and the client's browser for transferring information. Nowadays the relevant protocol is TLS (Transport Layer Security), which out of habit many people still call SSL (Secure Sockets Layer).

It is important to use the latest (current) versions of cryptographic protocols for proper data protection.

A good practice is to use HSTS (HTTP Strict Transport Security), a mechanism that forces a secure connection over HTTPS. This security policy lets the browser establish a secure connection immediately instead of using HTTP. The mechanism uses the special Strict-Transport-Security HTTP header to redirect a user who arrived via HTTP to the HTTPS server.
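As an added example (not code from the original article), the following Python parses a Strict-Transport-Security header the way a browser would, reports weak or missing policy settings, and builds a client SSLContext that refuses protocol versions older than TLS 1.2; the one-year minimum for max-age is an assumed threshold.

```python
import ssl

# Assumed floor for HSTS max-age: one year (the value preload lists expect).
MIN_MAX_AGE = 31536000


def parse_hsts(header_value):
    """Parse a Strict-Transport-Security value into its three directives.

    Directive names are case-insensitive (RFC 6797); unknown ones are ignored.
    """
    result = {"max_age": None, "include_subdomains": False, "preload": False}
    for directive in header_value.split(";"):
        name, _, value = directive.strip().partition("=")
        name = name.strip().lower()
        value = value.strip().strip('"')
        if name == "max-age" and value.isdigit():
            result["max_age"] = int(value)
        elif name == "includesubdomains":
            result["include_subdomains"] = True
        elif name == "preload":
            result["preload"] = True
    return result


def hsts_findings(header_value):
    """Return findings for a missing or weak HSTS policy (empty list = OK)."""
    if header_value is None:
        return ["HSTS header missing: first request over HTTP is not upgraded"]
    policy = parse_hsts(header_value)
    findings = []
    if policy["max_age"] is None:
        findings.append("max-age missing: header is ignored by browsers")
    elif policy["max_age"] == 0:
        findings.append("max-age=0 disables HSTS for this host")
    elif policy["max_age"] < MIN_MAX_AGE:
        findings.append("max-age below one year")
    if not policy["include_subdomains"]:
        findings.append("includeSubDomains absent: subdomains stay reachable over HTTP")
    return findings


def hardened_client_context():
    """Client SSLContext that only negotiates TLS 1.2 or newer (stdlib only)."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx
```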

Data


Do not store sensitive data. No CVV codes; this is not the early 2000s any more. Moreover, the PCI DSS standard prohibits this directly: elements such as CVV2 (Card Verification Value 2, the authentication code of Visa cards) and CVC2 (the equivalent code for MasterCard cards) are sensitive authentication data and therefore cannot be stored.

If you have to store something, minimize the amount of stored data and, where possible, use encryption. This mainly concerns the processing of personal data of the general category: name, address, order, etc.
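An added example (not from the original article) of the minimization rule above: the record handed to storage drops the sensitive authentication data fields outright, keeps only a masked PAN (first six and last four digits) plus a keyed hash for recognising repeat cards, and carries nothing else. The field names and the demo HMAC key are constructed for this example.

```python
import hashlib
import hmac

# Sensitive authentication data: never written to storage after authorization (PCI DSS).
SENSITIVE_AUTH_FIELDS = {"cvv", "cvv2", "cvc2", "cid", "pin", "track1", "track2"}

# Constructed demo key; a real deployment keeps this in a KMS/HSM, never in source.
DEMO_HMAC_KEY = b"constructed-demo-key-do-not-use"


def _digits(pan):
    return "".join(ch for ch in pan if ch.isdigit())


def mask_pan(pan):
    """Keep at most the first 6 and last 4 digits, the most PCI DSS allows to show."""
    digits = _digits(pan)
    if len(digits) < 13:
        raise ValueError("PAN too short")
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def pan_reference(pan, key=DEMO_HMAC_KEY):
    """Keyed hash of the PAN: lets you match a returning card without storing the PAN."""
    return hmac.new(key, _digits(pan).encode(), hashlib.sha256).hexdigest()


def minimize_for_storage(payment):
    """Return (record_to_store, dropped_fields) for a payment dict.

    Only order-related fields survive; CVV2/CVC2 and similar are discarded and the
    raw PAN is replaced by its masked form and keyed reference.
    """
    dropped = sorted(k for k in payment if k.lower() in SENSITIVE_AUTH_FIELDS)
    stored = {
        "order_id": payment["order_id"],
        "amount": payment["amount"],
        "pan_masked": mask_pan(payment["pan"]),
        "pan_ref": pan_reference(payment["pan"]),
        "expiry": payment.get("expiry"),
    }
    return stored, dropped
```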

Password policy


Require strong passwords: alphanumeric combinations in mixed case, special characters, and a minimum password length. This way the customer will be more reliably protected from the actions of intruders. Often the usability question (conversion, abandonment) comes first and users are allowed to use any password; this is bad practice. Complex combinations are needed to protect user data.

The password policy for technical personnel (site administrators) should be even stricter: in addition to more stringent requirements for generating a password, regular password changes are necessary, for example once a month.

After contract work is finished, unused accounts must be removed. Passwords must also be changed after key employees leave.
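The three rules of this section, as an added example in Python (not code from the original article): a complexity check with a stricter profile for administrators, a rotation check that enforces the monthly change for administrators, and a sweep that lists contractor accounts past their contract end or idle too long. The minimum lengths and the 90-day idle limit are assumed values; the article itself fixes only "once a month".

```python
from datetime import date
import string

# Policy parameters. Only the 30-day admin rotation comes from the article;
# the lengths and the idle limit are assumed values for this example.
POLICIES = {
    "customer": {"min_length": 10, "max_age_days": None},
    "admin": {"min_length": 14, "max_age_days": 30},
}
IDLE_LIMIT_DAYS = 90
SPECIALS = set(string.punctuation)


def password_problems(password, role="customer"):
    """Return the policy rules a password violates (empty list = accepted)."""
    policy = POLICIES[role]
    problems = []
    if len(password) < policy["min_length"]:
        problems.append(f"shorter than {policy['min_length']} characters")
    if not (any(c.islower() for c in password) and any(c.isupper() for c in password)):
        problems.append("needs both lower- and upper-case letters")
    if not any(c.isdigit() for c in password):
        problems.append("needs a digit")
    if not any(c in SPECIALS for c in password):
        problems.append("needs a special character")
    return problems


def rotation_due(role, last_changed, today):
    """True when an account of this role must change its password (ISO date strings)."""
    max_age = POLICIES[role]["max_age_days"]
    if max_age is None:
        return False
    age = date.fromisoformat(today) - date.fromisoformat(last_changed)
    return age.days >= max_age


def accounts_to_disable(accounts, today):
    """Usernames to remove: contractors past 'contract_end', or anyone idle longer
    than IDLE_LIMIT_DAYS. Each account is a dict with 'user', 'contract_end'
    (ISO date or None) and 'last_login' (ISO date)."""
    now = date.fromisoformat(today)
    stale = []
    for acc in accounts:
        end = acc.get("contract_end")
        expired = end is not None and date.fromisoformat(end) < now
        idle = (now - date.fromisoformat(acc["last_login"])).days > IDLE_LIMIT_DAYS
        if expired or idle:
            stale.append(acc["user"])
    return sorted(stale)
```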

Antifraud


Use a system of warnings and alerts for suspicious activity: a series of operations from a single IP, a change in delivery details, and many other factors, usually highly specific to a particular area of online trading. Here you can apply order holds, purity checks and so on.

A good practice is to use 3-D Secure, MasterCard SecureCode, J/Secure and SafeKey. Abroad, AVS (Address Verification System) is often used.
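An added example (not from the original article) of the two alert conditions named above, run over a constructed order feed: a burst of orders from one source IP inside a short window, and a customer whose delivery address differs from their previous order. Orders that trigger an alert are returned for a manual hold; the thresholds are assumed values.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Thresholds are assumptions for this example; real values are tuned per shop.
MAX_ORDERS_PER_IP = 3
IP_WINDOW = timedelta(minutes=10)

# Constructed sample feed: (timestamp, order_id, customer_id, source_ip, delivery_address)
_T0 = datetime(2024, 5, 1, 12, 0)
SAMPLE_EVENTS = [
    (_T0, "o1", "c1", "203.0.113.5", "Main St 1"),
    (_T0 + timedelta(minutes=1), "o2", "c2", "203.0.113.5", "Oak Ave 2"),
    (_T0 + timedelta(minutes=2), "o3", "c3", "203.0.113.5", "Pine Rd 3"),
    (_T0 + timedelta(minutes=3), "o4", "c4", "203.0.113.5", "Elm St 4"),
    (_T0 + timedelta(hours=2), "o5", "c1", "198.51.100.7", "Other St 9"),
]


def fraud_alerts(events):
    """Replay order events in time order and return [(order_id, reason), ...].

    Rule 1: more than MAX_ORDERS_PER_IP orders from one source IP inside IP_WINDOW.
    Rule 2: a customer's delivery address differs from their previous order.
    """
    alerts = []
    recent_by_ip = defaultdict(list)   # ip -> order timestamps still inside the window
    last_address = {}                  # customer -> delivery address of previous order
    for ts, order_id, customer, ip, address in sorted(events):
        window = [t for t in recent_by_ip[ip] if ts - t <= IP_WINDOW] + [ts]
        recent_by_ip[ip] = window
        if len(window) > MAX_ORDERS_PER_IP:
            alerts.append((order_id, f"{len(window)} orders from {ip} within {IP_WINDOW}"))
        previous = last_address.get(customer)
        if previous is not None and previous != address:
            alerts.append((order_id, f"delivery address changed for {customer}"))
        last_address[customer] = address
    return alerts


def orders_to_hold(events):
    """Order ids to hold for manual review before fulfilment."""
    return sorted({order_id for order_id, _ in fraud_alerts(events)})
```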

Protective mechanisms


A good solution is to use proactive anti-DDoS, IDS, IPS and WAF mechanisms to protect against exploitation of the network architecture, services and applications.

These systems can detect and prevent the majority of known (signature-based) attacks, but they are not a panacea. A complex of measures and analytical work on anomaly analysis and detection of malicious activity are needed.

An important factor is competent, customized configuration of these systems.

PCI DSS


Comply with PCI DSS requirements and routine checks.

PCI DSS (Payment Card Industry Data Security Standard) is the data security standard of the payment card industry. The standard was developed by the international payment systems Visa and MasterCard. Any organization that plans to receive and process bank card data on its website must comply with PCI DSS requirements.

The standard is a set of 12 detailed requirements for the security of cardholder data that is transmitted, stored and processed in the information infrastructure of organizations. Adopting the measures needed to comply with the standard implies an integrated approach to the information security of payment card data.

Security audit


The online store, as the main trading tool, should work stably and smoothly. These conditions can be ensured only by paying proper attention to the security of the resource, in particular through a site security audit.

A regular (for example, quarterly) information system security audit makes it possible to assess the maturity of the information security management system and to identify vulnerabilities for prompt elimination. One of the main steps is external black-box penetration testing.

A comprehensive site security audit is required to meet the requirements of 6.3, 6.5, 6.6, 11.3.2 of the PCI DSS standard.

Companies that work only through a payment gateway and do not accept customers' bank card data on their own site are subject only to the requirements of the payment gateway's risk department, and the audit requirements are not as strict as in the PCI DSS standard; but even in this case, work to identify possible vulnerabilities of the e-commerce site is needed.

Patch management


It is necessary to keep the components of the information system up to date: both the CMS version and its components, and everything else, such as the server OS version and its modules.

The importance of updates and their timely installation for maintaining an adequate level of information security is obvious.

Testing updates in a dev environment before upgrading production is good practice: some updates may contain or introduce errors, including critical vulnerabilities.

Backup


Important parameters are the backup scheme and schedule. Regular backups of both incremental and differential types are necessary. Periodically check that current backups are up to date and restorable, and ensure their safe and secure storage outside the perimeter of the system being backed up.

Staff awareness


Personnel and contractors must be briefed on existing information security threats. An important factor is explaining the main social engineering attack vectors and manipulation methods.

Conclusion


Resource security is a continuous process that protects e-commerce from the majority of existing threats and includes the following actions:

Only with an integrated approach to resource security will your clients and their data be safe, minimizing the likelihood of resource compromise and the resulting financial and reputational risks.

Source: https://habr.com/ru/post/276921/