Simple Steps To Secure Your Online Store

Date aired: September 12, 2018

During this webinar, we'll discuss some basic security concepts for your online store that include what tools you'll need to remain PCI compliant and keeping your data safe.

Victor Santoyo

Account Executive

Victor is an Account Executive for Sucuri. A technology enthusiast focused on expanding his knowledge of online security. When away from the keyboard, going out for long runs or watching sports with his family.

Questions & Answers

Question #1: Should I have HTTPS/SSL if I use a third-party payment processor like Paypal (hosted page)?

Answer: Absolutely! Google is coming down harder on sites not transmitting over HTTPS, even if you take contact information, like names and emails.

In addition, there is a positive ranking benefit to moving to HTTPS, along with the other extended benefits of your audience knowing that they are safe to navigate and send info through your site.

Question #2: What if we're a small team and aren't capable of having a data protection officer?

Answer: Talk to the team and see who’s willing to take on more tasks. If someone is already designated to address security concerns, talk to them about ensuring you’re already practicing these principles.

If you don’t have knowledge internally, then I would recommend reaching out to a third-party vendor who are professionals in this field. Allow them to become an extension of your team.

Question #3: What's the best way to communicate to my client, if I'm the webmaster, about using certain plugins? Like WordPress plugins?

Answer: Be upfront with them. Let them know that while that plugin or extension seems really cool, it hasn’t been updated in over six months so it poses a high security risk for their site.

The more you continue to push the urgency around security and the reason you’re saying “no” to certain requests or features, the more they’ll realize that you’re ultimately doing this in their best interest.

Question #4: Will you always need backups as part of your disaster recovery?

Answer: YES. In fact, you should also back up your backups as well. I had a case this week where a gentleman was dealing with a compromise across 60 sites within the same hosting account. He was looking for some affordable work-arounds and I offered the idea of rolling back to backups.

He actually had already done this through the backups offered through his host but it turned out that the backups were corrupted as well.

So it’s important to not only have backups but also test them to ensure they’re working. Keeping them offsite (cloud, USB, local storage) is also highly recommended.

Question #5: Do I need a special type of SSL certificate for my ecommerce shop, and can you recommend a provider?

Answer: Not really. Most SSL certificates operate under the same encryption standard. You might see some Extended Validated SSLs out there (EV SSLs) that showcase the business name within the green bar but it doesn’t necessarily add to the encryption methods needed to protect the data in transit.

LetsEncrypt is a good free alternative if you’ve got the time to deploy and keep up with the 90-day regeneration process.

Question #6: Is it important in terms of being PCI compliant to have the security solution also certified? Does anyone check for these?

Answer: If you mean whether it’s important that the vendor themselves are PCI compliant (like ourselves, we’re a certified Level 1 PCI provider), it certainly can be. Different QSAs or auditors may require this documentation to ensure that all aspects of your business are compliant. If you’d like a copy of our AOC, just email us at info@sucuri.net.

Question #7: Can we get some examples of ecommerce sites using your protection services?

Answer: Sure, please see sucuri.net/customers/.

See all Questions & Answers

Expand

Transcript

Name: Victor Santoyo - Title: Account Executive

Thank you, Val, as always. Well my name is Victor. As Val mentioned, I'm an account executive for Sucuri. We're going to talk on a number of things today and one of the few takeaways that I'm hoping everyone has an opportunity to absorb is first, the ability reduce your attack surface for your E-commerce site, best practices for protecting the cardholder data that you're likely taking in, as well as making sure that you have a proper disaster recovery plan set up for your website.

Now in terms of who these types of topics are for, well, for the most part this webinar will be catering to self-hosted stores. So if you're deploying some type of content management system such as Magento or WooCommerce or WordPress as an example, you're going to probably take a lot of takeaways from this at every stage of webinar, but having said that, if you are also utilizing an online presence through other means like a closed platform for example, there are probably good practices as well that will be good for your entire organization as a whole.

Now typically when we do these webinars, we always like to provide some insight into who we are before we talk about what we do. So one thing to note is if you've seen a couple of our webinars before, I've done some in the past so just to give you more additional insight into sort of my day-to-day life. My last webinar, I touched on the fact that I had brought in two new kittens. That's who they were back in April. To give you insight who they are now, they are there on the left hand side. For those cat lovers, that I'm pleasantly surprised how big they're getting. Any insight that you have to share with me on that, by all means hit me on Twitter for that.

Pulled pork sandwiches are an auto order for me at any restaurants. If you're a restaurateur, by all means hit me up as well. Would love to taste whatever you have. And this is my fifth Sucuri webinar. It took me by surprise when I got that nugget the other day. I think I'm the first to hit five. Ideally, hopefully I'm the first to hit ten, too. We'll see about that.

So, why we're here. A lot of what we've seen in terms of emphasis going into now the later part of 2018, it's more about addressing a lot of risk when it comes to your online presence, and in specific a lot of online stores that are collecting all kinds of data. With GDPR coming into place into the later part of May and June earlier this year, that became a higher priority of a topic, and I thought maybe addressing data and E-commerce as whole might be of benefit, and especially as we go into 2019 where a lot of these attacks are targeting E- commerce shops are definitely growing in scale.

Now, one of the first things you sort of have to do when it comes to evaluating what type of security measures one should take, is first analyzing and essentially reducing your attack surface. What does that mean? Well, it's essentially evaluating your exposure. What do you have? And how available is it? And what type of upkeep are you keeping with the kind of components and software you're using to run your online store?

So, first things first, when you talk about any extensions or plugins that you're using, do you absolutely need it? I think sometimes we get a little bit click-happy in terms of going and seeing new features or new forms or integrations, and we start installing things left and right. But when it comes to basically owning up to the responsibility of making sure that all of our visitors and consumers and clients are safe when visiting our site, we have to be a bit more hard line in understanding, are we using what we absolutely need?

Beyond that, we have to also understand what happens if a vulnerability is disclosed. So, what happens when something does happen with an open- sourced platform? Whether it's a Magento specific disclosure or a plugin against WordPress that's been recently found with some new tactic that's being exploited. What are we doing? What actions are we taking? Are we even aware? Do we have some type of insight into let's say, a feed or blog that provides that type of information? Note, we do provide some updates on our blog about important security disclosures. So just having this ability into that is going to be another thing upon understanding your attack surface as a whole and making sure you can help reduce that risk.

The next thing to understand is of course what developers are doing in terms of prioritizing security measures. When we do understand what components we absolutely need, are we seeing that the developers are updating it frequently? Or are we installing something that hasn't been updated or touched in about eight months? So understanding of course the quality of the component or the extension or plugin that you're using is just as crucial, because we want to make sure that the people that essentially we're working with, you know, as we install new themes and plugins, we're depending on these authors to continue to upkeep the software so that our sites are running not only functionally, but safely. So making sure that they are keeping up-to-date with at least recent updates and auditing their own code, seeing of course that there are a lot of downloads to begin with meaning of course it's trusted among a large base. I'd rather have the plugin that's downloaded 20,000 times versus the one that's only been downloaded 20 times. So, just a bit of a nugget there for you as well.

And mentioning of course, do you have a plan when these updates are released? This sort of touches on the second question, what happens if vulnerability is disclosed? So you have insight into knowing, okay, great, there is a new security disclosure, and great, developer has pushed out a new update. Well, do we have a plan in place to either automate or delegate the task to someone internally to ensure that those updates are applied? And not just applied, but of course you also want to ensure those updates, when made, don't cause any disruption in the operation of the site, so you want to look after bugs or anything like that. So even from just a security standpoint, you also want to make sure the tools you're using are working properly.

Now, those are some of the key aspects. So, sort of the notes I hit on with theories about making sure you're leveraging a lot of core functionality, you know, things that are made for WordPress or for Magento or anything like that, versus some weird third-party tool that's on some website that might have been torrented somewhere just because maybe you were trying to cut costs. If the third-party is an option make sure that whatever you do download, as I mentioned, has a reputable source, so, a lot of downloads, high ratings, recently updated, those are the kinds of things you want to look for. And as well, making sure you that the ones you do end up keeping and using on an ongoing basis continue to be reliable, secure and supported.

Now, that's just of course maintaining visibility over that, but from a proactive standpoint, those measures aren't going to necessarily block threats or minimize risk or exposure. They help give you insight, doesn't necessarily help you from defending against those threats. So, what should one do when protecting your online store? Well, first things first of course is just establishing importance of having secure payments processed through your site. The last thing we want is our clients complaining that they think that their credit card information was stolen through our website. That gets into a lot of other things, so to ensure the integrity and the trust of your consumers, we want to sort of go through this checklist of things so that we know that we're doing our best and more importantly, if you've probably caught on by now, is making sure that you're also compliant with all the regulations that are out there to make sure that data is safe. PCI DSS, GDPR.

So, I'll go through this list briefly, but a lot of it does seem common sense, but you would be surprised by how many times people neglect to answer one of these questions.

First thing of course is what type of information are we collecting? So just understanding the inventory of the data that we're asking of people to enter into our website. Credit cards, passwords, names, addresses, ZIP codes. Anything that could identify someone personally are the type of information we need to know that we are collecting.

Who has access to this information? And who should? Two different questions, right? Because we do have let's say, system admins should have access to this data, does not necessarily mean that the front clerk wouldn't just as easily be able to access that, when they realistically don't have any reason to. So, also understanding who has that access and establishing roles within your team as well is important.

If someone does access the information, whether they were supposed to or not, are those events recorded? So that way if something happens you have some type of history that we can backtrack against, and then better understand what happened and when.

Now, in terms of of course the active processing of payment, are ensuring that the data is protected in transit? Or in other words, are we using a valid SSL Certificate on the site. And one thing we want to make sure of is of course it's a valid certificate. Don't try to use self-signed certificates, browsers are likely not to trust them and of course you're not going to be entrusted with the green padlock there, which of course if it's not there and you're asking for payment or information, people are a bit more conscious these days and they'll -

... information, people are a bit more conscious these days in knowing, well, Padlock's not there. It's asking for info. I don't know if I should really submit this info here. Are you monitoring that data probably, so knowing exactly where the data is, how long are you storing it for. These are just some of the questions. At what level does your business fall with specific to PCI Compliance. Are you level one, a level two provider? What specific things you have to do to ensure you maintain that compliance. That's a different conversation but just something to make sure that you have some insight into. And are any change at the site being logged as well?

Now, this isn't data specific but any change at the site, i.e. to the files, database, your DNS, anything that is a missed step along that workflow could potentially result in a data breach which is why it's important to know. So if there are change to the site that allow of open access, let's say global write access to all of your files, that's a pretty risky proposition. And then knowing when those changes were made and allows to revert back to either a backup of some sort, so it gives us time to fix the problem.

Now, this is important because part of those requirements within and more specific to PCI is understanding the intent of the what, the who, where, and when of people accessing your data resources. It's really important. We're sharing a lot of information these days online. It's really easy for us to save our info through our mobile browser and it auto-fills and boom, it take a half a second process. Think about that we're sending information on the web. So it's really important that also we maintain a really good understanding of all access points when it comes to data.

Now, what data are we talking about in specific? I mentioned what data are we ... as a business are you taking care of but what data are you responsible for, period? Well, it does depend on what regulations you're expecting to follow. Now, this is a topic I approached via webinar and blog before. But under GDPR, the one thing to know is that personal data essentially means any bit of information that can identify me. So whether that's my location, whether that is my sex, whether that is my address, phone number, anything that can identify me is something that has a ... as a business, I need to make sure that I'm properly securing that data.

Now, under PCI, a bit more specific. We're talking about cardholder data, so your account number and your expiration date, and the code on the back of your card, things of that nature. So that's a bit more specific in scope. But GDPR is a bit more broad. So if you are running a business and you do feel like you have to fall within GDPR guidelines, then let's be sure that you are making sure ... that you are knowing what type of data is being accessed or submitted all across your online presence.

How do we protect that cardholder data or payment data in general? Well, a couple ways to go about that. And again, I'll go briefly into sort of the things that you need to do. But I mentioned this just now, PCI is bit more specific in scope because it's just one piece of information that I have as an individual. But if the information that I have in terms of my account number is breached meaning I have a PCI breach, that does automatically mean I'm in breach on your GDPR. And if you're aware about GDPR breaches and those consequences, you know the fines are heavy. And so you don't want to be at risk of bottoming out the business just because you didn't properly essentially dot the I's and cross your T's.

Here's a couple of guidelines in terms of protecting cardholder data. It's quite a bit so that's why it's a good thing we always like to share these presentations so you can sort of store it and read it through later. But I'll go through some of the key ones so you have a better understanding of what the intent here and what we're looking to accomplish.

The second one I think is the one that's really important one I try to hammer home all the time which is providing access to the data only to those intended to access it. So it's something I touched on earlier, right? Sysadmins or data protection officers may have access to certain parts of the data that they need. Front clerks, marketing managers may not and so we want to make sure that the access to that data is only issued to those who absolutely need it.

Talking to this again on monitoring your access to those systems and to the data itself, right? Who accesses what, when, and where? Making sure that you have permission changes audited and then so that if you can identify unauthorized personnel that made those changes, whether it's malicious in intent or accidental. Depending on how large the organization is, making sure you have a workflow that then alerts to a designated data protection officer. This is a new role this year that people are generating in response to a lot of the new security measures taken in terms of protecting data. So whether it is a DPO or another sysadmin or administrator of some type so that they are alerted in the event that there is a potential problem. Anything that does seem suspicious, they should know about.

Wherever it is that you're keeping your data, should absolutely remain encrypted, okay. Meaning it shouldn't be readable to anyone that just goes and grabs it. Encryption is going to be a big key and encryption is one of the things you have to hit in terms of making sure you are compliant with both sets of regulations, right?

From here, we also want to touch on in the event that something goes wrong. Now, I know. We're here, we think your business won't get touched. You're small, who would want to hurt you? Ultimately, those types of factors don't play in the security landscape now because a website that may have just gone deployed and gone live yesterday may get hacked today. Just as likely as a site that's been on for 20 years and never seen a problem and all of a sudden, boom, they get hacked.

So who you are, how big you are, are not going to be things that you should weigh in terms of whether or not you should prepare for the worst. Very likely, you're going to face an incident at some point no matter how big or small you are.

So what should we do? What type of plan do we come up with in the event that the worst occurs? It's not about if, it's more about when. This is a pinwheel that I sort of modified by looking online, that I really gravitated toward because I think it really does sort of simplify it for you as either the business owner or the webmaster in terms of making sure you do have the proper procedures in place to respond in the events of an incident.

So first things first, response. The site's hacked, you're concerned about a breach. You have to make sure then in that case you're responding. What does that mean? Well, if you're hacked, that means you got to get it cleaned up. So whether that is you've already generated steps to have someone internally taking care of the hack or whether you don't have a team or personnel for that, then you reach an outside vendor. You have their number, you have someone in contact that you reach out to and say, "Hey, my site's been hacked. I need help." The sooner, of course, you can ... the sooner you have a plan like this in place, the less time goes by when you need to discover this person in the event that you do need to lean on a third-party vendor. So responding to and making sure you get the immediate issue cleaned up and then making whatever analysis or audits are necessary to sort of making sure you get the information you need to know what happened.

Recovery. Recovery here sort of is a byproduct of your response. But recovery as well means making sure that you are getting up and making clear transparency available to your base about an issue. If you're trying to comply with GDPR, you should know that you have to alert to a potential breach within 72 hours of notice. So making sure that part of that recovery process is brand recovery as well so being forthright and quick will pay a lot of dividends versus disguising a breach and uncovering that six months later. So you hear a lot of that in the news lately.

Recovery as well, that could be understanding that you do have a response plan in place. Suppose the [inaudible 00:20:33] was clean but then it corrupted a lot of the core files or custom modifications you made beyond repair. If you have a backup in place, then you can recover the files and database that way as well.

Review. Review is a bit more post instance and making sure that we understand okay, what happened, what files are modified. Were all the proper touchpoints in place in terms of access? Whom had it? I touched on the idea of a plugin that may all of a sudden have incidentally generated global write access meaning anybody can just make modifications where they see fit, understanding where the issues lie or essentially where the improvements need to be are really important.

Then the last step, of course, as part of that is mitigation. So okay, we understand what happened. We understand what we need to improve. So are these tasks that we handle internally? Do we need to reach out to someone else? Did we identify that we had really bad data visibility so there're a lot of companies out there that do a lot in terms of data analysis and auditing to alert you to issues? So these are the types of steps in place that you have.

And it's a pinwheel because remember, this isn't a static state of things. These things are always changing. All the improvements you made yesterday in response and then pushing those improvements through won't necessarily mean that you won't get hacked again. And so when you do get hacked again, you continue this process all over again. You respond, you recover, review, and mitigate. So it's simple in nature and the more you sort of put this to practice across your team, it's going to be really easy for you to identify deficiencies even on a day to day basis.

So I want to leave before I wrap up on this particular note. After a crisis, and this was something a director from North Bridge Financial wrote. After a crisis, one in four business will never reopen. And that's a pretty high percentage, right? 25% of business do not reopen. So having a proper business continuity and having a disaster plan in place can help small business avoid fate. It ultimately begins with asking yourself if I were to experience a loss tomorrow, what would I do. And you don't want to get caught answering that question with I don't know or I'm not sure. That's really the principle behind having this disaster recovery plan. Because if at worst you do face a crisis or incident, you do know what to do. You know exactly who to talk to and who to reach out to and get it done.

So just to sort of to hit it in more plain text, know whom to contact to remediate immediately if you do face a compromise, recover by, of course, informing your customers in a timely fashion. If, of course, you have to be sure to do so, of course, that will pay a lot of dividend in your brand and customers feel like, okay, well, they're very forthcoming and that was a quick response out of them knowing how quickly I got that response out. Execute backups if need be. Review your existing strategy to identify improvements. And, of course, make those changes once you do identify them to continue to minimize your risk and minimize your exposure.

Notice our word minimize, you're not eliminating it. Risk will never be zero in this space and the best you can do is always just have a plan in place that ensure that we're doing all we can to get that as close to zero as possible. Okay. So there's a lot more detail in which how to properly transcribe a disaster recovery plan with specific questions you'll be asked internally ...

... As a recovery plan with specific questions gonna be asked internally. I actually will be putting out a blog post soon in the coming weeks about exactly what you can do to provide a very thorough disaster recovery plan across the team so everyone's on the same page. And you can find that blog post on this link here, blog.sucuri.net.

Of course if you do end up choosing to use us as a service to help facilitate these needs in terms of being proactive, and having the ability over your site, one thing we do want to make sure that we're clear about, of course is that we're also committed to the protection of your data as well. So when GDPR came into effect, something to make known of course is that we were compliant for those that don't know. We made several upgrades to our products, our workflows to make sure that, well, you know, we supported the proper data practices internally, and if you do need a data processing addendum to keep on record, just email us at GDPR@sucuri.net as well for any questions or concerns you may have.

Beyond that, time for questions, I hope to have all the answers you need, but otherwise Val, let me know what we have.

See Full Transcript

Expand

Similar Past Webinars

In the website security community, our name is known for fast site hack cleanup and responsible vulnerability disclosure. As thought leaders in website security, we are committed to sharing what we know. Follow our concise and helpful website security guides and tutorials so you can learn how to clean and secure your website.

Webinar - Preventing Cross-Site Contamination for Beginners

Cross-site contamination happens when one hacked site infects other sites on a shared server. This webinar is for beginners and web professionals to understand cross-site contamination and how to prevent it.....

Webinar - Fire Chat: Reactive and Proactive Protection for Web Agencies

In this fire chat, we're looking to find answers to some of the questions web agencies have been asking us for years, in hopes of shedding more light into how you, as an agency, need to respond to security threats your customers face.....

Webinar - Security for Web Agencies

Website security is challenging, especially with a large network of sites. We want to help you understand how you can create a security plan and reduce the risk of a hack or security incident. In this session Dana covers the implications of a security breach and why security should be important to your agency. Dana shows you a tiered approach to we....

Webinar - Beginner's Guide to CDN's

All content is not created equally. Reducing the time it takes for each piece of data to travel from the host server to the client will provide lower latency and a more optimized user experience. Ultimately, this helps avoid dropoffs in users as a result of extended load times.....