Sadly, these types of hacks aren’t all that difficult to pull off. According to a 2020 report from Forrester Research, web applications account for 35% of the most common attack vectors. Vulnerable website tooling such as JavaScript, website security misconfigurations, and insecure third- and fourth-party website code make it easy for threat actors to use script attacks, SQL injection, malicious code insertion, and cross-site scripting (XSS), among other techniques, to steal users’ information. And much of this information is highly valuable to the criminal element. Information on a single credit card with a PIN can sell for $15 to $1,000. Credentials for payment-processing services such as PayPal can go for anywhere from a couple of dollars to $1,700 each. While a single phone number isn’t all that valuable, a phone number combined with a name, address, date of birth, and an account username can be worth $20 per person. A cybercriminal could earn a few thousand dollars in just a couple of hours with basic e-skimming attacks.
But your customers aren’t the only victims in this horror story. When an e-skimming breach hits the news, businesses can suffer significant reputation loss. The government isn’t going to let you off the hook either: regulatory fines are a common occurrence. For example, regulators in the UK fined Ticketmaster £1.25m (approximately $1.7 million) because the company’s website operators failed to notice and halt a Magecart attack that lasted three months and resulted in the theft of data on nine million customers.
And then there is the dreaded Google blacklisting. Google marks tens of thousands of websites as ‘suspicious’ every day because of malware embedded on the site. Do you really want your customers to type in your website URL, only to get the Google message “This site may harm your computer”?
Ok, I get it. I am ready to become a website security evangelist. Show me the way!

We recommend you start with these 10 steps:
1. Move Security to the “Left”

No. We’re not making a political statement here. On the software development lifecycle (SDLC) continuum, security has historically been an afterthought: it happened after a website or application had been created or cobbled together from a variety of third- and fourth-party code and applications. Security needs to happen at the beginning of, and throughout, the website and application development process. And just in case you still need convincing, it is considerably more costly to patch bugs and fix issues later in the development lifecycle. An ounce of prevention is still worth a pound of cure!
2. Know Thyself. Identify & Detect

The maxim from the ancient Greek oracle temple at Delphi is inherently appropriate here. It is critical for your business to know which web assets you own and what type of data they hold. You should also engage in some regular “web and system psychotherapy” by conducting deep-dive scans to reveal intrusions, behavioral anomalies, and unknown threats.
3. Spies Like Us. Ongoing Monitoring & Inspection

Be vigilant in your ongoing and automated inspection and monitoring of your web assets and JavaScript code. Use a purpose-built solution to make you aware of any unauthorized script activity.
4. Patch early and patch often (and keep your software updated, for goodness’ sake!)

The 2020 Magento breach mentioned previously happened because 2,000 online store owners failed to migrate their online store operations from Magento 1 to Magento 2. Updates and patches happen for a reason, folks. If you receive a notice that one of your website’s applications has issued an update, then take some time and install it!
5. Engage in meaningful relationships. Be selective with third-party scripts

Third- and fourth-party scripts and open-source or insecure JavaScript-based web applications are your worst nightmare, since it is unlikely they were built with security in mind. Remember the Ticketmaster and British Airways hacks we mentioned above? Those occurred as a result of an insecure JavaScript-based app called Feedify that had been added to these corporate websites.
6. Add a little extra policing. Implement Content Security Policies

A Content Security Policy (CSP) adds a layer of security that can detect and mitigate some types of attacks, such as XSS and data injection, by telling the browser which sources of scripts and other content the page is allowed to load. Configure your web server to send the CSP header with every response. You can also define a CSP using a meta tag within the HTML page.
7. Avoid the drama. Compartmentalize your web applications

Security professionals advise you to split your front-end applications into smaller components, such as public, authenticated, and admin, and to deploy each part on a separate origin (e.g., https://admin.websitename.com). Because the browser isolates origins from one another, this helps reduce client-side vulnerabilities by limiting how far a compromise in one part can reach across the application.
8. Eek! Cover up. Don’t expose all your data!

If you have sensitive merchant data that no one needs to see, make sure you store it in a unique metafield. Also, if you’re using something like GitHub, remember to keep your API keys out of public view and access.
9. Certify yourself. Use an SSL Certificate for all websites

SSL certificates are part of a protocol for encrypting Internet traffic and verifying server identity. In a nutshell, they are basic website-security 101. They enable website authentication and make SSL/TLS encryption possible. They also give the website an HTTPS web address. Many browsers have started tagging websites without an SSL certificate as “not secure.” While an SSL certificate and an HTTPS address do not guarantee a website is secure (SSL certificates are easy to obtain, and a malicious threat actor could create a fake or malicious website with an HTTPS address), having that HTTPS web address and encrypting any customer data sent over the Internet does make customers more likely to trust your site.
10. Never give up. Never surrender! (i.e., stay vigilant)

Cybercriminals don’t give up and neither should you. Make sure to dedicate regular effort to inspection, monitoring, and patching.