BreachExchange mailing list archives

5 Tips to Protect Your Business From Hackers


From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Mon, 13 Apr 2015 18:27:43 -0600

http://finance.yahoo.com/news/5-tips-protect-business-hackers-223000653.html

Last year will go down as the year of the security breach.

Reports of attacks and breaches made headlines across the world as many
companies learned firsthand the damage a high-profile breach can inflict on
a brand. Of the several lessons learned, the biggest may be that security
needs to be top-of-mind for any online business -- regardless of size.

In fact, small companies stand to lose the most because they typically lack
the dedicated security staff and expertise of a business ranked in the top
half of the Fortune 500. While breaches at smaller companies may not make
the headlines -- if they're detected at all -- the sheer number of small
e-commerce sites in operation is just too tempting for hackers to ignore.

A recent study found that not only do the number of bots (automated
applications that crawl and scan websites) on the Internet outnumber human
visitors, but smaller websites actually receive a disproportionately higher
percentage of automated bot visitors -- up to 80 percent of all traffic on
sites with fewer than 1,000 visitors a day. Malicious bots probe sites for
vulnerabilities, effectively automating web hacking.

The rise of automation has broadened the scope of attacks, making small
businesses just as vulnerable as Home Depot or Target. Today, all online
businesses are at risk. You don’t have to be a Fortune 500 company to
protect your business and customers from malfeasance. The following are
simple measures any business owner can take to thwart attacks and prevent
breaches.

1. Mind the gaps

Vulnerabilities are just that: exploitable weaknesses that allow attackers
to penetrate systems. Fortunately, many of these vulnerabilities are well
known and easy to patch. Specifically, there are two vulnerabilities all
e-commerce business owners should be aware of: SQL injection and Cross Site
Scripting (XSS).

Many sites, based on how their e-commerce application was built, are
vulnerable to SQL injection attacks. Criminals probe web applications with
SQL queries to try to extract information from the e-commerce database.

Cross Site Scripting attacks can occur when applications take untrusted
data from users and send it to web browsers without properly validating or
“treating” that data to ensure it isn’t malicious. XSS can be used to take
over user accounts, change website content or redirect visitors to
malicious websites without their knowledge.

Because attacks on these vulnerabilities are directed at the web application,
a web application firewall (WAF) is very effective in preventing them.
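To make the two weaknesses concrete, here is an added example (not code from the article) showing the vulnerable pattern beside its fix for each: a customer lookup that concatenates user input into SQL next to a parameterised query, and a greeting that reflects stored data into HTML unencoded next to one that escapes it. The in-memory SQLite table and customer rows are constructed stand-ins for an e-commerce database.

```python
import html
import sqlite3

def make_db() -> sqlite3.Connection:
    """Constructed in-memory 'customers' table standing in for the shop database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE customers (email TEXT, display_name TEXT)")
    conn.executemany("INSERT INTO customers VALUES (?, ?)", [
        ("ann@example.com", "Ann O'Brien"),
        ("bob@example.com", "Bob <b>Bold</b>"),
    ])
    return conn

def lookup_vulnerable(conn: sqlite3.Connection, email: str) -> list:
    """Concatenates user input into the SQL text: a quote in `email` is parsed as SQL."""
    return conn.execute(
        f"SELECT display_name FROM customers WHERE email = '{email}'").fetchall()

def lookup_safe(conn: sqlite3.Connection, email: str) -> list:
    """Parameterised query: the input is bound as a value and never parsed as SQL."""
    return conn.execute(
        "SELECT display_name FROM customers WHERE email = ?", (email,)).fetchall()

def render_vulnerable(display_name: str) -> str:
    """Reflects stored data into the page unencoded: markup in the data becomes markup."""
    return f"<p>Welcome, {display_name}</p>"

def render_safe(display_name: str) -> str:
    """Encodes the data for an HTML text context so the browser renders it as text."""
    return f"<p>Welcome, {html.escape(display_name, quote=True)}</p>"

def demo() -> dict:
    """Runs both paths on a legitimate value that happens to contain a quote."""
    conn = make_db()
    email_with_quote = "o'brien@example.com"
    try:
        lookup_vulnerable(conn, email_with_quote)
        vulnerable_outcome = "query ran"
    except sqlite3.Error as exc:
        # The quote ended the string literal early: the input was treated as SQL.
        vulnerable_outcome = f"query broken: {type(exc).__name__}"
    return {
        "vulnerable": vulnerable_outcome,
        "safe": lookup_safe(conn, email_with_quote),   # [] : no such customer
        "unsafe_html": render_vulnerable("Bob <b>Bold</b>"),
        "safe_html": render_safe("Bob <b>Bold</b>"),
    }
```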

2. Denial of service

Some criminals are taking a brute force approach and flooding websites with
traffic to take them offline -- called a distributed denial of service
(DDoS) attack. For e-commerce sites, a DDoS attack has a direct impact on
revenue. A single DDoS can cost more than $400,000, with some sources
reporting costs of up to $40,000 per hour. With attacks ranging from mere
hours to several days, no business can afford the risk of a DDoS attack.

Often these attacks are accompanied by a ransom note demanding funds to stop
the DDoS attack; other times the attack is merely a smokescreen, giving
hackers time to probe the site for vulnerabilities.

In either case, rather than fall prey to extortionists, e-commerce sites
should enlist DDoS protection to detect and mitigate the attack before it
impacts their bottom line. DDoS protection is often available from hosting
providers, so small businesses can ask their website hoster for options.

3. Two-factor authentication

Stolen or compromised user credentials are a common cause of breaches. eBay
reported that cyber attackers compromised a small number of employee log-in
credentials, allowing unauthorized access to eBay's corporate network.
Criminals use social engineering, phishing, malware and other means to
guess or capture usernames and passwords. In other cases, attackers target
administrators, whom they discover on social networks, using spear phishing
attacks to obtain sensitive data.

Stopping this problem is as simple as implementing two-factor
authentication. This second factor is usually a code generated via an app
or received via text on a phone owned by the user. Two-factor
authentication has been around for a while, but just as better smartphone
cameras opened up a whole new market of photo editing and sharing
applications, so too has the escalation in breaches increased the number of
options for two-factor authentication.

Today, there are a number of great two-factor authentication solutions that
are both easier to use and very effective at keeping hackers out. Many are
free, including Google Authenticator, and are packaged as handy apps on
smartphones. With the increasing risk of breach, it’s more important than
ever that any application dealing with customer data be protected by
two-factor authentication.

4. Scan your site

Web scanners are an important tool for detecting the SQL injection
vulnerabilities and XSS mentioned above, as well as a host of other
vulnerabilities. Information from these scanners can be used to assess the
security posture of an e-commerce website, providing insights for engineers
on how to remediate vulnerabilities at the code level or tune a WAF to
protect against the specific vulnerabilities.

However, in order to be effective, businesses need to use them regularly.
It’s important to subscribe to a service that scans on a periodic basis --
not every three years.

5. Keep your 'friends' close

According to research by the Ponemon Institute, third-party providers --
hosters, payment processors, call centers, shredders -- have a significant
impact on breach likelihood and scope. You wouldn’t trust your money to a
bank without rigorous, proven security measures in place. Nor should you
trust a software vendor without security practices in place.

When seeking new providers, make sure they're compliant with security best
practices like the Payment Card Industry’s Data Security Standard (PCI-DSS)
and the cloud-security certification SSAE16. Don’t be afraid to ask cloud
software vendors how they’re managing security and what certifications they
have. If they have none, you should think twice about working with them.

Don’t overlook this. No matter how good the product, if the software
introduces risk to your business, it’s not worth it.

Today the risk of data breach is greater than ever, for large and small
businesses alike. But security does not have to be complicated. By using
the right tools, partnering with the right vendors and implementing
safeguards, online businesses can reduce risk and keep out of the headlines.
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://lists.osvdb.org/mailman/listinfo/dataloss