‘Reverse Chronology’ within film making is a method of story-telling whereby the plot is revealed in reverse order. What’s this to do with Cyber Security or eCommerce, I can hear you ask already? Nothing really but let’s start at 1030am on Monday morning, you have just got your email cleared up and that second coffee is due, then you realise your website has been hacked into.. its been offline from the early hours of Saturday morning. The orders over the weekend were low but no one was really thinking that was a sign.
The first you hear of it is when a customer phones in to say “..your website is blocked when I look you up on Google, and there is a big red screen now on saying ‘The Website Ahead Contains Malware!'”… where once your hard work on SEO made you feature highly, but Google have wiped you off.
This isn’t really the end of the story, but it starts a new one, hopefully cleaning your website and recovering your online reputation.
What I tend to see a lot in eCommerce is that there are different parties who are experts in their field and but there is very little continuity holding them together, should it be Search Engine Optimisation, Google Analytics, Digital Marketing or on the technical side of the platform. In most cases each party is the expert in that area and yes there is an overlap of skills, which is fine, but the key thing I have identified is there is a void and this is what I see is where the main web security risks are.
This gap is where everyone is doing what they do best but not taking much notice or responsibility of how things join together, yes its an eCommerce manager’s role, but the issue extends right back to basic fundamentals, that are frequently overlooked.
There are many tools online that can help prevent and detect any malicious activity around your website. Google whether you like or loath them offer a free service called Google Search Console, that amongst other things alerts you to malware in the first instance. I see a lot of eCommerce websites that don’t even have this or know of its existence. It connects seamlessly to Google Analytics, but pretty much each time, no in fact every time I look at an organisations Google Analytics Account, the Google Search Console is never connected. Is this the SEO persons job? or the Google Analytics persons job? or is it just the bit in the middle I mentioned about is missing? It’s a really important part of being online and I recommend you set it up.
The next thing I see, when logging into the back office of websites, are a lots of plugin out-of-date that are just ignored as they are annoying each time you login. With some very basic open source tools anyone scan your website and easily detect what software you are using and whether its out of date or not. I was doing such a scan last week on a WordPress installation (with the website owners permission), and found that not only was WordPress out of date for over nine months, there were seven plugins also out of date even longer.
In addition to this, I found a lot of security issues: there was no SSL in place, the main wp-admin was public, I could detect the back end users logins, including the default ‘admin’ user. That is two out of three things publicly available, that you need to gain direct access to the website, the rest is just a simple brute force way.
The next thing I look at and again, key question I ask is whose responsibility is this, the web designers, the hosting party? A simple port scan of the web server in a lot of cases exposes services that are 100% open to the public, such as access to the database ports, access to execute remote commands, etc.
We make hackers lives too easy, so my advice is don’t be the victim of your own story and let someone say ‘I told you so’, but sit back and take a helicopter view of your online business, make sure you have everything in place to protect yourself. Yes you should consider implementing a web application firewall, patching, regularly vulnerability scans etc but there are still a lot of fundamentals that you probably haven’t in place.