Christmas is a time of the year when thoughts turn to shopping, and of course security analysts’ thoughts turn to online security and safe shopping. In truth, no matter what the time of year, online safety should always be a critical consideration, and it's not just the responsibility of the consumer. Online safety needs to start with businesses, which must make sure their websites are secure.
Having an online presence is practically a "must have" for businesses nowadays, whether it is just an informational site with contact details or a fully fledged e-commerce platform. Business owners need to actively manage the website to ensure cyber-criminals haven't hijacked the site and redirected consumers to malicious pages. No business wants to lose a sale to such a hijack, of course, but even worse can be the long-term damage to reputation such incidents cause – not to mention potential liability issues.
Symantec researchers identify, on average, 9,314 malicious websites every day. Nearly 61 per cent of malicious sites out there are legitimate business sites that have been somehow compromised.
That compromise can take many forms, such as exploiting vulnerabilities in the off-the-shelf content management system being used to build the site, brute-forcing passwords on the FTP server, or displaying malicious advertisements using a third-party ad network.
This Xmas shopping season, businesses should take the following steps to secure their websites and protect customers from malware and cyber-attacks.
SSL is about trust
The most important thing businesses can do to protect their customers is to deploy Secure Sockets Layer (SSL) on all their web pages, according to Symantec. With SSL enabled, all the information transferred between the user and the business passes through an encrypted tunnel, making it harder for a malicious third party to intercept the data or eavesdrop.
Businesses that offer catalogues and online shopping on their sites must, at the very least, offer SSL on the shopping pages where the user enters a credit card number. Rather than turning on SSL only for the handful of pages that handle sensitive financial data, protecting every page from the start makes the site easier to maintain and gives users a more streamlined experience.
The easiest way for a visitor to tell whether SSL is turned on is to look at the URL. If there is a green "https" box in the browser's address bar, the data is protected. Businesses can "build customer trust" with that green browser bar, Symantec noted.
Security experts generally recommend that users don’t shop on sites that aren't using HTTPS, and they certainly shouldn’t enter credit or debit card numbers if the page isn't secure.
"When I shop online, I always check the address of the payment website, making sure it has the Secure Hypertext Transfer Protocol (Https://)," Catalin Cosoi, chief security strategist at BitDefender, told ITProPortal.
"Recognised trust marks" should be displayed in highly visible locations on the website, Symantec said. One such trust mark is the Norton Secured Seal, which informs shoppers that the website is verified, trusted, and likely free from malware.
Businesses should also get digital SSL certificates from established, trustworthy certificate authorities, Symantec advised. There are plenty of fly-by-night operations offering SSL certificates at a low cost, but there is no guarantee the certificate authority is following security practices, warned Melih Abdulhayoglu, president and CEO of Comodo.
Not all CAs have strict procedures in place to ensure the applicant actually owns the domain and is not trying to get SSL certificates for sites owned by someone else, Abdulhayoglu said. Digital signatures are one area in which businesses shouldn't trust unknown organisations with their website and customers, and they shouldn't simply be looking for the lowest possible price.
"I check if the Certificate Authority such as VeriSign is recognised by the browser," Cosoi agreed.
Monitor the network
Symantec also recommended that businesses regularly scan their sites for malware, monitor the infrastructure for intrusions, and keep a close eye on traffic for malicious activity. Administrators should check the logs for attempted connections from their servers to known malicious or suspicious hosts, which would indicate that something on the server is trying to "phone home" to a remote machine.
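One way to run that log check, as an added example that is not from the article or from Symantec: the script parses iptables-style outbound connection records from a web server and flags destinations that are on a blocklist or that the server has no business talking to. The log lines, the expected-destination allowlist, the blocklist entry and the address ranges are all constructed for the example.

```python
import re
from ipaddress import ip_address, ip_network

# Constructed sample of iptables-style OUTPUT log lines from a web server (not real traffic).
SAMPLE_LOG = """\
Dec 20 10:01:02 web01 kernel: OUT=eth0 SRC=192.0.2.10 DST=198.51.100.7 PROTO=TCP DPT=443
Dec 20 10:01:09 web01 kernel: OUT=eth0 SRC=192.0.2.10 DST=203.0.113.66 PROTO=TCP DPT=8080
Dec 20 10:02:15 web01 kernel: OUT=eth0 SRC=192.0.2.10 DST=192.0.2.20 PROTO=TCP DPT=3306
Dec 20 10:03:40 web01 kernel: OUT=eth0 SRC=192.0.2.10 DST=203.0.113.99 PROTO=TCP DPT=6667
"""

# Destinations the server is expected to reach (e.g. a payment API), as host -> allowed ports.
EXPECTED = {"198.51.100.7": {443}}
# The server's own LAN; traffic to the database there is covered by other controls.
INTERNAL = ip_network("192.0.2.0/24")
# Known-bad hosts, as you would load them from a threat-intelligence feed (placeholder value).
BLOCKLIST = {"203.0.113.66"}

LINE_RE = re.compile(r"DST=(\S+) PROTO=\S+ DPT=(\d+)")

def find_phone_home(log_text):
    """Return (reason, destination, port) for each outbound connection worth investigating."""
    alerts = []
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        dst, dport = m.group(1), int(m.group(2))
        if ip_address(dst) in INTERNAL:
            continue
        if dst in BLOCKLIST:
            alerts.append(("blocklisted", dst, dport))
        elif dport not in EXPECTED.get(dst, set()):
            # Any external host/port not on the allowlist is a candidate "phone home".
            alerts.append(("unexpected", dst, dport))
    return alerts
```
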
The website should be checked daily to see whether it is serving malware to visitors, whether it is vulnerable to web attacks such as SQL injection, and whether there have been any unusual login attempts or intrusions on the web server. Many malware variants compromise a website by modifying certain files or injecting a malicious script into the site's directory.
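The daily check for modified files and injected scripts can be automated with a hash baseline of the web root. The following is an added example, not code from the article or from Symantec: it records a SHA-256 digest per file, reports files that were added, changed or removed since the baseline, and flags changed pages that now load a script from a host outside an assumed allowlist. The site files, the allowlist and the "unknown-host.invalid" value are constructed for the demo.

```python
import hashlib
import re
import tempfile
from pathlib import Path

# Hosts the site legitimately loads scripts from (assumed allowlist for this example).
ALLOWED_SCRIPT_HOSTS = {"www.example.com", "cdn.example.com"}
EXTERNAL_SCRIPT_RE = re.compile(r'<script[^>]+src=["\']https?://([^/"\']+)', re.IGNORECASE)

def snapshot(web_root):
    """Map each file under web_root (relative path) to its SHA-256 digest."""
    root = Path(web_root)
    return {
        str(p.relative_to(root)): hashlib.sha256(p.read_bytes()).hexdigest()
        for p in sorted(root.rglob("*")) if p.is_file()
    }

def foreign_script_hosts(text):
    # Hosts referenced by <script src=...> that are not on the allowlist.
    return sorted(set(EXTERNAL_SCRIPT_RE.findall(text)) - ALLOWED_SCRIPT_HOSTS)

def compare(baseline, web_root):
    """Report added/modified/deleted files and unknown script hosts in changed pages."""
    current = snapshot(web_root)
    report = {"added": [], "modified": [], "deleted": [], "suspicious": {}}
    for path, digest in current.items():
        if path not in baseline:
            report["added"].append(path)
        elif baseline[path] != digest:
            report["modified"].append(path)
    report["deleted"] = sorted(set(baseline) - set(current))
    for path in report["added"] + report["modified"]:
        if path.endswith((".html", ".php", ".js")):
            hosts = foreign_script_hosts((Path(web_root) / path).read_text(errors="replace"))
            if hosts:
                report["suspicious"][path] = hosts
    return report

def demo():
    """Build a constructed site in a temp dir, take a baseline, then detect tampering."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        good = '<script src="https://cdn.example.com/app.js"></script>'
        (root / "index.html").write_text(good)
        (root / "about.html").write_text("<p>About us</p>")
        baseline = snapshot(root)
        # Simulated tampering: index.html now also loads a script from an unknown host.
        (root / "index.html").write_text(good + '<script src="http://unknown-host.invalid/x.js"></script>')
        (root / "about.html").unlink()
        return compare(baseline, root)
```

In production the baseline would be stored off the web server (an attacker who can modify site files can also modify a baseline kept beside them) and regenerated only after a verified deployment.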
It's not just online
It's important to remember that securing the website starts with physical security. Businesses have to make sure servers and other assets are protected from physical theft. In the case of a cloud host, the business has to make sure the provider admits only authorised personnel to the data centre.
Back to the issue of SSL: organisations should store private keys in secure, tamper-proof cryptographic hardware devices to protect the integrity of their digital certificates, Symantec said. Keeping the keys in such devices means cyber-criminals can't easily intercept them or trick site owners into giving them up.
1.5 million people are victims of cyber-crime every day. Business owners can protect their customers – and by extension, their own bottom lines – by doing their part to make sure their sites aren't a cyber-crime vector.