Tis the Season for a Secure Ecommerce Site
We know retail sales are huge during the holiday season – and unfortunately, so do hackers. With so many online shoppers sharing credit data and personal information, keeping sites secure and running efficiently is more critical than ever.
Fortunately, there are steps you can take to tighten defenses around your ecommerce and data infrastructure. Let’s round out Pivotree’s holiday prep series by touching on ways to keep your site secure and your applications fine-tuned.
Step Up Your Holiday Security
From tech to retail products to apps – criminals are on the prowl for gaps in cybersecurity.
According to an Infosecurity article, attempted cyber-attacks increase at an alarming rate between Black Friday and New Year’s Day. So, while site security is always essential, the holiday season really puts your defense to the test.
Let’s look at five rapid-fire preparations to get your online environment ready for the season.
- Plan for patching – Develop a plan for security issues like emergency patching or unexpected vulnerability. Assign responsibility for monitoring and applying patches within all of your environments, and opt-in to your infrastructure provider’s patch program (if you’re not handling it yourself).
- Limit access – Restrict environment access to authorized personnel. Use strong passwords, audit users, and use two-factor authentication and encrypted communications.
- Monitor for vulnerabilities – Use an Intrusion Detection System to proactively discover potential breaches and notify you of suspicious activity, so you can respond to and contain an intrusion quickly.
- Use HTTPS – Use certificates signed with at least SHA-256 (not older, weaker hash algorithms), and use HTTPS for all customer ecommerce communication (not just authentication and payment). A Content Delivery Network (CDN) service can ease performance concerns associated with HTTPS use.
- Update Anti-Virus – Make sure you have Anti-Virus running on all servers with the most up-to-date virus signatures.
These safeguards are foundational and crucial aspects of your site stability prep. Now let’s move onto three hot button issues that can impact your customers’ data security this season.
Tune Your WAF
A Web Application Firewall (WAF) inspects the HTTP traffic between a browser and your application. It protects against application-layer attacks, which are increasingly common in ecommerce. However, it must be tuned and configured to respond appropriately to your application and traffic.
It’s essential to understand your WAF provider’s incident response plan, have alerts routed to correctly trained personnel, and automatically direct traffic back to your origin servers when WAF problems occur.
If you’re looking for a WAF solution, Pivotree offers a security suite including a Web Application Firewall meeting PCI requirement 6, with 24×7 support to prevent emerging threats.
Protect Against Zombie Attacks (Yes, Really)
Distributed Denial of Service (DDoS) attacks try to take your internet presence offline. Usually, it’s by overwhelming your site’s network or servers with traffic from a collective of hacker-controlled zombie computers (also known as a botnet). Scary, but true.
The botnet is used as a distraction while hackers steal credit card data. These attacks can make your site unavailable while your bandwidth provider mitigates the threat.
What can you do? First, check with your provider to understand their DDoS response plan. Then, decide if you want a DDoS mitigation service. Because these services are expensive, many companies only use one during the holidays.
You can further reduce costs by opting for a “pre-staged” versus “always on” configuration. And if DDoS mitigation is still out of your budget, consider using a CDN to protect against low-volume attacks.
If you need to zombie-proof your site (and keep it online), Pivotree offers 24×7 protection against a wide number of incursions with our DoS Assure service. DoS Assure is also part of our full Cyber-Security Suite, along with WAF and CDN services.
Testing and Scanning
Finally, it’s important to test and scan your systems. Conduct penetration testing to find and safely exploit weaknesses in your code and application. This analysis uses a combination of automated testing and experienced testers.
In addition to penetration testing, you’ll want to run a vulnerability scan to identify known attack vectors in your network, application, or infrastructure. Focus on OWASP Top 10 vulnerabilities and PCI-specific issues.
Want a team of experts to test and scan your systems and help you prioritize fixes? Pivotree’s scanning services include Penetration Testing and AVS Scanning, providing regular verification of PCI best practice adherence.
Amp Up Your Applications
We’ve touched on how to secure your site and online environments. Now, let’s turn our focus to your applications.
It’s vital to periodically tune your applications to run efficiently and use resources effectively. There’s no better time to assess them than right before the holidays.
Here are some best practices to get your applications ready for the surge in traffic during the holidays:
- Adjust your caching – You can increase cache lifetimes (TTLs) during peak periods so content is regenerated less often, and make sure frequently requested items are cached to save resources. Review and adjust these settings as needed.
- Review recurring jobs – Check when jobs are scheduled to run and ensure they don’t collide or run during peak times.
- Limit publishing and catalog updates – Catalog updates are resource-intensive. During peak season, ensure updates are performed when traffic is lowest. Have a catalog change? Make sure minor changes don’t trigger full indexing or force a cache refresh.
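To make the “review recurring jobs” step concrete, here is an added Python example (not code from the article or from Pivotree) that expands cron-style minute and hour fields for a set of jobs, reports which ones fire inside a peak-traffic window, and lists pairs of jobs that share a firing slot. The job names, schedules and the 9:00 to 22:00 peak window are constructed for illustration, and the field parser is a deliberately simplified subset of cron syntax.

```python
"""Check scheduled jobs against each other and against a peak-traffic window."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Job:
    name: str
    minute: str   # cron minute field, e.g. "0", "*/15", "5,35"
    hour: str     # cron hour field, e.g. "*", "*/6", "9-17"


def expand_field(field, lo, hi):
    """Expand a cron field (*, n, a-b, a,b,c, */k, a-b/k, n/k) into a set of ints."""
    values = set()
    for part in field.split(","):
        step = 1
        stepped = "/" in part
        if stepped:
            part, step_s = part.split("/", 1)
            step = int(step_s)
        if part == "*":
            start, end = lo, hi
        elif "-" in part:
            a, b = part.split("-", 1)
            start, end = int(a), int(b)
        else:
            start = int(part)
            end = hi if stepped else start   # "5/10" means from 5 to the end, every 10
        if not (lo <= start <= end <= hi) or step < 1:
            raise ValueError(f"field {field!r} out of range {lo}-{hi}")
        values.update(range(start, end + 1, step))
    return values


def fire_slots(job):
    """All (hour, minute) slots in a day at which the job fires."""
    return {(h, m)
            for h in expand_field(job.hour, 0, 23)
            for m in expand_field(job.minute, 0, 59)}


def in_window(slot, start_hour, end_hour):
    """True if the slot's hour lies in [start_hour, end_hour); handles windows that wrap midnight."""
    h = slot[0]
    if start_hour <= end_hour:
        return start_hour <= h < end_hour
    return h >= start_hour or h < end_hour


def review_schedule(jobs, peak_start_hour, peak_end_hour):
    """Report jobs firing in the peak window and pairs of jobs that share a firing slot."""
    slots = {job.name: fire_slots(job) for job in jobs}
    in_peak = sorted(name for name, s in slots.items()
                     if any(in_window(slot, peak_start_hour, peak_end_hour) for slot in s))
    collisions = []
    names = [j.name for j in jobs]
    for i in range(len(names)):
        for j in range(i + 1, len(names)):
            shared = slots[names[i]] & slots[names[j]]
            if shared:
                collisions.append((names[i], names[j], min(shared)))  # earliest shared slot
    return {"in_peak": in_peak, "collisions": collisions}


# Constructed sample schedule (assumed job names, not from any real deployment).
SAMPLE_JOBS = [
    Job("catalog_reindex", "0", "*/6"),   # 00:00, 06:00, 12:00, 18:00
    Job("report_export", "0", "12"),      # 12:00, collides with the reindex
    Job("backup", "20", "3"),             # 03:20, outside the peak window
    Job("cache_warm", "*/15", "*"),       # every 15 minutes, all day
]
PEAK_START, PEAK_END = 9, 22   # assumed shopping peak, 09:00 to 22:00


if __name__ == "__main__":
    report = review_schedule(SAMPLE_JOBS, PEAK_START, PEAK_END)
    print("Jobs firing during peak:", ", ".join(report["in_peak"]))
    for a, b, (h, m) in report["collisions"]:
        print(f"Collision: {a} and {b} both fire at {h:02d}:{m:02d}")
```

Running it lists cache_warm, catalog_reindex and report_export as peak-hour jobs and flags the 12:00 overlap between the reindex and the export; the fix in practice is to move the heavy jobs into the low-traffic window and stagger the ones that must coexist.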
Want help tuning overlooked elements of your applications? Pivotree’s Application Assessment conducts an independent review of your application configuration against Hybris and Oracle best practices. We’ll identify your baseline performance, then help you improve it.
Monitor Application Errors
Are you monitoring your applications for errors throughout the year? You should – particularly before busy seasons. Bottlenecks in your database can cascade down to your application servers, causing requests to back up.
Start by setting up database monitoring to track performance. You should also perform activities like right-sizing your database hardware, tuning long-running queries, and indexing frequently accessed tables.
If you need help pinpointing performance bottlenecks in your application code, our Commerce Platform Manager will alert you to defects that affect your customer experience.
Beat the Bad Bots
A bot is a program that operates as an agent for a user or another program, or that simulates human activity. Some are malicious, but not all. Companies like Google, Pinterest, Yahoo, and Bing crawl your site to collect the information that powers their services. These are the bots you want – they are crucial for your online presence and search rankings.
Bad bots – comment spammers, SQL injection worms, etc. – are harmful, as their traffic can pull resources and negatively affect your site.
How do you manage them?
You can start by reviewing the IP addresses of your top traffic sources and blocking those showing malicious activity. You can also use strategies like having your WAF or CDN block bot traffic, separating bot traffic from user traffic on a dedicated server, and serving bots a less resource-intensive version of the site.
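As an added illustration (not code from the article or from Pivotree), here is a Python script that performs the first step described above: it ranks source IPs in web server access logs, separates the crawlers the article names as wanted traffic from scripted clients, and flags block candidates. The log lines are constructed, the thresholds and token lists are assumptions to tune against your own traffic, and because a user-agent string can be spoofed, a "good_bot" verdict should be confirmed (for example with reverse DNS) before an address is allow-listed.

```python
"""Rank access-log sources by request volume and flag likely bad-bot traffic."""
import re
from collections import defaultdict

# Combined Log Format: ip ident user [time] "method path proto" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"[^"]*" "(?P<ua>[^"]*)"$'
)

# Crawlers the article names as wanted traffic. Matching on the UA token alone is
# only a first pass: a spoofed UA can claim to be Googlebot, so verify before allow-listing.
GOOD_BOT_TOKENS = ("Googlebot", "bingbot", "Pinterestbot", "Slurp")
# UA fragments typical of scripted clients rather than browsers (assumed list, extend as needed).
SCRIPTED_UA_TOKENS = ("python-requests", "curl/", "libwww-perl", "Go-http-client")


def parse_line(line):
    """Return the fields of one log line, or None if it is not in Combined Log Format."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def summarize(lines):
    """Aggregate per-source metrics: hits, POSTs, 4xx/5xx responses, distinct paths, UAs."""
    stats = defaultdict(lambda: {"hits": 0, "posts": 0, "errors": 0, "paths": set(), "uas": set()})
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # skip malformed lines rather than abort the whole run
        s = stats[rec["ip"]]
        s["hits"] += 1
        s["posts"] += int(rec["method"] == "POST")
        s["errors"] += int(rec["status"][0] in "45")
        s["paths"].add(rec["path"])
        s["uas"].add(rec["ua"])
    return stats


def classify(s, hit_threshold=50):
    """Return 'good_bot', 'suspect' or 'human' for one source's metrics (thresholds are assumptions)."""
    uas = " ".join(s["uas"])
    if any(tok in uas for tok in GOOD_BOT_TOKENS):
        return "good_bot"
    scripted = any(tok in uas for tok in SCRIPTED_UA_TOKENS)
    hammering = s["hits"] >= hit_threshold and len(s["paths"]) <= 2   # many hits on one or two URLs
    error_heavy = s["hits"] >= 10 and s["errors"] / s["hits"] > 0.5  # mostly rejected requests
    if scripted or hammering or error_heavy:
        return "suspect"
    return "human"


def triage(lines, top_n=10, hit_threshold=50):
    """Top sources by volume as (ip, hits, verdict); the 'suspect' entries are block candidates."""
    stats = summarize(lines)
    ranked = sorted(stats.items(), key=lambda kv: kv[1]["hits"], reverse=True)[:top_n]
    return [(ip, s["hits"], classify(s, hit_threshold)) for ip, s in ranked]


# Constructed sample traffic (documentation IP ranges, not real clients).
def _line(ip, sec, method, path, status, ua):
    return (f'{ip} - - [27/Nov/2020:10:00:{sec:02d} +0000] "{method} {path} HTTP/1.1" '
            f'{status} 512 "-" "{ua}"')


BROWSER_UA = "Mozilla/5.0 (Windows NT 10.0) Chrome/86.0"
GOOGLE_UA = "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"

SAMPLE_LOG = [
    _line("203.0.113.10", 1, "GET", "/product/123", 200, BROWSER_UA),   # ordinary shopper
    _line("203.0.113.10", 5, "GET", "/cart", 200, BROWSER_UA),
    _line("198.51.100.7", 1, "GET", "/robots.txt", 200, GOOGLE_UA),      # wanted crawler
    _line("198.51.100.7", 2, "GET", "/product/123", 200, GOOGLE_UA),
] + [
    # 60 comment-form POSTs in one minute from a scripted client: the comment-spammer pattern
    _line("192.0.2.55", i, "POST", "/blog/comment", 403, "python-requests/2.24")
    for i in range(60)
]


if __name__ == "__main__":
    for ip, hits, verdict in triage(SAMPLE_LOG):
        print(f"{ip:<16} {hits:>5} {verdict}")
```

In practice you would feed it a real access log (one line per list entry) and hand the "suspect" addresses to the WAF or CDN block list after a human check; the per-IP metrics are deliberately kept in the return value so the same logic can run unattended as a scheduled report.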
When you have healthy applications, you can deploy your resources effectively, which is essential during peak periods. It takes a combination of strategies, but it’s not too late to get ready before the holidays.
Let Your Holiday Bring Success, Not a Security Breach
We want your holiday ecommerce season to be a story of success – not one that involves a security breach or sluggish systems.
Time is tight, but Pivotree can help you secure your site and fine-tune your applications. Contact us to see how we can make the process easy for you.
Finally, don’t miss your chance to watch our Black Friday Video – and grab your copy of The Ultimate 2020 Holiday Prep Guide below!