Everybody has a website — big sporting goods stores, mid-sized regional chains, even the small, local, family-run shops like my gunsmith have a website. That’s how the typical consumer finds what he’s looking for these days. The days of the local Yellow Pages are gone; they’ve become paper dinosaurs, although they do make good test media for certain bullet types. As a result, shop owners now pay for an internet presence to draw customers in, but hackers love to go after websites at small businesses based on the assumption that they’re not as secure as those of a larger company. As of April 2016, cyber security incidents in the retail sector were up 154 percent in 2015 versus 2014. With much of that involving small businesses, it’s even more critical to make sure your website is secure.
Computer criminals generally start an attack on an organization by assessing its website for any vulnerabilities that they can exploit. They don’t start out by trying to find vulnerable gunshop or sporting goods store websites. Instead, they run semi-automated sweeps of the internet that identify potentially vulnerable targets at a high level. Then, once they have that starting list, they dig down deeper to see whose website they can break into and what they can steal. It doesn’t matter what kind of business it is so long as it has something worth taking, like payment card records or customer email accounts.
From a technical perspective, it can be easy to break into a website if it’s not set up properly. Once the hacker gets into the data behind the public website, it can be difficult and expensive to get him out, and by then the damage is done. He can use or sell any credit card information he gets or use customer email addresses to send out phishing emails to try and get more compromised computers for his network of “bots.” Whether you use a third-party website service to build and host your site or develop it yourself, there are a number of steps you can take to harden it against these clowns.
Your website developer and hosting company should help you find and fix any vulnerabilities your website has. If they don’t, you may want to consider hiring a consultant for that. As they say, “buy once, cry once,” but it’s a hell of a lot cheaper than paying for a cleanup after you’ve been popped.
So, what information do you have that the bad guys want? If your website has an online store, there’s a connection to your customers’ personal information and payment card information. All of that is valuable to a hacker. The personal information can be used for identity theft, and the card info can be used to buy anything the mutt wants before the card gets shut down, assuming the theft is even noticed.
From a more sinister perspective, a gunshop’s customer list is also a list of current gun owners. Your webstore’s database is a list of your current inventory. Your front page already shows an address and maybe even a map of where to find everything. In today’s complicated political climate, all of that could be exploited to cause real-world harm to innocent people, which we have to avoid at all costs.
Other technical vulnerabilities that can be exploited are weaknesses that the bad guys can use to leverage your website as a storage or launch site for their malicious software. I’ve seen many cases in which the business owner had no idea that his or her website was being used as a weapon until the local FBI field Ooffice showed up at their door. If that happens, it can get really uncomfortable until you can prove that you’re not the guy running the “hacker site” and that you’re an unwitting victim. It can also get expensive to prove it.
In one recent case, a site owner received an email from a “vulnerability researcher” outlining the holes he had found in the website. There are a lot of legitimate researchers who do this in the interest of world cyberharmony, but this clown wanted a payoff to disclose the weaknesses, under threat of exposure. While he was negotiating with the business owner, he was also advertising the site to other hackers as a place to store their malware! In the end, it cost the poor business owner over $100,000 just to find and fix all the vulnerabilities, not including the indirect costs of lost business and reputation.
It can be easy breaking into a website. One of the most common and effective methods is known as an “injection” attack. Your website likely has forms a viewer can submit to contact you, subscribe to a newsletter or purchase something. A hacker can enter commands into that field that the server will execute if the form is not set up securely, which means he then owns your system.
Another common attack is to email the website Admin (which anyone can get from the site’s public registration) a slick, shiny email with some link or attachment that gets their attention. Once the Admin clicks on it and launches the malware behind it, the bad guy might now have Admin access to the website backend and all it contains.
There are a number of brute force methods to break into improperly-secured websites, but rather than go on for pages describing those, let me suggest a handful of approaches for your consideration. The website hosting company or consultant you hire will know what to look for and fix.
Speaking of consultants, I wanted to get an expert’s perspective for this article, so I called an old friend and colleague — another veteran of the global cyberwars — and talked with him about all this. Ian Duffy is an executive with the information security consulting firm Polito, Inc., in Woodbridge, Virginia. He and I have worked together on a number of very interesting and challenging cyber security projects for more than a few years, so trust me when I tell you he knows his stuff.
The first point Duffy made when we started talking about this was that there is no reason for shop owners to be intimidated by technology or cyber security. “Gunshop owners have already proven they’re smart enough to run a successful business,” he pointed out, “so they can easily understand these issues.”
And he’s absolutely right. Website security is no more difficult to achieve than physical or personnel security; it’s just another flavor of something you already do. “The key,” Duffy continued, “is that everybody from the business owners down to the salesmen have to be aware of cyber security as much as they are of the threat of robbery.”
This doesn’t mean that all of your people have to become cyber experts. You and your website administrator may need to step up your awareness, but the main thing your employees need to understand is the phishing threat. Never click on a link or an attachment in an unexpected email, even from a sender you know or trust. Contact the sender in a new message to confirm they sent it, or go to the sender’s known website from a browser to follow up. It’s the same mindset as the elevated awareness you have when opening and closing the store.
As for you and your Admin, there are several good resources available to you to help secure your website and your business network in general. The National Institute of Standards & Technology (NIST) recently published their Cybersecurity Framework for Small Businesses to provide just this kind of assistance to help keep the bad guys out of your business, literally. It’s a valuable tool for any business to have on hand though — not just small shops.
There’s also the SysAdmin, Audit, Network, Security Institute (SANS), which is an organization founded for education and research on cyber security issues. They have a lot of great information available, including some boilerplate contract language for dealing with website developers and hosting providers.
Last, but certainly not least, talk with your internet service provider. These days, most providers include a security package as part of the service you pay for. Ask about it. Add it to your package if it’s not there. And speaking of security packages, make sure that the computers in your office (including your cash registers, if they’re connected) have active firewalls and antivirus software on them, and keep it up to date. Set up your computers to download and install the monthly and critical operating system updates while you’re at it. Yes, I know, it can be a pain in the asset, but it’s one of the easiest ways to close up the vulnerabilities on your computers.
The point of all this is to make it more difficult for the hacker to get into your website and network. If the choice comes down to your network and another target, and yours takes longer, guess what? He’s going after the other guy. It’s harsh, but in this case, you really do just have to outrun him and not the bear.
Let’s say the worst happens. You read this and take it to heart, applying all of my fantastic and valuable recommendations to harden your website, but you still become a victim. It could happen, despite all the precautions we take; sometimes they find a way in. If you take none other of these recommendations, please consider these last two: talk to your service provider or a cyber security consultant about an Incident Response Plan before you need one and look into cyber insurance to protect you from losses and liability resulting from a breach. Cyber insurance is a fairly new, and frankly somewhat controversial idea, but it’s a good one in my opinion. Many traditional insurance companies won’t cover losses from a cyber incident; check with them first.
The bottom line is that your website is the world’s front door to your business, and there are many more bad guys wanting to break in that way than there are coming in from the street. Make sure you make it hard enough for them that they move on to the next guy.
“Websites are not ‘set it and forget it,’” Duffy said. “You have to test them, update them and monitor them if you can. Do your research before something bad happens, and have a plan in place.”
L.M. Larsen is the Director of Cyber Security for Apple Federal Credit Union and has over 20 years in information technology, cyber security, forensics and counterintelligence consulting experience. He is also a lifelong firearms and shooting enthusiast.
Featured image: iStock