Security is a top concern for internet retailers, particularly during the crucial and high-traffic holiday season. Retailers spend a lot of time protecting the “front door” of their website using firewall rules, intrusion prevention and detection systems, web application firewalls and more. However, the back door “control center” of many web content platforms (think Magento, Drupal and WordPress) is also accessible via the Web, and provides a fertile ground for attackers to infiltrate.
Though it’s easy to forget about the back door, it’s imperative that retailers protect the administrative sections of their web content platforms. Once an attacker gets access to the control center, they can easily add lines of code and make other changes that can exfiltrate sensitive data.
Fortunately, there are steps retailers can take now – in advance of Black Friday – to protect their administrative pages:
Change the default URL of the admin page
Every web content platform has a default URL for its administrative section. These defaults are convenient, but they are also known to attackers. For example, http://www.yourdomain.com/magento/admin is the default URL for the Admin Panel of Magento. While one should never rely on “security through obscurity” as the only means of protection, modify your administrative section’s default URL as soon as possible. In doing so, you’ll keep yourself off the radar of programmatic scripts scouring the internet looking for direct access to the “control centers.”
Protect external access to the admin page
In an ideal world, you would require a VPN connection to access the admin page, and it would only be available via a private IP address. You could then block, at the firewall, any attempt to reach the page from a public IP address. Since site-to-site and local VPNs can sometimes be tricky to implement, a fallback solution is to whitelist the IP addresses that need to reach the admin pages. This means only specific, authorized, external IP addresses can access the admin page, which adds a level of protection against outside users.
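One way to apply that whitelist at the web server rather than the firewall, shown as an added example that is not from the original post: an nginx configuration fragment with the open (weak) form of the admin location next to the restricted form. The admin path, the PHP front controller and all addresses are assumptions, and the addresses are placeholders from the documentation ranges.

```nginx
# Added example (not from the post): restrict the admin section in nginx.
# Assumptions: the admin path has already been renamed to /ops-console-7f3a/,
# requests are routed through /index.php, and the addresses below are
# placeholders (replace them with your office and VPN egress addresses).
# These directives belong inside the site's server { ... } block.

# Weak form: the admin path is reachable from any public address.
# location /ops-console-7f3a/ {
#     try_files $uri $uri/ /index.php$is_args$args;
# }

# Restricted form: only the listed sources reach the admin path; every
# other client receives 403 before the request touches the application.
location ^~ /ops-console-7f3a/ {
    allow 203.0.113.10;        # office egress address (placeholder)
    allow 198.51.100.0/24;     # VPN address pool (placeholder)
    deny  all;

    try_files $uri $uri/ /index.php$is_args$args;
}

# Caveat: behind a CDN or load balancer nginx sees the proxy's address, so
# the allow list above would match the proxy instead of the real client.
# Recover the client address from the proxy's header, trusting only the
# proxy's own range so that clients cannot spoof it.
set_real_ip_from 192.0.2.0/24;          # proxy/CDN range (placeholder)
real_ip_header   X-Forwarded-For;
real_ip_recursive on;
```

If the platform also answers admin requests through the front controller (for example /index.php/ops-console-7f3a/...), add a matching location for that form as well, or enforce the restriction at the firewall as described above.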
Use dual factor authentication
Many web content systems have plug-ins or capabilities to leverage dual factor authentication. In other words, instead of relying on just a username/password combination, which can be guessed or stolen if the local PC is compromised, dual factor provides an additional level of authentication that a remote attacker will not have. Most dual factor implementations have convenient applications for your smartphone that generate a one-time security code to be used at each login.
If I were to pick just one of these steps to implement for my retail business today, I would prioritize dual factor authentication. While implementing additional code and systems can sometimes be problematic, dual factor is easily the strongest solution to protect your control center from remote, unauthorized access. Changing the default URL is also a very easy step to implement, and will keep you off the radar from automated scans that could identify your site as a target.
Needless to say, as a security professional, I would recommend taking all three steps. As anyone with a base knowledge of security will tell you, security in layers is the best way to protect your web environment. And as the retail season is ramping up, so are consumers’ concerns about security. These are a few easy-to-implement precautions that retailers can use to give their shoppers the gift of security this holiday season.
Scott Walters is Director of Security at INetU.