Top 10 Tips From DEF CON 25 for Magento Merchants

July 31, 2017 by Paul Byrne

If you're not familiar with DEF CON, it is an annual hacker conference held in Las Vegas each year, attended by over 20,000 hackers, security experts, FBI agents, device manufacturers and merchants. The conference celebrates the exploits, no matter how impractical, of hackers, penetration testers and security professionals. Razoyo attended for the first time with an eye toward understanding upcoming threats to merchants and their customers, how to better shield merchants from existing threats, and, generally, gaining a better understanding of security issues, themes and concepts.

1 - Keep your software up to date

Most hacks take a while to develop. Ethical hackers will inform software providers (like Magento) about security bugs before releasing the information publicly. Applying patches promptly reduces the window in which a hacker can exploit the weakness on your site.

2 - Remember your security chain is only as strong as its weakest link

Merchants who have outside developers, designers, catalog people and so forth working on their sites should ensure that everyone with access follows good procedure. Using strong passwords for admin users and rotating them regularly is a good start.

3 - Use good password practices

90% of the most widely-used Point of Sale card readers could be defeated simply because the default password had never been changed to a custom one. One hacker demonstrated his ability to not only hack, but completely take over, credit card readers. Brute force attacks thrive on common passwords.

4 - Use encryption everywhere

Keeping data encrypted makes it much harder for hackers to find and pull meaningful data out of your system. If you keep customer information on your laptop or anywhere other than your web site, it needs to be encrypted.

5 - Assume you have been hacked or could be hacked

While this sounds a little fatalistic, it is better to assume you have been than to hope you haven't. When doing an assessment of one client's web site, we found a critical vulnerability in a major hosting company's platform that would allow a hacker to gain access to your site from another site in the same data center. Even if your own security is solid, you would still be vulnerable through a compromised neighbor. We reported this to the hosting company, but it was going to be too hard for them to correct, so two years later they still haven't. Operating on the assumption that you have already been hacked will help you prevent actual attacks.

6 - Don't trust anyone with the keys to the kingdom

An employee of a state lottery contracting firm was able to hide a hack that he used to gain millions in lottery winnings. Requiring two people to perform certain tasks, and having a third party review access logs, can help keep people honest.

7 - IoT is the new frontier for hackers

Everything from web cams to printers to light bulbs is prone to being hacked. Don't skimp on these products; buy them from companies that have done their security homework. And remember #5.

8 - Ask your providers for specifics about their security protocols

Talk to your hosting company and ask them what their vulnerabilities are. Have a developer review any extensions you intend to install for unsafe practices. Don't take anyone's word for it.

9 - Get some basic knowledge

You don't have to be a developer or network engineer to understand the basics of cybersecurity. A little knowledge will go a long way in helping you ask the right questions.

10 - Don't assume technology will provide security

Social hacking is the new black hat. Your employees need to be aware of scams, avoid clicking on dangerous email attachments, and generally approach their work with an eye to security. Encourage employees to take ownership of the security of the business.

Facilities need to be secured and any outside visits should be detected. It doesn't take a lot of money: simply installing a Canary security camera and a solid deadbolt can help make your company a hardened target for hackers.