How to Protect Your Ecommerce Website Against Cyber Threats (For Small and Medium Businesses)

Watch this to better understand your attack surface and how to keep your ecommerce website safe.

In this webinar, SecurityMetrics Deputy CISO, Matt Heffelfinger, discusses:

  • The top dangers ecommerce sites face
  • How to better understand your attack surface
  • The very best practices to keep your ecommerce website safe

Learn more about Shopping Cart Inspect here.

Request a quote to see how Shopping Cart Inspect can protect your business here.

Transcript of How to Protect Your Ecommerce Website Against Cyber Threats (For Small and Medium Businesses)

We are SecurityMetrics. We are one of the world's leading companies for compliance, risk, and cybersecurity.

We help businesses of all sizes, including businesses from small and medium-sized to large enterprises and entrepreneurs.

We help them see the threats they've been missing.

And today's conversation is all about helping you understand the threats that may happen in your shopping cart or your ecommerce platform. I'm Heff, and I am the Deputy CISO here at SecurityMetrics. I also help lead the threat intelligence center where we have a team of security operations analysts who are hunting for hackers on behalf of all of our clients.

Now if you would like to watch this again, we encourage it. We've actually made two different webinars. This webinar is specifically designed for small- to medium-sized business owners. Or if you have an IT person on your staff, then they definitely wanna listen and pay attention.

We also have a second webinar, and that webinar is designed for the enterprise level client. Perhaps you have a bigger team, and perhaps you have more people on your staff and your compliance department or your cybersecurity team that can look at the shopping cart and get a handle and an idea. In that second webinar, we include a lot more technical information, including a demo of how this works. With that in mind, folks, we encourage you to share this and enjoy it.

And, of course, we will do our best to keep the information as non-technical as possible. We'll try to make this as simple to understand as we can, because it is a very complex topic.

Okay. There are a lot of misconceptions out there when it comes to talking about securing your shopping cart. And a lot of misconceptions come from whichever vendor you're using to handle your payment processing. So for example, one of the biggest misconceptions out there is that the payment processor handles all the security: they promise you the world, and your shopping cart is secure. And the reality is there's a lot of things that are happening inside the shopping cart that you may not be aware of, and that is what we're gonna try to kinda demystify today and explain what are those things that could potentially cause a vulnerability or potentially allow a threat actor into your environment, into your shopping cart.

Now if you do have questions during today's webinar, feel free to submit them. We'll do our best to answer as many questions as we can at the end of today's webinar. But the real topic that we wanna get into is this, and that is there are many pathways, many doorways that could potentially be exposed inside your shopping cart, inside your ecommerce platform. But before we answer those questions and all those doorways, it's helpful to set the stage.

And that is in your business right now, if you have an online shopping cart, chances are you're probably using a vendor like Amazon or perhaps Shopify. Shopify is very popular out there. There are also other vendors that offer ecommerce platforms such as Wix. They're gaining market share.

Also, Shift4Shop is another vendor that's on the scene. And, of course, the bread and butter, the most popular one that's been around a long time is Magento.

And then maybe you're using WordPress or WooCommerce, for example. They're very prominent out there.

No matter which vendor you're using for your ecommerce platform, it's important to really ask yourself, is your shopping cart secure? Is it safe from the bad guys? And what's surprising is in many of these instances, not knowing is one of the worst things, and that's where really SecurityMetrics tries to provide that peace of mind that your shopping cart is secure. And we do that in several ways, and we're gonna talk about those ways here in just a moment.

It's very difficult though, folks. It's very difficult to identify e-skimming attacks. We're talking about e-skimmers. E-skimmers are the kind of thing that gets in there into your shopping cart without you knowing, without your customer knowing, and tries to steal things like credit card data or PII, personally identifiable information.

I mentioned it's hard to detect, and it's hard to detect for several reasons. One of the big reasons why it's hard to detect is that the checkout process actually occurs in the web browser. So it does not happen on the server. Now that makes it a challenge because for your customer, they may not know that their web browser has been compromised or your shopping cart's been compromised.

Another thing that makes e-skimming really hard to detect is that many of the tools that are on the market right now do not detect e-skimmers. And what I'm talking about here is things like FIM, or file integrity monitoring, or perhaps you have antivirus at your business. That will not detect if your shopping cart's been compromised.

Other tools that will potentially not see what's happening in your shopping cart are things like IDS and IPS. So we're talking about intrusion detection systems or intrusion prevention systems.

A lot of those tools, again, do not have visibility into all of the scripts that are running potentially in your shopping cart. Now patching can help. And if you have an IT person, they can probably get a handle on this, but it also helps to have a second set of eyes. And that's where SecurityMetrics has products called Shopping Cart Monitor and Shopping Cart Inspect. Each one of these products does something a little bit different, but the overall goal is to get into the shopping cart and figure out if it's been compromised.

Now, before we talk about all of the doorways into the business, I also wanna mention who the bad guys are. Because I often hear this from business owners. Well, who's the bad guy? You keep talking about these bad guys.

Well, the interesting part of shopping cart vulnerabilities and shopping cart exploitation is who the threat actor is. Now what we know from an industry perspective and from what we see happening is there's about seven different flavors of bad guys. And what I mean by that is the bad guy's name is Magecart, and it's an umbrella term. I want you to think of it like an Internet mafia guy.

Alright? That's the best way to describe it. They're like the Internet mafia. And there's about seven different types of these Internet mafia guys, called Magecart.

Now what Magecart does is they try to get into the shopping cart and exploit it. Every single one of these Magecart flavors, these seven different types (and there may be more, but we typically talk about the seven major Magecart types), has a different tactic, a different technique, a different process for infiltrating the shopping cart. And that means having knowledge of how that happens is key.

And we specialize in Magecart, identifying Magecart and their different techniques, their different tactics, their TTPs, as we call them in the industry. Now it's important that you understand that there are seven flavors, seven different types. However, for the scope of today's webinar, we're not gonna go into every single type of Magecart threat actor. But I want you to be aware of it.

That is who we are primarily looking for, the threat actor Magecart.

So for a small business owner, you might be wondering what is the doorway? How are they getting in? How do I know if my shopping cart has been compromised? If my ecommerce platform is secure, how do I check that and verify that?

Well, I will tell you that there are a lot of ways and doorways that the bad guy can get in. One of the most common ways they do it is embedding malicious scripts without your knowledge into your ecommerce platform. And again, this gets back to that perception where you may say, well, I thought my payment processor had those safeguards in place. And oftentimes, they have the bare minimum.

Oftentimes, they may not even have the technical controls in place to protect you and your shopping cart. That is one doorway. Another common doorway: I mentioned the words third-party scripts. And what typically happens in the shopping cart is you have a lot of stuff going on in there.

And what I mean by that is if you've ever checked out your shopping cart and you realize you have marketing scripts in there, you have data analytics scripts that are in there, you might have other types of scripts running in that thing, in that shopping cart that could potentially be compromised.

Some clients we have found have over six hundred scripts running at any given time during a customer's checkout process. Now imagine that for a moment. Six hundred scripts running. How do you know whether or not they're all secure?

Or better yet, do you have an inventory of all of those scripts that you have running in your shopping cart? And chances are you may not even know which scripts you have running. That is one other doorway that could happen. Okay.

There are many other doorways that are into your shopping cart, and one such way is for a threat actor like Magecart to compromise your iframe. Now even if you think your iframe is secure, with the right threat actor, they could actually get the right malicious script in there in that payment page, and they can scrape credit card data. So you need to be concerned about that. There are many other doorways too.

One other doorway is actually hacking your third-party supplier. So if you have any sort of service or functionality running inside your shopping cart, and what I'm referring to here is things like, again, ads, static content, corrupting any additional functionality that is running in that shopping cart is what threat actors like Magecart are after. And another example of a doorway would be registering domains that mimic your analytics providers. That's another doorway they love to use.

And spoofing victim domains is another very popular tactic. I will also say this. If you have any sort of volume of traffic on your online shopping cart, anything going on that is transactional in nature, you should try to get a baseline of what normal looks like in your shopping cart. And that is the goal of today's conversation.

And as we switch gears here to talking about potential solutions to help you, I just wanna mention this, that hackers, bad guys, they're gonna use whatever weakness is exploitable.

And it might be even things like a compromised shipping provider, and we give a perfect example of this in our other briefing, on our other webinar that we have. And that webinar, you can find online on our site. I host it with Aaron Willis from our shopping cart team. He gives an excellent example of how the customer goes and checks out of the website, and as they're checking out, they choose a shipper. It could be FedEx, it could be UPS, or it could be another vendor. And it was that script, the checkout script, that was compromised, and we show an awesome example of how that happens. And, again, that's in our other webinar.

Okay. So let's discuss what you can do about it. You're a small business owner. Chances are you have limited resources.

Maybe you have an IT person that can help you out on this. I will say this. There are many options here, and they range from completely free, and that includes things like educating yourself on what the latest threats are that happen in the shopping cart, all the way on up to services that will give you ongoing monitoring of your shopping cart. Let's start with the most basic stuff, and that's the free stuff.

What we have available to you is a weekly free threat intelligence email. In that email, we go out and we find all the latest news that is happening in the world of cybersecurity and specifically in the world of shopping cart monitoring and shopping cart threats. We correlate that every week. It's completely free.

You can sign up for that on our website.

And I will encourage you to do that because we don't just cover shopping cart threats. We also cover the latest cybersecurity breaches, and we showcase and highlight the latest phishing tactics, which are great to share with your staff, post it in the break room, or if you have startup meetings with your staff, you could explain to them, hey. This week, this is the latest phishing that just happened.

Okay. So that's the free stuff. Right? But then there's also other options out there. And one of the best things that you could possibly do to get a handle on your shopping cart is by getting a baseline.

What you wanna know is what normal looks like inside your shopping cart. That can be a challenge. And why that is a challenge is because if you don't know what normal looks like, then you may already be compromised and you may not know. So we have created a product here at SecurityMetrics, and that product is called Shopping Cart Inspect.

Shopping Cart Inspect is a one-time scan. What that scan does is it gets in there, and it starts looking for any malicious activity. It's also gonna give you an idea of how many scripts are running inside your shopping cart. You see, the real challenge, though, with shopping cart and understanding those threats is the bad guys, they don't attack on every transaction, and that's another common misconception.

Oftentimes, the threat actor will not compromise every single transaction. They might skip a few because they don't wanna get detected. They may skip a bunch. They may skip a whole month and then come back to you.

So to help you out with that, we have Shopping Cart Inspect, which does a one-time scan with a very nice comprehensive report, but we also have Shopping Cart Monitor. And Shopping Cart Monitor is ongoing scans, which means if the threat actor is not compromising your cart every day or every transaction, it may take a while to find where the bad guy or the threat actor is inside your ecommerce platform. So I hope that makes sense. Shopping Cart Inspect is a one-time scan.

Shopping Cart Monitor is ongoing scans.

So the conversation then shifts. Once you have a baseline, the conversation can change and start talking about other things. And what I mean by that is looking for other gaps in your shopping cart and in your environment. It's not just about always becoming PCI compliant.

Compliance is great, but there's a lot of other things that go into defense in depth. And as a small business owner, my recommendation to all of you out there is start slow, start small, and do what's best for the business. Don't do it just because Heff says you gotta do a scan. Do it because it's the right thing to do, and do it within your budget.

So with that in mind, I would say, after the baseline, you wanna do some sort of scanning. And I'm talking about here internal vulnerability scanning or external vulnerability scanning. Things like that can be done through our Pulse platform. SecurityMetrics has a platform where you can put sensors in your environment and start to look at that network traffic and then get alerts when something malicious is happening.

I would also recommend that you take a look at NIST. NIST has an incredible framework for small business owners to get an understanding of security in their environment. They give you a checklist, and they discuss everything from security operations center monitoring, like my team does, to looking at external vulnerability scanning, internal vulnerability scanning, even using things like endpoint software, these tiny pieces of software that you can put on all the devices inside your business. It's very inexpensive, and it can really give you a lot of bang for your buck.

But the real key takeaway here is this. Doing at least one thing is better than doing nothing. And if you're concerned really about that shopping cart, start with Shopping Cart Inspect. Alright.

So I hope that helped you today understand, and again, it's real high level, folks, what you can do to protect your business in terms of the shopping cart and your ecommerce platform. Don't accept what your vendor tells you when they say, you're secure. We've got technical controls in place. You're safe.

Always get a second opinion, and that is really where SecurityMetrics can provide you a lot of intelligence on what is happening inside that shopping cart. We do have a lot of questions that came in. I'm gonna do my best to try to get to all those questions. I mean, there's a lot.

So let's see what I can do here. Well, the first question that came in is, which of your ecommerce security tools is better to help with e-skimming? Now we mentioned this in the webinar that for most of you, starting with a baseline with something like SecurityMetrics Shopping Cart Inspect is probably gonna be great. It's probably gonna meet your needs, get you a very comprehensive report.

If you have a little bit more concern about your shopping cart, then perhaps calling us and discussing things like Shopping Cart Monitor, where you get those ongoing scans, is probably a better move.

And that is really where I would start with the monitoring piece. And then, you know, also, you have folks like my team, which is the security operations folks, which offers low-cost options. We do syslog monitoring, for example. Get in there and really see, you know, your business is closed at two o'clock in the morning.

We will find if a threat actor is attacking your network at two o'clock in the morning and give you an alert and let you know. That's the kind of work that my team does. So you have a lot of options there. At a minimum, though, it's about getting a baseline.

Alright. Question number two. Question number two came in, and it says, wouldn't my third party platform cover most of these security and compliance tasks for me? Should I worry?

Yes. I know. And, you know, that's the kind of stuff that keeps me up at night is when you hire a third-party vendor in your business, I always wonder, they promise the world, but are they under delivering? Alright?

And the key takeaway there is no matter what shopping cart vendor you're using, if you're using Amazon, Shopify, Wistia, Magento, the reality is they may have told you that they are giving you some basic security tools. And then when you actually go to see if they're delivering on that promise that you contracted with them, it may not be there. So having SecurityMetrics come in and give you that peace of mind and giving you that one-time Shopping Cart Inspect is a good move. And that's what I recommend.

Question number three. Question number three is, if I have a small staff, a limited budget, where should I focus? And I hear this a lot from our clients. And a lot of our small- to medium-sized business clients, they don't have a big staff.

You know, for a small business owner, I always try to put myself in your shoes. I get it. Right? You're trying to take care of accounts payable, accounts receivable, inventory, handling marketing, handling staff concerns, trying to keep the lights on, trying to keep the doors open.

Right? I mean, managing that focus is so difficult. But you also have the world of cybersecurity.

And the best way to approach this is, again, start small. You don't need to throw a lot of money at this. Start with education. Sign up for things like that free threat intelligence email where we share the latest phishing examples every week and the latest shopping cart threats.

Once you've got an idea of education and you've started ingesting some of that knowledge, then you need to move on to getting a baseline. And the best way to do that is through vulnerability scanning. At a minimum, today, I would do that. I would get SecurityMetrics on the phone and get in there and start having us do some internal vulnerability scanning and external vulnerability scanning.

That's probably one of the best places to start. Once you do that, you'll get an idea of all the assets in your environment. And when you have all the assets in your environment, all the software that's running, all the hardware that's running, that is, wow, you now have an idea of what needs to get patched and what needs to be looked at, and perhaps you have stuff in there that's no longer supported.

Right? Those are the kind of steps that I would do. Internal and external vulnerability scanning. First steps.

We have time for one more question, folks. I hope you're enjoying the webinar. I love answering questions. And there are so many out there.

And I always say, if you have a question we didn't get to, please pick up the phone and call us. Our final question is this. Do you have any sort of resources you'd recommend to learn more about ecommerce security?

You've got a bunch of resources out there. Now one of the challenges we have is things are always changing in the world of ecommerce. And what I'm talking about is PCI 4.0 has come out. Have you heard about it?

PCI 4.0? We here at SecurityMetrics, we have an entire floor of folks that are dedicated to helping business owners get compliant with PCI. I would start right there by reading the latest PCI standards. Once you get an idea of the latest standards, you can then start to expand your knowledge and start to look at things like the PCI website where they have a lot of excellent resources.

But we also at SecurityMetrics have a ton of free resources. We have an entire academy of small business knowledge on cybersecurity and compliance that's completely free. You can go to our website and sign up for SecurityMetrics Academy, and we'll get you access to all that free education.

With that in mind, folks, we are so glad you joined us. I hope you got some value out of this today. This is not an easy topic. It is not easy to explain it.

It's very technical at times. But I will say this. You started on a great journey of answering the question, is my shopping cart secure? And you can now have the knowledge and the background and the confidence by giving us a ring.

Give us a call. Let us help you, and let us get the conversation at least started on is your shopping cart secure. From all of us here at SecurityMetrics, glad you could join us. I'm Heff, and have a good one.
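The baseline idea the webinar keeps returning to (inventory every script on the checkout page, then watch for scripts you did not put there, including ones served from domains that mimic your analytics providers) can be turned into a simple check. The following is an added example, not SecurityMetrics code or any product described above; it uses only the Python standard library, and the two checkout-page snapshots, the trusted-host list and the typo-squatted hostname are all constructed for the demonstration.

```python
import hashlib
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed snapshots of a checkout page: the baseline recorded when the cart
# was known-good, and a later capture to compare against it.
BASELINE_HTML = """<html><body>
<script src="https://www.googletagmanager.com/gtm.js"></script>
<script src="/static/checkout.js"></script>
<script>window.shop = {currency: "USD"};</script>
</body></html>"""
# The later capture adds a script from a typo-squatted host and a new inline script.
CURRENT_HTML = BASELINE_HTML.replace("</body>", """
<script src="https://www.googletagmanger.com/gtm.js"></script>
<script>console.log("promo banner");</script>
</body>""")
# Hosts you intentionally load on the payment page (constructed list).
TRUSTED_HOSTS = ["www.googletagmanager.com"]


class _ScriptCollector(HTMLParser):
    """Records ('external', host) per <script src> and ('inline', sha256) per inline body."""

    def __init__(self):
        super().__init__()
        self.found = set()
        self._inline = None  # text buffer while inside an inline <script>

    def handle_starttag(self, tag, attrs):
        src = dict(attrs).get("src")
        if tag == "script" and src:
            self.found.add(("external", urlparse(src).hostname or "(same-origin)"))
        elif tag == "script":
            self._inline = []

    def handle_data(self, data):
        if self._inline is not None:
            self._inline.append(data)

    def handle_endtag(self, tag):
        if tag == "script" and self._inline is not None:
            digest = hashlib.sha256("".join(self._inline).strip().encode()).hexdigest()
            self.found.add(("inline", digest))
            self._inline = None


def inventory(html):
    """Set of script identities found on one page snapshot."""
    collector = _ScriptCollector()
    collector.feed(html)
    return collector.found


def _edit_distance(a, b):  # Levenshtein distance, used to spot typo-squatted hostnames
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalikes(hosts, trusted, max_distance=2):
    """Hosts within a few edits of a trusted host that are neither it nor a subdomain of it."""
    return [(h, t) for h in hosts for t in trusted
            if h != t and not h.endswith("." + t) and _edit_distance(h, t) <= max_distance]


def diff_against_baseline(baseline_html, current_html, trusted_hosts):
    """Scripts added or removed since the baseline, plus new hosts that mimic trusted ones."""
    base, cur = inventory(baseline_html), inventory(current_html)
    new_hosts = [host for kind, host in cur - base if kind == "external"]
    return {"added": cur - base, "removed": base - cur,
            "lookalikes": lookalikes(new_hosts, trusted_hosts)}
```

Run `diff_against_baseline(BASELINE_HTML, CURRENT_HTML, TRUSTED_HOSTS)` after each capture of the real checkout page; anything in `added` or `lookalikes` is a script to account for, and a changed inline hash means a script you already trusted has been modified.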
