Publishers of technology books, eBooks, and videos for creative people

Home > Blogs > Have a Emergency Plan: Five Critical E-Commerce Security Tips in Five Days

Have a Emergency Plan: Five Critical E-Commerce Security Tips in Five Days

The bulk of security-related advice is based upon preventing break-ins, hacks, and attacks, but responsible e-commerce developers and administrators know that it's just as important to have created an emergency plan well before trouble occurs. In this post, Larry Ullman talks about why an emergency plan is important and what, exactly, that means.

The first thing one has to do either immediately before or immediately after getting a driver's license or buying a car is acquire insurance. Why? Because at some point or another you're likely to need it. And when you do, being without insurance can be catastrophic. The same can be said when it comes to having an emergency plan for your e-commerce sites.

There are clear goals for an emergency plan:

  • Find the cause of the trouble
  • Fix the cause to prevent future problems
  • Minimize the fallout
  • Repair the damage

The hardest, and most important of these goals, are the first two: identifying and fixing the cause of the problem. Actually, fixing the problem shouldn't be that hard, once you've found it, that is. If there's a hole in software you wrote, you should be able to close it. If there's a hole in some other server software, such as the Web server application, upgrading to the most recent version or applying a patch should take care of that. But how do you find the cause in the first place? The first part of your emergency plan, then, is to log all the key incoming traffic. By reviewing the logs, hopefully you can pinpoint the vulnerability. You may want to also use notifications for particular connections. For example, I normally have my servers email me when anyone logs in or connects via FTP. Knowing who accessed the computer when is invaluable with respect to your site's and server's security.

As for minimizing the fallout, let's start by dividing the possible calamities into two broad categories: those that are only bad for your site and those that are also bad for your site's customers. The latter is a much more serious concern than the former. If an intrusion could possibly mean access to your customer's data, the proper thing to do is to notify your customers of the potential risk (ASAP). While to some this sounds like a public relations nightmare, protecting your customers is more important. In particular, let customers know that if they use the same password in other places, they should change the password on those other sites. Also, the customers should watch their credit card bills (if that data might have been stored on your system) for fraudulent charges. Having a pre-written email that conveys all this, and having a pre-defined system for sending out such an email en masse, will save you valuable time after discovering the break.

As part of the emergency plan, you should also look into whatever laws might apply to your business. The state of California, for example, has rules in place for what an e-commerce site must do upon discovery of a security breach.

And finally, there's repairing the damage. In terms of things that can be bad for your site, hacking the data, getting virus, manipulating files, and so forth, are all real possibilities. The emergency plan--the quick fix--for such occurrences is simple: restore the site to a previous backup. If you discover that someone has inserted code (such as JavaScript for Cross-Site Scripting hacks) into your site's pages, being able to quickly revert to safe versions of those files will be a life saver. Depending upon the activity level and complexity of your site, regular backups might be warranted hourly, daily, or weekly. Don't forget to back up the databases, too.

So there you have some quick, bare bones, but effective suggestions for how to go about creating an emergency plan. The most critical thing is that you're not pondering what to do in the case of a security breach for the first time after a security breach. And, as with everything related to security, the particulars of your plan will be largely dictated by the particulars of your site: the hosting, the type of business, what customer data is being stored, how active the site is, and so forth.