With Magento being the platform of choice for many fast-growing, successful online businesses, the security of your Magento Store is a critical part of staying successful. Using a Magento Security Scanner is an important step in understanding your security posture. This is what a Magento Security Scan result should tell you (at a minimum):
Your Magento version details
Patching - are you missing any critical security patches?
Malware - is your site infected?
Exposed Admin Interface
Vulnerability to known exploits
It shouldn't stop there either; these are the basic reports that you should expect.
Read on for more info...
What is the importance of reporting on these various topics?
Magento Version and Details - you most likely know this already, but if you don't, you will be told whether or not you are using an up-to-date version of Magento. Many websites are still running on Magento 1, for example, which is no longer supported by Magento. Understanding this, and the associated risk of running out-of-date software, is an important aspect of your organisation's cyber security management.
Patching - critical security patches are regularly released by Magento whenever they discover a security issue and figure out how to address it. These security issues are (usually) well documented - meaning that while you and your devs can access that data, so can criminals. Therefore, once a critical security patch is released, we advise getting that patch implemented as soon as possible, as criminals will be working to find sites with this vulnerability so that they can exploit it and break into the business. Understanding your patching levels is very important.
Malware - this is a speciality of ours. Arguably we have one of the most comprehensive malware datasets, built from the huge number of forensic investigations we perform. Every new piece of malware we identify, we fingerprint and add to our ThreatView platform to enable detection across our clients around the world. We also put all the new "fingerprints" into the free Magento Security Scanner to help the community stay ahead of the threats. A Magento Security Scanner should be able to identify the latest malware targeting Magento sites - and you should be able to validate the work they do in the community. We publish a report on the eCommerce ThreatScape every month in the eComm Cyber Security group on LinkedIn, and we also publish the report on our website.
Exposed Admin Interface - this is a very important alert: an exposed Admin Interface (login page) is a major security issue. For more info, please read this article: https://www.foregenix.com/en/blog/4-steps-to-improve-your-magento-store-security
Vulnerability to known Exploits - this kind of speaks for itself. Most of these exploits relate to how the Magento Store is configured (or not configured). This is an important area, as it highlights what other known exposures your website is presenting to the world.
Information Leakage - this is a basic security issue and an important one to get right. Leaking information about your Magento Store to visitors tells them more than they need to know about the nuts and bolts of your setup - and with a combination of such information, you could be arming criminals to attack your business.
Additional areas where a Magento Security Scan could help Magento Store owners are:
Email security - how securely your email is set up.
Site encryption - important but sometimes overlooked.
Site reputation - how Google and other search engines see your site from a security perspective.
Third Party scripts running on your site - third parties are a source of risk for eCommerce sites. What are the implications of a 3rd party getting hacked and criminals using them as a vector to hack your business? We have seen this happen and expect it to become more of an issue. Understanding which scripts are running on your Magento Store - and validating them - is an important piece of the cyber security puzzle. In fact, your PCI DSS Compliance is going to require you to monitor this exact attack vector.
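To make the third-party script point concrete, here is an added example (not Foregenix's scanner code, and not anything from the Magento project) of the kind of check a store owner can run over their own checkout page HTML: it lists every script the page loads, separates first-party scripts from third-party ones, flags any host that is not on the store's approved list, and notes cross-origin scripts that carry no Subresource Integrity attribute. The HTML, the first-party host `shop.example` and the approved-host list are all constructed for the example; a real store would feed in its own page and its own policy.

```python
"""Inventory the scripts a storefront page loads and flag third-party
origins that are not on an approved list or lack Subresource Integrity.

Added example for this post (not Foregenix's scanner code). The HTML
below is constructed, and the approved-host list is a hypothetical
store policy; a real store would feed its own checkout/payment page
HTML and its own allowlist."""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample of a storefront page: a first-party script, an
# approved payment provider script with SRI, an approved analytics
# script without SRI, one inline script, and an unexpected host of the
# kind that shows up when a third party has been compromised.
SAMPLE_HTML = """<html><head>
<script src="https://shop.example/static/frontend/Magento/luma/en_US/requirejs/require.js"></script>
<script src="https://js.approved-payments.example/v3/checkout.js"
        integrity="sha384-CONSTRUCTED_DIGEST_PLACEHOLDER" crossorigin="anonymous"></script>
<script src="https://www.approved-analytics.example/tag.js"></script>
<script src="https://cdn.unknown-host.example/assets/jquery.min.js"></script>
<script>var storeConfig = {};</script>
</head><body></body></html>"""

FIRST_PARTY_HOST = "shop.example"               # assumption: the store's own host
APPROVED_THIRD_PARTY_HOSTS = {                  # hypothetical store policy
    "js.approved-payments.example",
    "www.approved-analytics.example",
}


class ScriptCollector(HTMLParser):
    """Collect the src and integrity attributes of every <script> tag."""

    def __init__(self):
        super().__init__()
        self.scripts = []   # list of {"src": str|None, "integrity": str|None}

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "script":
            return
        a = dict(attrs)
        self.scripts.append({"src": a.get("src"), "integrity": a.get("integrity")})


def inventory_scripts(html, first_party_host, approved_hosts):
    """Classify each script as first-party, approved third-party or
    unapproved, and record cross-origin scripts that lack SRI.

    Returns a dict with lists under 'first_party', 'approved', 'unapproved'
    and 'missing_sri', plus an 'inline' count of scripts with no src."""
    parser = ScriptCollector()
    parser.feed(html)
    report = {"first_party": [], "approved": [], "unapproved": [],
              "missing_sri": [], "inline": 0}
    for s in parser.scripts:
        src = s["src"]
        if not src:
            report["inline"] += 1
            continue
        # A relative src (no hostname) is served by the store itself.
        host = urlparse(src).hostname or first_party_host
        if host == first_party_host:
            report["first_party"].append(src)
            continue
        if host in approved_hosts:
            report["approved"].append(src)
        else:
            report["unapproved"].append(src)
        # Any cross-origin script should pin its content with SRI so a
        # compromised CDN cannot silently change what the browser runs.
        if not s["integrity"]:
            report["missing_sri"].append(src)
    return report


def has_findings(report):
    """True when the page loads a script the policy does not allow, or a
    cross-origin script without SRI: the cases worth alerting on."""
    return bool(report["unapproved"] or report["missing_sri"])


if __name__ == "__main__":
    r = inventory_scripts(SAMPLE_HTML, FIRST_PARTY_HOST, APPROVED_THIRD_PARTY_HOSTS)
    for key in ("unapproved", "missing_sri"):
        for src in r[key]:
            print(f"{key}: {src}")
```

Run against the constructed page, the check reports `cdn.unknown-host.example` as an unapproved origin and lists both it and the analytics tag as lacking SRI. In practice the approved list is the script inventory that PCI DSS asks you to maintain, and the useful signal is any change to it between scans; note that SRI cannot be applied to tags whose content the vendor changes without notice, so for those the inventory and a Content Security Policy are the controls that remain.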
All of this and more is available for free from our Magento Security Scan here:
Benj Hosack is a Director and co-Founder of Foregenix Limited. Foregenix is a specialist information security business delivering services in Forensics, PCI DSS, PCI P2PE, PA-DSS and information security solutions within the Payment Card Industry. Our technologies are designed to simplify security and PCI Compliance. Specialties: Cardholder Data Discovery - defining and reducing PCI DSS Scope / PA-DSS / PCI DSS / P2PE / Account Data Compromise Investigations. We are specialists in the Payment Card Industry and work with all types of companies in the payment chain (Acquiring banks, Processors, hosting providers, web designers, merchants, systems integrators etc).