Ryan Marshall
6 min read

One of the questions I hear a lot is, "what's the common factor you see with breached customers?" and the simple answer is unpatched or out-of-date software. In this blog post I'll walk you through a few tips that can help mitigate breaches.

A large number of the customers we deal with wonder why they fell victim to a breach; most of the time there is a common reason why they were targeted. Here at Foregenix we constantly perform investigations, both within the payment industry and beyond, in a general Incident Response (IR) context. Most of the time there is a common factor from environment to environment, especially within the eCommerce space: out-of-date or unpatched software. Unfortunately, this lack of patching and maintenance tends to be the reason they get breached.

Lately, Foregenix has seen a large number of unpatched Magento websites that have been breached because the framework has been left to wither. On February 13th 2022, Adobe released a rather critical patch to combat a weakness commonly referred to as the template vulnerability - https://helpx.adobe.com/security/products/magento/apsb22-12.html. The patching process was a two-part process, with the second patch released on February 17th 2022; however, during a number of our investigations we are seeing that either the merchant failed to patch the vulnerability entirely, or they only applied the first part of the patch, which meant they were still vulnerable to attacks.

Below are a number of simple things that Foregenix recommends be performed on a regular basis in order to help mitigate breaches:

1.   Regularly check the framework providers for software updates or patches - if critical security patches are announced, install them within one month (sooner if possible).

While you might not be monitoring for security updates, I can assure you that attackers are.
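One way to turn the "within one month" target into a check you can run against a site is to compare the installed build against each advisory's fixed build and count the days since the advisory was published. The example below is added to this post and is not Foregenix tooling or Magento code; the two advisory entries use the dates the post gives for the two-part release, but their `fixed_version` values are placeholders, not the builds named in Adobe's advisory, and the `Advisory` structure and version-string format ("2.4.3-p1" style) are assumptions.

```python
import re
from dataclasses import dataclass
from datetime import date

PATCH_WINDOW_DAYS = 30  # the post's target: critical patches applied within a month


@dataclass(frozen=True)
class Advisory:
    ident: str          # vendor advisory identifier
    published: date     # date the vendor published the fix
    fixed_version: str  # first build that contains the fix (placeholders below)


_VERSION_RE = re.compile(r"^(\d+(?:\.\d+)*)(?:-p(\d+))?$")


def parse_version(text: str) -> tuple:
    """Turn a Magento-style build string such as '2.4.3-p1' into a tuple that
    sorts correctly: ((2, 4, 3), 1).  A build with no -pN suffix is patch level 0."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    core = tuple(int(part) for part in m.group(1).split("."))
    patch = int(m.group(2)) if m.group(2) else 0
    return (core, patch)


def is_patched(installed: str, advisory: Advisory) -> bool:
    """True when the installed build is at or above the advisory's fixed build."""
    return parse_version(installed) >= parse_version(advisory.fixed_version)


def patch_status(installed: str, advisories, today: date) -> dict:
    """Classify every advisory as patched, pending (unpatched, window still open:
    days left) or overdue (unpatched, window closed: days past the window)."""
    status = {"patched": [], "pending": [], "overdue": []}
    for adv in advisories:
        if is_patched(installed, adv):
            status["patched"].append(adv.ident)
            continue
        age = (today - adv.published).days
        if age > PATCH_WINDOW_DAYS:
            status["overdue"].append((adv.ident, age - PATCH_WINDOW_DAYS))
        else:
            status["pending"].append((adv.ident, PATCH_WINDOW_DAYS - age))
    return status


# Constructed sample: the two-part release described in the post.  The dates are
# the ones the post gives; the fixed_version values are PLACEHOLDERS, not the
# builds named in Adobe's advisory.
ADVISORIES = [
    Advisory("APSB22-12 part 1", date(2022, 2, 13), "2.4.3-p1"),
    Advisory("APSB22-12 part 2", date(2022, 2, 17), "2.4.3-p2"),
]


def example_partial_patch_status() -> dict:
    """A site that applied only the first part, checked on 1 April 2022."""
    return patch_status("2.4.3-p1", ADVISORIES, date(2022, 4, 1))


def example_unpatched_status() -> dict:
    """A site on the pre-patch build, checked a week after the first release."""
    return patch_status("2.4.3", ADVISORIES, date(2022, 2, 20))


if __name__ == "__main__":
    print(example_partial_patch_status())
    print(example_unpatched_status())
```

The "applied only part one" case from the post shows up as one patched entry and one overdue entry, which is exactly the state the investigations described above keep finding.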


2.   Implement a password policy that covers the following:

  • Regularly rotate passwords - if you can, stick to a maximum of ninety (90) days between password changes.
  • Accounts that have not been used within the last ninety (90) days should be deactivated.
  • If an account is no longer required for an individual, deactivate it and remove it within ninety (90) days, sooner if at all possible.
  • Ensure that the last four (4) passwords are not reused upon password resets.
  • Monitor any third-party admin accounts in order to ensure they are used appropriately.
  • Once any third-party account is no longer required, deactivate the account and remove it.

The benefit of monitoring accounts and rotating passwords is that stale accounts are not left available for an attacker to use.


3.   Implement admin account restrictions:

  • Ensure that only those employees who require a full admin account are provided one.
  • Ensure that employees are provided with the least level of privilege required to do their job.

The fewer permissions an account has, the harder it is for an attacker to gain the access they need.
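The account rules in items 2 and 3 above are easy to state and easy to let slip, so they are worth checking mechanically against an export of the admin user list. The example below is added to this post and is not Foregenix or Magento code: it applies the 90-day inactivity and password-age limits, the four-password reuse rule (checked at reset time against salted hashes, which is the only way a history of hashed passwords can be checked) and an approved list of full admins. The `AdminAccount` fields, the role name "Administrators", the PBKDF2 parameters and the sample accounts are all constructed for the example.

```python
import hashlib
import os
from dataclasses import dataclass
from datetime import date
from typing import Optional

MAX_PASSWORD_AGE_DAYS = 90          # rotate passwords at least every 90 days
MAX_INACTIVE_DAYS = 90              # deactivate accounts unused for 90 days
PASSWORD_HISTORY = 4                # the last four passwords may not be reused
FULL_ADMIN_ROLE = "Administrators"  # assumed name of the unrestricted admin role
PBKDF2_ROUNDS = 200_000


def hash_password(password: str, salt: Optional[bytes] = None) -> tuple:
    """Salted PBKDF2-SHA256; returns (salt, digest) so an old entry can be re-verified."""
    salt = salt or os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


def password_reused(new_password: str, history: list) -> bool:
    """True if new_password matches any of the newest PASSWORD_HISTORY entries.
    history is a list of (salt, digest) tuples, newest first."""
    for salt, digest in history[:PASSWORD_HISTORY]:
        if hash_password(new_password, salt)[1] == digest:
            return True
    return False


@dataclass
class AdminAccount:
    username: str
    role: str
    active: bool
    third_party: bool            # account belongs to an agency or vendor, not staff
    last_login: Optional[date]   # None means the account has never logged in
    password_set: date           # when the current password was set


def audit_accounts(accounts, full_admin_allowlist, today: date) -> dict:
    """Return {username: [finding, ...]} for every active account that breaches
    the policy; accounts with no findings are omitted from the report."""
    report = {}
    for a in accounts:
        if not a.active:
            continue  # already deactivated; removal is tracked separately
        findings = []
        if a.last_login is None or (today - a.last_login).days > MAX_INACTIVE_DAYS:
            findings.append("inactive for over 90 days: deactivate")
        if (today - a.password_set).days > MAX_PASSWORD_AGE_DAYS:
            findings.append("password older than 90 days: rotate")
        if a.role == FULL_ADMIN_ROLE and a.username not in full_admin_allowlist:
            findings.append("full admin not on approved list: reduce privileges")
        if a.third_party:
            findings.append("third-party account: confirm still required")
        if findings:
            report[a.username] = findings
    return report


# Constructed sample standing in for an export of the admin user table.
SAMPLE_ACCOUNTS = [
    AdminAccount("alice", "Administrators", True, False, date(2022, 3, 28), date(2022, 2, 1)),
    AdminAccount("bob", "Administrators", True, False, date(2021, 11, 15), date(2021, 10, 1)),
    AdminAccount("agency-dev", "Catalog Managers", True, True, date(2022, 3, 30), date(2022, 3, 1)),
    AdminAccount("old-temp", "Administrators", False, False, None, date(2021, 1, 1)),
]
APPROVED_FULL_ADMINS = {"alice"}


def example_audit() -> dict:
    """Run the audit over the sample as of 1 April 2022."""
    return audit_accounts(SAMPLE_ACCOUNTS, APPROVED_FULL_ADMINS, date(2022, 4, 1))


if __name__ == "__main__":
    for user, findings in example_audit().items():
        print(user, findings)
```

Running this on the sample flags "bob" three times (inactive, stale password, unapproved full admin) and "agency-dev" once for third-party review, while the already-deactivated "old-temp" is skipped.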


4.   Implement Multi-Factor Authentication (MFA) on all admin user accounts:

MFA is one of the most powerful tools in your arsenal because a one-time token is required at login in addition to the password, so a stolen or guessed password is not enough on its own.


5.   Record admin changes - There are a number of plugins out there that record when an admin user logs in and/or makes changes from within the admin area. As the site's configuration can be changed from the admin area, it is good practice to record when changes are made.

The plugins referenced above are examples that provide the functionality described. There may be others, and there are articles online that compare different plugins, so please research them prior to installing.
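Recording admin activity is only useful if someone reads it, so here is a small review pass over such a log. This example is added to this post and is not the code of any particular plugin: it summarises logins and configuration changes per admin user and flags any change made by a user who is not on the expected-admin list, or for whom no login was recorded before the change. The log lines are a constructed sample in a one-JSON-object-per-line shape, and the field names (`ts`, `user`, `event`, `path`, `old`, `new`) and config paths are assumptions for the example.

```python
import json


def parse_log(text: str) -> list:
    """One JSON object per line; blank lines are ignored."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def review_admin_log(records: list, expected_admins: set) -> tuple:
    """Return (summary, flagged): per-user login/change counts and a list of
    configuration changes that need a second look."""
    summary = {}
    flagged = []
    seen_login = set()  # users with a login recorded earlier in this log
    for r in records:
        user = r["user"]
        entry = summary.setdefault(user, {"logins": 0, "changes": 0})
        if r["event"] == "login":
            entry["logins"] += 1
            seen_login.add(user)
        elif r["event"] == "config_change":
            entry["changes"] += 1
            if user not in expected_admins:
                flagged.append((r["ts"], user, r["path"], "user not on expected-admin list"))
            if user not in seen_login:
                flagged.append((r["ts"], user, r["path"], "no login recorded before change"))
    return summary, flagged


# Constructed sample log in the shape an admin-activity plugin might write.
SAMPLE_LOG = """\
{"ts": "2022-03-01T09:12:03Z", "user": "alice", "event": "login", "ip": "203.0.113.10"}
{"ts": "2022-03-01T09:15:40Z", "user": "alice", "event": "config_change", "path": "general/store_information/name", "old": "Old Store", "new": "New Store"}
{"ts": "2022-03-02T02:41:17Z", "user": "temp-admin", "event": "login", "ip": "198.51.100.7"}
{"ts": "2022-03-02T02:42:05Z", "user": "temp-admin", "event": "config_change", "path": "admin/security/session_lifetime", "old": "900", "new": "86400"}
{"ts": "2022-03-02T02:43:30Z", "user": "temp-admin", "event": "logout", "ip": "198.51.100.7"}
{"ts": "2022-03-03T10:00:00Z", "user": "integration", "event": "config_change", "path": "catalog/frontend/list_per_page", "old": "20", "new": "24"}
"""
EXPECTED_ADMINS = {"alice", "integration"}


def example_review() -> tuple:
    """Review the sample log against the expected-admin list."""
    return review_admin_log(parse_log(SAMPLE_LOG), EXPECTED_ADMINS)


if __name__ == "__main__":
    summary, flagged = example_review()
    for user, counts in summary.items():
        print(user, counts)
    for item in flagged:
        print("FLAG", item)
```

On the sample, the change by "temp-admin" is flagged because that account is not on the expected list, and the change by "integration" is flagged because the log holds no login for it, which is the kind of discrepancy a recorded history lets you spot and query.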


You can also check - and monitor - your website security status using our free ThreatView Community service:


While a number of the recommendations made above may sound simple, they can be very effective in helping prevent an attack on the website. One of the sayings I tend to refer to when speaking to impacted customers is "you don't have to outrun the bull, you simply need to outrun the person next to you". It may sound horrible, but when you look at the statistics, attackers simply target those websites that are susceptible to known vulnerabilities rather than trying to exploit the unknown. A lot of the time, the attackers will simply monitor the patch notes and security bulletins for frameworks like Magento or WordPress, then scan the Internet for websites with those vulnerabilities and, once detected, exploit them. By implementing a simple update policy that ensures critical security patches are applied within a month, you could be making the difference between your website being targeted or being left alone.

If you think you might have fallen victim to a breach, do not hesitate to contact us here at Foregenix. 
