Back to Posts List

Ethical Hacking's Role in E-commerce Protection

Share this article




Last updated August 12th, 2020 by Beau Peters in

E-Commerce & Penetration Testing

We live in a high-tech society that has made many things possible. Today, small e-commerce businesses can sell to people wearing their pajamas half a world away. No longer does a business need a storefront to be successful. If you have an in-demand product, you can sell from anywhere with much less on-hand inventory and overhead than you would have needed not long ago. E-commerce has turned dreamers into successful entrepreneurs, and there's no looking back.

With all of the advantages and benefits of e-commerce, however, there also comes a dark side. Hackers want your valuable financial and intellectual information. That is where ethical hacking, also known as "penetration testing," comes in.

Risks of Automation and ERP Systems on E-commerce

Automation has made business much easier. It reduces human error; it is predictable, unlike the human element. Automated systems are also scalable; they will function just as effectively with several tasks as they would with thousands.

Automated systems are vulnerable to threats; however:

  • If your automated system was purchased through a third-party provider and they have a vulnerability in their security, it means that your system is also vulnerable.
  • Automated systems integrate several different databases to work efficiently; therefore, every database within the system is vulnerable to attack.
  • Because the automated system is doing the work, businesses develop complacency when it comes to security measures and may not have proper alert systems in place to warn them of potential security threats.

Enterprise Resource Planning (ERP) is "software that can combine the facets and processes of a business into one integrated system," thereby automating several systems to work as one. It is one way that businesses are becoming more automated. When a customer orders a product, for example, you do not have to email the customer confirming his order, print a shipping label, update your inventory, and determine your profit in separate steps. The ERP covers those steps in one automated process.

There are several types of ERP you can utilize:

  • Workday: Assists worldwide businesses with HR, financials, and accounting operations.
  • ERPAG Software: Manages and ships inventory in addition to accounting and reporting.
  • Odoo: Manages and communicates with customers and performs accounting functions and HR duties.
  • Dynamics 365: Keeps records of leads and promotes better business operations.

In a survey conducted in late 2019, close to two-thirds of organizations that used large ERP platforms had been victim to a security breach in the 24 months prior. Data that was compromised by the breaches included customers' personal identifying information, HR data, financial data, and even data related to intellectual property.

Automating the Hackers

As businesses are becoming more automated, hackers are also becoming more sophisticated. Hacking, these days, is not some guy in a basement writing code to break into a system. Today, hackers are also getting automated:

  • Equipped with lists of stolen passwords, hackers can use an "automated password cracking tool" to break into accounts.
  • Malware and ransomware can now be installed by attackers with no actual hands-on input.
  • Preconfigured keyloggers can track all of the movements of an infected user, gathering valuable data.
  • Banking trojans send users from a legitimate site to a fake one constructed to steal information.

These automated methods of hacking have made our need to protect our systems more critical than ever.

Ethical Hacking or Penetration Testing

The only way to know if a computer network is safe from potential hackers is to test a system's security thoroughly. This is where ethical hacking, sometimes called "penetration testing," comes in. In ethical hacking, a qualified, certified hacker, sometimes referred to as a "white hat hacker," is contracted to determine the weaknesses of a system by purposely trying to break into it. To be proficient at the job, a white hat hacker must do many of the things a malicious hacker would do: follow current hacking trends, study new breaches, and go into hacker forums, all while maintaining integrity.

An ethical hacker's job description, however, includes many shades of grey. Most of these questionable activities involve social engineering. The weakest link to a computer system is not the system itself; it's the people. Social engineering is when the hacker purposely attempts to gather personal information about employees and users without their knowledge. For example, they may impersonate a company's IT department and ask an employee to log on. They may also ask them personal info such as family members' names, which are often used in passwords, or even for social security numbers.

While this is what a malicious hacker might do and is therefore considered necessary, it is also violating someone's privacy. Some companies hire ethical hackers to perform these types of social engineering to determine weaknesses in their systems. This is a major dilemma. If the white hat hacker safeguards an employee's personal information, their tests are not as thorough as they need to be, but to be thorough, they need to violate employees' privacy. A catch-22. Despite that, ethical hacking is necessary to ensure that large-scale systems are as safe as possible from the hackers who are determined to wreak havoc and do harm.

Tools of the Trade

White hat hackers are not alone in their efforts to penetrate computer systems for the benefit of those hiring them. Many penetration testing tools aid them in their efforts. The benefit of using a penetration tester is that, unlike a human, they can find problems and collect data swiftly. Penetration testers act much like their human counterparts, however. They search for possible weaknesses in the system and attack to see if they can get in. Some of the best penetration tools include the following:

  • Acunetix
  • Netsparker
  • Core impact
  • Indusface WAS
  • Intruder

Other Ways to Protect Your System and Your E-commerce Site

Don't feel like you have to rush out and hire an ethical hacker right away. There are many things you can do yourself to safeguard your website:

  • Make sure your customers are following essential security protocols. This includes creating a secure, difficult to decipher password, and changing their passwords regularly.
  • Use a secure firewall. A good firewall will put a layer of protection between you and incoming traffic on your site, and it will warn you when suspicious events occur.
  • Utilize a Transport Layer Security (TLS) or a Secure Socket Layer (SSL). This will encrypt customers' personal information, such as banking info and passwords.
  • Employ the use of an encrypted checkout tunnel to handle credit card info, so your system never has access to that information.
  • Choose your hosting provider carefully. Make sure they can handle e-commerce easily and securely, and that they provide regular network monitoring.

Conclusion

Running an e-commerce business is a dream come true for many entrepreneurs. With most functions being automated, integrated with multiple databases, and having access to the cloud, there are also many opportunities for hackers to maliciously access your information, however. By using certain security measures, in addition to ethical hackers, you can rest a little easier because you are doing all that you can to keep your information safe.

Beau Peters

Beau Peters is a creative professional with a lifetime of experience in service and care. As a manager, he's learned a slew of trade tricks that he enjoys sharing with others who have the same passion and dedication that he brings to his work. When he is not writing, he enjoys reading and trying new things.

comments powered by Disqus