
Florian Heinemann, Managing Director, CampusPoint
  • Industry News
  • Management, Awareness and Compliance
  • OT Security

Appeal after the hack: "Work with professionals!"

An outdated shop system was CampusPoint's undoing. At the start of the university semester, in anticipation of the biggest sales of the year, the shop, which specialises in student offers, went down. Since then, schedules and awareness training have ensured greater security. The most important learning from the security incident: security patches should always be installed as soon as possible. Managing Director Florian Heinemann talks about this in this interview.

What should you do if your own online shop is hacked and goes down? Florian Heinemann and his company CampusPoint fell victim to hacking. When an attack hits, fast and considered action is necessary, as is, of course, a security-oriented operating concept. Heinemann talks about his lessons learned from the security incident in this interview.

Florian Heinemann is the managing director of a company that was the victim of a hacker attack. It was only through a lot of luck that he and his company CampusPoint escaped relatively unscathed. CampusPoint focuses on the sale of IT equipment for R&D, but at the start of the semester, of all times, the online shop was hacked and went down. In the following interview, Heinemann tells us what he learned from this and what is important for smaller companies in such situations.

  • Thanks to a sophisticated operational concept, the ecommerce shop was back online after about 30 minutes.
  • Security patches should always be installed as soon as possible; any delay poses a risk.
  • Customer data needs special protection. Avoidable data should not be collected in the first place, because then it cannot be stolen.

In which situation did the attack hit you and how did you deal with it?

As explained in a video talk (in German), the core of the problem was an outdated shop system. I took over the company in February of the year the hack took place. But the shop system was outdated. At the time of the hack, we were already aware of this and were preparing to change the system. We also set it up from the start so that no customer data is stored there. We work with an interface to the merchandise management system, where the data is stored. Payment data does not even arise because our customers can only pay by PayPal or prepayment.

The preparations for the changeover to the new system were designed in such a way that we could still go through the start of the semester with the old shop, because that is the time with the greatest turnover for us. But after the incident, we had to speed up the changeover and worked through the night to be ready before the start of the semester if possible. We didn't quite manage that, but a few days later we were online with the new system.

Did you use external expertise to deal with the hack?

Immediately the morning after, I went to a lawyer to clarify what the options were, what I had to do and what I shouldn't do. He then asked many appropriate questions and finally recommended that a detailed report be prepared. We discussed this together later and found that no action was necessary.

Luckily, our IT service provider has the necessary security know-how for such situations, so no further external support was necessary. They analysed the damage and created a dossier in which it was written down what had happened and what data movements occurred.

How did you manage to be back online just 30 minutes after the shop system went down?

We work according to the blue-green deployment methodology, which means that we always keep the current release or the current version and the two previous versions on the server. This allows us to switch back to an older release very quickly. We only had to change the link from the current version to the previous version to be able to run it again. Since we usually have short version cycles, there was no significant feature loss and the system could be fully used again shortly afterwards.
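The release-switching approach described in this answer, as an added example that is not CampusPoint's own deployment tooling: each release lives in its own directory, a `current` symlink points at the one being served, and the newest release plus the two previous ones are retained so that a rollback is a single symlink change. The directory layout, the `releases.log` bookkeeping file and the function names are assumptions made for this example.

```shell
#!/bin/sh
# Added example (assumed layout, not CampusPoint's actual setup):
#   $ROOT/releases/<version>/   one directory per deployed release
#   $ROOT/current               symlink to the release being served
#   $ROOT/releases.log          deployment order, oldest first
set -eu

# Deploy a release: create its directory, point "current" at it and prune
# everything older than the two previous releases.
deploy_release() {
  root="$1"; version="$2"
  mkdir -p "$root/releases/$version"
  echo "$version" >> "$root/releases.log"
  # -n replaces the existing symlink instead of descending into it
  ln -sfn "releases/$version" "$root/current"
  keep=$(tail -n 3 "$root/releases.log" | tr '\n' ' ')
  for v in $(cat "$root/releases.log"); do
    case " $keep" in
      *" $v "*) ;;                          # current or one of the two previous
      *) rm -rf "$root/releases/$v" ;;      # older than that: drop it
    esac
  done
  tail -n 3 "$root/releases.log" > "$root/releases.tmp"
  mv "$root/releases.tmp" "$root/releases.log"
}

# Name of the release "current" points at.
current_release() {
  basename "$(readlink "$1/current")"
}

# Roll back: re-point "current" at the release deployed just before it.
# Fails if the current release is the oldest one still on disk.
rollback_release() {
  root="$1"
  cur=$(current_release "$root")
  prev=$(awk -v c="$cur" '$0 == c { print p; exit } { p = $0 }' "$root/releases.log")
  if [ -z "$prev" ]; then
    echo "rollback: no release older than $cur is kept" >&2
    return 1
  fi
  ln -sfn "releases/$prev" "$root/current"
}

# Stand-alone demo: run with "--demo" to watch the switch and the rollback.
if [ "${1:-}" = "--demo" ]; then
  demo=$(mktemp -d)
  for v in v1.0 v1.1 v1.2 v1.3; do deploy_release "$demo" "$v"; done
  echo "serving: $(current_release "$demo")"      # v1.3; v1.0 already pruned
  rollback_release "$demo"
  echo "after rollback: $(current_release "$demo")"  # v1.2
  rm -rf "$demo"
fi
```

Because the web server follows the `current` symlink, the switch back takes effect on the next request without restarting anything, which is what makes a 30-minute recovery plausible; the pruning step is what keeps "the current version and the two previous versions" on disk and nothing more.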

What consequences have you drawn from the incident?

We have set up a budget and maintenance plan that specifies when we expect a new version and how much money we need for it. When a security patch comes, we drop everything, check the update and install it. This is sometimes very time-consuming. But we have planned for it on a monthly basis. We didn't have this perspective before; we had to work hard for it. This is done in cooperation with our service provider, who has set aside extra time and budget for this. We have to test all the functions each time, for example the many configuration and equipment options that can be booked separately. We have developed a schedule for this, which is worked through page by page. Two employees have to block extra working time for this.

Internally, we have tightened the password rules; now, for example, more complexity is necessary. We now provide each employee with a password safe to deal with the amount of complex passwords. We have also tightened up the security settings for the cloud services.

We have introduced regular mandatory awareness training for our employees. We take great care to ensure that this is done. In regular briefings, we have a service provider explain to us which threats are currently occurring. This has also led to us being able to prevent a fraud attempt that started by e-mail. Otherwise, a whole pallet of notebooks would have disappeared. We were able to contribute to the later discovery and arrest of the fraud gang.

Did the attack lead to other effects?

Afterwards, we also noticed that we are often attacked by bots. That's why we installed a kind of bot blocker upstream that filters out such things. Since then, we have also been investigating the bounce rate, i.e. visitors who are rejected by the shop. This rate is quite high. This is done on the basis of conspicuous features, such as when Chinese characters appear in the data stream. We also actively block IP numbers if we notice that more conspicuous requests are coming from there.
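A first-pass filter of the kind described in this answer, as an added example that is not CampusPoint's bot blocker: it reads web server access logs and marks source IPs for review when a request line contains bytes outside printable ASCII (for instance Chinese characters) or when one IP sends an unusually high number of requests. The combined-log line format, the sample lines and the request-count threshold are constructed assumptions for this example; the output is a review list, not an automatic block list.

```shell
#!/bin/sh
# Added example (not CampusPoint's tooling). Input: an access log in the
# common "IP - - [time] "request" status bytes" layout (assumed format).
set -eu

# Write a small constructed log to the given path. The 198.51.100.7 line
# carries raw UTF-8 (Chinese characters) in the query string; 192.0.2.55
# sends four requests within a few seconds.
write_sample_log() {
  cat > "$1" <<'EOF'
203.0.113.10 - - [01/Oct/2023:09:00:01 +0200] "GET /notebooks HTTP/1.1" 200 5120
203.0.113.10 - - [01/Oct/2023:09:00:05 +0200] "GET /notebooks/42 HTTP/1.1" 200 7300
198.51.100.7 - - [01/Oct/2023:09:00:06 +0200] "GET /search?q=笔记本 HTTP/1.1" 200 900
192.0.2.55 - - [01/Oct/2023:09:00:07 +0200] "GET /search?q=a HTTP/1.1" 200 880
192.0.2.55 - - [01/Oct/2023:09:00:07 +0200] "GET /search?q=b HTTP/1.1" 200 880
192.0.2.55 - - [01/Oct/2023:09:00:08 +0200] "GET /search?q=c HTTP/1.1" 200 880
192.0.2.55 - - [01/Oct/2023:09:00:08 +0200] "GET /search?q=d HTTP/1.1" 200 880
EOF
}

# Print, one per line and sorted, every source IP that either sent a line
# containing a byte outside printable ASCII or sent at least $2 requests.
#   $1 = log file, $2 = request-count threshold per IP
suspicious_ips() {
  # LC_ALL=C makes awk match byte by byte, so multi-byte UTF-8 is caught
  # by the "not between space and tilde" character class.
  LC_ALL=C awk -v limit="$2" '
    { ip = $1; count[ip]++ }
    /[^ -~]/ { flagged[ip] = 1 }
    END {
      for (ip in count)
        if (flagged[ip] || count[ip] >= limit) print ip
    }
  ' "$1" | sort
}

# Stand-alone demo: run with "--demo" to see the review list for the sample.
if [ "${1:-}" = "--demo" ]; then
  f=$(mktemp)
  write_sample_log "$f"
  suspicious_ips "$f" 4          # prints 192.0.2.55 and 198.51.100.7
  rm -f "$f"
fi
```

The non-ASCII heuristic is deliberately crude, which is why the result should feed a review step rather than an automatic block: legitimate customers with non-Latin names or search terms will trip it too, and the bounce rate the interview mentions is exactly the number to watch when tuning the threshold.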

What should third parties learn from this, what would you recommend to others after this experience?

The most important thing: Don't postpone updates, ever. That's what I've learned in the private world. I now permanently assume that updates are always important. I am glad that we have our own staff with security know-how and a service provider with expertise that we can trust. Trust is important; it has to be there. Partnerships are based on trust. I would make sure that a service provider has security know-how and is trustworthy. In my perception, the threat on the Internet is constantly increasing. When you operate online, you always have to be alert, both as a customer and as a provider or operator.

Author: Uwe Sievers
