Since the advent of digital commerce, hackers have kept both online merchants and the cybersecurity industry on their toes. Large security breaches occur almost every other week, and cyber-attacks on industry giants such as Marriott Hotels, Facebook, and Target continue to remain in the news. What’s more, with cybercriminals becoming more sophisticated and using automation to execute attacks at scale, the need for advanced security to protect digital storefronts and users (their identities and credit card data) is higher than ever before.
The most sophisticated hackers today are no longer coming through the “front door” and launching massive DDoS attacks; instead, attacks are becoming more frequent at the “back door”, or the application layer where most of the customer information resides. (Learn more about how cyber-attacks on Magento storefronts are typically executed.)
Fortunately, online merchants can avoid a great deal of pain by regularly applying security patches (for known vulnerabilities), using a web application firewall (WAF), and periodically reviewing their whitelists.
How a WAF helps
A WAF provides a layer of protection between a web application and the Internet. It determines, based on pre-defined rules and the site administrator’s directions, who or what enters the web application. WAFs protect web applications by monitoring and filtering web traffic (differentiating between legitimate users and illegitimate traffic), and mitigating a wide range of cyberthreats.
Most WAFs have pre-defined rules (or policies) built in for protecting against commonly known threats, such as the OWASP Top 10. Rules may also involve adding IP addresses belonging to known bad actors (or malicious bots) to a block list.
Is this enough?
Picture this. The person responsible for your web application’s security went on a well-deserved vacation two days ago. In the interim, your e-commerce platform provider disclosed a vulnerability it had just discovered, along with a patch to fix it. A hacker uses this window of opportunity to gain admin access to your storefront and steal credit card data (remember, hackers always stay on top of vulnerabilities, even when you don’t).
How would you deal with this security breach? What do you do when the origin of the attack doesn’t show up on published lists of bad actors? What happens when you’re facing a zero-day attack? How do you deal with a cyberattack that’s already in progress?
The answer: you need to be able to customize your WAF in real time.
That is easier said than done, however. To customize and configure new security rules in your WAF, you need the help of a security expert who can make the necessary code changes. These highly skilled professionals can be both expensive and hard to find.
That’s where Webscale’s Web Controls come to the rescue.
Web Controls: No Code, No Compromise, No Complexity
Webscale’s Web Controls enable site administrators to use pre-defined, pre-tested security rulesets based on their e-commerce application, minimizing the need to discover, define, and maintain the rules themselves.
With Web Controls, site administrators can also create the equivalent of firewall rules without a deep technical understanding of how to build them. Web Controls are designed so that a user of any skill level, technical or non-technical, can quickly take action to ensure enterprise-grade security, high availability, and fast performance for their web applications. A few examples of what you can accomplish with Web Controls include:
- Blocking certain requests for a specified duration.
- Blocking all traffic from a specific country, if you don’t want to do business with potential customers from that country.
- Rate-limiting resource-intensive user sessions to mitigate their impact on the overall application, and much more.
Web Controls are very easy (and intuitive) to create. All you need to understand are conditions and actions: conditions are the triggers that activate a Web Control, and actions are what is carried out once the conditions in a Web Control are met.
Here’s an example of the steps a site administrator would need to follow to create a Web Control for rate-limiting traffic:
Step 1: Log in to the Webscale portal and select the appropriate domain by clicking on Zoom.
Step 2: Click on Actions -> Edit.
Step 3: Select the Web Controls tab, then click on the “Add A Web Control” button.
Step 4: From the “Add a Web Control” window:
- Enter a name to describe your control. You may also add a description to further clarify the control purpose.
- Select a Condition for the control. In this case, select “Rate Limit” from the selection list.
- Add a limit to the number of requests in a time interval.
- Click on Save.
- Select an Action to take. In this case, select “Add Address to Set” from the selection list.
- Click on Save Action.
- Click on the Save Web Control button.
Step 5: From the “Add a Web Control” window:
- Select the Web Controls tab, then click on the “Address in set” button.
- Set Action as “Deny Request.”
Step 6: Your new Web Control is now created but is disabled by default. To enable the Web Control, click on the “Enable” switch to the right of the Web Control details.
Your Web Control is now enabled, and all traffic exceeding the configured number of requests in the time interval will receive a Forbidden error message.
… and you’re done. No code, no compromise, no complexity!
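To make the condition/action model and the two-control setup above concrete, here is an added illustration written for this post; it is not Webscale’s code and does not reflect how the Webscale platform is implemented. It models the first control (condition “Rate Limit”, action “Add Address to Set”) and the second (condition “Address in set”, action “Deny Request”) as a small in-memory evaluator. The request limit, window length, block duration, and the sample request log with its client addresses are all constructed for the example; the sliding-window counting and time-limited block set are assumptions about one reasonable way such controls behave.

```python
"""Added illustration (not Webscale's code): two chained controls.

Control 1: condition "Rate Limit"      -> action "Add Address to Set"
Control 2: condition "Address in set"  -> action "Deny Request" (403)

Timestamps are passed in explicitly (seconds) so the example is
deterministic and runs offline; a real deployment would use the clock.
"""
from collections import defaultdict, deque


class WebControls:
    def __init__(self, max_requests, window_seconds, block_seconds):
        self.max_requests = max_requests      # requests allowed per window
        self.window_seconds = window_seconds  # sliding window length
        self.block_seconds = block_seconds    # how long an address stays in the set
        self._history = defaultdict(deque)    # addr -> recent request timestamps
        self._blocked_until = {}              # the "address set": addr -> expiry time

    def _rate_limit_condition(self, addr, now):
        """True when this request pushes addr over max_requests in the window."""
        recent = self._history[addr]
        recent.append(now)
        while recent and now - recent[0] > self.window_seconds:
            recent.popleft()                  # drop requests older than the window
        return len(recent) > self.max_requests

    def _address_in_set(self, addr, now):
        """True while addr is in the block set; expired entries are removed."""
        until = self._blocked_until.get(addr)
        if until is None:
            return False
        if now >= until:
            del self._blocked_until[addr]     # block duration elapsed
            return False
        return True

    def evaluate(self, addr, now):
        """Return (status, reason) for one request.

        Control 2 is checked first so already-blocked addresses are refused
        without touching the counters; control 1 then adds new offenders.
        """
        if self._address_in_set(addr, now):
            return 403, "address-in-set"
        if self._rate_limit_condition(addr, now):
            self._blocked_until[addr] = now + self.block_seconds
            return 403, "rate-limit"
        return 200, "allowed"


# Constructed sample traffic: (timestamp in seconds, client address).
# 203.0.113.7 bursts eight requests in eight seconds; 198.51.100.2 is quiet;
# 203.0.113.7 returns after its block has expired.
SAMPLE_REQUESTS = [(t, "203.0.113.7") for t in range(8)] + [
    (3, "198.51.100.2"),
    (9, "198.51.100.2"),
    (70, "203.0.113.7"),
]


def run_sample(max_requests=5, window_seconds=10, block_seconds=60):
    """Evaluate SAMPLE_REQUESTS in timestamp order; return one row per request."""
    controls = WebControls(max_requests, window_seconds, block_seconds)
    rows = []
    for ts, addr in sorted(SAMPLE_REQUESTS, key=lambda r: r[0]):
        status, reason = controls.evaluate(addr, ts)
        rows.append((ts, addr, status, reason))
    return rows


if __name__ == "__main__":
    for ts, addr, status, reason in run_sample():
        print(f"t={ts:>3}s {addr:<14} {status} {reason}")
```

Running the block prints one line per request: the bursting client gets its first five requests through, the sixth trips the rate limit and lands it in the set, the next two are denied because the address is in the set, and at t=70 the block has expired so it is served again. The quiet client is never affected, which is the property you want from a per-address control.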
Another example outlining the steps to set up a Web Control that blocks specific countries from accessing a website can be found here: https://www.webscale.com/knowledgebase/user-guide/web-controls-how-to-block-countries-from-accessing-my-site
Web Controls combined with Webscale’s next-generation WAF, intrusion detection, and bot management solutions, are one of the most powerful ways to defend your online storefront against all types of cyberattacks that threaten digital commerce.