22 October 2019

Creating stronger passwords

Hey there and welcome back to another edition of the Hussey Coding blog.

It is October and thus the spookiest holiday is almost upon us. In recent blogs we have been looking at cybersecurity: what it means, what you need to know and why it's important. In this blog we are going to be looking at one of the simplest ways you can help keep your stores and sites secure, and yet one of the most overlooked methods ever!

That's right, in this blog we will be looking at

Everybody uses passwords these days; it's become one of those facts of life, but are they secure? Are they strong enough to keep people out, or are they so poor that anyone could guess them given enough information? Maybe you are reading this and feeling really confident about your password's strength, but what about Dorris in shipping? Or Luke over in online sales? How strong are their passwords? Are they using the same password over and over?
Here is a list of 10 things that you can do or introduce into your company to help keep not just your business safe, but your staff and customers too.

#1 - Size matters!
Create a password that is over 8 characters long; the longer it is, the harder it will be to guess.

#2 - M1x 1t up
Throw in some uppercase and lower case letters but don't just stop there, numbers and symbols are also a gr8 Way 2 sT0p an @ack3r gu3ss1ng Y0ur PassW0rds

#3 - 3's a crowd
Don't bunch up your numbers and symbols, for example Huss3yC0d1ng is much harder to guess than HusseyCoding123!

#4 - It's not personal
Steer clear of using personal information: your pet's name, the favourite place you brag about visiting every weekend, your maiden name etc. Sure, your password needs to be memorable, but that doesn't mean it has to be easy. Also, unlike the example above, try to avoid using company names or references.

#5 - It takes 2 baby!
Two-factor authentication is an amazing little tool in helping keep your business secure and you should use it whenever possible. Two-factor authentication is basically when a site will send you a PIN to input on logging in as well as your password, and it is a feature that Magento supports.
Follow this link for a guide on setting up two-factor authentication by CLOUDWAYS - https://www.cloudways.com/blog/magento-two-factor-authentication/

#6 - Get creative
Use different passwords for different accounts, yeah it can be annoying having to remember them all but having just one password to rule them all is not good security! When your Facebook password is also your admin panel password all it takes is for someone to get into your Facebook and your whole business is compromised.

#7 - Memories, all alone in the moonlight!
Don't store your passwords, either physically or digitally, as these are easily stolen, lost or passed on to undesired parties, giving hackers easy access to your store and other accounts. However, if you just have too many passwords to remember you can always sign up to a password manager like LastPass, Bitwarden or Keeper, meaning you will only need to remember the one master password while the others are securely stored.

#8 - If you've got it, use it
If you use a mobile device to work from then make sure you secure it with a strong password/number or when possible enable fingerprint or facial recognition.

#9 - Ch-ch-ch-ch-changes
Change your password regularly, especially when people leave your company or a contract ends with third party providers. A good number of security breaches happen because a disgruntled former employee or someone from a third party company still has access to sensitive data and decided to take advantage.

#10 - Log out and switch off
Log out of apps and sites when you are done using them. Staying logged in is a great way for hackers to access your accounts; the log out button is there for a reason, so use it.
On the same note, when you are finished with an application don't forget to delete it and remove all permissions you may have granted it, especially on your mobile device. All your gear might be secure, but remember that game you used to play about 6 years ago that you never logged out of? How secure is that now?

Now I know we said this would be a list of 10 things but because we like you so much and because you stuck with us to the end we're going to throw in a bonus tip

 - Adopt a password policy
Adopting a password policy for your company will ensure that everyone is on the same page, and that you and everyone else who has access to sensitive data are not reusing old passwords or creating weak ones.
A study performed by the University of Indiana found that making longer, more complicated passwords a requirement almost completely stopped University staff reusing passwords and helped the general security of the University.
Follow the link to read the full article https://news.iu.edu/stories/2018/10/iub/releases/11-stringent-password-policies-prevent-fraud-study.html
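
One way a password policy could check tips #1 to #4 automatically, as an added example (this is not Hussey Coding's or Magento's code). The function names, the character-swap table and the banned term list are assumptions made for the illustration.

```python
import re

# Common character swaps (assumed list); guessing tools try these too.
LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a", "5": "s",
                      "7": "t", "@": "a", "$": "s", "!": "i"})


def letters_only(text):
    """Lower-case the text, undo common swaps and drop everything but letters."""
    return re.sub(r"[^a-z]", "", text.lower().translate(LEET))


def check_password(password, banned_words=()):
    """Return a list of policy problems; an empty list means the password passes.

    banned_words holds personal or company terms (tip #4), supplied by the caller.
    """
    problems = []

    # Tip #1: over 8 characters long.
    if len(password) <= 8:
        problems.append("too short")

    # Tip #2: uppercase, lowercase, numbers and symbols.
    required = {"lowercase letter": r"[a-z]", "uppercase letter": r"[A-Z]",
                "number": r"[0-9]", "symbol": r"[^A-Za-z0-9]"}
    for name, pattern in required.items():
        if not re.search(pattern, password):
            problems.append("no " + name)

    # Tip #3: letters followed by one trailing clump of numbers/symbols.
    if re.fullmatch(r"[A-Za-z]+[^A-Za-z]+", password):
        problems.append("numbers and symbols bunched at the end")

    # Tip #4: personal or company terms, even when disguised with swaps.
    plain = letters_only(password)
    for word in banned_words:
        needle = letters_only(word)
        if len(needle) >= 3 and needle in plain:
            problems.append("contains banned term: " + word)

    return problems


if __name__ == "__main__":
    # Constructed inputs: the two passwords from tip #3 plus a made-up one.
    for candidate in ("HusseyCoding123!", "Huss3yC0d1ng", "pl7um#Ra9in&Coat"):
        print(candidate, "->", check_password(candidate, ["Hussey Coding"]))
```

Both passwords from tip #3 are reported for the company name, which is the point tip #4 makes about them; swapping letters for numbers does not hide the name from this check.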

Thank you for giving us your time today and we hope that this article has helped you and your company get that little bit more secure.
If you have any questions about this article please feel free to leave a comment or contact us using our various details listed below.
We would also like to take this opportunity to remind you of our limited time launch offer of 50% for all clients and developers signing up to our new service www.developerconnection.co.uk.
Thanks again and until next time, stay safe and have a great day.

Want to contact Hussey Coding? Here's how
You can mail us at info@husseycoding.co.uk
Visit our website at www.husseycoding.co.uk

Or join in all the fun on our social media profiles
Facebook - facebook.com/husseycoding
Twitter - twitter.com/husseycoding
LinkedIn - linkedin.com/company/hussey-coding
We look forward to hearing from you soon.

17 October 2019

Another 5 tips to secure your store

Hi there and welcome back to another of our Hussey Coding blogs. Today we're going to be continuing our look into cybersecurity by giving you another helping of hints and tips that you can do right now to help secure your Magento store, so what are you waiting for?

In this blog we will look at
 - 1. K.O. the F.T.P.
 - 2. Check the oil
 - 3. Who knows what?
 - 4. Practice, practice, practice
 - 5. I have a cunning plan!

#1 - K.O. the F.T.P.
If you are using FTP then it is our strong recommendation that you stop!
Instead allow your server to use SSH, which in turn will allow you to use SFTP, giving you a much better and more secure way of transferring your files. A common way for hackers to gain access to online stores is by going after FTP passwords. Remember to also remove access for anyone who has had access in the past, like old employees or third party companies, as leaving it in place is a great way of allowing unwelcome access.

Getting yourself set up with SSH if you are using Linux is easy as it's part of the package. If you are using Windows then follow this link to the "How to use PuTTY on Windows" guide by SSH.com,
or if you are using macOS check out SSH.com's guide for you here.
Or you can ask your development team to do it for you. Don't have one? info@husseycoding.co.uk

#2 - Check the oil.
In the same way that you check the oil and water levels in your car, every now and then go over your settings, change your passwords and review who has access to what, and you'll be amazed when you remember how much you forgot.
Ask your dev team to analyse your store for any vulnerabilities. If they don't find anything, great; if they do, get it fixed.
If you are using Magento extensions, do bear in mind that they may not be updated often, creating an opportunity for hackers until a patch or update is released, so keep an eye on your extensions. Using popular extensions is a great way to combat this as they will traditionally receive good support and updates more regularly. Ask yourself questions like "do I need this extension?", "is it still useful to my company?", "is there another extension out there now that can do the job of multiple extensions I have running at the moment?".

#3 - Who knows what?
OK, so your computer is up to date, your Magento store is up to date, even all of your extensions are up to date. What about your staff?
You may have heard of the term social engineering. This is where an attacker will manipulate individuals into unknowingly releasing confidential data for illegal purposes.
Put another way, your bank just e-mailed your accounts department asking them to verify some details, otherwise there may be issues with payments further down the line. They even provided a handy link to follow and it looks legitimate. Once there, all they need to do is confirm your company's address, credit card number, email address, all the sorts of things your bank would need to know. A few months later, when you decide to "check the oil", you notice a steady stream of money has been leaving your company and is now missing. No one can seem to track it down, and after you spend more money hiring a team to find the root of the problem you discover that your whole company has been breached and that you need to fire Susie from accounting, who's been with you for nearly 20 years.

A huge number of companies spend all their cybersecurity budget on teams and software, which is great, but considering that one of the greatest risks to your security is social engineering, you are going to need to invest some of that budget in training all of your staff in cybersecurity.
Training staff to identify fraudulent email, insecure websites and general social engineering methods used by attackers could save your company, your reputation, your stock, your finances and Susie's job!

#4 - Practice, practice, practice.
This might seem like an odd one but it's really effective: don't just tell your staff about cybercrime, let them experience it in a controlled environment.
Send out some emails with a fake link in them and see who opens them, or if you have an IT department ask them to simulate a cyberattack and see how your staff respond. Simulated attacks really help to show vulnerabilities in your security, give you and your staff real time experience of the stress filled, chaotic nature of an attack, and give all involved an opportunity to learn, adapt and better prepare for the real thing.

Simulated attacks also shift your company's thinking from a reactionary mindset to a proactive one. What's that saying about the best defence being a strong offence? Thinking about what and how attackers might attempt to infiltrate your business helps you be better prepared than just dealing with an attack that has already happened or that you have heard about.

#5 - I have a cunning plan!
Form a response plan and have one in place from day 1. There's an old saying that goes "it is far better to have and not need than to need and not have".

There are various different ways that you can be attacked, some of which we have covered in our previous blog 6 CYBERATTACKS THAT WILL DESTROY YOUR BUSINESS; some are very obvious and some are not.
In the event that you think you are under attack or have been the victim of a cyberattack, we strongly recommend you contact your developer/development team right away. If you don't have a regular team to keep costs down then now is the time to pay out for one, as they will be able to identify the origin, type and extent of the attack and be able to take steps in preventing and repairing the damage caused. As always you can contact us here on info@husseycoding.co.uk to take advantage of a decade's worth of experience using and developing the Magento platform.
Want some more pointers on what should be in a cunning response plan? Never fear, Hussey Coding is here! We have a whole blog dedicated to this very issue coming soon.

With all of these things in place you are well on your way to having formidable security. Do remember that these are not the only things that can be done but a basic list of things that YOU can do to help secure your store! Also bear in mind that having the best security in the world doesn't guarantee that you will not become the target of an attack, nor does it guarantee that an attacker won't get through, but having these things in place does help prevent losses both to you and your customers.

If you missed our first 5 tips to securing your store, follow this link to read them now: 5 EASY STEPS TO BETTER SECURITY
Thank you for taking the time to read this post, we hope it's helpful in keeping your online store secure and attack free. As always, should you wish to contact us here at Hussey Coding then our details are below and don't forget to go and sign up now to www.developerconnection.co.uk to take advantage of our 50% off launch discount. Until next time, stay safe and have a great day.


15 October 2019

5 easy steps to better security

Hi there and welcome back to another safe and secure edition of the Hussey Coding blog.

Today we're going to be looking at some helpful hints and tips to help you make your business more secure. Please feel free to leave a comment on your experience with some of these things and to let us know your favourite security tip. Please bear in mind that these are not the only things you can do to help secure your store or business but rather a good foundation to begin your cybersecurity journey.

In this blog we will look at
 - 1. Get your foundations in place
 - 2. Staying up to date
 - 3. Return to sender, address unknown
 - 4. Shhhh, it's a secret
 - 5. Under lock and key

#1 - Get your foundation in place
You can't build a house without a good, strong foundation; if your foundations fail your house will fall down. The same is true here: make sure that the computers you use to access your administration panel are secure, as having the best Magento security in the world won't help you if your computers have no security at all.
Make sure you update them with all the relevant security you need, keep your antivirus software up to date, only allow access to people who need to use them, delete users from the computers and the administration panel for that matter that aren't part of your company any more and don't open anything suspicious, be it email or download, if it doesn't look safe then leave it be!

#2 - Stay up to date
Just like keeping your desktop/laptop security, OS and antivirus up to date, the same is true of your Magento store. Magento is constantly being updated and improved by teams of skilled developers and this includes, but is not exclusive to, fixing any vulnerabilities that may be found within the Magento platform.
Once a vulnerability is found, Magento will typically create a patch that will be part of the next version update, making it of the utmost importance that you A) keep up to date with all the Magento news and B) install all the latest versions, especially since running older patches can now make your store vulnerable to new threats.
Not sure you have the latest version of Magento? Follow this link to the Tech resources page to find out - https://magento.com/technical-resources

If for some reason you can't download the latest version of Magento then it's equally important that you download and install the latest security patches or alternatively speak with your developer/dev team. If you don't have one and need one then Hussey Coding are always here to help you out, just contact us at info@husseycoding.co.uk

Remember this practice applies not only to Magento but to all other software that you have installed on your server. Again, having the most updated Magento store is great but pointless if everything else is weak and vulnerable. It is also very important to remember that in June of 2020 all official Magento support will be ending for M1 users, so if you haven't begun your migration to M2 we highly recommend you start sooner rather than later.

#3 - Return to sender, address unknown! 
Your administration panel is at the heart of everything your Magento store is, it’s where you can see, edit and manage everything you need to create the perfect store for you and your customers and so it is vital that it has great security built around it.

By default your administration panel's URL will look something like this

This is really easy for hackers to find and access and is highly susceptible to brute force attacks (an attack where automated software bombards your site trying to guess your username and password at incredible speeds to gain access), so what you want to do is limit the point of entry by changing the admin panel's URL to something more secure, so secure that in theory you wouldn't be able to find it unless you knew exactly where to look.
There is an option to change your admin panel's URL using the admin panel itself and there are a number of "how to" guides out there showing you how to do it. However, we came across a number of issues when trying this method and it never worked for us.
But never fear, as there are other methods. The easiest one, and the one we would recommend, is asking your developer to change your admin URL in the environment configuration file; it's simple and fast to do.
If you do choose to change it from the admin panel yourself then we wish you luck and advise that you put your developer on speed dial just in case.
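
How the brute force attack described above shows up in a web server access log, as an added example (not code from Hussey Coding or Magento). The log lines are constructed in the common access log format, and the `/admin` path, the threshold and the time window are assumptions to adjust for your own store.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

ADMIN_PATH = "/admin"            # assumed admin path; use your store's own
MAX_POSTS = 5                    # assumed: more than this per window is suspicious
WINDOW = timedelta(seconds=60)   # assumed sliding window

# client IP, [timestamp], "METHOD path protocol", status
LINE_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)


def find_bruteforce(lines, admin_path=ADMIN_PATH, max_posts=MAX_POSTS,
                    window=WINDOW):
    """Return {ip: peak POST count} for clients that exceed max_posts form
    submissions to the admin path inside one sliding time window."""
    recent = defaultdict(deque)   # ip -> timestamps still inside the window
    flagged = {}
    for line in lines:
        m = LINE_RE.match(line)
        if not m or m["method"] != "POST":
            continue              # only form submissions count as guesses
        path = m["path"].split("?", 1)[0]
        if path != admin_path and not path.startswith(admin_path + "/"):
            continue
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        stamps = recent[m["ip"]]
        stamps.append(ts)
        while ts - stamps[0] > window:
            stamps.popleft()      # forget attempts older than the window
        if len(stamps) > max_posts:
            flagged[m["ip"]] = max(flagged.get(m["ip"], 0), len(stamps))
    return flagged


# Constructed sample: one client posts to the admin path every 2 seconds,
# another logs in once, a third is an ordinary shopper.
SAMPLE_LOG = [
    f'203.0.113.7 - - [15/Oct/2019:10:00:{s:02d} +0000] '
    f'"POST /admin/ HTTP/1.1" 200 5120'
    for s in range(0, 16, 2)
] + [
    '198.51.100.20 - - [15/Oct/2019:10:00:05 +0000] "POST /admin/ HTTP/1.1" 302 0',
    '198.51.100.20 - - [15/Oct/2019:10:05:00 +0000] "GET /admin/ HTTP/1.1" 200 5120',
    '192.0.2.44 - - [15/Oct/2019:10:00:09 +0000] "POST /checkout/cart/add HTTP/1.1" 200 812',
]

if __name__ == "__main__":
    print(find_bruteforce(SAMPLE_LOG))
```

Running the same check against the old path after the admin URL has been changed shows who is still guessing at the address that no longer exists.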

#4 - Shhhh, it's a secret!
Passwords! Good, strong passwords!
I know, super obvious right? You hear people go on about this over and over and over, but the reason for that is that people are still using really bad passwords! Things that are easy to guess like their pet's name or the year they were born. The other common mistake is having a really good password but using it for everything, meaning that once a hacker has your Facebook password, they now have access to your store as well.
If you are reading this and nervously giggling because you know you fit into one of these 2 categories then please go and change your passwords now!
Not sure what you should change it to or what a strong password should include? Again, don't worry, there is a whole Hussey Coding blog dedicated to this coming soon!

#5 - Under lock and key
Get a padlock, literally! 

Encryption, that's what we are talking about here. An HTTPS/SSL certificate will help to protect private information your customers send to you during transfer. It's important to note here that HTTPS/SSL just transports the data, once the data is with you, you need to secure it.
The way it works is that HTTPS/SSL will scramble the data during transfer and then unscramble it when it's delivered. That little padlock is the symbol your customers will be looking for and is the universal sign that you take security seriously.
Not only that but as of 2017, Google will flag any website that does not hold an HTTPS/SSL certificate as "NOT SECURE", that is not something you want your customers seeing!
Great, so how do you get one? Follow this link to "How to experts" page on how to get yourself set up with a shiny new encrypted padlock

Hopefully you have found these first 5 hints and tips helpful, "Wait? first 5?" I hear you ask, yes, in the coming days we will be releasing another blog with another 5 hints and tips to help you secure your store along with a few extra things in between.
Do remember that having the best security in the world does not make you immune to a cyberattack, but it will help you reduce the damage and even stop an attacker in such an event. These are 5 quick and easy things that you can do right now to help defend against attack, so what are you waiting for?

Thank you for your time today, we hope that you will help support the work of Hussey Coding by heading to our various social media profiles, details below, and hitting those likes, hearts, thumbs up and follow buttons!
Once you've done that don't forget that if you are a Magento developer or a client needing work done on your Magento platform then get on over to www.developerconnection.co.uk NOW to take full advantage of our launch discount of 50% off!
Until next time stay safe and have a great day
