Securing SMB Online Transactions

Giving consumers the assurances they need to know they're securely sending their private information to your business

As more consumers and businesses grow savvy about the safety of the private information asked for by companies they do business with, these customers are pushing their SMB vendors to improve the way they collect and store sensitive details during online transactions. Most fundamental in their demand for protection strategies is the assurance that when they're entering information into their browsers, the information is encrypted during transmission so that no snooping parties can capture those details as they make their way across an Internet connection to the vendor's Web servers.

"I always say put yourself in your customer's shoes as they come to your site. What are you asking them to do? Are you asking them to buy something? Are you asking them to disclose any personal information?" says Jeff Huckaby, CEO of rackAID, an IT management firm. "At the very minimum today, their expectation is that these are secure transactions."

[Is your small business being asked by customers to provide enterprise-class security? See Stepping Up SMB Security.]

The process of encrypting to create a so-called secured session depends on one very important item that many SMBs overlook or skimp on to their detriment: a digital certificate. They're often referred to as SSL certificates--named for the technical protocol that governs how information is hidden from anybody but the consumer and the party they're transmitting information to.

Without getting too mired in the under-the-hood details, the long and short of these certificates is that they're used to prove to the user that the server they're connected to through their browser really belongs to your business. Since some third party has to referee the process of proving that identity, a whole business model has cropped up in which vendors called certificate authorities (CAs) or issuers have stepped in to act as that arbiter of trust.

These CAs offer a ton of different certificates at wildly different prices, so it can be pretty confusing for uninitiated SMBs to sift through the options. While the underlying technology is just about the same for all of these certificates, Huckaby says, the CA vendors who offer them are not all created equal, and the different types of certificates available make it necessary for businesses to shop around carefully for the right fit for their needs.

"The hardcore security guys may have qualms with me saying this, but the security you're getting is more or less the same at every CA brand in terms of the technical encryption of data going between your web visitor and you," he says. "The difference is in how they verify who you are."

For example, some brands may issue $10 certificates that only require an email to confirm the holder's identity, while others charge more than ten times as much for what are called extended validation (EV) certificates, which require lots of documentation, such as copies of business licenses or articles of incorporation, before they hand over a certificate to be installed on the business site. One of the biggest benefits of such an expensive and extensive process is that it gives users added assurance you really are who you claim to be, through the visual cue of a green bar that the browser shows when it is on a site secured using an EV certificate.

Consumers have been trained at this point to not only look for visual cues like the green bar, but also for special badges on sites marketing their use of certificates from well known CA brands. According to Huckaby, sometimes the decision of which brand to go with may come down to marketing rather than technology.

"Especially when you're in a small business, if customers don't know who you are, the person visiting the site could have some questions about whether you're a legitimate company or not and by showing a seal for a well-known company like Symantec or VeriSign, you can help assuage that fear," he says. "There's marketing evidence that shows when you put these badges next to checkout carts or order forms, you see increases in the numbers of clients you get to spend money."

How To Choose Your CA
But cost or marketing appeal shouldn't be the only deciding factor in what kind of certificate to buy or whom to buy it from. Technical support and customer service should also be top of mind, CA experts warn. Support can play a huge part in the resiliency of your online business when things go wrong: when certificates don't work, the site can't take orders, and when the site can't take orders, cash flow is cut off.

"Many times we will see independent reviews [of other CAs] from customers where they chose to go the route of the lowest cost provider and then when crunch time came, they were left hanging," says Flavio Martins, vice president of support and validation for DigiCert, a CA that specializes in servicing SMBs. "Websites were down in the middle of the night, they try to contact their SSL provider and come to find out they don't offer 24-hour support. So the business is dead in the water until someone is able to get a hold of someone during business hours."

Martins says that when SMBs choose a certificate issuer, they should test that issuer at odd hours to make sure customer service would be available to them if a problem occurred outside of normal business hours.

Having looked into all the factors that go into the process of encrypting a site and buying a certificate to support that, some SMB leaders may wonder whether they can just outsource it all and be done with it.

The answer is yes, but Huckaby warns SMBs to be careful not to make assumptions about what kind of security an IT service provider will or will not install on a site. For example, don't just assume that your hosting provider is going to automatically take care of securing sessions and installing certificates on your behalf, he says. If you're not sure whether your existing site already uses secured sessions, check for the most basic tell-tale sign in the address bar.

"If you already have a site and you're not sure, go to any place where you ask for information on your site and simply see if it says 'https' [instead of just 'http'] on the address," he says.

Other visual cues, of course, include that green bar for EV certificates. If an outsourced provider has secured your sessions but used cheaper certificates or unrecognizable brands, it may be worth the investment to ask them to buy more expensive ones on your behalf or take care of it yourself, Huckaby says.

It may also be smart to think twice about outsourcing certificate buying, Martins says. One of the problems with kicking the duty to a solution provider is that as an SMB changes IT vendors or as employees at these vendors shift, they may not maintain the kind of institutional memory necessary to do a good job managing these long-term products.

"SSL is a market where you're dealing with certificates that are valid for multiple years," Martins says. "So frequently, we run into situations where an organization has changed a solution provider and they need to renew certificates and they can't contact previous providers to get a hold of all that information and that can become a headache and a waste of time."

Should you choose to outsource, he suggests at the very least ensuring that someone internal to the business is registered with the certificate issuer.

"Even if you're working with an integrator that normally handles your IT, make sure that your contact details as a business person are included in all of your orders so you always stay up to date and be notified of anything that's happening [from the issuer]," he says.
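Two of the points above are easy to see in working code: the certificate only means something because a third party the browser already trusts vouched for it (the CA as "arbiter of trust"), and certificates have a fixed lifetime that somebody in the business has to track. The Go program below is an added example written for this page, not code from Dark Reading, rackAID or DigiCert. It uses only the Go standard library (crypto/x509). It constructs a throwaway demo CA root, a server certificate for the made-up host shop.example.com issued by that root, and a self-signed certificate for the same host that no CA vouches for, then runs the same checks a browser performs before showing the padlock: trusted issuer, matching host name, and validity period. It also computes days until expiry against a renewal window, which is the figure worth putting on an internal calendar when the certificate order was placed by an outside provider. All names, dates and the 30-day window are constructed assumptions.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// issue signs tmpl with a freshly generated P-256 key. With parent == nil the
// certificate is self-signed (how a CA makes its own root); otherwise parent
// and parentKey act as the issuing CA.
func issue(tmpl, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	signer := key
	if parent == nil {
		parent = tmpl
	} else {
		signer = parentKey
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, signer)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// BuildDemoPKI constructs (assumed, demo-only data) a CA root valid ten years,
// a one-year server certificate for shop.example.com issued by that root, and
// a self-signed certificate for the same name that no CA has vouched for.
func BuildDemoPKI(now time.Time) (root, leaf, selfSigned *x509.Certificate, err error) {
	rootTmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "Example Demo Root CA"},
		NotBefore:             now.Add(-time.Hour),
		NotAfter:              now.Add(10 * 365 * 24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign,
	}
	root, rootKey, err := issue(rootTmpl, nil, nil)
	if err != nil {
		return nil, nil, nil, err
	}
	leafTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2),
		Subject:      pkix.Name{CommonName: "shop.example.com"},
		DNSNames:     []string{"shop.example.com"}, // browsers match the SAN, not the CN
		NotBefore:    now.Add(-time.Hour),
		NotAfter:     now.Add(365 * 24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	leaf, _, err = issue(leafTmpl, root, rootKey)
	if err != nil {
		return nil, nil, nil, err
	}
	selfTmpl := *leafTmpl
	selfTmpl.SerialNumber = big.NewInt(3)
	selfSigned, _, err = issue(&selfTmpl, nil, nil)
	return root, leaf, selfSigned, err
}

// VerifyServerCert performs the browser-side check: does cert chain to a root in
// the trust store, is it issued for host, and is it valid at time now?
func VerifyServerCert(cert *x509.Certificate, roots *x509.CertPool, host string, now time.Time) error {
	_, err := cert.Verify(x509.VerifyOptions{
		Roots:       roots,
		DNSName:     host,
		CurrentTime: now,
		KeyUsages:   []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	})
	return err
}

// DaysUntilExpiry returns whole days left before NotAfter (negative once expired).
func DaysUntilExpiry(c *x509.Certificate, now time.Time) int {
	return int(c.NotAfter.Sub(now).Hours() / 24)
}

// NeedsRenewal reports whether the certificate is inside the renewal window.
func NeedsRenewal(c *x509.Certificate, now time.Time, windowDays int) bool {
	return DaysUntilExpiry(c, now) <= windowDays
}

func main() {
	now := time.Now().Truncate(time.Second) // X.509 stores times to the second
	root, leaf, selfSigned, err := BuildDemoPKI(now)
	if err != nil {
		panic(err)
	}
	trusted := x509.NewCertPool() // stands in for the browser's root store
	trusted.AddCert(root)

	fmt.Println("CA-issued cert, right name:  ", VerifyServerCert(leaf, trusted, "shop.example.com", now))
	fmt.Println("CA-issued cert, wrong name:  ", VerifyServerCert(leaf, trusted, "other.example.com", now))
	fmt.Println("self-signed cert, right name:", VerifyServerCert(selfSigned, trusted, "shop.example.com", now))
	fmt.Printf("days until expiry: %d\n", DaysUntilExpiry(leaf, now))
	fmt.Printf("renew now (30-day window)?  %v\n", NeedsRenewal(leaf, now, 30))
	fmt.Printf("renew 340 days from now?    %v\n", NeedsRenewal(leaf, now.AddDate(0, 0, 340), 30))
}
```

The first verification succeeds only because the demo root was added to the trust store; the self-signed certificate is rejected even though it uses identical encryption, which is the point Huckaby makes about CAs differing in verification rather than cryptography. The renewal check is the piece to run on a schedule once a certificate has been bought, whether by you or by an outsourced provider.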
