CHRIS: Absolutely. Even with SSL certs, there are different levels of fidelity. And you may notice this whenever you visit an eCommerce site. The main thing to note is that, essentially, there are different levels of verification. There's domain validated (DV SSL), organization validated (OV SSL), and extended validation (EV SSL). DV is the least, OV is the middle, and EV is the most secure.
And whenever you go to a site with EV, you're going to typically see a nice giant big green lock, or something of that nature depending on your browser. There's a lot of detail that we can go into just on SSL and different types of encryption, et cetera. But even EV SSL and encryption is really just a baseline requirement just to get into the game. You absolutely want to have an SSL encrypted eAuction site, all the communication going over SSL, that's for sure.
In addition to that, there are some other key factors that are absolutely critical for security. The biggest thing that's surprising to most folks is within the auction website itself and for the users themselves. Many times they will, unintentionally and unknowingly in many cases, give out their login information via phishing and malware, ransomware, or these things. So believe it or not, that is probably one of the easiest areas for hackers to be able to get into a system or into an account and create problems.
A great way to address this is multifactor authentication. Believe it or not, multifactor authentication has become more and more sophisticated. Surprise, surprise, right? And most experts are recommending not just text-based or email-based multifactor authentication, because a lot of times these are the first line of areas that get breached by a hacker. They're recommending using an actual security application that uses a security token that expires after 30 seconds or a minute. If you've ever seen these, they're somewhat less convenient to use.
Maybe the best solution nowadays is to have multifactor authentication for a typical user, allow them to say that they want this online auction site to remember them, and show them the options: they can use a security app if they want; if they don't, here are the ramifications potentially.
Then, for administrators, forcing them to use a very secure security application to log in. That way, the more robust roles that have access to more accounts—and where there could be more potential risk—those are forced to use a more robust level of security.
Now, the security really covers surface area in two places. And this is probably overgeneralizing. But within the application side of things, you have a security surface area. And within the actual physical infrastructure. Without boring everyone on the details—basically on the application side of things, it makes a lot of sense to run consistent monitoring that's proactive.
So what does that mean? Well, there are third-party tools that will run white-hat hacking. You can think of this as trying to simulate what the bad guys are going to do, then report [the vulnerabilities] back to your team. In this case, if you end up working with Clarity, our team would be the team that reported back to your team so that they can then remediate any issues proactively. This would be before the bad guys get in, so by proactively white-hat hacking and doing what's called pen testing (or penetration testing), this will really help to keep your site out of the fray, out of the easy-target zone. That's on the application side of things. And there's a lot more fidelity we can go into, but that's a good summary for now.