1 / 20

E-Commerce Technology Risk and Security

E-Commerce Technology Risk and Security. Brian Trevey and Randy Romes. Presenter Contact Information. Randall J. Romes, CISSP, MCP Principal, Information Security Services LarsonAllen LLP 612-397-3114 Office 612-554-3967 Cell rromes@larsonallen.com www.larsonallen.com Brian Trevey

avian
Download Presentation

E-Commerce Technology Risk and Security

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. E-Commerce Technology Risk and Security Brian Trevey and Randy Romes

  2. Presenter Contact Information • Randall J. Romes, CISSP, MCP • Principal, Information Security Services • LarsonAllen LLP • 612-397-3114 Office • 612-554-3967 Cell • rromes@larsonallen.com • www.larsonallen.com • Brian Trevey • Vice President - Delivery • Trustwave • 410/573-6910 x7828 Office • 410/507-3084 Cell • btrevey@trustwave.com • www.trustwave.com

  3. Agenda • Trends in E-Commerce and Information Security • Compliance Drivers • Security Best Practices • Recommendations

  4. Anatomy of a Data Breach – Initial Entry • Trustwave Data Breach Analysis • Top Methods of Entry Included: • Remote Access Applications [45%] • Default vendor supplied or weak passwords [90%] • 3rd Party Connections [42%] • MPLS, ATM, frame relay • SQL Injection [6%] • Web application compromises [90%] • Exposed Services [4%] • Remote File Inclusion [2%] • Email Trojan [<1%] • 2 recent Adobe vulnerability cases • Physical Access [<1%]

  5. Anatomy of a Data Breach – Initial Entry • SANS 2009 Cyber Security Risk Report • Client side software vulnerabilities • Commonly used programs such as Adobe PDF Reader, QuickTime, Adobe Flash and Microsoft Office • Internet facing websites (> 60% of total Internet attack attempts) • Web application vulnerabilities such as SQL injection and Cross-Site Scripting flaws in open-source as well as custom-built applications account for more than 80% of the vulnerabilities being discovered. • Attack Vectors: • Email Phishing • Drive by Downloads

  6. Email Phishing – Targeted Attack Randall J. Romes [rromes@larsonallen.com] https://microsoft.issgs.net Randall J. Romes [rromes@larsonallen.com] Two or Three tell-tale signs Can you find them?

  7. Email Phishing – Targeted Attack Fewer tell tale signs on fake websites https://microsoft.issgs.net

  8. Michigan Company Sues Bank Michigan company is suing its bank after cyber thieves allegedly made fraudulent wire transfers totaling US $560,000. The cyber thieves obtained the banking account credentials through a phishing email sent to an employee at EMI. The transactions wired funds to bank accounts in Russia, Estonia, Scotland, Finland, China and the US and were withdrawn soon after the deposits were made. Alleges Comerica's security practices made EMI vulnerable to the phishing attack. The bank allegedly routinely sent its online customers emails with links asking them to submit information to renew digital certificates. Also alleges that the bank failed to notice unusual activity. Until the fraudulent transactions were made, EMI had made just two wire transfers ever; in just a three-hour period, 47 wire transfers and 12 transfer of fund requests were made. In addition, after EMI became aware of the situation and asked the bank to halt transactions, the bank allegedly failed to do so until 38 more had been initiated.

  9. Bank Sues Customer for ACH Fraud??? A Texas bank is suing commercial banking customers Cyber thieves made a series of ACH transactions that totaled $801,495 from Hillary Machinery Inc.'s bank account. The bank was able to retrieve about $600,000 of the money, Customer subsequently sent a letter requesting that the bank refund the remaining $200,000, Bank responded by filing the lawsuit requesting that the court certify that Banks's security was in fact reasonable, and that it processed the wire transfers in good faith. Documents filed with the court allege that the fraudulent transactions were initiated using the defendant's valid online banking credentials.

  10. Incident Response – Investigative Conclusions • Window of Data Exposure While attackers were still on systems an average of 156 days before being detected, elimination of stored data greatly reduces the data loss exposure.

  11. Penetration Tests – Top 10 – External Network

  12. Conclusions • Attackers are using old vulnerabilities • Attackers are using new vulnerabilities (not a contradiction!) • Attackers know they won’t be detected • Organizations do not know what they own or how their data flows • Blind trust in 3rd parties is a huge liability • Fixing new/buzz issues, but not fixing basic/old issues • In 2010, take a step back before moving forward

  13. Compliance Mandates and Data Protection

  14. Payment Card Industry Data Security Standard (PCI DSS) Six Goals, Twelve Requirements PCI DSS requirements Build and maintain a secure network Install and maintain a firewall configuration to protect cardholder data Do not use vendor-supplied defaults for system passwords and other security parameters Protect stored cardholder data Encrypt transmission of cardholder data across open, public networks Protect cardholder data Maintain a vulnerability management program Use and regularly update anti-virus software or programs Develop and maintain secure systems and applications Implement strong access control measures Restrict access to cardholder data by business need-to-know Assign a unique ID to each person with computer access Restrict physical access to cardholder data Regularly monitor and test networks Track and monitor all access to network resources and cardholder data Regularly test security systems and processes Maintain an information security policy Maintain a policy that addresses information security for employees and contractors

  15. Why the PCI-DSS is Successful? • Increased awareness • Focus on protection of cardholder data • Standardized controls accepted by all card brands • Eradication of prohibited data storage • Continual improvements and updates to the standard • Evolution of the standard • Based on information gathered and trends identified in post-compromise forensic investigations

  16. The Global Remediation Plan

  17. E-Commerce Best Practices • Network Vulnerability Scanning • Penetration Testing • Application Testing • SSL Certificates • Web Site Seals • Patches and Network Security • User Awareness and Training

  18. Conclusion • Best Practices Checklist • Have you tested security? • Are your SSL or EV SSL certificates valid and not expiring during the holiday season? • Are your Web site seals valid and up to date? • Have you obtained all patches and are the patches up-to-date? • Do you know what and who are using your network?

  19. Resources • Trustmarks http://www.ecommerce-guide.com/solutions/advertising/article.php/3860526 • Trustwave’s Global Security Report 2010 https://www.trustwave.com/whitePapers.php • SANS 2009 Cyber Security Report http://www.sans.org/top-cyber-security-risks/ • SANS NewsBites Vol. 12 Num. 13 – Business Customer Sues Bank http://www.sans.org/newsletters/#newsbites • Bank Sues Customer http://www.bankinfosecurity.com/articles.php?art_id=2132

  20. Questions?

More Related