Presentation is loading. Please wait.

Presentation is loading. Please wait.

E-Commerce Technology Risk and Security

Published by Modified over 8 years ago

Similar presentations

Presentation on theme: "E-Commerce Technology Risk and Security"— Presentation transcript:

1 E-Commerce Technology Risk and Security
Brian Trevey and Randy Romes

2 Presenter Contact Information Randall J. Romes, CISSP, MCP Principal, Information Security Services LarsonAllen LLP Office Cell Brian Trevey Vice President - Delivery Trustwave 410/ x7828 Office 410/ Cell

3 Agenda Trends in E-Commerce and Information Security
Compliance Drivers Security Best Practices Recommendations

4 Anatomy of a Data Breach – Initial Entry
Header April 17 Anatomy of a Data Breach – Initial Entry Trustwave Data Breach Analysis Top Methods of Entry Included: Remote Access Applications [45%] Default vendor supplied or weak passwords [90%] 3rd Party Connections [42%] MPLS, ATM, frame relay SQL Injection [6%] Web application compromises [90%] Exposed Services [4%] Remote File Inclusion [2%] Trojan [<1%] 2 recent Adobe vulnerability cases Physical Access [<1%] 218 Investigations 24 countries Trustwave Confidential-Page

5 Anatomy of a Data Breach – Initial Entry
Header April 17 Anatomy of a Data Breach – Initial Entry SANS 2009 Cyber Security Risk Report Client side software vulnerabilities Commonly used programs such as Adobe PDF Reader, QuickTime, Adobe Flash and Microsoft Office Internet facing websites (> 60% of total Internet attack attempts) Web application vulnerabilities such as SQL injection and Cross-Site Scripting flaws in open-source as well as custom-built applications account for more than 80% of the vulnerabilities being discovered. Attack Vectors: Phishing Drive by Downloads Trustwave Confidential-Page 5

6 Email Phishing – Targeted Attack
Randall J. Romes Randall J. Romes Two or Three tell-tale signs Can you find them?

7 Email Phishing – Targeted Attack
Fewer tell tale signs on fake websites

8 Michigan Company Sues Bank
Michigan company is suing its bank after cyber thieves allegedly made fraudulent wire transfers totaling US $560,000. The cyber thieves obtained the banking account credentials through a phishing sent to an employee at EMI. The transactions wired funds to bank accounts in Russia, Estonia, Scotland, Finland, China and the US and were withdrawn soon after the deposits were made. Alleges Comerica's security practices made EMI vulnerable to the phishing attack. The bank allegedly routinely sent its online customers s with links asking them to submit information to renew digital certificates. Also alleges that the bank failed to notice unusual activity. Until the fraudulent transactions were made, EMI had made just two wire transfers ever; in just a three-hour period, 47 wire transfers and 12 transfer of fund requests were made. In addition, after EMI became aware of the situation and asked the bank to halt transactions, the bank allegedly failed to do so until 38 more had been initiated.

9 Bank Sues Customer for ACH Fraud???
A Texas bank is suing commercial banking customers Cyber thieves made a series of ACH transactions that totaled $801,495 from Hillary Machinery Inc.'s bank account. The bank was able to retrieve about $600,000 of the money, Customer subsequently sent a letter requesting that the bank refund the remaining $200,000, Bank responded by filing the lawsuit requesting that the court certify that Banks's security was in fact reasonable, and that it processed the wire transfers in good faith. Documents filed with the court allege that the fraudulent transactions were initiated using the defendant's valid online banking credentials.

10 Incident Response – Investigative Conclusions
Header April 17 Incident Response – Investigative Conclusions Window of Data Exposure While attackers were still on systems an average of 156 days before being detected, elimination of stored data greatly reduces the data loss exposure. Trustwave Confidential-Page

11 Penetration Tests – Top 10 – External Network
Header April 17 Penetration Tests – Top 10 – External Network Rank Vulnerability Name Circa Attack Difficulty 1 Unprotected Application Management Interface 1994 Easy 2 Unprotected Infrastructure Management Interface 1993 3 Access to Internal Application via the Internet 1997 Medium 4 Misconfigured Firewall Permits Access to Internal Hard 5 Default or Easy to Determine Credentials 1979 Trivial 6 Sensitive Information, Source Code, etc. in Web Dir 1990 7 Static Credentials Contained in Client 1980 8 Domain Name Service (DNS) Cache Poisoning 2008 9 Aggressive Mode IKE Handshake Support 2001 10 Exposed Service Version Issues (Buffer Overflows) 1996 1,894 Penetration Tests 48 countries Many Included a Mixture of Vectors Network, application, wireless, physical Tests Averaged 80 hours in Length Over 100,000 hours of testing was performed Classified as Manual Testing Some tools are used but mostly for low level tasks Trustwave Confidential-Page

12 Conclusions Attackers are using old vulnerabilities
Header April 17 Conclusions Attackers are using old vulnerabilities Attackers are using new vulnerabilities (not a contradiction!) Attackers know they won’t be detected Organizations do not know what they own or how their data flows Blind trust in 3rd parties is a huge liability Fixing new/buzz issues, but not fixing basic/old issues In 2010, take a step back before moving forward Trustwave Confidential-Page

13 Compliance Mandates and Data Protection
Data Type PCI DSS Payment Card Industry Data Security Standard (2004, 2006) Credit Card Data HIPAA Health Insurance Portability & Accountability Act (1996) Privacy & Security Rules (2003) PHI: Protected Health Information GLBA Gramm-Leach-Bliley Act (1999) Financial Services Modernization Act NPPI: Non-Public Personal Information SOX Sarbanes-Oxley Act (2002) Sections 404 and 302 Financial Records Intellectual Property FERPA Family Educational Rights & Privacy Act (1974) Student Records ITAR International Traffic in Arms Regulations (US Dept of State) Military & Defense Related IP on the US Munitions List FISMA Federal Information Security Management Act (2002) Data Security and Audit Standards for US Government and Contractors Title 21 CFR Part 11 US Food & Drug Administration Regulation Electronic records and signatures US State Data Privacy California SB 1386 44 states (as of June 2008) Customer Data Protection Breach notification to customers

14 Payment Card Industry Data Security Standard (PCI DSS)
Six Goals, Twelve Requirements PCI DSS requirements Build and maintain a secure network Install and maintain a firewall configuration to protect cardholder data Do not use vendor-supplied defaults for system passwords and other security parameters Protect cardholder data Protect stored cardholder data Encrypt transmission of cardholder data across open, public networks Maintain a vulnerability management program Use and regularly update anti-virus software or programs Develop and maintain secure systems and applications Implement strong access control measures Restrict access to cardholder data by business need-to-know Assign a unique ID to each person with computer access Restrict physical access to cardholder data Regularly monitor and test networks Track and monitor all access to network resources and cardholder data Regularly test security systems and processes Maintain an information security policy Maintain a policy that addresses information security for employees and contractors

15 Why the PCI-DSS is Successful?
Increased awareness Focus on protection of cardholder data Standardized controls accepted by all card brands Eradication of prohibited data storage Continual improvements and updates to the standard Evolution of the standard Based on information gathered and trends identified in post- compromise forensic investigations PCI Positive Impacts - The upside of PCI DSS Increased awareness Increased focus on protection of CHD Standardized controls for all card brands Targeted initiatives to eradicate prohibited data (highest risk for subsequent fraud) Modifications are a direct result of information gathered / trends identified in post-compromise forensic investigations

16 The Global Remediation Plan
Header April 17 The Global Remediation Plan Rank Strategic Initiative 1 Perform and Maintain a Complete Asset Inventory; Decommission Old Systems 2 Monitor Third Party Relationships 3 Perform Internal Segmentation 4 Rethink Wireless 5 Encrypt Your Data 6 Investigate Anomalies 7 Educate Your Staff 8 Implement and Follow a Software Development Life Cycle (SDLC) 9 Lock Down User Access 10 Use Multifactor Authentication Every Where Possible Trustwave Confidential-Page

17 E-Commerce Best Practices
Header April 17 E-Commerce Best Practices Network Vulnerability Scanning Penetration Testing Application Testing SSL Certificates Web Site Seals Patches and Network Security User Awareness and Training Study research offered by McAfee also showed that one-third of consumers would rather buy from a smaller Web site with a trustmark than a larger, more well-known e-tailer.  When you join a trust and security program, it can benefit your business in two ways. First, you will create a feeling of trust with your consumers, which in could help boost sales. Another benefit can be found in security trust services. These trustmark programs help you to better protect your business and your customer's sensitive data. Trustwave Confidential-Page

18 Conclusion Best Practices Checklist Have you tested security?
Header April 17 Conclusion Best Practices Checklist Have you tested security? Are your SSL or EV SSL certificates valid and not expiring during the holiday season? Are your Web site seals valid and up to date? Have you obtained all patches and are the patches up-to-date? Do you know what and who are using your network? Trustwave Confidential-Page

19 Resources Trustmarks Trustwave’s Global Security Report 2010 SANS 2009 Cyber Security Report SANS NewsBites Vol. 12 Num. 13 – Business Customer Sues Bank Bank Sues Customer

20 Questions?

Download ppt "E-Commerce Technology Risk and Security"

Similar presentations

Surviving the PCI Self -Assessment James Placer, CISSP West Michigan Cisco Users Group Leadership Board.

Surviving the PCI Self -Assessment James Placer, CISSP West Michigan Cisco Users Group Leadership Board.
PCI Compliance: The Gateway to Paradise PCI Compliance: The Gateway to Paradise.

PCI Compliance: The Gateway to Paradise PCI Compliance: The Gateway to Paradise.
PCI-DSS Erin Benedictson Information Security Analyst AAA Oregon/Idaho.

PCI-DSS Erin Benedictson Information Security Analyst AAA Oregon/Idaho.
Complying With Payment Card Industry Data Security Standards (PCI DSS)

Complying With Payment Card Industry Data Security Standards (PCI DSS)
2014 PCI DSS Meeting OSU Business Affairs Process Improvement Team (PIT) Robin Whitlock & Dan Hough 10/28/2014.

2014 PCI DSS Meeting OSU Business Affairs Process Improvement Team (PIT) Robin Whitlock & Dan Hough 10/28/2014.
Springfield Technical Community College Security Awareness Training.

Springfield Technical Community College Security Awareness Training.
JEFF WILLIAMS INFORMATION SECURITY OFFICER CALIFORNIA STATE UNIVERSITY, SACRAMENTO Payment Card Industry Data Security Standard (PCI DSS) Compliance.

JEFF WILLIAMS INFORMATION SECURITY OFFICER CALIFORNIA STATE UNIVERSITY, SACRAMENTO Payment Card Industry Data Security Standard (PCI DSS) Compliance.
FAIR AND ACCURATE CREDIT TRANSACTIONS ACT (FACTA)- RED FLAG RULES University of Washington Red Flag Rules Protecting Against Identity Fraud.

FAIR AND ACCURATE CREDIT TRANSACTIONS ACT (FACTA)- RED FLAG RULES University of Washington Red Flag Rules Protecting Against Identity Fraud.
Property of CampusGuard Compliance With The PCI DSS.

Property of CampusGuard Compliance With The PCI DSS.
Online Banking Fraud Prevention Recommendations and Best Practices This document provides you with fraud prevention best practices that every employee.

Online Banking Fraud Prevention Recommendations and Best Practices This document provides you with fraud prevention best practices that every employee.
PCI Compliance Forrest Walsh Director, Information Technology California Chamber of Commerce.

PCI Compliance Forrest Walsh Director, Information Technology California Chamber of Commerce.
Jeff Williams Information Security Officer CSU, Sacramento

Jeff Williams Information Security Officer CSU, Sacramento
Property of the University of Notre Dame Navigating the Regulatory Maze: Notre Dame’s PCI DSS Solution EDUCAUSE Midwest Regional Conference March 17, 2008.

Property of the University of Notre Dame Navigating the Regulatory Maze: Notre Dame’s PCI DSS Solution EDUCAUSE Midwest Regional Conference March 17, 2008.
Security Controls – What Works

Security Controls – What Works
Payment Card Industry (PCI) Data Security Standard (DSS) Compliance Commonwealth of Massachusetts Office of the State Comptroller March 2007.

Payment Card Industry (PCI) Data Security Standard (DSS) Compliance Commonwealth of Massachusetts Office of the State Comptroller March 2007.
GPUG ® Summit 2011 November 8-11 Caesars Palace – Las Vegas, NV Payment Processing Online and Within Dynamics GP PCI Compliance and Secure Payment Processing.

GPUG ® Summit 2011 November 8-11 Caesars Palace – Las Vegas, NV Payment Processing Online and Within Dynamics GP PCI Compliance and Secure Payment Processing.
DATA SECURITY Social Security Numbers, Credit Card Numbers, Bank Account Numbers, Personal Health Information, Student and/or Staff Personal Information,

DATA SECURITY Social Security Numbers, Credit Card Numbers, Bank Account Numbers, Personal Health Information, Student and/or Staff Personal Information,
CSE 4482, 2009 Session 21 Personal Information Protection and Electronic Documents Act Payment Card Industry standard Web Trust Sys Trust.

CSE 4482, 2009 Session 21 Personal Information Protection and Electronic Documents Act Payment Card Industry standard Web Trust Sys Trust.
Contact Center Security Strategies Grant Sainsbury Practice Director, Dimension Data.

Contact Center Security Strategies Grant Sainsbury Practice Director, Dimension Data.
Why Comply with PCI Security Standards?

Why Comply with PCI Security Standards?

Similar presentations

Ads by Google