Website Security: It s Not all About the Hacker Anymore

Size: px

Start display at page:

Download "Website Security: It s Not all About the Hacker Anymore"

Gervais Merritt
8 years ago
Views:

1 Website Security: It s Not all About the Hacker Anymore Mike Smart Sr. Manager, Products and Solutions Trust Services & Website Security Website Security 1

2 Website Security Challenges Evolving Web Use Consumerization More Mobility Social Augmented Big Data Website Enable Business Innovation and Agility Protect the Brand March 26, 2012 Title of presentation 2

Data Website Enable Business Innovation and

3 UK Mobile Web Usage Growth 82% Of UK population use the Internet 58% Of European population use the Internet Website Security Source 2011 Tecmark Research 3

4 Personalising the Web Social-Personal Financial-Personal Website Security 4

5 Website Security Challenges Evolving Cyber Crime Web-Focused Targeting users Stealing Confidential Information Evolving Web Use Consumerization More Mobility Social Augmented Big Data Website Enable Business Innovation and Agility Protect the Brand March 26, 2012 Title of presentation 5

Consumerization More Mobility Social Augmented Big Data Website Enable

6 Today s Web Threat Lifecycle More Malware Variations 13,300 Signatures created per day Of malicious 87.5% websites are compromised legitimate Web 2.0 is the Catalyst! 93% Increase of Web-based Attacks Increasing Attack Success! 4,915 Malicious websites blocked per day 1in179 s are Phishing! Attack Target Users vs Machines March 26, Source Symantec Research Title of presentation

93% Increase of Web-based Attacks Increasing Attack Success!

7 Anatomy of Web Site Attack Enterprise and Consumer users are infected today from Web based attacks: Web Attack Toolkits Drive-by downloads Social Engineering Attacks Hacker compromises legitimate Web site URL Website attacks user s browser by targeting vulnerabilities (drive-by-download) Legitimate Web Site User is machine now owned User is infected using Social Engineering techniques (fake AV/fake codec) Website Security

Website attacks user s browser by targeting vulnerabilities (drive-by-download) Legitimate Web Site User

8 Anatomy of a Web User Based Attack Cyber Criminals are targeting users: Web sites use SSL sparingly Sniffing tools allow attackers to steal session cookies sent in clear Attacker steals cookie and emulates user ( Sidejacking ) Attacker can now steal personal information or plant malicious links or malware 5 53 When Website asks 5 for cookie outside SSL it is sent in the clear Website Security User Visits Secure site to log on under SSL Legitimate Web Site Website Plants session Cookie on users machine

steal personal information or plant malicious links or malware 5 53 When Website asks 5 for cookie outside SSL it is sent in the

9 Sidejacking Becomes Mainstream The only effective fix for this problem is full end-to-end encryption, known on the web as HTTPS or SSL. Eric Butler, author of Firesheep Website Security 9

10 Website Security Challenges Evolving Cyber Crime Web-Focused Targeting users Stealing Confidential Information Evolving Web Use Consumerization More Mobility Social Augmented Big Data Enable Business Innovation and Agility Website Evolving Infrastructures Externalisation & Virtualisation Consolidation Integration Protect the Brand March 26, 2012 Title of presentation 10

Data Enable Business Innovation and Agility Website Evolving Infrastructures Externalisation

11 IT Shift all point at Data Governance External IT Areas 11

12 Website Security Challenges Evolving Cyber Crime Web-Focused Targeting users Stealing Confidential Information Evolving Infrastructures Externalisation & Virtualisation Consolidation Integration Evolving Web Use Consumerization More Mobility Social Augmented Big Data Website Evolving Regulations Protect the Consumer Protect the User Increasing scope Enable Business Innovation and Agility Protect the Brand March 26, Title of presentation

Consumerization More Mobility Social Augmented Big Data Website Evolving Regulations Protect the Consumer

13 Challenges In Managing an Evolving Certificate Infrastructure 43% 46% 62% 75% Don t have a policy for crypto (key lengths, certificate lifetime & Private key admin requirements.. Don t have the ability to generate a report on how many certificates were due to expire within 30 days Don t have an automated process to ensure corporate policy and regulatory compliance Did not have an automated process to replace compromised certificates Source 2011 Osterman Research Website Security 13

. Don t have the ability to generate a report on how many certificates were due to expire within 30 days Don t have an

14 Regulations Share The Same DNA Many Regulations and Many Controls Unified Framework Regulatory Framework Common Data Protection Mandates Limit use of confidential data Control access to confidential data Guarantee confidentiality of confidential data Maintain the integrity of confidential data Enforce administrator separation of duties on systems confidential data Maintain audit and log records of confidential data activities All regulations are based on the same confidentiality and integrity goals

confidential data Maintain the integrity of confidential data Enforce administrator separation of duties on systems

15 Encryption in the Key Website Security 15

16 Encryption Underpins Information Protection Unified Framework Regulatory Framework Encryption Directly Addressing Requirements Common Data Protection Mandates Limit use of confidential data Control access to confidential data Guarantee confidentiality of confidential data Maintain the integrity of confidential data Enforce administrator separation of duties on systems confidential data Maintain audit and log records of confidential data activities Data encryption and tokenization limits exposed footprint of data. Encryption enables authentication and authorization layer. Encryption fundamentally isolates your data from other tenants in a share cloud environment, shields from unauthorized data breach. Encryption inherently provides for integrity controls. Encryption can add additional authentication and authorization layer for administrators separate from data owners Encryption Key ownership is tangible proof to data ownership. Encrypt/Decrypt actions become easy log and audit proofs. Data encryption directly addresses the same core confidentiality and integrity requirements common across all regulations

audit and log records of confidential data activities Data encryption and tokenization limits exposed footprint of data. Encryption enables authentication and authorization layer.

17 Perfect Storm of Attack on SSL Model Certificate Authority Attacks Exploiting weaknesses in SSL certificate infrastructure Serious Repercussion: Diginotar resulted in the removal from the browsers' trust lists and bankruptcy!

certificate infrastructure Serious Repercussion:

18 Leading Browsers All Major Certificate Authorities Industry Self-regulation Experts collaborate to address common concerns and improve security for the consumer Sharing information about the evolving threat environment and potential breaches Leaving room for competition

improve security for the consumer Sharing information about the

19 Not All SSL Certificates Are Created Equal Domain Validation Encryption Validation of domain control Padlock in browser Issued in minutes Organization Validation Authentication of organization Proof of applicant s right to request cert for domain Organization details in Certificate Info Blue address bar in browser Issued in 1-2 days Extended Validation Stringent, industrystandardized authentication of organization Business-beneficial green address bar in browser Issued in 7-10 days

domain Organization details in Certificate Info Blue address bar in browser Issued in 1-2 days Extended Validation

20 Domain or Organisation Validation Website Security 20

21 Extended Validation Website Security 21

22 Extended Validation Display By Browser Website Security 22

23 Always On-Line SSL Recommendations Use HTTPS on all pages Resolve and avoid mixed content Encrypt all identifying and private information Use only secure cookies Use valid SSL certificates from trusted CA s Patch, update, and harden systems

24 What Is The Industry Doing? Website Security 24

25 Website Security 25

26 Your Action List Move to EV SSL certificates to increase customer trust, their click-throughs, and conversions 60% Growth Turn on the Always-On SSL switch to protect customer s identities and strengthen your brand Regain visibility and control of certificates to reduce risk of business interruption and Increase compliance Use value-add features like malware, vulnerability scanning & display trust seals to validate web site security and drive more visits 26

27 Summary Drive More Business To Your Site & Increase Revenues Protect Your Customer Data and Their Financial Records Reduce Your Risk Exposure and Time to Compliance 27

Making Your Enterprise SSL Security Less of a Gamble

Making Your Enterprise SSL Security Less of a Gamble Rob Glickman Sr. Director, Product Marketing Amar Doshi Sr. Manager, Product Management Symantec Vision 2012 The VeriSign Seal is Now the Norton Secured