Threat landscape how are you getting attacked and what can you do better protect yourself and your e-commerce platform

Transcription

1 Threat landscape how are you getting attacked and what can you do better protect yourself and your e-commerce platform Sebastian Zabala Senior Systems Engineer 2013 Trustwave Holdings, Inc. 1

2 THREAT MANAGEMENT TRUSTWAVE VULNERABILITY MANAGEMENT OVERVIEW COMPLIANCE MANAGEMENT

3 Who We Are WHO WE ARE Company facts and figures SERVING GROWING GLOBAL over 3 MILLION subscribers with over 1,100 EMPLOYEES THREAT MANAGEMENT Integrated portfolio of technologies delivering comprehensive protection VULNERABILITY MANAGEMENT Global Threat Database feeding Big Data back-end employees in 26 countries INNOVATING over 56 patents granted / pending COMPLIANCE MANAGEMENT Leading provider of cloud delivered IT-GRC services 3 Strictly confidential Do not distribute

4 WHAT WE DO (OUR MISSION) We help businesses fight cybercrime, protect data, and reduce security risk Threat Management Services Prevention of external and internal threats through a combination of intelligence, detection, protection and remediation services. Threat Management Vulnerability Management Vulnerability Management Services Proactive scanning, testing and remediation of database, network and application vulnerabilities to protect internal assets. Compliance Management Services Multi-compliance frameworks that help businesses to identify and deploy security best practices. Managed Services Compliance Management All Services Provided Through TrustKeeper Portal All of our services are based on Trustwave technology 4 Strictly confidential Do not distribute

5 2014 COMPLIANCE SECURITY TRUSTWAVE GLOBAL SECURITY REPORT

6 WHAT ARE WE SEEING OUT THERE?

7 CASES: 691 vs 450 THE VOLUME OF DATA BREACH INVESTIGATIONS INCREASED 54 % OVER 2012

8 2014 WHAT WAS TRUSTWAVE GLOBAL TARGETED? SECURITY REPORT

9 E-COMMERCE MADE UP 54 % OF ASSETS TARGETED 54 %

10 33 % INCREASE IN NON-CARD DATA TARGETED 45 % 36 % 19 % Non-payment card data E-commerce payment card data POS payment card data (track data)

11 2014 DETECTION TRUSTWAVE GLOBAL STATISTICS SECURITY REPORT

12 71 % OF COMPROMISE VICTIMS DID NOT DETECT BREACHES THEMSELVES

13

14 DURATIONS BY DETECTION METHOD

15

16 2014 HOW DID TRUSTWAVE ATTACKERS GLOBAL GET SECURITY ACCESS? REPORT

17 WEAK PASSWORDS OPENED THE DOOR FOR THE INITIAL INTRUSION IN 31% OF COMPROMISES

18 ALMOST ALL APPLICATIONS SCANNED HARBORED ONE OR MORE SERIOUS SECURITY VULNERABILITIES 96 %

19 TOP 10 APPLICATION VULNERABILITIES

20 2014 TRUSTWAVE Malware GLOBAL SECURITY REPORT

21 Attackers continue to install malicious files onto web servers.

22 E-commerce malware Web shells A web shell is a file written in a web language (e.g., PHP, ColdFusion and ASP.net) IRC BOT An attacker will infect the web server with an IRC bot via SQL injection or other web-based attacks. The attacker will then add the victim s web server to a botnet Bot masters then instruct the victim bots, or zombie machines, to execute tasks File Upload/Execute Preferred by attackers who desire the functionality of a web shell, but with a smaller footprint.

23 2014 SECURITY TRUSTWAVE GLOBAL PRESSURES SECURITY REPORT

24 SPEED VS. SECURITY Pressure to Roll Out IT Projects Despite Security Issues Source: Trustwave 2015 Security Pressures Report

25 WHAT HAPPENS IF THERE IS A BREACH? It Begins With a Suspected Breach Notification Suspected Breach Results Provided Breach Fines & Fees Levied Forensics Investigation (30-90 days) Window to Validate Compliance (30 days) Validation Level Increased to Level 1 Merchant ü During the investigation you cannot process credit card payments electronically ü Breach costs range from $50,000-75,000 for a single store operator ü Customer confidence impact = lost business & revenue ü This will cause a serious disruption in your business!

26 2014 ACTION PLAN/ TRUSTWAVE GLOBAL RECOMMENDATIONS SECURITY REPORT

27 THE BIG PICTURE Compliance sets the minimum level of security Cybercriminals aren t stopping E-commerce apps are the #1 targeted asset Breach self-detection is S-L-O-W Don t forget to TEST your security

28 Layered Defence Application Penetration Testing Manual, not automatic A human tester: Ensures no false positives Best understands business logic Automated Application Vulnerability Scanning Regular testing in a cost effective way Database Security Scanning and Monitory Ensure the security of the backend database Web Application Firewall (Continuous) Continuous learning (positive and negative security models) Application profile and integrity

29 Take Aways Secure application development training Regular testing throughout your development life cycle Deploy a WAF (why not Trustwave J ) Protect the database and monitor it (*cough* Trustwave *cough*) Monitor your application root directory for suspicious activity Single factor is lame do 2 factor Make sure your hosting provider is certified and demand proof.

30 THANK YOU