Magento Security Best Practices 2015 (Q4 2015)
Grow your business safely
http://goo.gl/mfpbws

e-commerce: the 60% rules
- >60% of web traffic is non-human
- >60% of attempts to steal databases target e-commerce sites
- >60% of growth for identity theft over three years
A 2012 study showed:
- Retailer websites are at risk 328 days/year
- An IP address is scanned around 40 times per day

The triple loot

A different time scale
[Chart: time between attack launch and compromise; axis: Seconds, Minutes, Hours, Days, Weeks, Months, Years]
[Chart: time between compromise and its discovery; same axis]
Statistics based on large corporations in 2012 (Verizon Data Breach report)

A *very* bad year

It all started with a big #fail (Shoplift)

It all started with a big #fail (RSS orders)

It all started with a big #fail (Magmi)

Other SUrPrEEses

Magento cache leak

But there were others before

Did you take care of the previous ones?
The PayPal / Magento integration flaw (by NBS)

NBS System will release a new vulnerability soon

Or even the ones that were not Magento specific?

PHP: two versions behind, really?
PHP versions in use in our hosting fleet: 88% are outdated and no longer supported, so they receive no security fixes (and there is +12% to +40% performance to gain by upgrading).

Easily exploitable things beyond classical vulnerabilities

When Magento support is being creative
Magento Support giving dangerous advice:
- "Chmod 777 your document root" *REALLY*?
- "Magento is not compatible with reverse proxies" *Woot*?
- "Give me your root password so we can look" *NO KIDDING*?
- Etc.
Don't go to a car dealer to fix a bad tooth.

Classical mistakes that cost
- Leaving your logs accessible, especially the debug ones
- Leaving payment gateway logs accessible to all
- Not hiding Magento, PHP and Apache versions
- Using unaudited extensions: keep them to a minimum, a lot are BAD
- Weak passwords, along with no lockout policy, are a plague

Application-level DoS attacks
- Leaving import/export scripts, reindexers and crontabs accessible
- Calls to pages that load very slowly
- Direct access to the API to import / export
- Etc.
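Both of the last two slides leave traces in the web server's own access log: a request for a debug log or the Magmi importer that is answered with a 200, or one address calling the API dozens of times a minute. The following is an added example, not code from the deck or from NBS System. It parses combined-format log lines, reports hits on Magento paths that should be filtered (an assumed list: var/log, var/export, var/report, magmi, shell/, api/, downloader/) that were nevertheless served with a non-error status, and flags client IPs that exceed a request rate (assumed default: more than 10 requests in any 60-second window). The log lines are constructed for the example.

```python
import re
from collections import defaultdict
from datetime import datetime

# Magento 1 paths that a hardened deployment should not serve to the public.
# Assumed list for this example; align it with your own filter rules.
SENSITIVE_PREFIXES = (
    "/var/log/", "/var/export/", "/var/report/",  # debug and payment gateway logs
    "/magmi/", "/index.php/magmi/",               # Magmi importer
    "/shell/",                                    # indexer and cron shell scripts
    "/api/", "/index.php/api/",                   # XML-RPC / SOAP API
    "/downloader/",                               # Magento Connect updater
)

# Apache / nginx "combined" log format: ip ident user [time] "request" status size ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)


def parse_line(line):
    """Return (ip, timestamp, path without query string, status) or None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    path = m.group("path").split("?", 1)[0]
    return m.group("ip"), ts, path, int(m.group("status"))


def is_sensitive(path):
    """True when the path starts with one of the prefixes that should be filtered."""
    return path.startswith(SENSITIVE_PREFIXES)


def analyse(lines, rate_limit=10, window_seconds=60):
    """Scan log lines.

    Returns (probes, noisy): probes are (ip, path, status) tuples for sensitive
    paths that were actually served (status < 400, i.e. the filter is missing);
    noisy is the sorted list of IPs that sent more than rate_limit requests
    inside any window_seconds span, the scanning / application-level DoS pattern.
    """
    probes = []
    per_ip = defaultdict(list)
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue  # skip lines in another format rather than guessing
        ip, ts, path, status = parsed
        per_ip[ip].append(ts)
        if is_sensitive(path) and status < 400:
            probes.append((ip, path, status))

    noisy = []
    for ip, stamps in per_ip.items():
        stamps.sort()
        lo = 0
        for hi, t in enumerate(stamps):  # sliding window over sorted timestamps
            while (t - stamps[lo]).total_seconds() > window_seconds:
                lo += 1
            if hi - lo + 1 > rate_limit:
                noisy.append(ip)
                break
    return probes, sorted(noisy)


# Constructed sample: a normal visitor, one probe that the filter blocked, and one
# scanner that reaches Magmi and then hammers the XML-RPC API within seconds.
SAMPLE_LOG = [
    '198.51.100.4 - - [12/Oct/2015:10:00:00 +0200] "GET / HTTP/1.1" 200 5123',
    '198.51.100.4 - - [12/Oct/2015:10:00:03 +0200] "GET /catalog/category/view/id/3 HTTP/1.1" 200 8840',
    '203.0.113.9 - - [12/Oct/2015:10:00:05 +0200] "GET /var/log/exception.log HTTP/1.1" 403 213',
    '203.0.113.7 - - [12/Oct/2015:10:00:07 +0200] "GET /magmi/web/magmi.php HTTP/1.1" 200 1310',
] + [
    f'203.0.113.7 - - [12/Oct/2015:10:00:{10 + i:02d} +0200] "POST /index.php/api/xmlrpc HTTP/1.1" 200 640'
    for i in range(12)
]

if __name__ == "__main__":
    found, loud = analyse(SAMPLE_LOG)
    for ip, path, status in found:
        print(f"served sensitive path: {ip} {path} -> {status}")
    print("rate limit exceeded by:", ", ".join(loud) or "nobody")
```

The 403 on /var/log/exception.log is deliberately not reported: a blocked probe is what the filter is supposed to produce, whereas a 200 on the same path means the .htaccess or nginx rule is missing. The rate check is a per-IP sliding window, so it also catches a slow scanner that spreads its requests over the minute.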
Securing Magento flaws

Securing Magento flaws
- Update to versions CE > 1.9 or EE > 1.14.1
- Use PHP 5.6
- Shoplift, Magmi, XML-RPC XXE: filter the access with a .htaccess file (or an nginx rule)

Securing recent flaws
Example with Magmi (using Apache); 192.168.0.1 stands for the only address allowed to reach the importer, every other client is redirected to the home page:

    RewriteCond %{REQUEST_URI} ^/(index.php/)?magmi/ [NC]
    RewriteCond %{REMOTE_ADDR} !^192\.168\.0\.1$
    RewriteRule ^(.*)$ http://%{HTTP_HOST}/ [R=302,L]

Example with Magmi (using Nginx):

    location ~* ^/(index.php/)?magmi {
        allow 192.168.0.1;
        deny all;
        location ~* \.php$ {
            include fastcgi_params;
            # plus the fastcgi_pass of your PHP backend, as in the rest of the vhost
        }
    }

Protect your backoffice & updater
Example using Apache; the path is your backoffice URL (/admin is the Magento 1 default and should be replaced by your renamed one). The client must either come from [MY_IP] or authenticate, and everybody else is denied:

    <Location /admin>
        AuthType Basic
        AuthName "Restricted Area"
        AuthUserFile /etc/apache2/access/htpasswd
        Require valid-user
        Order deny,allow
        Deny from all
        Allow from [MY_IP]
        Satisfy any
    </Location>

Then, just add a user (-c creates the password file; leave it out when adding further users, or the file is overwritten):

    htpasswd -c /etc/apache2/access/htpasswd [user]

Leveraging native Magento security
- Use HTTPS for the backoffice and the order tunnel
- Change your backoffice default URL
- Do *NOT* use a weak password (no, «tommy4242» is not safe)
- Put a limit on the number of failed login attempts
- Set a password expiration time and change it every 3 months
- Enforce case-sensitive passwords
- Disable email password recovery
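Three of the settings above (failed-login limit, password expiry, case sensitivity) describe one account-lockout policy. The following is an added example, not code from the deck and not Magento's own implementation: a small policy object showing how the checks fit together, so that the behaviour can be reasoned about or compared with what a backoffice actually does. The thresholds are assumptions chosen to match the slide: five failures lock the account for 30 minutes, and a password is valid for 90 days (the "every 3 months"). Password hashing uses PBKDF2-HMAC-SHA256 from the standard library; the account name and passwords are constructed for the scenario.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

# Assumed policy values for this example: five failures lock the account for
# 30 minutes, and a password is valid for 90 days (the deck's "every 3 months").
MAX_FAILURES = 5
LOCKOUT = timedelta(minutes=30)
PASSWORD_LIFETIME = timedelta(days=90)


def hash_password(password, salt):
    """PBKDF2-HMAC-SHA256 of the password; case-sensitive because the bytes differ."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)


@dataclass
class AdminAccount:
    username: str
    salt: bytes
    digest: bytes
    password_set_at: datetime
    failures: int = 0
    locked_until: Optional[datetime] = None

    def is_locked(self, now):
        return self.locked_until is not None and now < self.locked_until

    def password_expired(self, now):
        return now - self.password_set_at >= PASSWORD_LIFETIME

    def attempt_login(self, password, now):
        """Apply the policy; returns one of: locked, bad_password, expired, ok."""
        if self.is_locked(now):
            return "locked"  # not verified at all: a locked account gives no oracle
        if not hmac.compare_digest(hash_password(password, self.salt), self.digest):
            self.failures += 1
            if self.failures >= MAX_FAILURES:
                self.locked_until = now + LOCKOUT
                self.failures = 0
                return "locked"
            return "bad_password"
        self.failures = 0
        self.locked_until = None
        if self.password_expired(now):
            return "expired"  # right password, but it must be changed before use
        return "ok"

    def set_password(self, password, now):
        """Rotate the password and restart the 90-day lifetime."""
        self.salt = os.urandom(16)
        self.digest = hash_password(password, self.salt)
        self.password_set_at = now


def make_account(username, password, now):
    salt = os.urandom(16)
    return AdminAccount(username, salt, hash_password(password, salt), now)


def run_scenario():
    """Walk one constructed account through the policy; returns the outcomes in order."""
    t0 = datetime(2015, 10, 12, 9, 0)
    acct = make_account("admin", "Correct-Horse-9", t0)
    # Wrong case counts as a failure, then four more wrong guesses trigger the lockout.
    results = [acct.attempt_login(p, t0)
               for p in ("correct-horse-9", "wrong", "wrong", "wrong", "wrong")]
    results.append(acct.attempt_login("Correct-Horse-9", t0 + timedelta(minutes=5)))   # still locked
    results.append(acct.attempt_login("Correct-Horse-9", t0 + timedelta(minutes=31)))  # lockout over
    results.append(acct.attempt_login("Correct-Horse-9", t0 + timedelta(days=91)))     # password too old
    return tuple(results)


if __name__ == "__main__":
    for outcome in run_scenario():
        print(outcome)
```

Two details matter for the slide's point. A locked account is rejected before the password is checked, so an attacker who has triggered the lockout cannot keep guessing and learn which guess was right. And the expiry check runs only after a correct password, so a stale password still counts as a valid credential for the purpose of forcing a change rather than being treated as a bad guess.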
Securing the web application

Organizational security
- Get a security review
- Keep track of vulnerabilities in the Magento ecosystem
- Have serious passwords, change them every 3 months
- Do not keep information unless it is needed
- Pick a PCI DSS certified hosting company
- Use 3-D Secure
- Keep up-to-date versions of Magento & PHP

Infrastructure security
- Keep a daily backup
- Use a WAF: NAXSI is open source, free and stable
- Put rate limits on your reverse proxies
- Filter your outgoing traffic
It's the job of your managed services provider.

Host level security
- Change the default backoffice URL
- Disable directory indexing
- Have correct permissions: files 644, directories 755
- No follow, no index on preprod
- Use the best practices mentioned before
It's the job of your managed services provider.
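The permission baseline above (files 644, directories 755) is easy to state and easy to drift from, especially after the "chmod 777 your document root" advice quoted earlier. The following is an added example, not code from the deck or from NBS System: it walks a document root and reports every entry that deviates, always flagging world-writable entries and tolerating group-writable ones only under the directories Magento 1 needs to write to (an assumed list: var and media). The sample tree it audits is constructed in a temporary directory so the example runs anywhere.

```python
import os
import shutil
import stat
import tempfile

FILE_MODE = 0o644
DIR_MODE = 0o755
# Magento 1 needs the web server to write here, so group-writable is tolerated
# under these top-level directories (assumed list; adjust to your deployment).
WRITABLE_DIRS = ("var", "media")


def audit_tree(root):
    """Return (relative_path, octal_mode, problem) for every deviating entry.

    World-writable entries are always reported; other deviations from the
    644/755 baseline are reported unless they sit under WRITABLE_DIRS.
    """
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            full = os.path.join(dirpath, name)
            st = os.lstat(full)
            if stat.S_ISLNK(st.st_mode):
                continue  # a link's own mode is irrelevant; its target is audited on its own
            rel = os.path.relpath(full, root)
            mode = stat.S_IMODE(st.st_mode)
            expected = DIR_MODE if stat.S_ISDIR(st.st_mode) else FILE_MODE
            tolerated = rel.split(os.sep)[0] in WRITABLE_DIRS
            if mode & stat.S_IWOTH:
                findings.append((rel, oct(mode), "world-writable"))
            elif mode != expected and not tolerated:
                findings.append((rel, oct(mode), f"expected {oct(expected)}"))
    return findings


def build_sample_tree(base):
    """Constructed miniature Magento layout with deliberate mistakes, for the demo."""
    layout = {
        "index.php": (False, 0o777),               # the "chmod 777" advice in action
        "app/etc/local.xml": (False, 0o644),       # correct
        "var/log/system.log": (False, 0o666),      # log left world-writable
        "var/export": (True, 0o775),               # tolerated: var/ may be group-writable
        "skin/frontend/base.css": (False, 0o600),  # too tight, reported but harmless
    }
    for rel, (is_dir, _) in layout.items():
        full = os.path.join(base, rel)
        os.makedirs(full if is_dir else os.path.dirname(full), exist_ok=True)
        if not is_dir:
            with open(full, "w") as fh:
                fh.write("sample\n")
    # Normalise every directory to 755 regardless of umask, then apply the layout.
    for dirpath, dirnames, _ in os.walk(base):
        for d in dirnames:
            os.chmod(os.path.join(dirpath, d), DIR_MODE)
    for rel, (_, mode) in layout.items():
        os.chmod(os.path.join(base, rel), mode)


def demo():
    """Build the sample tree in a temporary directory, audit it, then clean up."""
    base = tempfile.mkdtemp(prefix="magento-audit-")
    try:
        build_sample_tree(base)
        return audit_tree(base)
    finally:
        shutil.rmtree(base)


if __name__ == "__main__":
    for rel, mode, problem in demo():
        print(f"{rel}: {mode} ({problem})")
```

Run against a real document root with audit_tree("/path/to/magento"). Group-writable var/export passes because the exception list covers it, while var/log/system.log is still reported: the exception never extends to the world-writable bit, which is the one that turns a misconfiguration into an exposure.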
High end security

CerberHost
Layers: Humans, Website, Database, Applicative stack, Network, Operating system, Hardware
Controls:
- Motivating wages, SOC team, security trainings, background checks
- N.A.X.S.I (web application firewall), ReqLimit (anti applicative DoS), ExecVE killer, File Upload checker, PHP Suhosin V2, App scan, Threadfix virtual patching
- MySQL Interceptor, PHP Suhosin V2, daemon hardening
- Anti DDoS, isolated VLANs, firewalling
- PaX / grsecurity, Watch Folder, PHP Malware finder
- Redundant hardware, redundant datacenters, redundant data storage, redundant telecom uplinks
- Log central, Security Event Manager, Ban Commander, Flex Dynamic Firewall

Grow your business safely
Contact: contact@nbs-system.com, +33.1.58.56.60.80, Twitter: @nbs_system