ALL THAT YOU NEED TO KNOW TO ENSURE WEB SECURITY (presentation slides)



  1. ALL THAT YOU NEED TO KNOW TO ENSURE WEB SECURITY
     Presented By: Ryan McElrath & Joe Kocan, February 26, 2015

  2. INTRODUCTIONS
     • Ryan McElrath, Chief Technology Officer
     • Joe Kocan, IT Security Consultant
     2/26/2015 2

  3. IMPORTANCE OF SECURITY
     Notable breaches:
     • Sony Pictures (sensitive info, emails, unreleased films)
     • Target (40 million credit/debit cards, 70 million customer records)
     • Heartland Payment Systems (134 million credit cards – SQL Injection)

  4. 12 POINTS OF PCI COMPLIANCE
     https://www.pcisecuritystandards.org/
     • What is PCI Compliance?
     • Who does it apply to?
     • Why is it helpful for every website?
     • The 12 “Simple” Points of Compliance
     • Our Report on Compliance (2014) is 280 pages long

  5. 1. FIREWALLS
     • At least 3 pairs of redundant firewalls: EXT, MOST SECURED and VPN.
     • Only permit ports and services that are linked to a business case.
     • Customers are in separate network segments.

  6. 2. SYSTEM HARDENING
     • Configuration Standards: Windows, Linux, Firewalls, Switches, Load Balancers – you name it.
     • Based on the CIS Security Benchmarks
     • Vulnerability Scans
     • Penetration Tests

  7. 3. PROTECT STORED DATA
     • Sensitive information is encrypted “at rest”.
     • Sensitive segments (SQL) are in their own locked-down VLAN.
     • Sensitive systems can’t be reached from or connect to the Internet.

  8. 4. ENCRYPTION
     • All sensitive transactions are secured with TLS (SSL).
     • If traffic is viewed in transit, all that can be seen is garbage.
     • Latest best practices are used: SHA256 signatures, 2048-bit or higher keys, NO SSL 2.0, NO SSL 3.0
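The protocol rules on this slide (no SSL 2.0 or 3.0, verified certificates) can be written down and checked in code rather than remembered. The example below is added here and is not code from the presentation or from Americaneagle.com; it uses only Python's standard-library ssl module. One function builds a client context that follows the slide's rules (and goes one step further by allowing only ECDHE cipher suites, which give forward secrecy), a second builds a deliberately weak context, and an audit function reports which rules a given context breaks. The function names and the finding strings are this example's own choices.

```python
from __future__ import annotations

import ssl

# Protocol floors the slide rules out. SSL 2.0 cannot even be expressed through
# this API on a modern build; TLS 1.0/1.1 are treated the same way here (an
# assumption of this example, not a statement on the slide).
LEGACY_VERSIONS = (
    ssl.TLSVersion.MINIMUM_SUPPORTED,  # "whatever the library allows", incl. SSLv3 if built in
    ssl.TLSVersion.SSLv3,
    ssl.TLSVersion.TLSv1,
    ssl.TLSVersion.TLSv1_1,
)

# Substrings that identify cipher families a PCI-facing service must not negotiate.
WEAK_CIPHER_MARKERS = ("RC4", "DES", "MD5", "NULL", "EXP")


def hardened_client_context() -> ssl.SSLContext:
    """Client context that follows the slide: TLS 1.2+, certificate required, modern ciphers."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2  # rules out SSL 2.0/3.0 and TLS 1.0/1.1
    ctx.verify_mode = ssl.CERT_REQUIRED
    ctx.check_hostname = True
    # ECDHE-only suites give forward secrecy; AEAD modes avoid CBC padding problems.
    ctx.set_ciphers("ECDHE+AESGCM:ECDHE+CHACHA20")
    return ctx


def weak_client_context() -> ssl.SSLContext:
    """Deliberately misconfigured context, built only so the audit has something to catch."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False  # must be cleared before verify_mode can be relaxed
    ctx.verify_mode = ssl.CERT_NONE  # "trust anything": the in-transit guarantee is gone
    ctx.minimum_version = ssl.TLSVersion.MINIMUM_SUPPORTED  # whatever the library still speaks
    return ctx


def audit_context(ctx: ssl.SSLContext) -> list[str]:
    """Return findings for a context; an empty list means it meets the slide's rules."""
    findings: list[str] = []
    if ctx.minimum_version in LEGACY_VERSIONS:
        findings.append(f"legacy-protocol:{ctx.minimum_version.name}")
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("cert-verification:disabled")
    elif not ctx.check_hostname:
        findings.append("hostname-check:disabled")
    # get_ciphers() lists every suite the context could negotiate, with its strength.
    for cipher in ctx.get_ciphers():
        name = cipher["name"]
        if any(marker in name for marker in WEAK_CIPHER_MARKERS) or cipher["strength_bits"] < 128:
            findings.append(f"weak-cipher:{name}")
    return findings


if __name__ == "__main__":
    for label, ctx in (("hardened", hardened_client_context()), ("weak", weak_client_context())):
        print(label, "->", audit_context(ctx) or "OK")
```

The slide's remaining two rules, SHA-256 signatures and 2048-bit or larger keys, are properties of the certificate rather than of the context, so they are not visible through this API; they are checked against the certificate itself (for example with `openssl x509 -text`, which prints the signature algorithm and the public-key size).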

  9. 5. ANTIVIRUS
     • Challenge: how do OS updates and AV updates reach the most secured segment?
     • Control segment: dedicated update and AV servers.

  10. 6. DEVELOP AND MAINTAIN SECURE SYSTEMS AND APPLICATIONS
     • OWASP – Cross Site Scripting, SQL Injection, secure development practices
     • Change Request Process

  11. 7. RESTRICT ACCESS
     • Separation of duties: developers can’t push updates, or even have access to production.
     • Any user account starts as a member of only the groups necessary for the job.
     • Granular firewall rules: only specific devices can see specific systems.

  12. 8. ASSIGN A UNIQUE ID TO EACH PERSON
     • Active Directory integration
     • All firewalls, switches, load balancers and Linux systems are tied to AD for authentication.
     • No shared user accounts.
     • Unique digital certificates are issued to each server admin.

  13. 9. RESTRICT PHYSICAL ACCESS
     • Biometric door locks at the facility and then at the datacenter door.
     • Visitor log
     • Video monitoring
     • 24x7x365

  14. 10. TRACK AND MONITOR ALL ACCESS
     • Auditing turned on for all systems: Windows, Linux, firewalls, load balancers.
     • Host-based intrusion detection on all servers.
     • Network intrusion detection at key points in the network.
     • All logging to centralized log servers.
     • Critical for digital forensics and incident response.

  15. 11. REGULARLY TEST SECURITY SYSTEMS AND PROCESSES
     • Vulnerability scanning
     • Pen testing
     • Patch management
     • Quarterly review meetings (internal audits)
     • Yearly compliance audits
     • PCI isn’t something that is done once a year; it is part of our process.

  16. 12. MAINTAIN A SECURITY POLICY
     • Information Security Policy: in writing; all employees and contractors are required to read and accept it.
     • Configuration standards are all written to adhere to the security policy.
     • It ended up being dozens of separate documents that encompass all areas of security: physical, data destruction, acceptable use, etc.
     • Security awareness training.

  17. SUMMARY – SECURE PCI NETWORK
     • System isolation
     • Secure access
     • PCI compliant from the ground up.
     • Secure facility
     • Scalable (add firewall pairs as needed).
     • Fully redundant; no single point of failure.

  18. INCAPSULA
     • Official Americaneagle.com partner
     • Only “leader” in Gartner’s Magic Quadrant for web security

  19. INCAPSULA NETWORK
     • 21 data centers
     • 6 under construction
     • 1 Tbps of capacity (terabits per second)

  20. INCAPSULA NETWORK
     Web Application Firewall (WAF)
     - Allows good traffic in (blue)
     - Keeps bad traffic out (red): DDoS attacks, bad bots, web application attacks

  21. DDOS ATTACKS
     • Goal is to take your site offline
     • Easy to launch attacks, little to no risk of being caught
     • Non-technical people rent botnets of thousands of computers

  22. DDOS ATTACKS
     DDoS attacks are continuing to gain in popularity*
     - 57 percent increase in total DDoS attacks
     - 52 percent increase in average peak bandwidth
     - 28 percent increase in average attack duration (avg. attack – 29 hours)
     * Akamai – State of the Internet [security] (stats from Q4 2013 to Q4 2014)

  23. THANK YOU!
     QUESTIONS? CONTACT YOUR ACCOUNT MANAGER OR EMAIL: STRATEGYINFO@AMERICANEAGLE.COM
     #AEWebForum
