ALL THAT YOU NEED TO KNOW TO ENSURE WEB SECURITY
Presented by: Ryan McElrath & Joe Kocan
February 26, 2015

INTRODUCTIONS
• Ryan McElrath, Chief Technology Officer
• Joe Kocan, IT Security Consultant
2/26/2015 2

IMPORTANCE OF SECURITY
Notable breaches:
• Sony Pictures (sensitive info, emails, unreleased films)
• Target (40 million credit/debit cards, 70 million customer records)
• Heartland Payment Systems (134 million credit cards – SQL Injection)

12 POINTS OF PCI COMPLIANCE
https://www.pcisecuritystandards.org/
• What is PCI Compliance?
• Who does it apply to?
• Why is it helpful for every website?
• The 12 “Simple” Points of Compliance
• Our Report on Compliance (2014) is 280 pages long
1. FIREWALLS
• At least 3 pairs of redundant firewalls: EXT, MOST SECURED and VPN.
• Only permit ports and services that are linked to a business case.
• Customers are in separate network segments.

2. SYSTEM HARDENING
• Configuration Standards: Windows, Linux, firewalls, switches, load balancers – you name it.
• Based on the CIS Security Benchmarks.
• Vulnerability scans.
• Penetration tests.

3. PROTECT STORED DATA
• Sensitive information is encrypted “at rest”.
• Sensitive segments (SQL) are in their own locked-down VLAN.
• Sensitive systems can’t be reached from or connect to the Internet.

4. ENCRYPTION
• All sensitive transactions are secured with TLS (SSL).
• If traffic is viewed in transit, all that can be seen is garbage.
• Latest best practices are used: SHA256, 2048-bit or higher keys, NO SSL 2.0, NO SSL 3.0.
5. ANTIVIRUS
• Challenge: how to deliver patches and AV signature updates into the most secured segment without exposing it to the Internet?
• Answer: a Control Segment that hosts the update and AV servers.
6. DEVELOP AND MAINTAIN SECURE SYSTEMS AND APPLICATIONS
• OWASP: Cross-Site Scripting, SQL Injection, secure development practices.
• Change Request Process.
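The SQL Injection item above (the same flaw the deck cites for the Heartland breach) is easiest to understand side by side: the string-concatenated query lets input rewrite the WHERE clause, while a bound parameter is only ever treated as a value. This is an added example against an in-memory SQLite table with constructed sample rows, not code from the presenters.

```python
import sqlite3

# Constructed sample data for the demo (not real customer records).
SAMPLE_ROWS = [
    (1, "alice", "alice@example.com"),
    (2, "bob", "bob@example.com"),
    (3, "carol", "carol@example.com"),
]


def make_db():
    """Build a throwaway in-memory database holding the sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE customers (id INTEGER, username TEXT, email TEXT)")
    conn.executemany("INSERT INTO customers VALUES (?, ?, ?)", SAMPLE_ROWS)
    return conn


def lookup_vulnerable(conn, username):
    """Vulnerable: untrusted input is spliced into the SQL text, so the
    input can change the structure of the query, not just its value."""
    sql = "SELECT id, username, email FROM customers WHERE username = '" + username + "'"
    return conn.execute(sql).fetchall()


def lookup_safe(conn, username):
    """Hardened: a bound parameter is sent separately from the SQL text
    and is always compared as a literal string."""
    sql = "SELECT id, username, email FROM customers WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()


def compare(username):
    """Return (rows from vulnerable query, rows from safe query) for one input."""
    conn = make_db()
    try:
        return len(lookup_vulnerable(conn, username)), len(lookup_safe(conn, username))
    finally:
        conn.close()


if __name__ == "__main__":
    # A normal username behaves identically in both versions.
    print(compare("alice"))
    # A classic tautology payload: the vulnerable query returns every row,
    # the parameterised query correctly finds no user with that literal name.
    print(compare("x' OR '1'='1"))
```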
7. RESTRICT ACCESS
• Separation of duties: developers can’t push updates, or even have access to production.
• Any user account starts as a member of only the groups necessary for the job.
• Granular firewall rules: only specific devices can see specific systems.
8. ASSIGN A UNIQUE ID TO EACH PERSON
• Active Directory integration.
• All firewalls, switches, load balancers and Linux systems are tied to AD for authentication.
• No shared user accounts.
• Unique digital certificates are issued to each server admin.

9. RESTRICT PHYSICAL ACCESS
• Biometric door locks at the facility and then at the datacenter door.
• Visitor log.
• Video monitoring.
• 24x7x365.

10. TRACK AND MONITOR ALL ACCESS
• Auditing turned on for all systems: Windows, Linux, firewalls, load balancers.
• Host-based intrusion detection on all servers.
• Network intrusion detection at key points in the network.
• All logging to centralized log servers.
• Critical for digital forensics and incident response.

11. REGULARLY TEST SECURITY SYSTEMS AND PROCESSES
• Vulnerability scanning.
• Pen testing.
• Patch management.
• Quarterly review meetings (internal audits).
• Yearly compliance audits.
• PCI isn’t something that is done once a year; it is part of our process.
12. MAINTAIN A SECURITY POLICY
• Information Security Policy: in writing; all employees and contractors are required to read and accept it.
• Configuration Standards are all written to adhere to the security policy.
• It ended up being dozens of separate documents that encompass all areas of security: physical, data destruction, acceptable use, etc.
• Security awareness training.
SUMMARY – SECURE PCI NETWORK
• System isolation.
• Secure access.
• PCI compliant from the ground up.
• Secure facility.
• Scalable (add firewall pairs as needed).
• Fully redundant; no single point of failure.

INCAPSULA
• Official Americaneagle.com partner.
• Only “leader” in Gartner’s Magic Quadrant for web security.

INCAPSULA NETWORK
• 21 data centers, 6 under construction.
• 1 Tbps of capacity (terabits per second).

INCAPSULA NETWORK
Web Application Firewall (WAF)
- Allows good traffic in (blue)
- Keeps bad traffic out (red):
  - DDoS attacks
  - Bad bots
  - Web application attacks

DDOS ATTACKS
• Goal is to take your site offline.
• Easy to launch attacks, little to no risk of being caught.
• Non-technical people rent botnets of thousands of computers.

DDOS ATTACKS
DDoS attacks are continuing to gain in popularity*
- 57 percent increase in total DDoS attacks
- 52 percent increase in average peak bandwidth
- 28 percent increase in average attack duration (avg. attack – 29 hours)
* Akamai, State of the Internet [security] (stats from Q4 2013 to Q4 2014)
THANK YOU!
QUESTIONS? CONTACT YOUR ACCOUNT MANAGER OR EMAIL: STRATEGYINFO@AMERICANEAGLE.COM
#AEWebForum