E-Commerce Technology Risk and Security
Brian Trevey and Randy Romes
Presenter Contact Information
Randall J. Romes, CISSP, MCP
Principal, Information Security Services
LarsonAllen LLP
612-397-3114 Office
612-554-3967 Cell
[email protected]
www.larsonallen.com
Brian Trevey
Vice President - Delivery
Trustwave
410/573-6910 x7828 Office
410/507-3084 Cell
[email protected]
www.trustwave.com
Confidential
Agenda
• Trends in E-Commerce and Information Security
• Compliance Drivers
• Security Best Practices
• Recommendations
Anatomy of a Data Breach – Initial Entry
Trustwave Data Breach Analysis
Top Methods of Entry Included:
• Remote Access Applications [45%]
  – Default vendor supplied or weak passwords [90%]
• 3rd Party Connections [42%]
  – MPLS, ATM, frame relay
• SQL Injection [6%]
  – Web application compromises [90%]
• Exposed Services [4%]
• Remote File Inclusion [2%]
• Email Trojan [<1%]
  – 2 recent Adobe vulnerability cases
• Physical Access [<1%]
Anatomy of a Data Breach – Initial Entry
SANS 2009 Cyber Security Risk Report
• Client-side software vulnerabilities
  – Commonly used programs such as Adobe PDF Reader, QuickTime, Adobe Flash and Microsoft Office
• Internet-facing websites (> 60% of total Internet attack attempts)
  – Web application vulnerabilities such as SQL injection and Cross-Site Scripting flaws in open-source as well as custom-built applications account for more than 80% of the vulnerabilities being discovered.
Attack Vectors:
• Email Phishing
• Drive-by Downloads
Email Phishing – Targeted Attack
Randall J. Romes [[email protected]]
Two or three telltale signs. Can you find them?
https://microsoft.issgs.net
Email Phishing – Targeted Attack (continued)
https://microsoft.issgs.net
Fewer telltale signs on fake websites
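A defender-side check for the lookalike address on the slide, added here as an example and not part of the original presentation. It assumes a small constructed allow-list of the domains a brand legitimately uses and approximates the registrable domain with the last two hostname labels; a production version would consult the Public Suffix List.

```python
from urllib.parse import urlsplit

# Constructed allow-list for this example: the registrable domains a brand
# legitimately sends mail and hosts logins from (assumption, not a real list).
LEGITIMATE_DOMAINS = {"microsoft": {"microsoft.com", "live.com"}}

def registrable_domain(host: str) -> str:
    """Last two labels of a hostname. This is a simplification of eTLD+1;
    a production check should consult the Public Suffix List instead."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])

def phishing_signs(url: str, claimed_brand: str) -> list:
    """Return the telltale signs that `url` does not belong to `claimed_brand`.
    An empty list means no sign was found, not that the link is safe."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    signs = []
    if parts.scheme != "https":
        signs.append("link is not https")
    if parts.username is not None:
        # https://microsoft.com@evil.example/ shows a brand before the '@'
        signs.append("user info before '@' hides the real host")
    if host.replace(".", "").isdigit():
        signs.append("raw IP address instead of a hostname")
    base = registrable_domain(host)
    if base not in LEGITIMATE_DOMAINS.get(claimed_brand, set()):
        signs.append(f"registrable domain is {base!r}, not a {claimed_brand} domain")
        # microsoft.issgs.net: the brand is only a subdomain label under
        # someone else's domain, which a valid padlock and https do not reveal.
        if claimed_brand in host.split(".")[:-2]:
            signs.append(f"{claimed_brand!r} appears only as a subdomain of {base!r}")
    return signs
```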
Michigan Company Sues Bank
A Michigan company (EMI) is suing its bank after cyber thieves allegedly made fraudulent wire transfers totaling US $560,000.
The cyber thieves obtained the banking account credentials through a phishing email sent to an employee at EMI.
The transactions wired funds to bank accounts in Russia, Estonia, Scotland, Finland, China and the US, and the funds were withdrawn soon after the deposits were made.
EMI alleges that Comerica's security practices made EMI vulnerable to the phishing attack: the bank allegedly routinely sent its online customers emails with links asking them to submit information to renew digital certificates.
EMI also alleges that the bank failed to notice unusual activity. Until the fraudulent transactions were made, EMI had made just two wire transfers ever; in just a three-hour period, 47 wire transfers and 12 transfer-of-funds requests were made.
In addition, after EMI became aware of the situation and asked the bank to halt transactions, the bank allegedly failed to do so until 38 more had been initiated.
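An added example, not from the presentation or from either bank, of the kind of anomaly check the slide says was missing: it compares a burst of wires against the customer's own lifetime history, flags first-time destination countries, and treats anything initiated after a hold request as an alert. The threshold factor, window, sample dates, amounts and countries are constructed assumptions.

```python
from collections import deque
from datetime import datetime, timedelta

def review_transfers(transfers, lifetime_count, known_countries=frozenset(),
                     window=timedelta(hours=3), burst_factor=5, burst_floor=3,
                     hold_requested_at=None):
    """Flag wires that break the customer's own pattern.

    transfers: list of (timestamp, amount, destination_country), oldest first.
    lifetime_count: wires this customer had sent before this batch.
    known_countries: destinations the customer has wired to before.
    Returns a list of (index, reason) tuples; a wire may appear more than once.
    """
    threshold = max(burst_floor, lifetime_count * burst_factor)  # allowed per window
    recent = deque()           # timestamps inside the sliding window
    seen = set(known_countries)
    alerts = []
    for i, (ts, _amount, country) in enumerate(transfers):
        recent.append(ts)
        while ts - recent[0] > window:
            recent.popleft()
        if hold_requested_at is not None and ts >= hold_requested_at:
            alerts.append((i, "initiated after the customer asked for a hold"))
            continue  # nothing after a hold should be processed at all
        if len(recent) > threshold:
            alerts.append((i, f"{len(recent)} wires in {window}; lifetime history is {lifetime_count}"))
        if country not in seen:
            alerts.append((i, f"first ever wire to {country}"))
            seen.add(country)
    return alerts

def constructed_batch():
    """Constructed sample shaped like the case above: 47 wires in three hours
    from a customer with two prior wires, to countries it never used before."""
    start = datetime(2009, 1, 22, 9, 0)  # constructed date, not from the case
    countries = ["RU", "EE", "GB", "FI", "CN", "US"]
    return [(start + timedelta(minutes=3 * i), 10_000 + 500 * i, countries[i % 6])
            for i in range(47)]
```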
Bank Sues Customer for ACH Fraud???
A Texas bank is suing one of its commercial banking customers.
Cyber thieves made a series of ACH transactions totaling $801,495 from Hillary Machinery Inc.'s bank account.
The bank was able to retrieve about $600,000 of the money.
The customer subsequently sent a letter requesting that the bank refund the remaining $200,000.
The bank responded by filing the lawsuit, asking the court to certify that the bank's security was in fact reasonable and that it processed the wire transfers in good faith.
Documents filed with the court allege that the fraudulent transactions were initiated using the defendant's valid online banking credentials.
Incident Response – Investigative Conclusions
Window of Data Exposure
Attackers were still on systems an average of 156 days before being detected; eliminating stored data greatly reduces the data loss exposure during that window.
Penetration Tests – Top 10 – External Network
Rank  Vulnerability Name                                    Circa  Attack Difficulty
1     Unprotected Application Management Interface          1994   Easy
2     Unprotected Infrastructure Management Interface       1993   Easy
3     Access to Internal Application via the Internet       1997   Medium
4     Misconfigured Firewall Permits Access to Internal     1993   Hard
5     Default or Easy to Determine Credentials              1979   Trivial
6     Sensitive Information, Source Code, etc. in Web Dir   1990   Easy
7     Static Credentials Contained in Client                1980   Easy
8     Domain Name Service (DNS) Cache Poisoning             2008   Medium
9     Aggressive Mode IKE Handshake Support                 2001   Easy
10    Exposed Service Version Issues (Buffer Overflows)     1996   Hard
Conclusions
• Attackers are using old vulnerabilities
• Attackers are using new vulnerabilities (not a contradiction!)
• Attackers know they won’t be detected
• Organizations do not know what they own or how their data flows
• Blind trust in 3rd parties is a huge liability
• Fixing new/buzz issues, but not fixing basic/old issues
• In 2010, take a step back before moving forward
Compliance Mandates and Data Protection
Compliance Mandate – Data Type
PCI DSS: Payment Card Industry Data Security Standard (2004, 2006)
  Data type: Credit Card Data
HIPAA: Health Insurance Portability & Accountability Act (1996); Privacy & Security Rules (2003)
  Data type: PHI: Protected Health Information
GLBA: Gramm-Leach-Bliley Act (1999), Financial Services Modernization Act
  Data type: NPPI: Non-Public Personal Information
SOX: Sarbanes-Oxley Act (2002), Sections 404 and 302
  Data type: Financial Records, Intellectual Property
FERPA: Family Educational Rights & Privacy Act (1974)
  Data type: Student Records
ITAR: International Traffic in Arms Regulations (US Dept of State)
  Data type: Military & Defense Related IP on the US Munitions List
FISMA: Federal Information Security Management Act (2002)
  Data type: Data Security and Audit Standards for US Government and Contractors
Title 21 CFR Part 11: US Food & Drug Administration Regulation
  Data type: Electronic records and signatures
US State Data Privacy: California SB 1386; 44 states (as of June 2008)
  Data type: Customer Data Protection; Breach notification to customers
Payment Card Industry Data Security Standard (PCI DSS)
Six Goals, Twelve Requirements
PCI DSS requirements by goal:
Build and maintain a secure network
1. Install and maintain a firewall configuration to protect cardholder data
2. Do not use vendor-supplied defaults for system passwords and other security parameters
Protect cardholder data
3. Protect stored cardholder data
4. Encrypt transmission of cardholder data across open, public networks
Maintain a vulnerability management program
5. Use and regularly update anti-virus software or programs
6. Develop and maintain secure systems and applications
Implement strong access control measures
7. Restrict access to cardholder data by business need-to-know
8. Assign a unique ID to each person with computer access
9. Restrict physical access to cardholder data
Regularly monitor and test networks
10. Track and monitor all access to network resources and cardholder data
11. Regularly test security systems and processes
Maintain an information security policy
12. Maintain a policy that addresses information security for employees and contractors
Why Is the PCI DSS Successful?
• Increased awareness
• Focus on protection of cardholder data
• Standardized controls accepted by all card brands
• Eradication of prohibited data storage
• Continual improvements and updates to the standard
  – Evolution of the standard
  – Based on information gathered and trends identified in post-compromise forensic investigations
The Global Remediation Plan
Rank – Strategic Initiative
1. Perform and Maintain a Complete Asset Inventory; Decommission Old Systems
2. Monitor Third Party Relationships
3. Perform Internal Segmentation
4. Rethink Wireless
5. Encrypt Your Data
6. Investigate Anomalies
7. Educate Your Staff
8. Implement and Follow a Software Development Life Cycle (SDLC)
9. Lock Down User Access
10. Use Multifactor Authentication Everywhere Possible
E-Commerce Best Practices
• Network Vulnerability Scanning
• Penetration Testing
• Application Testing
• SSL Certificates
• Web Site Seals
• Patches and Network Security
• User Awareness and Training
Conclusion
Best Practices Checklist
Have you tested security?
Are your SSL or EV SSL certificates valid and not expiring during the holiday season?
Are your Web site seals valid and up to date?
Have you obtained all patches and are the patches up-to-date?
Do you know what and who are using your network?
Resources
• Trustmarks
  http://www.ecommerce-guide.com/solutions/advertising/article.php/3860526
• Trustwave’s Global Security Report 2010
  https://www.trustwave.com/whitePapers.php
• SANS 2009 Cyber Security Report
  http://www.sans.org/top-cyber-security-risks/
• SANS NewsBites Vol. 12 Num. 13 – Business Customer Sues Bank
  http://www.sans.org/newsletters/#newsbites
• Bank Sues Customer
  http://www.bankinfosecurity.com/articles.php?art_id=2132
Questions?