In preparation for one of the biggest revenue seasons of the year for ecommerce and retail, Tricia Pattee, Security Product Manager from HOSTING, and Paul Fletcher, Security Evangelist from Alert Logic, will provide insight into the latest cyber security trends related to ecommerce and retail, and will also:
· Examine the attack vectors and the profile of the threat actors of cyber attacks
· Provide an understanding of the weaknesses and vulnerabilities that are affecting retail and ecommerce companies
· Discuss defenses against the retail and ecommerce-related breaches to help detect and prevent copycat attackers
1. HOLIDAY PREP FOR ECOMMERCE & RETAIL:
LATEST CYBER THREATS & STRATEGIES
Paul Fletcher – Cyber Security Evangelist
@_PaulFletcher
2. Housekeeping
• This webinar is being recorded and an on-demand version will be available at the same URL at the conclusion of the webinar
• Please submit questions via the button on the upper left of the viewer
- If we don’t get to your question during the webinar, we will follow up with you via email
• Download related resources via the “Attachments” button above the viewing panel
• On Twitter? Join the conversation: @HOSTINGdotcom, @AlertLogic
5. Changes in the Traditional Solutions
[Chart; categories: Application attack, Brute force, Recon, Suspicious, DoS; axis: 0% to 100%]
6. Recent Payment-Related Breaches
• Village Pizza Pub
- Vendor (TransformPOS)
- Malware gained access to active transactions
• Utah Food Bank
- 10k donors’ PII and payment card data exposed
- Poor website security
• Genworth Insurance
- Agent social engineered on the phone
- Exposed Personally Identifiable Information (PII) and Personal Healthcare Information (PHI)
7. Threats to Retail
On-going threats Newer threats
• Point of sale (POS)
• Vendors
• Web applications
• eCommerce infrastructure
• Employees
• Denial of service
- DoS
- DDoS
• Advanced persistent threat (APT)
• Hacking groups
• Supply chain
• Manufacturing process
• Business details
• Insiders
11. Technology Plan
• Assessments
• External penetration tests
• Internal vulnerability scans
• Application security review
• Configuration management
• Data integrity
• Analyze and optimize
• Gather system utilization data
• Understand resource requirements/limitations
• Establish threshold capacities
• Plan for the best
12. Technology Scale
• Prepare to Scale
• Properly sized and tested images
• Instance efficiency
• Identity and access management
• Security tools
• DDoS options
13. Technology Tactics
• Network segmentation
• Isolate from operational network/web
• Block all, then only allow documented exceptions
• Security logging & monitoring on each segment
• Firewall (NGFW)
• Intrusion Detection/Prevention System
• Deep packet inspection
• Two factor authentication
• Patch management
14. Technology Tactics
• Full mobility security plan
• Require passwords
• Enforce timeouts
• Provide software updates
• Eradicate “jail broken” devices
• Encryption first approach
• Security over functionality
• Re-direct to appropriate web site
• Email security
• Spam
• Phishing
TRAIN EMPLOYEES
16. People and Process
• Communications list
• Prepare online and offline references
• Multiple ways to contact
• Expected response
• Escalation path
• Review IAM
• Ensure least privilege concept
• System tests after modification
• Establish “normal” activity for system accounts
• Review log systems
18. PCI 3.1
• Compliance
- Unprotected primary account numbers (PANs)
o SMS (text message)
- Eliminate old versions of SSL and TLS
• Security
- Never send account information in the clear
- Obfuscation is an easy solution
- Encryption is best
- Patch management to update SSL and TLS
TRAIN EMPLOYEES
20. Incident Response
• Test the plan
• Self assessment
• Incident response director
• Team walk through
• Everybody with a role in the plan
• Walk through a recent breach
• Use the plan as a guide
• Edit the plan as needed
• Executive assessment
• Walk through of scenario
• Validate priorities
• Live exercise
21. Incident Response
• Revise the plan
• Roles and responsibilities
• Externalize the plan
• Forensics experts
• Technical consultants
• Legal
• Public relations
• Partners
• Vendors
• Law enforcement
22. Incident Response
• Cloud considerations
• Clearly defined resources
• Include when you test the plan
• Pristine content ready to re-deploy
• Test this capability
• Test the plan…again
24. Proactive Pursuit
• Assume you are breached and act accordingly
• Establish the baseline
• Understand normal system behavior
• Use existing sources
• Net flow
• Log activity
• Inbound and outbound connectivity
• File integrity
• Configuration settings
• Use new technology
• Tools to find zero day attacks
• Short term engagement
27. Threat to Threat Intelligence
Wassenaar Proposal
• 2013 Amendment
• Prevent the selling of surveillance technology to governments known to abuse human rights
• Surveillance technology includes
- Intrusion Detection Systems
- Zero Day exploits
• Punishment
- $250k fine
- Five years in prison
28. Threat to Threat Intelligence
Wassenaar Proposal – The Problem
• Prevents information sharing of vulnerabilities
• Prevents us from knowing our enemy
• Prevents research sharing…even within the same organization
• Hackers gonna hack – so it really only impacts law abiding security professionals
Wassenaar Proposal – The Fix
• Read about the proposal
• Share it within your sphere of influence
• Make sure your legal team is informed
• Keep the conversation going
• Be specific about how this proposal will impact your ability to do your job
30. Q&A
Paul Fletcher | Alert Logic Cyber Security Evangelist
Tricia Pattee | HOSTING Product Manager
For more information about security solutions by HOSTING, please contact our team at 888.894.4678.