HOLIDAY PREP FOR ECOMMERCE & RETAIL: LATEST CYBER THREATS & STRATEGIES
Paul Fletcher – Cyber Security Evangelist@_PaulFletcher
Housekeeping
• This webinar is being recorded and an on-demand version will be available at the same URL at the conclusion of the webinar
• Please submit questions via the button on the upper left of the viewer. If we don’t get to your question during the webinar, we will follow up with you via email
• Download related resources via the “Attachments” button above the viewing panel
• On Twitter? Join the conversation: @HOSTINGdotcom, @AlertLogic
Industry Analysis – 2014 Data Breaches - Mandiant
Threats by Customer Environment
[Chart: share of observed threat types, Cloud Environment vs On Premise Environment. Source: Alert Logic CSR 2015]
Changes in the Traditional Solutions
[Chart: percentage of incidents (0%–100%) by category: Application attack, Brute force, Recon, Suspicious, DoS]
Recent Payment-Related Breaches
• Village Pizza Pub
- Vendor (TransformPOS)
- Malware gained access to active transactions
• Utah Food Bank
- 10k donors exposed: PII and payment card data
- Poor website security
• Genworth Insurance
- Agent social engineered on the phone
- Exposed personally identifiable information (PII) and protected health information (PHI)
Threats to Retail
On-going threats
• Point of sale (POS)
• Vendors
• Web applications
• eCommerce infrastructure
• Employees
• Denial of service
- DoS
- DDoS
Newer threats
• Advanced persistent threat (APT)
• Hacking groups
• Supply chain
• Manufacturing process
• Business details
• Insiders
Understand your Adversaries
Underground Economy
TECHNOLOGY
Technology Plan
• Assessments
- External penetration tests
- Internal vulnerability scans
- Application security review
- Configuration management
- Data integrity
• Analyze and optimize
- Gather system utilization data
- Understand resource requirements/limitations
- Establish threshold capacities
- Plan for the best
Technology Scale
• Prepare to scale
- Properly sized and tested images
- Instance efficiency
- Identity and access management
- Security tools
- DDoS options
Technology Tactics
• Network segmentation
- Isolate from operational network/web
- Block all, then only allow documented exceptions
- Security logging & monitoring on each segment
• Firewall (NGFW)
• Intrusion Detection/Prevention System
• Deep packet inspection
• Two factor authentication
• Patch management
Technology Tactics
• Full mobility security plan
- Require passwords
- Enforce timeouts
- Provide software updates
- Eradicate “jailbroken” devices
- Encryption first approach
- Security over functionality
- Re-direct to appropriate web site
• Email security
- Spam
- Phishing
TRAIN EMPLOYEES
PEOPLE AND PROCESS
People and Process
• Communications list
- Prepare online and offline references
- Multiple ways to contact
- Expected response
- Escalation path
• Review IAM
- Ensure least privilege concept
- System tests after modification
- Establish “normal” activity for system accounts
• Review log systems
Data Correlation is the Key
PCI 3.1
• Compliance
- Unprotected primary account numbers (PANs)
o SMS (text message)
- Eliminate old versions of SSL and TLS
• Security
- Never send account information in the clear
- Obfuscation is an easy solution
- Encryption is best
- Patch management to update SSL and TLS
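A quick way to check the “eliminate old versions of SSL and TLS” item against a web server’s configuration. This is an added example, not material from the webinar; the config snippets are constructed, and the `ssl_protocols` directive name follows nginx’s syntax.

```python
"""Check an nginx-style ssl_protocols directive for SSL/early-TLS versions
that PCI DSS 3.1 requires you to retire.

Added example (not from the webinar). The two config fragments below are
constructed: one with the weak setting, one corrected.
"""
import re

# Protocol tokens PCI DSS 3.1 treats as SSL / "early TLS" and requires removed.
# (TLSv1.1 is not in this set; TLSv1.2 is the recommended minimum.)
RETIRED = {"SSLv2", "SSLv3", "TLSv1"}

WEAK_CONF = """
server {
    listen 443 ssl;
    ssl_protocols SSLv3 TLSv1 TLSv1.1 TLSv1.2;
}
"""

FIXED_CONF = """
server {
    listen 443 ssl;
    ssl_protocols TLSv1.2;
}
"""

def enabled_protocols(conf):
    """Return the protocol tokens listed in the first ssl_protocols directive."""
    m = re.search(r"^\s*ssl_protocols\s+([^;]+);", conf, re.MULTILINE)
    return m.group(1).split() if m else []

def retired_protocols(conf):
    """Protocols enabled in conf that must be dropped under PCI DSS 3.1."""
    return sorted(p for p in enabled_protocols(conf) if p in RETIRED)

def is_pci31_clean(conf):
    """True when no retired SSL/early-TLS version is enabled."""
    return not retired_protocols(conf)

if __name__ == "__main__":
    for name, conf in (("weak", WEAK_CONF), ("fixed", FIXED_CONF)):
        print(name, "enabled:", enabled_protocols(conf),
              "retired still on:", retired_protocols(conf))
```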
TRAIN EMPLOYEES
INCIDENT RESPONSE
Incident Response
• Test the plan
- Self assessment
- Incident response director
• Team walk through
- Everybody with a role in the plan
- Walk through a recent breach
- Use the plan as a guide
- Edit the plan as needed
• Executive assessment
- Walk through of scenario
- Validate priorities
• Live exercise
Incident Response
• Revise the plan
- Roles and responsibilities
• Externalize the plan
- Forensics experts
- Technical consultants
- Legal
- Public relations
- Partners
- Vendors
- Law enforcement
Incident Response
• Cloud considerations
- Clearly defined resources
- Include when you test the plan
- Pristine content ready to re-deploy
- Test this capability
• Test the plan…again
PROACTIVE PURSUIT
Proactive Pursuit
• Assume you are breached and act accordingly
• Establish the baseline
- Understand normal system behavior
- Use existing sources
o Net flow
o Log activity
o Inbound and outbound connectivity
o File integrity
o Configuration settings
• Use new technology
- Tools to find zero day attacks
- Short term engagement
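The “establish the baseline, then correlate” idea from the People and Process and Proactive Pursuit slides, shown as an added example that is not part of the webinar: a known-good window of system-account logins and netflow records builds the baseline, later records are checked against it, and a host that shows both an unexpected login and a new outbound destination is raised as a correlated finding. All records, hostnames and addresses are constructed.

```python
"""Baseline normal activity for system accounts and hosts, then flag
deviations and correlate them per host.

Added example (not from the webinar). All log records are constructed.
"""
from collections import defaultdict

# Constructed known-good window: (account, source_host) for service logins,
# (host, destination, port) for outbound flows.
BASELINE_LOGINS = [
    ("svc_pos", "pos-01"), ("svc_pos", "pos-02"), ("svc_backup", "bk-01"),
    ("svc_pos", "pos-01"), ("svc_backup", "bk-01"),
]
BASELINE_FLOWS = [
    ("pos-01", "payments.example.net", 443),
    ("pos-02", "payments.example.net", 443),
    ("bk-01", "backup.example.net", 22),
]

def build_baseline(logins, flows):
    """Return (account -> set of hosts it logs in from, host -> set of (dst, port))."""
    acct_hosts, host_dests = defaultdict(set), defaultdict(set)
    for acct, host in logins:
        acct_hosts[acct].add(host)
    for host, dst, port in flows:
        host_dests[host].add((dst, port))
    return acct_hosts, host_dests

def find_deviations(baseline, logins, flows):
    """Check new records against the baseline; return findings in order found."""
    acct_hosts, host_dests = baseline
    findings, hosts_with_login_anomaly = [], set()
    for acct, host in logins:
        if host not in acct_hosts.get(acct, set()):
            findings.append(f"login: {acct} from unexpected host {host}")
            hosts_with_login_anomaly.add(host)
    for host, dst, port in flows:
        if (dst, port) not in host_dests.get(host, set()):
            findings.append(f"netflow: {host} new outbound {dst}:{port}")
            if host in hosts_with_login_anomaly:  # data correlation across sources
                findings.append(f"correlated: {host} had an unexpected login and a new outbound connection")
    return findings

# Constructed records from a later (holiday) window to evaluate.
NEW_LOGINS = [("svc_pos", "pos-01"), ("svc_backup", "pos-02")]
NEW_FLOWS = [("pos-02", "payments.example.net", 443), ("pos-02", "203.0.113.9", 8443)]

if __name__ == "__main__":
    for finding in find_deviations(build_baseline(BASELINE_LOGINS, BASELINE_FLOWS), NEW_LOGINS, NEW_FLOWS):
        print(finding)
```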
Monitoring the Social Media Accounts
Forums to Follow – Exploit.in
Threat to Threat Intelligence
Wassenaar Proposal
• 2013 Amendment
• Prevent the selling of surveillance technology to governments known to abuse human rights
• Surveillance technology includes
- Intrusion Detection Systems
- Zero Day exploits
• Punishment
- $250k fine
- Five years in prison
Threat to Threat Intelligence
Wassenaar Proposal – The Problem
• Prevents information sharing of vulnerabilities
• Prevents us from knowing our enemy
• Prevents research sharing…even within the same organization
• Hackers gonna hack – so it really only impacts law-abiding security professionals
Wassenaar Proposal – The Fix
• Read about the proposal
• Share it within your sphere of influence
• Make sure your legal team is informed
• Keep the conversation going
• Be specific about how this proposal will impact your ability to do your job
To Follow our Research
• Twitter:
- @AlertLogic
- @StephenCoty
- @_PaulFletcher
• Blog: https://www.alertlogic.com/resources/blog
• Newsletter: https://www.alertlogic.com/weekly-threat-report/
• Cloud Security Report: https://www.alertlogic.com/resources/cloud-security-report/
• Zero Day Magazine: http://www.alertlogic.com/zerodaymagazine/
Websites to follow
• http://www.securityfocus.com
• http://www.exploit-db.com
• http://seclists.org/fulldisclosure/
• http://www.securitybloggersnetwork.com/
• http://cve.mitre.org/
• http://nvd.nist.gov/
• https://www.alertlogic.com/weekly-threat-report/
Q&A
Paul Fletcher | Alert Logic Cyber Security Evangelist
Tricia Pattee | HOSTING Product Manager
For more information about security solutions by HOSTING, please contact our team at 888.894.4678.