ALL THAT YOU NEED TO KNOW TO ENSURE WEB SECURITY (PowerPoint PPT Presentation)



SLIDE 1

ALL THAT YOU NEED TO KNOW TO ENSURE WEB SECURITY

Presented By: Ryan McElrath & Joe Kocan

February 26, 2015

SLIDE 2

2/26/2015 2

INTRODUCTIONS

Ryan McElrath, Chief Technology Officer

Joe Kocan, IT Security Consultant

SLIDE 3

IMPORTANCE OF SECURITY

Notable breaches:

  • Sony Pictures (sensitive info, emails, unreleased films)
  • Target (40 million credit/debit cards, 70 million customer records)
  • Heartland Payment Systems (134 million credit cards – SQL Injection)
SLIDE 4

12 POINTS OF PCI COMPLIANCE

What is PCI Compliance?

Who does it apply to?

Why is it helpful for every website?

The 12 “Simple” Points of Compliance

Our Report on Compliance (2014) is 280 pages long.

https://www.pcisecuritystandards.org/

SLIDE 5

1. FIREWALLS

  • At least 3 pairs of redundant firewalls: EXT, MOST SECURED and VPN.
  • Only permit ports and services that are linked to a business case.
  • Customers are in separate network segments.

SLIDE 6

2. SYSTEM HARDENING

  • Configuration Standards: Windows, Linux, Firewalls, Switches, Load Balancers – You name it.
  • Based on CIS Security Benchmark
  • Vulnerability Scans
  • Penetration Tests
SLIDE 7

3. PROTECT STORED DATA

  • Sensitive Information is Encrypted “at rest”.
  • Sensitive segments (SQL) are in their own locked down VLAN.
  • Sensitive systems can’t be reached from or connect to the Internet.

SLIDE 8

4. ENCRYPTION

  • All sensitive transactions are secured with TLS (SSL).
  • If traffic is viewed in transit, all that can be seen is garbage.
  • Latest best practices are used: SHA256, 2048 bit or higher keys, NO SSL 2.0, NO SSL 3.0.

SLIDE 9

5. ANTIVIRUS

  • Challenge: How to get updates and AV updates to the most secured segment?
  • Control Segment: Update and AV servers.

SLIDE 10

6. DEVELOP AND MAINTAIN SECURE SYSTEMS AND APPLICATIONS

  • OWASP - Cross Site Scripting, SQL Injection, secure development practices
  • Change Request Process
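The SQL Injection item above (and the Heartland breach cited on slide 3) comes down to one coding habit. The following is an added example, not code from the presentation: a vulnerable lookup beside its parameterized fix, run against an in-memory SQLite table with constructed sample rows.

```python
"""Added example (not from the slide deck): the OWASP SQL injection issue the
slide names, shown as a vulnerable query beside its parameterized fix using
an in-memory SQLite table with constructed sample rows."""
import sqlite3

# Constructed sample data; nothing here comes from the presentation.
SAMPLE_CUSTOMERS = [
    ("alice", "4111-xxxx-xxxx-1111"),
    ("bob", "5500-xxxx-xxxx-0004"),
]


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE customers (username TEXT, card TEXT)")
    conn.executemany("INSERT INTO customers VALUES (?, ?)", SAMPLE_CUSTOMERS)
    return conn


def lookup_vulnerable(conn, username):
    # Vulnerable: user input is spliced into the SQL text, so the input can
    # change the statement's structure instead of just supplying a value.
    sql = "SELECT username, card FROM customers WHERE username = '%s'" % username
    return conn.execute(sql).fetchall()


def lookup_safe(conn, username):
    # Hardened: a bound parameter is always treated as data by the driver,
    # whatever characters it contains.
    sql = "SELECT username, card FROM customers WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()


def demo():
    """Row counts each lookup returns for a normal and a malformed username."""
    conn = make_db()
    normal = "alice"
    hostile = "x' OR '1'='1"  # textbook tautology, used here to show the difference
    return {
        "vuln_normal": len(lookup_vulnerable(conn, normal)),
        "vuln_hostile": len(lookup_vulnerable(conn, hostile)),
        "safe_normal": len(lookup_safe(conn, normal)),
        "safe_hostile": len(lookup_safe(conn, hostile)),
    }


if __name__ == "__main__":
    print(demo())
```

The vulnerable query hands back every card on the malformed input; the parameterized one treats the same string as a literal username and returns nothing.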

SLIDE 11

7. RESTRICT ACCESS

  • Separation of Duties: Developers can’t push updates, or even have access to production.
  • Any user account starts as a member of only the groups necessary for the job.
  • Granular firewall rules: only specific devices can see specific systems.

SLIDE 12

8. ASSIGN A UNIQUE ID TO EACH PERSON

  • Active Directory Integration
  • All firewalls, switches, load balancers, Linux systems are tied to AD for authentication.
  • No shared user accounts.
  • Unique digital certificates are issued to each server admin.

SLIDE 13

9. RESTRICT PHYSICAL ACCESS

  • Biometric Door Locks at facility and then at datacenter door.
  • Visitor Log
  • Video Monitoring
  • 24x7x365
SLIDE 14

10. TRACK AND MONITOR ALL ACCESS

  • Auditing turned on all systems: Windows, Linux, Firewalls, load balancers.
  • Host Based Intrusion Detection on all servers.
  • Network Intrusion Detection on key points in network.
  • All logging to centralized log servers.
  • Critical for digital forensics and incident response.
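Why the "all logging to centralized log servers" point matters for incident response: a source that fails logins on several hosts is invisible in any one host's local log. The following is an added example, not from the presentation; it parses constructed sshd lines from three Linux hosts and correlates failures per source address.

```python
"""Added example (not from the slide deck): correlating failed logins across
hosts, which is only possible once the logs sit together on a central server.
All log lines below are constructed samples in syslog layout."""
import re
from collections import defaultdict

# Constructed sample lines: "<timestamp> <host> sshd[pid]: <message>".
SAMPLE_LOGS = """\
Feb 26 10:01:02 web01 sshd[2101]: Failed password for invalid user admin from 198.51.100.7 port 51022 ssh2
Feb 26 10:01:05 web02 sshd[1888]: Failed password for invalid user admin from 198.51.100.7 port 51030 ssh2
Feb 26 10:01:09 db01 sshd[3003]: Failed password for root from 198.51.100.7 port 51041 ssh2
Feb 26 10:02:00 web01 sshd[2107]: Accepted publickey for deploy from 10.0.5.12 port 40022 ssh2
Feb 26 10:03:11 web02 sshd[1901]: Failed password for joe from 10.0.5.40 port 40100 ssh2
"""

FAILED_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ [\d:]+) (?P<host>\S+) sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<src>\S+)"
)


def parse_failures(text):
    """Return (host, user, src) tuples for each failed-login line."""
    out = []
    for line in text.splitlines():
        m = FAILED_RE.match(line)
        if m:
            out.append((m["host"], m["user"], m["src"]))
    return out


def sources_spanning_hosts(failures, min_hosts=2):
    """Map source address -> sorted hosts it failed against, keeping only
    sources seen on at least min_hosts distinct hosts: the cross-host view
    that a single host's local log can never provide."""
    hosts_by_src = defaultdict(set)
    for host, _user, src in failures:
        hosts_by_src[src].add(host)
    return {src: sorted(h) for src, h in hosts_by_src.items() if len(h) >= min_hosts}


if __name__ == "__main__":
    for src, hosts in sources_spanning_hosts(parse_failures(SAMPLE_LOGS)).items():
        print(f"{src} failed logins on {len(hosts)} hosts: {', '.join(hosts)}")
```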

SLIDE 15

11. REGULARLY TEST SECURITY SYSTEMS AND PROCESSES

  • Vulnerability Scanning
  • Pen Testing
  • Patch Management
  • Quarterly Review meetings (Internal Audits)
  • Yearly compliance audits
  • PCI isn’t something that is done once a year, it is part of our process.
SLIDE 16

12. MAINTAIN A SECURITY POLICY

  • Information Security Policy: in writing; all employees and contractors are required to read and accept.
  • Configuration Standards are all written to adhere to the security policy.
  • It ended up being dozens of separate documents that encompass all areas of security: physical, data destruction, acceptable use, etc.
  • Security Awareness Training.
SLIDE 17

SUMMARY – SECURE PCI NETWORK

  • System Isolation
  • Secure Access
  • PCI Compliant from the ground up.
  • Secure Facility
  • Scalable (Add firewall pairs as needed).
  • Fully redundant; no single point of failure.

SLIDE 18

INCAPSULA

Official Americaneagle.com Partner

Only “leader” in Gartner’s Magic Quadrant for web security

SLIDE 19

INCAPSULA NETWORK

21 data centers, 6 under construction

1 Tbps of capacity (terabits per second)

SLIDE 20

INCAPSULA NETWORK

Web Application Firewall (WAF)

  • Allows good traffic in (blue)
  • Keeps bad traffic out (red)
  • DDoS attacks
  • Bad bots
  • Web application attacks
SLIDE 21

DDOS ATTACKS

Goal is to take your site offline.

Easy to launch attacks, little to no risk of being caught.

Non-technical people rent botnets of thousands of computers.

SLIDE 22

DDOS ATTACKS

DDoS attacks are continuing to gain in popularity*

  • 57 percent increase in total DDoS attacks
  • 52 percent increase in average peak bandwidth
  • 28 percent increase in average attack duration (avg. attack – 29 hours)

* Akamai - State of the Internet [security] (stats from Q4 2013 to Q4 2014)

SLIDE 23

THANK YOU!

QUESTIONS? CONTACT YOUR ACCOUNT MANAGER OR EMAIL: STRATEGYINFO@AMERICANEAGLE.COM

#AEWebForum
