all that you
play

ALL THAT YOU NEED TO KNOW TO ENSURE WEB SECURITY Presented By: - PowerPoint PPT Presentation

Nov 02, 2023 •467 likes •711 views

ALL THAT YOU NEED TO KNOW TO ENSURE WEB SECURITY Presented By: Ryan McElrath & Joe Kocan February 26, 2015 INTRODUCTIONS Ryan McElrath Chief Technology Officer Joe Kocan IT Security Consultant 2/26/2015 2 IMPORTANCE OF SECURITY

  1. ALL THAT YOU NEED TO KNOW TO ENSURE WEB SECURITY Presented By: Ryan McElrath & Joe Kocan February 26, 2015

  2. INTRODUCTIONS Ryan McElrath Chief Technology Officer Joe Kocan IT Security Consultant 2/26/2015 2

  3. IMPORTANCE OF SECURITY Notable breaches: • Sony Pictures (sensitive info, emails, unreleased films) • Target (40 million credit/debit cards, 70 million customer records) • Heartland Payment Systems (134 million credit cards – SQL Injection) 2/26/2015 3

  4. 12 POINTS OF PCI COMPLIANCE https://www.pcisecuritystandards.org/ What is PCI Compliance? Who does it apply to? Why is it helpful for every website? The 12 “Simple” Points of Compliance Our Report on Compliance (2014) is 280 pages long 2/26/2015 4

  5. 1. FIREWALLS • At least 3 pairs of redundant firewalls; EXT, MOST SECURED and VPN. • Only permit ports and services that are linked to a business case. • Customers are in separate network segments. 2/26/2015 5

  6. 2. SYSTEM HARDENING • Configuration Standards; Windows, Linux, Firewalls, Switches, Load Balancers – You name it. • Based on CIS Security Benchmark • Vulnerability Scans • Penetration Tests 2/26/2015 6

  7. 3. PROTECT STORED DATA • Sensitive Information is Encrypted “at rest”. • Sensitive segments (SQL) are in their own locked down VLAN. • Sensitive systems can’t be reached from or connect to the Internet. 2/26/2015 7

  8. 4. ENCRYPTION • All sensitive transactions are secured with TLS (SSL). • If traffic is viewed in transit, all that can be seen is garbage. • Latest best practices are used: SHA256, 2048 bit or higher keys, NO SSL 2.0, NO SSL 3.0 2/26/2015 8

  9. 5. ANTIVIRUS • Challenge; How to get updates and AV updates to most secured segment? • Control Segment; Update and AV servers. 2/26/2015 9

  10. 6. DEVELOP AND MAINTAIN SECURE SYSTEMS AND APPLICATIONS • OWASP - Cross Site Scripting, SQL Injection, secure development practices • Change Request Process 2/26/2015 10

  11. 7. RESTRICT ACCESS • Separation of Duties; Developers can’t push updates, or even have access to production. • Any user account starts as members of only groups necessary for job. • Granular firewall rules, only specific devices can see specific systems. 2/26/2015 11

  12. 8. ASSIGN A UNIQUE ID TO EACH PERSON • Active Directory Integration • All firewalls, switches, load balancers, Linux systems are tied to AD for authentication. • No shared user accounts. • Unique digital certificates are issued to each server admin. 2/26/2015 12

  13. 9. RESTRICT PHYSICAL ACCESS • Biometric Door Locks at facility and then at datacenter door. • Visitor Log • Video Monitoring • 24x7x365 2/26/2015 13

  14. 10. TRACK AND MONITOR ALL ACCESS • Auditing turned on all systems; Windows, Linux, Firewalls, load balancers. • Host Based Intrusion Detection on all servers. • Network Intrusion Detection on key points in network • All logging to centralized log servers. • Critical for digital forensics and incident response. 2/26/2015 14

  15. 11. REGULARLY TEST SECURITY SYSTEMS AND PROCESSES • Vulnerability Scanning • Pen Testing • Patch Management • Quarterly Review meetings (Internal Audits) • Yearly compliance audits • PCI isn’t something that is done once a year, it is part of our process. 2/26/2015 15

  16. 12. MAINTAIN A SECURITY POLICY • Information Security Policy; In writing all employees and contractors are required to read and accept. • Configuration Standards are all written to adhere to the security policy. • It ended up being dozens of separate documents that encompass all areas of security; physical, data destruction, acceptable use, etc. • Security Awareness Training. 2/26/2015 16

  17. SUMMARY – SECURE PCI NETWORK • System Isolation • Secure Access • PCI Compliant from the ground up. • Secure Facility • Scalable (Add firewall pairs as needed). • Fully redundant; no single point of failure. 2/26/2015 17

  18. INCAPSULA Official Americaneagle.com Partner Only “leader” in Gartner’s Magic Quadrant for web security 2/26/2015 18

  19. INCAPSULA NETWORK 21 data centers 6 under construction 1 Tbps of capacity (terabits per second) 2/26/2015 19

  20. INCAPSULA NETWORK Web Application Firewall (WAF) - Allows good traffic in (blue) - Keeps bad traffic out (red) - DDoS attacks - Bad bots - Web application attacks 2/26/2015 20

  21. DDOS ATTACKS Goal is to take your site offline Easy to launch attacks, little to no risk of being caught Non-technical people rent botnets of thousands of computers 2/26/2015 21

  22. DDOS ATTACKS DDoS attacks are continuing to gain in popularity* - 57 percent increase in total DDoS attacks - 52 percent increase in average peak bandwidth 28 percent increase in average attack duration (avg. attack – 29 hours) - * Akamai - State of the Internet [security] (stats from Q4 2013 to Q4 2014) 2/26/2015 22

  23. THANK YOU! Q U E S TI O N S ? C O N T AC T Y O U R AC C O U N T M AN A G E R O R E M AI L : S TR AT E G Y I N F O @ AM E R I C A N E A G L E . C O M #AEWebForum

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

CYBERSECURITY: EMERGING THREATS AND MITIGATION STRATEGIES Gogwim , Joel Godwin, B. Tech (Hons),

CYBERSECURITY: EMERGING THREATS AND MITIGATION STRATEGIES Gogwim , Joel Godwin, B. Tech (Hons),

CYBERSECURITY: EMERGING THREATS AND MITIGATION STRATEGIES Gogwim , Joel Godwin, B. Tech (Hons), MPhil. (SA), CCNA, CCDA, CCAI, CCNP, CCDP, CEH, MNCS, MCPN, MNiRA, MCFIN ICT Directorate University of Jos, Nigeria email : gogwim[at]unijos.edu.ng

236 views • 10 slides
Momchil Karov VanSecSIG Best Buy Canada Oct 12, 2018 1 PRESENTED BY: (A.K.A. THE

Momchil Karov VanSecSIG Best Buy Canada Oct 12, 2018 1 PRESENTED BY: (A.K.A. THE

HOW TO EMBED SECURITY INTO AGILE? Momchil Karov VanSecSIG Best Buy Canada Oct 12, 2018 1 PRESENTED BY: (A.K.A. THE WHO AM I SLIDE) Momchil Karov, MSc., CISSP Principal Security Architect Enterprise Risk and Compliance Best

777 views • 44 slides
Project Plan Connected Appliances Analytics Dashboard The Capstone Experience Team Whirlpool

Project Plan Connected Appliances Analytics Dashboard The Capstone Experience Team Whirlpool

Project Plan Connected Appliances Analytics Dashboard The Capstone Experience Team Whirlpool Derrick Neier Jim Solce Zach Taylor Joe Tuohey Department of Computer Science and Engineering Michigan State University Fall 2012 From Students

447 views • 17 slides
Domain System Threat Landscape Pablo Rodriguez Nic.pr Janelle McAlister - MarkMonitor

Domain System Threat Landscape Pablo Rodriguez Nic.pr Janelle McAlister - MarkMonitor

Domain System Threat Landscape Pablo Rodriguez Nic.pr Janelle McAlister - MarkMonitor Agenda n History n Nic.PR Case Study q Registrar Perspective q Registry Perspective n Future solutions History n Over the past few years

643 views • 26 slides
Security challenges within an Information System Directorate Works of the RWGs 5th meeting on

Security challenges within an Information System Directorate Works of the RWGs 5th meeting on

Security challenges within an Information System Directorate Works of the RWGs 5th meeting on Computer Development 25/04/2019 DGD/DSID/Ple Scurit 1 Security challenges within an Information System Directorate 29/04/2019 DGD/DSID/Ple

376 views • 14 slides
Solr Presented by Jacob Pitassi 07.28.12 Monday, July 30, 12 Hello Jacob Pitassi Director of

Solr Presented by Jacob Pitassi 07.28.12 Monday, July 30, 12 Hello Jacob Pitassi Director of

Solr Presented by Jacob Pitassi 07.28.12 Monday, July 30, 12 Hello Jacob Pitassi Director of Engineering jpitassi@stauffer.com stauffer.com Monday, July 30, 12 What are you talking about Monday, July 30, 12 Parts of this presentation

624 views • 26 slides
The Future of E-Commerce is More Web-like Ian Jacobs W3C I. What the Web Means for Commerce

The Future of E-Commerce is More Web-like Ian Jacobs W3C I. What the Web Means for Commerce

The Future of E-Commerce is More Web-like Ian Jacobs W3C I. What the Web Means for Commerce Source: merchandisingmatters.com New Zealand E-Commerce Source: Nielsen New Zealand E-Commerce Report 2016 E-Commerce Rising Proportion of Retail

861 views • 45 slides
Software Systems by Incorporating Security Knowledge Stefan Grtner and Kurt Schneider Software

Software Systems by Incorporating Security Knowledge Stefan Grtner and Kurt Schneider Software

Maintaining Requirements for Long-Living Software Systems by Incorporating Security Knowledge Stefan Grtner and Kurt Schneider Software Engineering Group, Leibniz Universitt Hannover, Germany Thomas Ruhroth, Jens Brger, and Jan Jrjens

480 views • 24 slides
DC GIS Steering Committee November 2014 10:00 AM 12:00 PM 200 I Street SE, 5 th Floor

DC GIS Steering Committee November 2014 10:00 AM 12:00 PM 200 I Street SE, 5 th Floor

DC GIS Steering Committee November 2014 10:00 AM 12:00 PM 200 I Street SE, 5 th Floor Washington, DC 20003 Conference Room: 5009 Agenda Introductions and Establish Quorum Approve Minutes 8/21/2014 DC GIS News OCTO GIS News

1.1k views • 93 slides
Monthly Security Bulletin Briefing (July 2013) Teresa Ghiorzoe Security Program Manager LATAM

Monthly Security Bulletin Briefing (July 2013) Teresa Ghiorzoe Security Program Manager LATAM

Monthly Security Bulletin Briefing (July 2013) Teresa Ghiorzoe Security Program Manager LATAM Blog de Seguridad: http://blogs.technet.com/b/seguridad/ Twitter: LATAMSRC GBS Security Worldwide Programs 1 Security Advisories July 2013 New

413 views • 27 slides
Segurana em APIs REST Heitor Vital reas de Atuao o Cloud Computing

Segurana em APIs REST Heitor Vital reas de Atuao o Cloud Computing

Segurana em APIs REST Heitor Vital reas de Atuao o Cloud Computing twitter.com/heitorvital o Segurana Informao o Jogos slideshare.net/HeitorVital o Dispositivos Mveis o labs.siteblindado.com

412 views • 22 slides
Ramy Ahmed Fathy, PhD Vice Chairman of ITU-T SG20 Director, Digital Services Planning and Risk

Ramy Ahmed Fathy, PhD Vice Chairman of ITU-T SG20 Director, Digital Services Planning and Risk

ITU Workshop Smart Sustainable Cities (Samarqand - Uzbekistan 1- 2 June 2017) Trustworthy ICT: The notion of Trust, Security, and Privacy Ramy Ahmed Fathy, PhD Vice Chairman of ITU-T SG20 Director, Digital Services Planning and Risk Assessment

758 views • 52 slides
An Empirical Study of PHP Feature Usage: A Static Analysis Perspective Mark Hills, Paul Klint,

An Empirical Study of PHP Feature Usage: A Static Analysis Perspective Mark Hills, Paul Klint,

An Empirical Study of PHP Feature Usage: A Static Analysis Perspective Mark Hills, Paul Klint, and Jurgen J. Vinju CWI, Software Analysis and Transformation (SWAT) ISSTA 2013 Lugano, Switzerland July 16-18, 2013 http://www.rascal-mpl.org

857 views • 46 slides
Securing Digital Fintech Platform Value Proposition and Security Challenges Agus F. Abdillah

Securing Digital Fintech Platform Value Proposition and Security Challenges Agus F. Abdillah

Securing Digital Fintech Platform Value Proposition and Security Challenges Agus F. Abdillah Jakarta - 28 th Nov, 2018 1 Securing Fintech 1 Introduction 2 What Being Platform Means? AGENDA What is Value Proposition for Digital 3

353 views • 18 slides
Crosstalk - How can we avoid it - Herv Grabas Mutual Inductance and Capacitance Crosstalk

Crosstalk - How can we avoid it - Herv Grabas Mutual Inductance and Capacitance Crosstalk

Crosstalk - How can we avoid it - Herv Grabas Mutual Inductance and Capacitance Crosstalk is the coupling of energy from one line to another via: Mutual capacitance (electric field) Mutual inductance (magnetic field) Mutual Inductance, L

967 views • 29 slides
CRediT Taxonomy of Contributor Roles: Early implementation at Cell Press Patrick Hannon

CRediT Taxonomy of Contributor Roles: Early implementation at Cell Press Patrick Hannon

CRediT Taxonomy of Contributor Roles: Early implementation at Cell Press Patrick Hannon Editorial Operations Manager, Cell Press EMUG, June 2016 CRediT: Background CRediT: Background The traditional author list CRediT: Background 2012 :

437 views • 19 slides
CMOS Image Sensor Simulation 2D and 3D Simulation Basic Structure and operation of CMOS Image

CMOS Image Sensor Simulation 2D and 3D Simulation Basic Structure and operation of CMOS Image

CMOS Image Sensor Simulation 2D and 3D Simulation Basic Structure and operation of CMOS Image Sensor CMOS Image Sensor CMOS Image Sensor cross section of (PD/TG_2/FD): equivalent circuit TG_1 TG FD PD TG_2 FD PD TG_3 TG_3 - 2 - CMOS

572 views • 17 slides
Topological implications of negative curvature for biological and social networks Bhaskar

Topological implications of negative curvature for biological and social networks Bhaskar

Topological implications of negative curvature for biological and social networks Bhaskar DasGupta Department of Computer Science University of Illinois at Chicago Chicago, IL 60607 bdasgup@uic.edu November 29, 2014 Joint work with Rka

1.2k views • 106 slides
EVP, Products & Strategy Strategy Session - MaaS Erez Dagan Mobility Market

EVP, Products & Strategy Strategy Session - MaaS Erez Dagan Mobility Market

EVP, Products & Strategy Strategy Session - MaaS Erez Dagan Mobility Market Inefficiencies & opportunity The Mobility Supply challenge Serve individual A-to-B-at-T demand instances, while minimizing latencies , costs and

610 views • 21 slides
At-Speed BIST for Board-Level Interconnect Artur Jutman artur@pld.ttu.ee Tallinn University of

At-Speed BIST for Board-Level Interconnect Artur Jutman artur@pld.ttu.ee Tallinn University of

EBTW05 EBTW05 At-Speed BIST for Board-Level Interconnect Artur Jutman artur@pld.ttu.ee Tallinn University of Technology, ESTONIA EBTW 2005, Tallinn, Estonia Slide 1 Outline EBTW05 EBTW05 1. Introduction 2. Interconnect Faults: Models

809 views • 54 slides
This transcript was exported on Feb 03, 2020 - view latest version here. Speaker 1: OK. And then

This transcript was exported on Feb 03, 2020 - view latest version here. Speaker 1: OK. And then

This transcript was exported on Feb 03, 2020 - view latest version here. Speaker 1: OK. And then we'll just move on to the action item, which is a consideration of preliminary planned unit development. Plus, SRU, Special Review Use. O

371 views • 13 slides
Applied Performance Theory @kavya719 kavya applying performance theory to practice

Applied Performance Theory @kavya719 kavya applying performance theory to practice

Applied Performance Theory @kavya719 kavya applying performance theory to practice performance Whats the additional load the system can support, without degrading response time ? Whatre the system utilization bottlenecks ?

948 views • 56 slides
RAMA HOETZLEIN Graphics Research Engineer | SIGGRAPH 2013 Outline Atomic Ops state Bottlenecks

RAMA HOETZLEIN Graphics Research Engineer | SIGGRAPH 2013 Outline Atomic Ops state Bottlenecks

RAMA HOETZLEIN Graphics Research Engineer | SIGGRAPH 2013 Outline Atomic Ops state Bottlenecks change Divergence Occupancy Part 1 CUDA Best Practice Hardware Strategies Diffuclty Part 2 CUDA Optimization Deploy Optimize

661 views • 55 slides
NICMOS Status Roelof de Jong (STScI) and the NICMOS team: Santiago Arribas, Elizabeth Barker,

NICMOS Status Roelof de Jong (STScI) and the NICMOS team: Santiago Arribas, Elizabeth Barker,

NICMOS Status Roelof de Jong (STScI) and the NICMOS team: Santiago Arribas, Elizabeth Barker, Eddie Bergeron, Ilana Dashevsky, Anton Koekemoer, Sangeeta Malhotra, Bahram Mobasher, Keith Noll, Tom Wheeler, Tommy Wiklind, Chun Xu and Ralph

541 views • 26 slides

More recommend