
Website Security: It’s Not all About the Hacker Anymore

Academic year: 2021


(1)

Website Security 1

Website Security: It’s Not all About the Hacker Anymore

Mike Smart

Sr. Manager, Products and Solutions Trust Services & Website Security

(2)

Website Security Challenges

March 26, 2012 Title of presentation

2

Evolving Web Use: Enable Business; Innovation and Agility; Protect the Brand; Consumerization; More Mobility; Social; Augmented; ‘Big Data’

(3)

UK Mobile Web Usage Growth

Source: 2011 Tecmark Research

82% of the UK population use the Internet

Of the European population use the Internet (figure absent from the extracted slide)

(4)

Personalising the Web


Social-Personal

(5)

Website Security Challenges


Evolving Cyber Crime: Web-focused; Targeting users; Stealing confidential information


(6)

Today’s Web Threat Lifecycle

More Malware Variations: 13,300 signatures created per day

Attacks Target Users vs Machines: 1 in 179 emails are phishing!

4,915 malicious websites blocked per day

Increasing Attack Success! 87.5% of malicious websites are compromised legitimate sites

Web 2.0 is the Catalyst! 93% increase in web-based attacks

(7)

[Diagram: Hacker, Legitimate Web Site, User, User’s machine is now owned]

1. Hacker compromises a legitimate web site URL
2. Website attacks the user’s browser by targeting vulnerabilities (drive-by download), or the user is infected using social engineering techniques (fake AV / fake codec)
3. User’s machine is now owned

• Enterprise and consumer users are infected today from web-based attacks:

– Web attack toolkits → drive-by downloads

– Social engineering attacks

(8)

Anatomy of a Web User Based Attack

[Diagram: Legitimate Web Site]

• Cyber criminals are targeting users:

– Web sites use SSL sparingly

– Sniffing tools allow attackers to steal session cookies sent in the clear

1. User visits a secure site to log on under SSL
2. Website plants a session cookie on the user’s machine
3. When the website asks for the cookie outside SSL, it is sent in the clear
4. Attacker steals the cookie and emulates the user (‘Sidejacking’)
5. Attacker can now steal personal information or plant malicious links or malware

(9)

‘Sidejacking’ Becomes Mainstream

“The only effective fix for this problem is full end-to-end encryption, known on the web as HTTPS or SSL.”

Eric Butler, author of Firesheep

(10)

Website Security Challenges

Evolving Infrastructures: Externalisation & Virtualisation; Consolidation; Integration

(11)

External IT Areas

IT Shift – all point at Data Governance

(12)

Website Security Challenges

Evolving Regulations: Protect the Consumer; Protect the User

(13)

Challenges In Managing an Evolving Certificate Infrastructure

43% don’t have a policy for crypto (key lengths, certificate lifetime and private key admin requirements)

46% don’t have the ability to generate a report on how many certificates were due to expire within 30 days

62% don’t have an automated process to ensure corporate policy and regulatory compliance

75% did not have an automated process to replace compromised certificates
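The two largest gaps above, no 30-day expiry report and no written crypto policy, are exactly what a short inventory script closes. The Python below is an added example, not code from the presentation or from any vendor tool. It takes an inventory in the dictionary shape that Python’s ssl.getpeercert() returns (subject, notBefore, notAfter) and parses the dates with the standard-library ssl.cert_time_to_seconds(); the key_bits field, the example.test host names, the three inventory entries, the 2048-bit minimum and the 825-day maximum lifetime are all this example’s own constructed data and assumed policy, not values from the page.

```python
"""Certificate inventory report: 30-day expiry window and policy checks.

Added example. The inventory below is constructed and shaped like the dict
that ssl.SSLSocket.getpeercert() returns, plus a made-up key_bits field
that getpeercert() does not provide.
"""
import ssl
from datetime import datetime, timezone

# Constructed inventory; in practice collect one entry per host from getpeercert().
INVENTORY = [
    {"subject": ((("commonName", "www.example.test"),),),
     "notBefore": "Apr 10 00:00:00 2011 GMT",
     "notAfter": "Apr 10 00:00:00 2012 GMT", "key_bits": 2048},
    {"subject": ((("commonName", "api.example.test"),),),
     "notBefore": "Mar 20 00:00:00 2011 GMT",
     "notAfter": "Mar 20 00:00:00 2012 GMT", "key_bits": 1024},
    {"subject": ((("commonName", "shop.example.test"),),),
     "notBefore": "Sep 01 00:00:00 2010 GMT",
     "notAfter": "Sep 01 00:00:00 2013 GMT", "key_bits": 2048},
]

# Policy values assumed for this example, not taken from the presentation.
MIN_KEY_BITS = 2048
MAX_LIFETIME_DAYS = 825

# The presentation date, used as the reference 'now' so the report is reproducible.
PRESENTATION_DATE = datetime(2012, 3, 26, tzinfo=timezone.utc)


def common_name(cert):
    """Pull commonName out of the nested subject tuples that getpeercert() uses."""
    for rdn in cert.get("subject", ()):
        for key, value in rdn:
            if key == "commonName":
                return value
    return "<no CN>"


def as_datetime(cert_time):
    """Parse the 'Mon DD HH:MM:SS YYYY GMT' form with the stdlib helper."""
    return datetime.fromtimestamp(ssl.cert_time_to_seconds(cert_time), tz=timezone.utc)


def expiry_report(inventory, now, window_days=30):
    """(cn, days_left) for every cert already expired or expiring within the window,
    soonest first; a negative days_left means the cert has already expired."""
    rows = []
    for cert in inventory:
        days_left = (as_datetime(cert["notAfter"]) - now).days
        if days_left <= window_days:
            rows.append((common_name(cert), days_left))
    return sorted(rows, key=lambda row: row[1])


def policy_violations(inventory, min_key_bits=MIN_KEY_BITS, max_lifetime_days=MAX_LIFETIME_DAYS):
    """(cn, reason) for each cert that breaks the key-length or lifetime policy."""
    problems = []
    for cert in inventory:
        cn = common_name(cert)
        if cert["key_bits"] < min_key_bits:
            problems.append((cn, f"key is {cert['key_bits']} bits, policy minimum {min_key_bits}"))
        lifetime = (as_datetime(cert["notAfter"]) - as_datetime(cert["notBefore"])).days
        if lifetime > max_lifetime_days:
            problems.append((cn, f"lifetime {lifetime} days exceeds {max_lifetime_days}"))
    return problems


if __name__ == "__main__":
    for cn, days in expiry_report(INVENTORY, PRESENTATION_DATE):
        print(f"{cn}: {'EXPIRED' if days < 0 else 'expires in'} {abs(days)} days")
    for cn, reason in policy_violations(INVENTORY):
        print(f"{cn}: {reason}")
```

Run against the constructed inventory on the presentation date, the report lists api.example.test as already expired and www.example.test as expiring in 15 days, and the policy check flags the 1024-bit key and the three-year certificate. Feeding it real getpeercert() output from a host scan gives the same report for a live estate.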

(14)

Many Regulations and Many Controls: Unified Framework / Regulatory Framework

All regulations are based on the same confidentiality and integrity goals.

Common Data Protection Mandates

• Limit use of confidential data

• Control access to confidential data

• Guarantee confidentiality of confidential data

• Maintain the integrity of confidential data

• Enforce administrator separation of duties on systems holding confidential data

• Maintain audit and log records of confidential data activities

(15)

Encryption is the Key

(16)

Unified Framework / Regulatory Framework: Encryption Directly Addressing Requirements

Data encryption directly addresses the same core confidentiality and integrity requirements common across all regulations. Against the Common Data Protection Mandates listed on slide 14:

• Encryption enables an authentication and authorization layer.

• Encryption fundamentally isolates your data from other tenants in a shared cloud environment and shields it from unauthorized data breach.

• Encryption inherently provides for integrity controls.

• Encryption can add an additional authentication and authorization layer for administrators, separate from data owners.

• Encryption key ownership is tangible proof of data ownership. Encrypt/decrypt actions become easy log and audit proofs.

• Data encryption and tokenization limit the exposed footprint of data.

(17)

Perfect Storm of Attack on SSL Model

• Certificate Authority attacks

• Exploiting weaknesses in SSL certificate infrastructure

• Serious repercussion: DigiNotar resulted in removal from the browsers’ trust lists and bankruptcy!

(18)

Leading Browsers and All Major Certificate Authorities

• Industry Self-regulation

• Experts collaborate to address common concerns and improve security for the consumer

• Sharing information about the evolving threat environment and potential breaches

(19)

Domain Validation

• Encryption

• Validation of domain control

• Padlock in browser

• Issued in minutes

Organization Validation

• Authentication of organization

• Proof of applicant’s right to request cert for domain

• Organization details in Certificate Info

• Blue address bar in browser

• Issued in 1-2 days

Extended Validation

• Stringent, industry-standardized authentication of organization

• Business-beneficial green address bar in browser

• Issued in 7-10 days

(20)

Domain or Organisation Validation

(21)

Extended Validation

(22)

Extended Validation Display By Browser

(23)

Recommendations

• Use HTTPS on all pages

• Resolve and avoid mixed content

• Encrypt all identifying and private information

• Use only secure cookies

• Use valid SSL certificates from trusted CAs

• Patch, update, and harden systems
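The sidejacking chain on slide 8 (cookie set under SSL, later requested outside SSL, sent in the clear, replayed by whoever sniffed it) and the recommendations above (HTTPS on all pages, no mixed content, Secure cookies) can be turned into a check a site owner runs against their own responses. The Python below is an added example, not part of the original presentation or any vendor tool: it audits a constructed ‘before’ response and a hardened ‘after’ response for the conditions that let a session cookie travel unencrypted, and models the browser rule that makes step 3 of the attack possible. The header and body samples, the example.test host names and every function name are this example’s own.

```python
"""Audit of a server response for the conditions behind session-cookie 'sidejacking'.

Added example. The response samples below are constructed; the host names
are example.test placeholders.
"""
import re

# Constructed 'before' response: session cookie without Secure/HttpOnly, no HSTS,
# and an image pulled over plain http from an https page (mixed content).
WEAK_HEADERS = [
    ("Content-Type", "text/html"),
    ("Set-Cookie", "SESSIONID=abc123; Path=/"),
]
WEAK_BODY = '<html><img src="http://static.example.test/logo.png"></html>'

# Constructed 'after' response that follows the recommendations on this slide.
HARDENED_HEADERS = [
    ("Content-Type", "text/html"),
    ("Set-Cookie", "SESSIONID=abc123; Path=/; Secure; HttpOnly; SameSite=Lax"),
    ("Strict-Transport-Security", "max-age=31536000; includeSubDomains"),
]
HARDENED_BODY = '<html><img src="https://static.example.test/logo.png"></html>'


def parse_set_cookie(value):
    """Split one Set-Cookie value into (name, attributes). Attribute names are
    lower-cased; flag attributes such as Secure map to True."""
    name_value, *attr_parts = value.split(";")
    name = name_value.split("=", 1)[0].strip()
    attrs = {}
    for part in attr_parts:
        key, _, val = part.strip().partition("=")
        if key:
            attrs[key.lower()] = val.strip() if val else True
    return name, attrs


def sent_over_plain_http(attrs):
    """Step 3 of the attack: a browser attaches the cookie to any http:// request
    for the site unless the cookie carries the Secure attribute."""
    return "secure" not in attrs


def audit_response(scheme, headers, body):
    """Return a list of findings for one response. headers is a list of
    (name, value) pairs as the server sent them; scheme is 'http' or 'https'."""
    findings = []
    lowered = [(name.lower(), value) for name, value in headers]
    if scheme != "https":
        findings.append("page served over plain HTTP: cookies and content readable on the wire")
    for name, value in lowered:
        if name != "set-cookie":
            continue
        cookie, attrs = parse_set_cookie(value)
        if sent_over_plain_http(attrs):
            findings.append(f"cookie {cookie!r} lacks Secure: sent in the clear on http:// requests")
        if "httponly" not in attrs:
            findings.append(f"cookie {cookie!r} lacks HttpOnly: readable by page script")
    if scheme == "https" and not any(name == "strict-transport-security" for name, _ in lowered):
        findings.append("no Strict-Transport-Security header: browser will still follow http:// links")
    # Sub-resources loaded over http on an https page are mixed content.
    for url in re.findall(r'src=["\'](http://[^"\']+)', body):
        findings.append(f"mixed content: {url}")
    return findings


if __name__ == "__main__":
    for label, headers, body in (("weak", WEAK_HEADERS, WEAK_BODY),
                                 ("hardened", HARDENED_HEADERS, HARDENED_BODY)):
        print(f"== {label} ==")
        for finding in audit_response("https", headers, body) or ["no findings"]:
            print(" -", finding)
```

The weak response produces four findings (cookie without Secure, cookie without HttpOnly, no HSTS, one mixed-content image); the hardened response produces none. The Secure attribute alone closes the sidejacking path; HSTS and mixed-content clean-up remove the plain-http requests that would otherwise tempt the browser into making one.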

(24)

What Is The Industry Doing?

(25)
(26)

Your Action List

• Regain visibility and control of certificates to reduce risk of business interruption and increase compliance

• Move to EV SSL certificates to increase customer trust, their click-throughs, and conversions

• Turn on the ‘Always-On SSL’ switch to protect customers’ identities and strengthen your brand

• Use value-add features like malware and vulnerability scanning, and display trust seals to validate web site security and drive more visits

60% Growth

(27)

Summary

• Drive more business to your site and increase revenues

• Protect your customer data and their financial records

• Reduce your risk exposure and time to compliance
