Holiday Prep for Ecommerce & Retail: Latest Cyber Threats & Strategies

In preparation for one of the biggest revenue seasons of the year for ecommerce and retail, Tricia Pattee, Security Product Manager at HOSTING, and Paul Fletcher, Security Evangelist at Alert Logic, will provide insight into the latest cyber security trends related to ecommerce and retail, and will:
· Examine the attack vectors of cyber attacks and the profile of the threat actors behind them
· Provide an understanding of the weaknesses and vulnerabilities that are affecting retail and ecommerce companies
· Discuss defenses against retail- and ecommerce-related breaches to help detect and prevent copycat attackers


  1. HOLIDAY PREP FOR ECOMMERCE & RETAIL: LATEST CYBER THREATS & STRATEGIES
     Paul Fletcher – Cyber Security Evangelist, @_PaulFletcher
  2. Housekeeping
     • This webinar is being recorded and an on-demand version will be available at the same URL at the conclusion of the webinar
     • Please submit questions via the button on the upper left of the viewer
       - If we don’t get to your question during the webinar, we will follow up with you via email
     • Download related resources via the “Attachments” button above the viewing panel
     • On Twitter? Join the conversation: @HOSTINGdotcom, @AlertLogic
  3. Industry Analysis – 2014 Data Breaches - Mandiant
  4. Threats by Customer Environment
     [Chart comparing Cloud Environment and On Premise Environment. Source: Alert Logic CSR 2015]
  5. Changes in the Traditional Solutions
     [Chart, scale 0% to 100%. Categories: Application attack, Brute force, Recon, Suspicious, DoS]
  6. Recent Payment-Related Breaches
     • Village Pizza Pub
       - Vendor (TransformPOS)
       - Malware gained access to active transactions
     • Utah Food Bank
       - 10k donators exposed PII and payment card data
       - Poor website security
     • Genworth Insurance
       - Agent social engineered on the phone
       - Exposed (PII) Personal Identifiable Information and (PHI) Personal Healthcare Information
  7. Threats to Retail
     On-going threats / Newer threats
     • Point of sale (POS)
     • Vendors
     • Web applications
     • eCommerce infrastructure
     • Employees
     • Denial of service
       - DoS
       - DDoS
     • Advanced persistent threat (APT)
     • Hacking groups
     • Supply chain
     • Manufacturing process
     • Business details
     • Insiders
  8. Understand your Adversaries
  9. Underground Economy
  10. TECHNOLOGY
  11. Technology Plan
     • Assessments
     • External penetration tests
     • Internal vulnerability scans
     • Application security review
     • Configuration management
     • Data integrity
     • Analyze and optimize
     • Gather system utilization data
     • Understand resource requirements/limitations
     • Establish threshold capacities
     • Plan for the best
  12. Technology Scale
     • Prepare to Scale
     • Properly sized and tested images
     • Instance efficiency
     • Identity and access management
     • Security tools
     • DDoS options
  13. Technology Tactics
     • Network segmentation
     • Isolate from operational network/web
     • Block all, then only allow documented exceptions
     • Security logging & monitoring on each segment
     • Firewall (NGFW)
     • Intrusion Detection/Prevention System
     • Deep packet inspection
     • Two factor authentication
     • Patch management
  14. Technology Tactics
     • Full mobility security plan
     • Require passwords
     • Enforce timeouts
     • Provide software updates
     • Eradicate “jail broken” devices
     • Encryption first approach
     • Security over functionality
     • Re-direct to appropriate web site
     • Email security
     • Spam
     • Phishing
     TRAIN EMPLOYEES
  15. PEOPLE AND PROCESS
  16. People and Process
     • Communications list
     • Prepare online and offline references
     • Multiple ways to contact
     • Expected response
     • Escalation path
     • Review IAM
     • Ensure least privilege concept
     • System tests after modification
     • Establish “normal” activity for system accounts
     • Review log systems
  17. Data Correlation is the Key
  18. PCI 3.1
     • Compliance
       - Unprotected primary account numbers (PANs)
         o SMS (text message)
       - Eliminate old versions of SSL and TLS
     • Security
       - Never send account information in the clear
       - Obfuscation is an easy solution
       - Encryption is best
       - Patch management to update SSL and TLS
     TRAIN EMPLOYEES
  19. INCIDENT RESPONSE
  20. Incident Response
     • Test the plan
     • Self assessment
     • Incident response director
     • Team walk through
     • Everybody with a role in the plan
     • Walk through a recent breach
     • Use the plan as a guide
     • Edit the plan as needed
     • Executive assessment
     • Walk through of scenario
     • Validate priorities
     • Live exercise
  21. Incident Response
     • Revise the plan
     • Roles and responsibilities
     • Externalize the plan
     • Forensics experts
     • Technical consultants
     • Legal
     • Public relations
     • Partners
     • Vendors
     • Law enforcement
  22. Incident Response
     • Cloud considerations
     • Clearly defined resources
     • Include when you test the plan
     • Pristine content ready to re-deploy
     • Test this capability
     • Test the plan…again
  23. PROACTIVE PURSUIT
  24. Proactive Pursuit
     • Assume you are breached and act accordingly
     • Establish the baseline
     • Understand normal system behavior
     • Use existing sources
     • Net flow
     • Log activity
     • Inbound and outbound connectivity
     • File integrity
     • Configuration settings
     • Use new technology
     • Tools to find zero day attacks
     • Short term engagement
  25. Monitoring the Social Media Accounts
  26. Forums to Follow – Exploit.in
  27. Threat to Threat Intelligence: Wassenaar Proposal
     • 2013 Amendment
     • Prevent the selling of surveillance technology to governments known to abuse human rights
     • Surveillance technology includes
       - Intrusion Detection Systems
       - Zero Day exploits
     • Punishment
       - $250k fine
       - Five years in prison
  28. Threat to Threat Intelligence
     Wassenaar Proposal – The Problem
     • Prevents information sharing of vulnerabilities
     • Prevents us from knowing our enemy
     • Prevents research sharing…even within the same organization
     • Hackers gonna hack – so it really only impacts law abiding security professionals
     Wassenaar Proposal – The Fix
     • Read about the proposal
     • Share it within your sphere of influence
     • Make sure your legal team is informed
     • Keep the conversation going
     • Be specific about how this proposal will impact your ability to do your job
  29. To Follow our Research
     • Twitter:
       - @AlertLogic
       - @StephenCoty
       - @_PaulFletcher
     • Blog:
       - https://www.alertlogic.com/resources/blog
     • Newsletter:
       - https://www.alertlogic.com/weekly-threat-report/
     • Cloud Security Report
       - https://www.alertlogic.com/resources/cloud-security-report/
     • Zero Day Magazine
       - http://www.alertlogic.com/zerodaymagazine/
     Websites to follow
     • http://www.securityfocus.com
     • http://www.exploit-db.com
     • http://seclists.org/fulldisclosure/
     • http://www.securitybloggersnetwork.com/
     • http://cve.mitre.org/
     • http://nvd.nist.gov/
     • https://www.alertlogic.com/weekly-threat-report/
  30. Q&A
     Paul Fletcher | Alert Logic, Cyber Security Evangelist
     Tricia Pattee | HOSTING, Product Manager
     For more information about security solutions by HOSTING, please contact our team at 888.894.4678.
