This document summarizes security threats, challenges, and best practices for ecommerce. It discusses 1) new vulnerabilities and zero-day exploits, mitigated through patching and virtual patching. 2) DDoS attacks, addressed through mitigation services or in-house solutions. 3) the goals of hackers, which are often data theft for purposes like blackmail, espionage, or economic gain. It also outlines principles for achieving encryption and hashing, such as keeping keys separate, using multiple authentication, designing keys to self-destruct if stolen, and restricting key export and visibility. The overall message is on the importance of mitigation strategies like patching, firewalls, and encryption to help secure systems from online threats.

1. Security Threats, Challenges and
Best Practices in ecommerce
Presented at CIO roundtable on Secure
the breach ( New Delhi, India)
12th Aug 2015
By Dinesh Aggarwal
VP-IT & CISO
Payu Payments Pvt Ltd

2. What are the treats and
challenges to ecommerce and
online industry today ?

3. 1. New Vulnerabilities and zero
days

9. Solution ??

10. 1.Patching
How do I know when these latest
patches and vulnerabilities comes

11. Regular scanning, at least once
a quarter- Nessus

12. US-CERT

13. 2. Virtual patching

15. Solution ??

16.  DDOS mitigation service from local
service provider
 In-house solution ??

19. More names ??

21. Solution ??

22.  Application firewalls
 Application penetration testing-in-
house, outsourced. Detailed POC
 Secure code review, secure SDLC
 IDS/IPS

23. What do hackers get
with all this hacking and
what is their purpose??

28. More often than not, a Hacker's ultimate goal is Data theft.
Ever wonder what does he/she do with the data? Experts say -
Data theft can be for purposes of blackmail,
espionage, economic gain and more.
The data that is stolen can be financial data (such as
credit card numbers, bank account credentials), personal
data that can further be used for profit (SSN, DOB, etc.),
credentials, private keys and passwords, medical
records, intellectual property (source code, trade secrets,
etc.), the list goes on

29. Can anyone of us claim
that they are un hackable
?

30. Solution ??

31. Secure leak

32. We have got 2
friends

33. Encryption
and hashing

34. How to achieve this
and common
mistakes

36. In real world, key is kept
securely not with
treasure
NO ?

37. Principle 1
 Always keep key
separate
 Use hash wherever possible

38. Principle 2
Lock should open with
3/multiple keys
 Multi administrator authentication for
critical tasks

39. Principle 3
Key destroys itself if someone
tries to steal it.
 Use a key encryption box with in built
Physical security.

40. Principle 4
Even treasure owner cannot see key and
take out key with him but still use it
 Key export disable
 Key not visible from naked eyes

41. Result ???

42. Secure leak

43. Thank You
Happy
mitigating
