Post on 30-May-2020

1 views 0 download

transcript

www.nbs-system.com

Magento Security

Best practices 2015

Q4 2015

Grow your business safely

http://goo.gl/MFpBWS

e-Commerce: the 60% rules

• >60% of web traffic is non-human
• >60% of attempts to steal databases target e-Commerce sites
• >60% growth of identity theft over three years
• A 2012 study showed retailer websites are at risk 328 days/year
• An IP address is scanned around 40 times per day

The triple loot

A different time scale

[Chart on a scale from seconds to years: the time between attack launch and compromise, against the time between the compromise and its discovery]

Statistics based on large corporations in 2012 (Verizon Data Breach Investigations Report)

A *very* bad year

It all started with a big #fail (Shoplift)

It all started with a big #fail (RSS orders)

It all started with a big #fail (Magmi)

Other "surprises"

Magento cache leak

But there were others before

Did you take care of the previous ones?

The PayPal / Magento integration flaw (by NBS)

NBS System will publish a new vulnerability soon

Or even the ones that were not Magento-specific?

PHP: two versions behind, really?

[Chart: PHP versions in use across our hosting fleet]

88% are outdated and not supported anymore: no security fixes (and 12% to 40% of performance to gain by upgrading).

Easily exploitable things beyond classical vulnerabilities

Magento Support giving dangerous advice

• "Chmod 777 your document root…" *REALLY*?
• "Magento is not compatible with reverse proxies." *Woot*?
• "Give me your root password so we can look" *NO KIDDING*?
• Etc…

When Magento support is being creative…

Don't go to a car dealer to fix a bad tooth…

Classical mistakes that cost…

• Leaving your logs accessible, especially the debug ones
• Leaving payment gateway logs accessible to all
• Not hiding the Magento, PHP and Apache versions
• Installing unaudited extensions: keep them to a minimum, a lot of them are BAD
• Weak passwords, together with no lockout policy, are a plague

Application-level DoS attacks

• Leaving import/export scripts, reindexers and crontabs reachable from the web
• Calling pages that load very slowly, again and again
• Hitting the import/export API directly
• Etc.
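The two slides above, as one added example that is not from the original deck: an nginx server block for a Magento 1 document root that turns off version banners and directory listing, denies the var/, app/, includes/, lib/ and shell/ trees together with the cron and install scripts, and throttles the application-level DoS targets (the API endpoints and the slow advanced search) per client address. The directory layout and URLs are the standard Magento 1 ones; the host name, certificate paths, PHP-FPM socket and rate-limit figures are assumptions to adjust.

```nginx
# Added example, not from the original deck: nginx vhost for a Magento 1
# document root. Assumptions to adjust are marked; everything else is the
# standard Magento 1 layout.

# limit_req does not count requests whose key is empty, so only the URIs
# listed here (API entry points, the slow advanced search) are throttled,
# per client address. Add your own slow pages to this map.
map $request_uri $slow_key {
    default                                "";
    ~^/api\.php                            $binary_remote_addr;
    ~^/index\.php/api/                     $binary_remote_addr;
    ~^/index\.php/catalogsearch/advanced/  $binary_remote_addr;
}
limit_req_zone $slow_key zone=magento_slow:10m rate=5r/s;   # rate: assumption

server {
    listen 443 ssl;
    server_name shop.example.com;                        # assumption
    root /var/www/magento;                               # assumption
    index index.php;
    ssl_certificate     /etc/ssl/shop.example.com.pem;   # assumption
    ssl_certificate_key /etc/ssl/shop.example.com.key;   # assumption

    # Do not advertise the nginx version. PHP's own banner is turned off
    # with expose_php = Off in php.ini; nginx cannot do that for it.
    server_tokens off;
    # Never list a directory that lacks an index file.
    autoindex off;

    # Throttle the mapped URIs: a short burst is tolerated, the excess is
    # answered with 429 immediately instead of being queued.
    limit_req zone=magento_slow burst=10 nodelay;
    limit_req_status 429;

    # var/ holds the logs (var/log/, var/report/, the payment-gateway logs
    # extensions write there), exports and sessions: deny the whole tree.
    location ^~ /var/                { deny all; }
    # Code, local.xml (database credentials and crypt key), libraries.
    location ^~ /app/                { deny all; }
    location ^~ /includes/           { deny all; }
    location ^~ /lib/                { deny all; }
    location ^~ /pkginfo/            { deny all; }
    location ^~ /report/config.xml   { deny all; }
    location ^~ /media/downloadable/ { deny all; }
    # Reindexers and other maintenance scripts are CLI tools, not pages.
    location ^~ /shell/              { deny all; }
    location = /cron.php             { deny all; }
    location = /cron.sh              { deny all; }
    location = /install.php          { deny all; }
    # .htaccess, .git, .svn and friends.
    location ~ /\.                   { return 404; }

    location / {
        try_files $uri $uri/ @handler;
    }
    location @handler {
        rewrite / /index.php;
    }
    # /index.php/foo/bar -> /index.php; Magento routes on REQUEST_URI,
    # which keeps the original path (and is what the map above sees).
    location ~ \.php/ {
        rewrite ^(.*\.php)/ $1 last;
    }
    location ~ \.php$ {
        if (!-e $request_filename) { rewrite / /index.php last; }
        expires off;
        include fastcgi_params;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        fastcgi_pass unix:/run/php-fpm.sock;             # assumption
    }
}
```

Check it with nginx -t, then from an outside address request /var/log/system.log, /app/etc/local.xml and /shell/indexer.php: each must come back 403, and a burst of a few dozen requests to /api.php must start returning 429. The Apache equivalents are ServerTokens Prod with ServerSignature Off, Options -Indexes, and Require all denied (Deny from all on 2.2) on the same directories.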

Securing Magento Flaws

Securing Magento flaws

• Update to CE 1.9 or later, or EE 1.14.1 or later, and apply the security patches Magento publishes for your version
• Use PHP 5.6
• Shoplift, Magmi, XML-RPC XXE: filter access with a .htaccess file (or an nginx rule)

Securing recent flaws

Example with Magmi (using Apache)

# Only 192.168.0.1 may reach Magmi; anyone else is bounced to the home page.
# The address is a regular expression: escape the dots and anchor the end,
# otherwise 192.168.0.10 to 192.168.0.199 get through as well.
RewriteCond %{REQUEST_URI} ^/(index\.php/)?magmi/ [NC]
RewriteCond %{REMOTE_ADDR} !^192\.168\.0\.1$
RewriteRule ^(.*)$ http://%{HTTP_HOST}/ [R=302,L]

Example with Magmi (using Nginx)

# Place this before the generic "location ~ \.php$" block: nginx takes the
# first matching regex location, and the nested location keeps PHP under
# magmi/ subject to the allow/deny list.
location ~* ^/(index\.php/)?magmi {
    allow 192.168.0.1;
    deny all;
    location ~* \.php$ {
        include fastcgi_params;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        fastcgi_pass unix:/run/php-fpm.sock;   # adjust to your PHP-FPM socket
    }
}

Behind a reverse proxy both checks see the proxy's address, not the client's: either restore the real client address (mod_remoteip for Apache, ngx_http_realip_module for nginx, fed from X-Forwarded-For by a proxy you control) or enforce the filter on the proxy itself.

Protect your backoffice & updater

Example using Apache

# Replace /admin with your (renamed) backoffice path, and repeat the block
# for the Magento 1 updater (Magento Connect Manager) under /downloader.
<Location /admin>
    AuthType Basic
    AuthName "Restricted Area"
    AuthUserFile /etc/apache2/access/htpasswd
    Require valid-user
    Order deny,allow
    # Without this line nobody is denied, and Satisfy any lets everyone in.
    Deny from all
    Allow from [MY_IP]
    # Either a valid login or the trusted address is enough.
    Satisfy any
</Location>

Then, just add a user:

htpasswd -c /etc/apache2/access/htpasswd [user]

(-c creates the file and overwrites an existing one: drop it when adding the next users.) On Apache 2.4 the same policy is written with Require valid-user and Require ip [MY_IP] inside a <RequireAny> block, without Order, Allow or Satisfy.

Leveraging native Magento security

• Use HTTPS for the backoffice and the checkout
• Change the default backoffice URL
• Do *NOT* use a weak password (no, « tommy4242 » is not safe)
• Limit the number of failed login attempts (account lockout)
• Set a password lifetime and change the password every 3 months
• Enforce case-sensitive passwords
• Disable password recovery by e-mail

In Magento 1.9 these are plain configuration: System > Configuration > Advanced > Admin (Security for the lockout, password lifetime and case-sensitivity settings; Admin Base URL for a custom backoffice URL) and System > Configuration > Web > Secure for HTTPS on the frontend and in the backoffice.

Securing the web application

Organizational security

• Get a security review
• Keep track of vulnerabilities in the Magento ecosystem
• Have strong passwords and change them every 3 months
• Do not keep information unless it is needed
• Pick a PCI DSS certified hosting company
• Use 3-D Secure
• Keep Magento and PHP up to date

Infrastructure security

• Keep a daily backup
• Use a WAF; NAXSI is open source, free and stable
• Put rate limits on your reverse proxies
• Filter your outgoing traffic (a compromised server should not be able to call home or push data out)

It's the job of your managed services provider.
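The WAF item above, as an added example that is not from the deck or from the NAXSI project: an nginx reverse proxy in front of the Magento servers with NAXSI turned on. It assumes nginx built with the naxsi module; the upstream addresses, host name and certificate paths are assumptions, and the rule id used in the whitelist refers to naxsi_core.rules as shipped with NAXSI and must be checked against the copy you install.

```nginx
# Added example, not from the deck or the NAXSI project: reverse proxy
# with NAXSI in front of Magento. Requires nginx built with the naxsi
# module. Assumptions to adjust: upstream addresses, host, certificates.

# http context: the core signatures shipped with NAXSI.
include /etc/nginx/naxsi_core.rules;

upstream magento_app {
    server 10.0.1.11:80;     # assumption
    server 10.0.1.12:80;     # assumption
}

server {
    listen 443 ssl;
    server_name shop.example.com;                        # assumption
    ssl_certificate     /etc/ssl/shop.example.com.pem;   # assumption
    ssl_certificate_key /etc/ssl/shop.example.com.key;   # assumption
    server_tokens off;

    location / {
        # Start with LearningMode on: requests are scored and logged
        # (NAXSI_FMT lines in the error log) but never blocked, and each
        # line names the rule id and zone that fired. Remove it only once
        # the catalogue, the checkout and the backoffice run clean.
        SecRulesEnabled;
        LearningMode;
        DeniedUrl "/RequestDenied";

        # Block when the score of a category reaches its threshold: one
        # strong signature, or a few weak ones in the same request.
        CheckRule "$SQL >= 8"       BLOCK;
        CheckRule "$RFI >= 8"       BLOCK;
        CheckRule "$TRAVERSAL >= 4" BLOCK;
        CheckRule "$EVADE >= 4"     BLOCK;
        CheckRule "$XSS >= 8"       BLOCK;

        # Whitelists are scoped to one rule id and one zone, never global.
        # 1013 is the simple-quote rule in naxsi_core.rules (confirm the
        # id in your copy): O'Brien must be able to check out. The field
        # names are those posted by the Magento 1 one-page checkout.
        BasicRule wl:1013 "mz:$BODY_VAR:billing[firstname]";
        BasicRule wl:1013 "mz:$BODY_VAR:billing[lastname]";

        proxy_pass http://magento_app;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto https;
    }

    # NAXSI redirects blocked requests here internally.
    location /RequestDenied {
        internal;
        return 418;
    }
}
```

The backoffice trips the XSS rules as soon as someone saves HTML in a CMS page: give it its own location with its own whitelists (or the address restriction from the backoffice slide) rather than loosening the rules site-wide. Per-client rate limiting (limit_req) belongs in the same location block, in front of proxy_pass.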

Host level security

• Change the default backoffice URL
• Disable directory indexing
• Have correct permissions: files 644, directories 755 (only var/ and media/ need to be writable by the PHP user; keep it to those two trees)
• No follow, no index on preprod (and restrict access to it as you do for the backoffice)
• Use the best practices mentioned before

It's the job of your managed services provider.

High-end security

[Diagram: CerberHost, the NBS System hosting security stack, by layer]

Layers: Hardware, Operating system, Network, Applicative stack, Database, Website, Humans

Components shown, in the order they appear on the slide: Motivating wages, SOC team, Security trainings, Background checks, N.A.X.S.I (web application firewall), ReqLimit (anti application-level DoS), ExecVE killer, File Upload checker, PHP Suhosin V2, App scan, Threadfix virtual patching, MySQL Interceptor, Daemon hardening, Anti-DDoS, Isolated VLANs, Firewalling, PaX, GrSec, Watch Folder, PHP Malware finder, Redundant hardware, Redundant datacenters, Redundant data storage, Redundant telecom uplinks, Central log, Security Event Manager, Flex Dynamic Firewall, Ban Commander

CerberHost

Contact

Grow your business safely

contact@nbs-system.com
+33.1.58.56.60.80
www.nbs-system.com
Twitter: @nbs_system