E-Commerce Technology Risk and Security Brian Trevey and Randy Romes.

Date post: 15-Jan-2016
Page 1

E-Commerce Technology Risk and Security

Brian Trevey and Randy Romes

Page 2

Confidential

Presenter Contact Information

Randall J. Romes, CISSP, MCP
Principal, Information Security Services
LarsonAllen LLP
612-397-3114 Office
612-554-3967
[email protected]

Brian Trevey
Vice President - Delivery
Trustwave
410/573-6910 x7828 Office
410/507-3084
[email protected]

Page 3

Agenda

• Trends in E-Commerce and Information Security

• Compliance Drivers

• Security Best Practices

• Recommendations

Page 4

Anatomy of a Data Breach – Initial Entry

Trustwave Data Breach Analysis

Top Methods of Entry Included:

• Remote Access Applications [45%]

– Default vendor-supplied or weak passwords [90%]

• 3rd Party Connections [42%]

– MPLS, ATM, frame relay

• SQL Injection [6%]

– Web application compromises [90%]

• Exposed Services [4%]

• Remote File Inclusion [2%]

• Email Trojan [<1%]

– 2 recent Adobe vulnerability cases

• Physical Access [<1%]

Page 5

Anatomy of a Data Breach – Initial Entry

SANS 2009 Cyber Security Risk Report

• Client-side software vulnerabilities

• Commonly used programs such as Adobe PDF Reader, QuickTime, Adobe Flash and Microsoft Office

• Internet-facing websites (> 60% of total Internet attack attempts)

• Web application vulnerabilities such as SQL injection and Cross-Site Scripting flaws in open-source as well as custom-built applications account for more than 80% of the vulnerabilities being discovered.

Attack Vectors:

• Email Phishing

• Drive-by Downloads

Page 6

Email Phishing – Targeted Attack

Two or three tell-tale signs

Can you find them?

Randall J. Romes [[email protected]]

https://microsoft.issgs.net

Page 7

Email Phishing – Targeted Attack

Fewer tell-tale signs on fake websites

https://microsoft.issgs.net
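The lookalike link on the two phishing slides (https://microsoft.issgs.net, where the registrable domain is issgs.net, not microsoft.com) is a sign that a mail gateway or awareness tool can check mechanically. The following is an added example, not code from the presentation: it parses a link, derives the registrable domain with a simple last-two-labels rule (an assumption; suffixes such as co.uk need a public-suffix list), and reports when a trusted brand name appears only as a subdomain of an unrelated domain. The brand allow-list is constructed for the example.

```python
from urllib.parse import urlsplit

# Constructed allow-list: brand names and the registrable domains they really
# use. A real deployment maintains this per organisation.
BRAND_DOMAINS = {
    "microsoft": {"microsoft.com", "live.com", "outlook.com"},
    "comerica": {"comerica.com"},
}


def registrable_domain(host: str) -> str:
    """Last two DNS labels, e.g. 'microsoft.issgs.net' -> 'issgs.net'.

    Assumption: a single-label public suffix. Suffixes such as 'co.uk' need a
    public-suffix list; this keeps the example dependency-free.
    """
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def phishing_signs(url: str) -> list:
    """Return the tell-tale signs found in a link; an empty list means none."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    reg = registrable_domain(host)
    signs = []
    # The lock icon on the slide's fake site was real: https only proves the
    # connection is encrypted, so the checks below look at who owns the host.
    for brand, real_domains in BRAND_DOMAINS.items():
        if brand in host and reg not in real_domains:
            signs.append(f"brand '{brand}' appears as a subdomain of unrelated domain '{reg}'")
    # Userinfo before '@' is a classic way to make the real host look like a path.
    if parts.username is not None:
        signs.append(f"userinfo before '@' hides the real host '{host}'")
    # Punycode labels can render as homoglyphs of a real name.
    if any(label.startswith("xn--") for label in host.split(".")):
        signs.append("internationalised (xn--) label may be a homoglyph of a real name")
    return signs
```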

Page 8

Michigan Company Sues Bank

A Michigan company, EMI, is suing its bank, Comerica, after cyber thieves allegedly made fraudulent wire transfers totaling US $560,000.

The cyber thieves obtained the banking account credentials through a phishing email sent to an employee at EMI.

The transactions wired funds to bank accounts in Russia, Estonia, Scotland, Finland, China and the US, and the funds were withdrawn soon after the deposits were made.

EMI alleges that Comerica's security practices made it vulnerable to the phishing attack: the bank allegedly routinely sent its online customers emails with links asking them to submit information to renew digital certificates.

EMI also alleges that the bank failed to notice unusual activity. Until the fraudulent transactions were made, EMI had made just two wire transfers ever; in just a three-hour period, 47 wire transfers and 12 transfer-of-funds requests were made.

In addition, after EMI became aware of the situation and asked the bank to halt transactions, the bank allegedly failed to do so until 38 more had been initiated.
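The unusual-activity allegation above (two wires in the account's history, then 47 in three hours, to countries the account had never used, continuing after a halt request) is what a per-transaction velocity and baseline check is meant to catch. The following is an added example, not code from the presentation or from either bank: the wire log is constructed to mirror the case, and the three checks map to the three allegations. Amounts, timestamps and country codes are constructed sample values.

```python
from datetime import datetime, timedelta

# Constructed wire log modelled on the EMI case: two wires in the account's whole
# history, then 47 in under three hours to countries it never used before.
HISTORY = [
    ("2009-03-05 10:12", 8_500.00, "US"),
    ("2009-09-21 14:40", 12_000.00, "US"),
]
BURST_START = datetime(2010, 1, 22, 7, 30)
BURST = [
    ((BURST_START + timedelta(minutes=3 * i)).strftime("%Y-%m-%d %H:%M"),
     11_900.00, ["RU", "EE", "GB", "FI", "CN", "US"][i % 6])
    for i in range(47)
]


def parse(ts: str) -> datetime:
    return datetime.strptime(ts, "%Y-%m-%d %H:%M")


def wires_in_window(log, now, window) -> int:
    """Count wires with a timestamp in (now - window, now]."""
    return sum(1 for ts, _, _ in log if now - window < parse(ts) <= now)


def review(history, incoming, halt_at=None, window=timedelta(hours=3)):
    """Run each incoming wire through three checks that mirror the allegations
    and return [(index, reasons)] for every wire that should be held."""
    seen = list(history)
    held = []
    for i, wire in enumerate(incoming):
        ts, _amount, country = wire
        now = parse(ts)
        reasons = []
        # 1. Customer asked for a halt: nothing after that time goes out.
        if halt_at is not None and now >= halt_at:
            reasons.append("customer requested a halt")
        # 2. Velocity: more wires in this window than in the account's entire
        #    prior history outside the window.
        in_window = wires_in_window(seen, now, window) + 1
        lifetime_before = len(seen) - (in_window - 1)
        if in_window > lifetime_before:
            reasons.append(f"{in_window} wires in {window} exceeds lifetime total of {lifetime_before}")
        # 3. Destination country never used by this account before.
        if country not in {c for _, _, c in seen}:
            reasons.append(f"first ever wire to {country}")
        if reasons:
            held.append((i, reasons))
        seen.append(wire)
    return held
```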

Page 9

Bank Sues Customer for ACH Fraud???

A Texas bank is suing its commercial banking customer.

Cyber thieves made a series of ACH transactions that totaled $801,495 from Hillary Machinery Inc.'s bank account.

The bank was able to retrieve about $600,000 of the money. The customer subsequently sent a letter requesting that the bank refund the remaining $200,000.

The bank responded by filing the lawsuit, requesting that the court certify that the bank's security was in fact reasonable and that it processed the wire transfers in good faith.

Documents filed with the court allege that the fraudulent transactions were initiated using the defendant's valid online banking credentials.

Page 10

Incident Response – Investigative Conclusions

Window of Data Exposure

Attackers were still on systems an average of 156 days before being detected; eliminating stored data greatly reduces the data-loss exposure during that window.

Page 11

Penetration Tests – Top 10 – External Network

Rank  Vulnerability Name                                    Circa  Attack Difficulty
1     Unprotected Application Management Interface          1994   Easy
2     Unprotected Infrastructure Management Interface       1993   Easy
3     Access to Internal Application via the Internet       1997   Medium
4     Misconfigured Firewall Permits Access to Internal     1993   Hard
5     Default or Easy to Determine Credentials              1979   Trivial
6     Sensitive Information, Source Code, etc. in Web Dir   1990   Easy
7     Static Credentials Contained in Client                1980   Easy
8     Domain Name Service (DNS) Cache Poisoning             2008   Medium
9     Aggressive Mode IKE Handshake Support                 2001   Easy
10    Exposed Service Version Issues (Buffer Overflows)     1996   Hard

Page 12

Conclusions

• Attackers are using old vulnerabilities

• Attackers are using new vulnerabilities (not a contradiction!)

• Attackers know they won’t be detected

• Organizations do not know what they own or how their data flows

• Blind trust in 3rd parties is a huge liability

• Fixing new/buzz issues, but not fixing basic/old issues

• In 2010, take a step back before moving forward

Page 13

Compliance Mandates and Data Protection

Compliance Mandate / Data Type

PCI DSS: Payment Card Industry Data Security Standard (2004, 2006)
    Data type: Credit Card Data

HIPAA: Health Insurance Portability & Accountability Act (1996); Privacy & Security Rules (2003)
    Data type: PHI: Protected Health Information

GLBA: Gramm-Leach-Bliley Act (1999); Financial Services Modernization Act
    Data type: NPPI: Non-Public Personal Information

SOX: Sarbanes-Oxley Act (2002); Sections 404 and 302
    Data type: Financial Records; Intellectual Property

FERPA: Family Educational Rights & Privacy Act (1974)
    Data type: Student Records

ITAR: International Traffic in Arms Regulations (US Dept of State)
    Data type: Military & Defense Related IP on the US Munitions List

FISMA: Federal Information Security Management Act (2002)
    Data type: Data Security and Audit Standards for US Government and Contractors

Title 21 CFR Part 11: US Food & Drug Administration Regulation
    Data type: Electronic records and signatures

US State Data Privacy: California SB 1386; 44 states (as of June 2008)
    Data type: Customer Data Protection; Breach notification to customers

Page 14

Payment Card Industry Data Security Standard (PCI DSS)

PCI DSS requirements

Build and maintain a secure network

1. Install and maintain a firewall configuration to protect cardholder data

2. Do not use vendor-supplied defaults for system passwords and other security parameters

Protect cardholder data

3. Protect stored cardholder data

4. Encrypt transmission of cardholder data across open, public networks

Maintain a vulnerability management program

5. Use and regularly update anti-virus software or programs

6. Develop and maintain secure systems and applications

Implement strong access control measures

7. Restrict access to cardholder data by business need-to-know

8. Assign a unique ID to each person with computer access

9. Restrict physical access to cardholder data

Regularly monitor and test networks

10. Track and monitor all access to network resources and cardholder data

11. Regularly test security systems and processes

Maintain an information security policy

12. Maintain a policy that addresses information security for employees and contractors

Six Goals, Twelve Requirements

Page 15

Why is the PCI DSS Successful?

Increased awareness

Focus on protection of cardholder data

Standardized controls accepted by all card brands

Eradication of prohibited data storage

Continual improvements and updates to the standard

• Evolution of the standard

• Based on information gathered and trends identified in post-compromise forensic investigations

Page 16

The Global Remediation Plan

Rank Strategic Initiative

1 Perform and Maintain a Complete Asset Inventory; Decommission Old Systems

2 Monitor Third Party Relationships

3 Perform Internal Segmentation

4 Rethink Wireless

5 Encrypt Your Data

6 Investigate Anomalies

7 Educate Your Staff

8 Implement and Follow a Software Development Life Cycle (SDLC)

9 Lock Down User Access

10 Use Multifactor Authentication Everywhere Possible

Page 18

Conclusion

Best Practices Checklist

Have you tested security?

Are your SSL or EV SSL certificates valid and not expiring during the holiday season?

Are your Web site seals valid and up to date?

Have you obtained all patches and are the patches up-to-date?

Do you know what and who is using your network?

Page 19

Resources

• Trustmarks: http://www.ecommerce-guide.com/solutions/advertising/article.php/3860526

• Trustwave’s Global Security Report 2010: https://www.trustwave.com/whitePapers.php

• SANS 2009 Cyber Security Report: http://www.sans.org/top-cyber-security-risks/

• SANS NewsBites Vol. 12 Num. 13 – Business Customer Sues Bank: http://www.sans.org/newsletters/#newsbites

• Bank Sues Customer: http://www.bankinfosecurity.com/articles.php?art_id=2132

Page 20

Questions?

