An Introduction to E-Commerce Security By Graham Mead.


Page 1

An Introduction to E-Commerce Security

By Graham Mead

Page 2

Security Strategies

• Enforce Secure Passwords by Design.

• Don’t trust that users are who they say they are unless they can prove it.

• PCI Data Security Standard https://www.pcisecuritystandards.org/

• ISO/IEC 27001 (risks to information assets)
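The first two strategies above (secure passwords by design, and not trusting a user until they prove who they are) are what a server-side registration and login path enforces. The following is an added example, not code from the slides: a password policy check, salted PBKDF2 storage, and constant-time verification. The minimum length, the three-of-four character-class rule and the small common-password deny-list are assumptions chosen for illustration.

```python
import hashlib
import hmac
import os
import re

# Constructed deny-list for illustration; a real deployment would use a breach-derived list.
COMMON_PASSWORDS = {"password", "123456", "qwerty", "letmein", "welcome1"}
MIN_LENGTH = 12  # assumed policy value


def password_problems(password: str, username: str = "") -> list:
    """Return the policy violations for a candidate password (empty list means acceptable)."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    classes = [r"[a-z]", r"[A-Z]", r"[0-9]", r"[^A-Za-z0-9]"]
    if sum(bool(re.search(c, password)) for c in classes) < 3:
        problems.append("fewer than three character classes")
    if password.lower() in COMMON_PASSWORDS:
        problems.append("on the common-password deny-list")
    if username and username.lower() in password.lower():
        problems.append("contains the username")
    return problems


def hash_password(password: str, iterations: int = 600_000) -> str:
    """Derive a salted PBKDF2-HMAC-SHA256 hash and pack it as 'iterations$salt$digest'."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"{iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """The user proves identity by reproducing the stored hash; compare in constant time."""
    iterations, salt_hex, digest_hex = stored.split("$")
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


def register(username: str, password: str, iterations: int = 600_000) -> str:
    """Reject weak passwords at registration time, otherwise return the record to store."""
    problems = password_problems(password, username)
    if problems:
        raise ValueError("password rejected: " + "; ".join(problems))
    return hash_password(password, iterations)


if __name__ == "__main__":
    record = register("alice", "Correct-Horse-Battery-9")
    print(verify_password("Correct-Horse-Battery-9", record))  # True
    print(password_problems("password", "bob"))
```

The stored record never contains the password itself, so a leaked user table does not directly reveal credentials, and `hmac.compare_digest` avoids leaking how many bytes of the hash matched through timing.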

Page 3

Secure Transfer Methods

• HTTPS, SSH, SFTP.

• These protocols use encryption.

• They allow you to transfer data securely.

• Use the ‘High’ encryption level for Remote Desktop. This uses a 128-bit key.

• Never use telnet, http or ftp to log in. These are insecure protocols that send credentials in the clear.

Page 4

Default Security is Weak

• Configuration found in Admin Tools -> Terminal Services Configuration.

• Change the Encryption drop down box to at least High.

Page 5

HTTPS Example

• Click on the padlock to see this window.

• The White box would display the address of the web site.

• The Green box would
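Page 3 says to use only encrypted protocols and never log in over telnet, http or ftp, and page 5 shows the padlock a browser displays after it has validated the server certificate. The following added example (not code from the slides) puts both into a client-side policy: it flags plaintext schemes and credentials embedded in a URL, and builds a TLS context that performs the checks the padlock represents (certificate chain validation, hostname match, no legacy protocol versions). The scheme lists and the helper names are assumptions made for this example.

```python
import ssl
import urllib.request
from urllib.parse import urlsplit

# Assumed policy: the encrypted protocols the slides recommend, and the plaintext ones they forbid.
SECURE_SCHEMES = {"https", "ssh", "sftp"}
PLAINTEXT_SCHEMES = {"http", "ftp", "telnet"}


def transfer_url_findings(url: str) -> list:
    """Return policy findings for a URL; an empty list means it may be used."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    findings = []
    if scheme in PLAINTEXT_SCHEMES:
        findings.append(f"{scheme} sends data and credentials in the clear")
    elif scheme not in SECURE_SCHEMES:
        findings.append(f"unknown scheme '{scheme}'")
    if parts.username or parts.password:
        findings.append("credentials embedded in the URL")
    return findings


def client_tls_context() -> ssl.SSLContext:
    """TLS settings equivalent to what the browser checks before showing the padlock."""
    ctx = ssl.create_default_context()       # loads the system trust store
    ctx.check_hostname = True                 # certificate must match the host in the URL
    ctx.verify_mode = ssl.CERT_REQUIRED       # refuse unverifiable certificates
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2  # no SSLv3 / TLS 1.0 / TLS 1.1
    return ctx


def open_secure(url: str, timeout: float = 10.0):
    """Fetch a URL only when the policy passes; HTTPS is the one scheme fetched here."""
    problems = transfer_url_findings(url)
    if problems:
        raise ValueError("refusing URL: " + "; ".join(problems))
    if urlsplit(url).scheme.lower() != "https":
        raise ValueError("only https fetches are implemented in this example")
    return urllib.request.urlopen(url, timeout=timeout, context=client_tls_context())


if __name__ == "__main__":
    for u in ("https://shop.example/checkout", "http://shop.example/login",
              "ftp://admin:secret@shop.example/"):
        print(u, "->", transfer_url_findings(u) or "ok")
```

A failed certificate check surfaces as `ssl.SSLCertVerificationError` from `urlopen`; the right response is to stop, not to disable verification.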

Page 6

Implementing Security

• Mod_security http://www.modsecurity.org/ can filter out bad traffic and help protect web applications.

• mod_ssl allows the HTTPS protocol to be used with Apache.

Page 7

Mod Security

• Over 70% of all attacks are now carried out over the web port (modsecurity).

• Mod Security is a web application layer firewall.

• It can be used to help protect web sites.

• Two example alerts can be seen in the image below.

• First it protects against a directory listing, that could be valuable to an attacker.

• Secondly it protects against an SQL Injection attack.
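To make the two alerts concrete, the following added example (not ModSecurity's own rule set or code) reproduces the idea in a few lines: inspect decoded request arguments for SQL injection signatures and inspect the response for a directory listing, then run both checks over a handful of constructed transactions. The signatures are deliberately simple illustrations, and the sample requests and responses are constructed for this example.

```python
import re
from urllib.parse import urlsplit, parse_qsl, unquote_plus

# Simplified signatures in the spirit of the two example alerts (assumed, not the real rules).
SQLI_PATTERNS = [
    re.compile(r"(?i)\bunion\b.+\bselect\b"),                      # UNION ... SELECT
    re.compile(r"(?i)(?:'|\")\s*or\s+[\w'\"]+\s*=\s*[\w'\"]+"),    # ' OR '1'='1 style tautology
    re.compile(r"--\s*$|;\s*--|/\*.*\*/"),                         # comment-based truncation
]
DIRECTORY_LISTING = re.compile(r"<title>Index of /", re.I)


def inspect_request(method: str, target: str) -> list:
    """Decode each query argument (twice, to defeat simple encoding evasion) and match."""
    alerts = []
    for name, value in parse_qsl(urlsplit(target).query, keep_blank_values=True):
        decoded = unquote_plus(value)
        if any(p.search(decoded) for p in SQLI_PATTERNS):
            alerts.append(f"SQL injection attempt in argument '{name}'")
    return alerts


def inspect_response(status: int, body: str) -> list:
    """A successful response carrying an auto-generated index page is a directory listing."""
    if status == 200 and DIRECTORY_LISTING.search(body):
        return ["directory listing returned by server"]
    return []


# Constructed transactions: (method, request target, response status, response body)
SAMPLE_TRANSACTIONS = [
    ("GET", "/product.php?id=42", 200, "<html><title>Widget</title></html>"),
    ("GET", "/product.php?id=42'+OR+'1'%3D'1", 200, "<html><title>Widget</title></html>"),
    ("GET", "/images/", 200, "<html><head><title>Index of /images</title></head></html>"),
    ("GET", "/search.php?q=1+UNION+SELECT+username,password+FROM+users", 500, ""),
]


def run(transactions) -> dict:
    """Map each request line to the alerts raised on its request and response."""
    return {
        f"{method} {target}": inspect_request(method, target) + inspect_response(status, body)
        for method, target, status, body in transactions
    }


if __name__ == "__main__":
    for request_line, alerts in run(SAMPLE_TRANSACTIONS).items():
        print(request_line, "->", alerts or "clean")
```

The response-side check is the reason a listing can be caught even when the request itself looks harmless; disabling directory indexes in the web server is still the cleaner fix, with the firewall as a second layer.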

Page 8

Security is Everyone's Responsibility.

Don’t be the weak link.

Page 9

References

• http://www.modsecurity.org/documentation/faq.html#d0e47 (modsecurity.org 2007)