An Introduction to E-Commerce Security

By Graham Mead

Security Strategies

• Enforce Secure Passwords by Design.

• Don’t trust users are who they say they are, unless they can prove it.

• PCI Data Security Standard https://www.pcisecuritystandards.org/

• ISO/IEC 27001 (risks to information

• assets)

Secure Transfer Methods

• HTTPS, SSH, SFTP.

• These protocols use encryption.

• They allow you to transfer data securely.

• Use the ‘High’ encryption level for Remote Desktop. This uses a 128 bit key.

• Never use telnet, http or ftp to login. These are insecure protocols.

Default Security is Weak• Configuration found in Admin Tools -> Terminal Services

Configuration.• Change the Encryption drop down box to at least High.

HTTPS Example• Click on the padlock to see this window.• The White box would display the address of the web site.• The Green box would

Implementing Security

• Mod_security http://www.modsecurity.org/ can filter out bad traffic and help protect web applications.

• mod_ssl allows the HTTPS protocol to be used with apache.

Mod Security

• Over 70% of all attacks now carried out over the web port. (modsecurity)

• Mod Security is a web application layer firewall.• It can be used to help protect web sites.• Two example alerts can be seen in the image below.• First it protects against a directory listing, that could be

valuable to an attacker• Secondly it protects against an SQL Injection attack.

Security is Everyone'sResponsibility.

Don’t be the weak link.

References

• http://www.modsecurity.org/documentation/faq.html#d0e47 (modsecurity.org 2007)