Website Security
Does PCI Compliance Protect My On-line Customers' Identities Too?
Mike Smart, Sr. Manager, Products and Solutions
Symantec Website Security Solutions
A 360° View on Website Security Strategy
• Enterprise SSL Security
• Evolving Web Use
• Assurance of Persistent Protection
• Evolving Web Threats
UK Mobile Web Usage Evolution
82% of the UK population use the Internet; 58% of the European population use the Internet.
Source: Tecmark Research 2011
Evolving Usage
[Chart: Internet use by location (Home; Place of work (other than home); Another person's home; Hotspot (wi-fi); Place of education), percentage of users, 2008 to 2011]
Last 3 Months Usage - UK Office of National Statistics 2011
Evolving On-line Sales
[Chart: growth in Internet retail vs. all retail; values shown: -0.25%, 17.3%, 3.1%, -0.4%, 0.9%]
Internet retail: £489m per week, an 18.1% increase from 2011.
All retail: £5,724m per week, a 0.4% increase from 2011.
Internet retail is 8.5% of all retail sales (excl. auto fuel).
Source: UK Office of National Statistics 2011
On-line Retail Growth
Source: http://www.retailresearch.org/onlineretailing.php
Personalising the Web
• Social-Personal
• Financial-Personal
Are we doing enough to protect customers?
92% of websites lack adequate security (Verisign Inc / Netcraft 2012).
52% of websites have a poor implementation of SSL (Trustworthy Internet 2012).
SSL Deployment Audits
Website Security Threat Analysis
When a website comes online:
• 35.8% have a vulnerability
• 1 in 4 have a CRITICAL vulnerability
• 1 in 156 get infected
• 6,000 get black-listed per DAY
• 61% of compromised sites are legitimate
• 36% growth in blocked web attacks
Source: Symantec 2012 / Business Week 2012
Recommendations: 'Always-On SSL'
• Use HTTPS on all pages
• Resolve and avoid mixed content
• Encrypt all identifying and private information
• Use only secure cookies
• Use valid SSL certificates from trusted CAs
• Patch, update, and harden systems
Only 10% of sites are 'secure' (190,000 sites, 2012 Scorecard, based on SSL & server configuration testing).
Enterprise SSL Security
Learn more: go.symantec.com/always-on-ssl
What about the Protection of Our Customers?
Three levels of certificate validation, recognised by leading browsers and offered by all major Certificate Authorities:
• Domain Validation: encryption; validation of domain control; padlock in browser; issued in minutes.
• Organization Validation: authentication of organization; proof of applicant's right to request a cert for the domain; organization details in certificate info; blue address bar in browser; issued in 1-2 days.
• Extended Validation: stringent, industry-standardized authentication of organization; business-beneficial green address bar in browser; issued in 7-10 days.
Mobile Browsers & SSL – iOS Safari
Source: Symantec & OTA 2012
The green EV bar increases confidence (60% of online shoppers).
43% of shoppers will abandon their cart if a browser warning message pops up.
Internet Trust Marks
86% of shoppers recognize the trustmark.
Key Takeaways: SSL & TLS Best Practices
• Private Key & Certificate
• Configuration
• Performance
• Application Design
• Validation & Re-assess
Source: Qualys SSL Labs / Trustworthy Internet
Configuration
Valid Certificate Chain
• Just one certificate is normally not enough; more are needed to establish a complete chain of trust.
• Multiple certificates may expire at different times.
Use Only Secure Protocols
• At minimum, SSL v3 & TLS v1.0 are 'OK' – check logs for impact!
• TLS v1.1 & 1.2 are without known issues, but have limited browser/server support.
Use Only Secure Cipher Suites & Control Which Ones Are Used
• Force your servers to select the strongest suite the browser can support.
Mitigate Known Problems
• Patching, server software updates.
• Keep an eye on the latest standards and advice.
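The protocol and cipher-suite controls on this slide, as an added example that is not from the original deck: it builds a server-side SSLContext with Python's standard ssl module, raising the floor to TLS 1.2 (an assumption reflecting today's baseline rather than the SSL v3 / TLS v1.0 minimum stated above), makes the server rather than the browser pick the suite, and reports what would be offered. The names hardened_server_context, context_report and the WEAK_MARKERS list are this example's own.

```python
import ssl

# Substrings that mark a suite as unacceptable for a public website (this example's own list;
# 'DES' also catches triple-DES names such as DES-CBC3-SHA).
WEAK_MARKERS = ("NULL", "EXPORT", "RC4", "DES", "MD5", "ADH", "AECDH", "PSK")

def weak_cipher_names(names):
    """Return the suites in `names` that carry any weak marker."""
    return [n for n in names if any(m in n.upper() for m in WEAK_MARKERS)]

def hardened_server_context():
    """Build a server SSLContext that applies the slide's configuration rules."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    # Use only secure protocols: refuse SSLv3, TLS 1.0 and TLS 1.1 outright (assumed baseline).
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    # Control which suites are used: forward-secret key exchange with AEAD ciphers only.
    ctx.set_ciphers("ECDHE+AESGCM:ECDHE+CHACHA20:DHE+AESGCM:!aNULL:!MD5:!RC4:!3DES:!PSK")
    # Force the server, not the browser, to select the strongest suite both support.
    ctx.options |= ssl.OP_CIPHER_SERVER_PREFERENCE
    # Mitigate a known problem: TLS-level compression leaks plaintext, so keep it off.
    ctx.options |= ssl.OP_NO_COMPRESSION
    return ctx

def context_report(ctx):
    """Summarise what a context would negotiate so it can be checked against policy."""
    names = [c["name"] for c in ctx.get_ciphers()]
    return {
        "min_version": ctx.minimum_version.name,
        "server_preference": bool(ctx.options & ssl.OP_CIPHER_SERVER_PREFERENCE),
        "suites": names,
        "weak": weak_cipher_names(names),
    }

if __name__ == "__main__":
    for key, value in context_report(hardened_server_context()).items():
        print(key, value)
```

The same weak_cipher_names check can be run over the suite list your real server reports (e.g. from an SSL Labs scan) to see which ones the policy would reject.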
Application Design & Implementation (HTTP)
Always-On SSL
• If you don't have SSL, get it; if you have it, turn it on!
• If you have it on, keep it on all the time!
Secure Cookies
• Mark all cookies as 'secure'.
No Mixed Content
• Think about Java files, pictures, CSS files.
Enable HSTS
• HTTP Strict Transport Security – the SSL 'safety-net'.
• It covers you in case you have a config error; it's easy, but browser support is limited.
Disable Caching of Sensitive Content
• With the increase in 'External IT', be clear about what is sensitive and what is not.
Understand & Acknowledge 3rd Party Trust
• 3rd party services are downloaded from another server.
• Understand your risk.
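A check for the HTTP-level items on this slide and in the earlier Always-On SSL recommendations (HSTS, secure cookies, mixed content, caching of sensitive content), as an added example that is not from the original deck: it audits a captured HTTP response the way a deployment audit would. The function audit_response and the constructed sample response are this example's own assumptions.

```python
import re

# Subresource tags whose http:// source would be mixed content on an HTTPS page.
MIXED_RE = re.compile(
    r'<(script|img|iframe|link|video|audio|source)\b[^>]*?\b(?:src|href)\s*=\s*["\']http://([^"\'\s>]+)',
    re.I)

def parse_response(raw):
    """Split a raw HTTP/1.1 response into (status line, [(name, value)], body)."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    headers = []
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers.append((name.strip().lower(), value.strip()))
    return lines[0], headers, body

def audit_response(raw, sensitive=True):
    """Return (check, detail) findings for the Application Design items on this slide."""
    _, headers, body = parse_response(raw)
    values = lambda name: [v for k, v in headers if k == name]
    findings = []
    # Enable HSTS: without it one http:// link silently drops the browser off SSL.
    hsts = values("strict-transport-security")
    m = re.search(r"max-age=(\d+)", hsts[0], re.I) if hsts else None
    if not m or int(m.group(1)) == 0:
        findings.append(("hsts", "Strict-Transport-Security missing or max-age=0"))
    # Secure cookies: a cookie without 'Secure' is also sent over plain HTTP.
    for cookie in values("set-cookie"):
        attrs = [a.strip().lower() for a in cookie.split(";")[1:]]
        if "secure" not in attrs:
            findings.append(("secure-cookie", cookie.split("=", 1)[0].strip()))
    # No mixed content: scripts, images and CSS fetched over http:// break the padlock.
    for tag, url in MIXED_RE.findall(body):
        findings.append(("mixed-content", f"<{tag.lower()}> loads http://{url}"))
    # Disable caching of sensitive content: shared caches must not keep the page.
    if sensitive and "no-store" not in ",".join(values("cache-control")).lower():
        findings.append(("cache", "sensitive page lacks Cache-Control: no-store"))
    return findings

# Constructed sample response (not a real capture) showing every problem above.
SAMPLE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html\r\n"
    "Cache-Control: public, max-age=600\r\n"
    "Set-Cookie: session=abc123; Path=/; HttpOnly\r\n"
    "Set-Cookie: prefs=dark; Path=/; Secure\r\n"
    "\r\n"
    '<html><head><script src="http://cdn.example.test/analytics.js"></script>'
    '<link rel="stylesheet" href="https://static.example.test/site.css"></head>'
    "<body><img src='http://static.example.test/logo.png'></body></html>"
)

if __name__ == "__main__":
    for check, detail in audit_response(SAMPLE):
        print(f"{check}: {detail}")
```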
Your Action List
• Make positive changes to design, like turning on the 'Always-On SSL' switch, to protect customers' identities and strengthen your brand.
• Discover your risk exposure: audit your website security infrastructure.
• Review configuration and design for benchmarking against industry.
• Consolidate your certificate issuing process and use more stringent standards to demonstrate best practice and increase customer confidence to drive online sales.
60% Growth
Summary
• Drive more business to your site & increase revenues
• Protect your customer data and their financial records
• Reduce your risk exposure and time to compliance
Thank you!
Copyright © 2011 Symantec Corporation. All rights reserved. Symantec and the Symantec Logo are trademarks or registered trademarks of Symantec Corporation or its affiliates in the U.S. and other countries. Other names may be trademarks of their respective owners.
This document is provided for informational purposes only and is not intended as advertising. All warranties relating to the information in this document, either express or implied, are disclaimed to the maximum extent allowed by law. The information in this document is subject to change without notice.