protecting the identities of your website customers

Website Security 2. Does PCI Compliance Protect My On-line Customers’ Identities Too? Mike Smart, Sr. Manager, Products and Solutions, Symantec Website Security Solutions

Upload: norton-secured

Post on 18-Nov-2014


DESCRIPTION

92% of websites lack adequate security measures to protect their customers. This presentation looks at the simple measures that can be taken to keep website users' personal information safe.

TRANSCRIPT

Page 1: Protecting the identities of your website customers

Website Security 2

Does PCI Compliance Protect My On-line Customers’ Identities Too?

Mike Smart, Sr. Manager, Products and Solutions

Symantec Website Security Solutions

Page 2

A 360° View on Website Security Strategy

Enterprise SSL Security

Evolving Web Use

Assurance of Persistent Protection

Evolving Web Threats

Page 3

UK Mobile Web Usage Evolution

Source: 2011 Tecmark Research

82% of the UK population use the Internet; 58% of the European population use the Internet

Page 4

Evolving Usage

Chart: Internet use in the last 3 months by location (Home; Place of work (other than home); Another person's home; Hotspot (wi-fi); Place of education), percentage of users, 2008 to 2011. Year-on-year changes shown on the chart: -0.25%, 17.3%, 3.1%, -0.4%, 0.9%. Source: UK Office of National Statistics 2011

Page 5

Evolving On-line Sales

Internet Retail: £489m per week, 18.1% increase from 2011

All Retail: £5,724m per week, 0.4% increase from 2011

Internet retail is 8.5% of all retail sales (excl. auto fuel)

Source: UK Office of National Statistics 2011

Page 6

On-line Retail Growth

Source: http://www.retailresearch.org/onlineretailing.php

Page 7

Personalising the Web

Social-Personal

Financial-Personal

Page 8

A 360° View on Website Security Strategy

Enterprise SSL Security

Evolving Web Use

Assurance of Persistent Protection

Evolving Web Threats

Page 9

Are we doing enough to protect customers?

92% of websites lack adequate security (Verisign Inc / Netcraft 2012)

52% of websites have a poor implementation of SSL (Trustworthy Internet 2012)

Page 10

SSL Deployment Audits

Page 11

A 360° View on Website Security Strategy

Enterprise SSL Security

Evolving Web Use

Assurance of Persistent Protection

Evolving Web Threats

Page 12

Website Security Threat Analysis

Website comes online:
• 35.8% have a vulnerability
• 1 in 4 have a CRITICAL vulnerability
• 1 in 156 get infected
• 6,000 get black-listed per DAY

61% of compromised sites are legitimate

36% growth in blocked web attacks

Source: Symantec 2012 / Business Week 2012

Page 13

Recommendations: ‘Always-On SSL’

• Use HTTPS on all pages
• Resolve and avoid mixed content
• Encrypt all identifying and private information
• Use only secure cookies
• Use valid SSL certificates from trusted CAs
• Patch, update, and harden systems

Only 10% of sites are ‘Secure’ – 190,000 sites, 2012 Scorecard, based on SSL & server configuration testing

Page 14

Enterprise SSL Security

Learn more: go.symantec.com/always-on-ssl

What about the protection of our customers?

Page 15

Leading Browsers, All Major Certificate Authorities

Domain Validation: encryption; validation of domain control; padlock in browser; issued in minutes

Organization Validation: authentication of organization; proof of applicant’s right to request cert for domain; organization details in Certificate Info; blue address bar in browser; issued in 1-2 days

Extended Validation: stringent, industry-standardized authentication of organization; business-beneficial green address bar in browser; issued in 7-10 days

Page 16

Mobile Browsers & SSL – iOS Safari

Source: Symantec & OTA 2012

Green EV bar increases confidence (60% of online shoppers)

43% of shoppers will abandon cart if a browser warning message pops up

Page 17

Internet Trust Marks

86% of shoppers recognize the trustmark

Page 18

Key Takeaways: SSL & TLS Best Practices

Private Key & Certificate

Configuration

Performance

Application Design

Validation & Re-assess

Source: Qualys SSL Labs / Trustworthy Internet

Page 19

Configuration

Valid Certificate Chain
• Just one certificate is normally not enough; more are needed to establish a complete chain of trust.
• Multiple certificates may expire at different times.

Use Only Secure Protocols
• At minimum SSL v3 & TLS v1.0 are ‘OK’ – check logs for impact!
• TLS v1.1 & 1.2 are without known issues, but have limited browser/server support.

Use Only Secure Cipher Suites & Control Which Ones are Used
• Force your servers to select the strongest suite the browser can support.

Mitigate Known Problems
• Patching, server software updates
• Keep an eye on the latest standards and advice
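The Configuration bullets above, worked through as an added example that is not part of the presentation: a server-side TLS context built with Python's standard ssl module that enforces a protocol floor, restricts the cipher suites, makes the server (not the browser) pick the suite, and disables TLS compression, plus an audit function that reports where a context falls short. MIN_VERSION (TLS 1.2) and the CIPHERS string are this example's assumptions; the 2012 slide itself still accepted SSL v3 and TLS 1.0.

```python
"""Harden and audit a server-side TLS configuration with the standard ssl module.

Added example, not from the presentation. MIN_VERSION and CIPHERS are this
example's assumptions, not values from the slide.
"""
import ssl
from typing import Any, Dict, List

# Assumption: TLS 1.2 as the floor. Raising the floor is exactly the kind of
# change the slide says to check your logs for, so old clients are not cut off
# unknowingly.
MIN_VERSION = ssl.TLSVersion.TLSv1_2

# Assumption: an OpenSSL cipher string limited to forward-secret AEAD suites.
CIPHERS = "ECDHE+AESGCM:ECDHE+CHACHA20"


def hardened_server_context() -> ssl.SSLContext:
    """Server context that enforces the slide's configuration bullets."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = MIN_VERSION               # use only secure protocols
    ctx.set_ciphers(CIPHERS)                        # use only secure cipher suites
    ctx.options |= ssl.OP_CIPHER_SERVER_PREFERENCE  # server picks the strongest suite
    ctx.options |= ssl.OP_NO_COMPRESSION            # known problem: CRIME (2012)
    return ctx


def describe(ctx: ssl.SSLContext) -> Dict[str, Any]:
    """Extract the settings the audit looks at, as plain values."""
    return {
        "minimum_version": int(ctx.minimum_version),
        "options": int(ctx.options),
        "ciphers": ctx.get_ciphers(),  # one dict per negotiable suite
    }


def audit_settings(settings: Dict[str, Any]) -> List[str]:
    """Return findings for a settings dict; an empty list means it passes."""
    findings: List[str] = []
    min_version = ssl.TLSVersion(settings["minimum_version"])
    if min_version < MIN_VERSION:
        findings.append(
            f"minimum protocol {min_version.name} is below {MIN_VERSION.name}")
    options = settings["options"]
    if not options & ssl.OP_CIPHER_SERVER_PREFERENCE:
        findings.append("server does not enforce its own cipher-suite order")
    if not options & ssl.OP_NO_COMPRESSION:
        findings.append("TLS compression not disabled")
    for suite in settings["ciphers"]:
        # strength_bits is the effective symmetric key strength of the suite.
        if suite["strength_bits"] < 128:
            findings.append(f"weak suite enabled: {suite['name']}")
    return findings


def audit_context(ctx: ssl.SSLContext) -> List[str]:
    """Audit a live SSLContext."""
    return audit_settings(describe(ctx))


if __name__ == "__main__":
    ctx = hardened_server_context()
    print("hardened context findings:", audit_context(ctx) or "none")
    for suite in ctx.get_ciphers():
        print(f"  {suite['name']:<32} {suite['protocol']:<8} {suite['strength_bits']} bits")
```

The audit is split into describe() and audit_settings() so the policy can be checked against settings captured from any server, not only a Python one; the same four checks map one-to-one onto the slide's bullets.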

Page 20

Application Design & Implementation (HTTP)

Always-On SSL
• If you don’t have SSL, get it; if you have it, turn it on!
• If you have it on, keep it on all the time!

Secure Cookies
• Mark all cookies as ‘secure’.

No Mixed Content
• Think about Java files, pictures, CSS files.

Enable HSTS
• HTTP Strict Transport Security – the SSL ‘safety-net’.
• Protects in case you have a config error. It’s easy; limited browser support.

Disable Caching of Sensitive Content
• With the increase in ‘External IT’, be clear about what is sensitive and what is not.

Understand & Acknowledge 3rd Party Trust
• 3rd party services downloaded from another server.
• Understand your risk.
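The Recommendations on Page 13 and the HTTP-layer design points above (Always-On SSL backed by HSTS, Secure cookies, no mixed content, no caching of sensitive content) as one added example that is not part of the presentation: a small auditor run over a constructed HTTP response, with the weak header set beside the corrected one. The host names, the sensitive-path list and the HSTS max-age threshold are assumptions.

```python
"""Audit an HTTP response for the HTTP-layer controls on the Recommendations
and Application Design slides.

Added example, not from the presentation. The response below is constructed;
the thresholds, host names and sensitive-path list are assumptions.
"""
import re
from typing import Dict, List, Tuple

Header = Tuple[str, str]

# Assumption: a year of HSTS, the floor commonly required for browser preload lists.
MIN_HSTS_AGE = 31536000
# Assumption: URL prefixes whose responses carry customer data.
SENSITIVE_PATHS = ("/account", "/checkout")

# Constructed response that breaks several of the slide's rules on purpose.
WEAK_HEADERS: List[Header] = [
    ("Content-Type", "text/html; charset=utf-8"),
    ("Set-Cookie", "session=abc123; Path=/; HttpOnly"),   # no Secure flag
    ("Set-Cookie", "pref=dark; Path=/; Secure; HttpOnly"),
    ("Strict-Transport-Security", "max-age=3600"),        # too short, no subdomains
    ("Cache-Control", "public, max-age=600"),             # customer page is cacheable
]
# The same response with the corrected settings.
HARDENED_HEADERS: List[Header] = [
    ("Content-Type", "text/html; charset=utf-8"),
    ("Set-Cookie", "session=abc123; Path=/; Secure; HttpOnly"),
    ("Set-Cookie", "pref=dark; Path=/; Secure; HttpOnly"),
    ("Strict-Transport-Security", "max-age=31536000; includeSubDomains"),
    ("Cache-Control", "no-store"),
]
# Constructed page body served over https with two plain-http sub-resources.
BODY = """<html><head>
<link rel="stylesheet" href="http://cdn.example.test/site.css">
<script src="https://cdn.example.test/app.js"></script>
</head><body>
<img src="//static.example.test/logo.png">
<img src="http://static.example.test/banner.png">
<a href="http://www.example.test/help">help</a>
</body></html>"""


def _values(headers: List[Header], name: str) -> List[str]:
    return [v for n, v in headers if n.lower() == name]


def check_cookies(headers: List[Header]) -> List[str]:
    """Every Set-Cookie must carry the Secure (and HttpOnly) attribute."""
    findings = []
    for value in _values(headers, "set-cookie"):
        parts = [p.strip() for p in value.split(";")]
        name = parts[0].split("=", 1)[0]
        attrs = {p.split("=", 1)[0].lower() for p in parts[1:]}
        if "secure" not in attrs:
            findings.append(f"cookie {name!r} lacks Secure flag")
        if "httponly" not in attrs:
            findings.append(f"cookie {name!r} lacks HttpOnly flag")
    return findings


def check_hsts(headers: List[Header]) -> List[str]:
    """HSTS is the safety net for Always-On SSL: present, long-lived, covering subdomains."""
    values = _values(headers, "strict-transport-security")
    if not values:
        return ["no Strict-Transport-Security header"]
    directives = {}
    for d in values[0].split(";"):
        k, _, v = d.strip().partition("=")
        directives[k.lower()] = v
    findings = []
    try:
        max_age = int(directives.get("max-age", "0"))
    except ValueError:
        max_age = 0
    if max_age < MIN_HSTS_AGE:
        findings.append(f"HSTS max-age {max_age} is below {MIN_HSTS_AGE}")
    if "includesubdomains" not in directives:
        findings.append("HSTS lacks includeSubDomains")
    return findings


# Sub-resources (scripts, styles, images, frames) fetched over plain http on an
# https page are mixed content; ordinary links (<a href>) are not, so they are excluded.
MIXED_RE = re.compile(
    r'<(?:script|link|img|iframe)\b[^>]*?\b(?:src|href)="(http://[^"]+)"', re.I)


def check_mixed_content(body: str) -> List[str]:
    return [f"mixed content: {url}" for url in MIXED_RE.findall(body)]


def check_cache(headers: List[Header], path: str) -> List[str]:
    """Responses on sensitive paths must not be stored by browser or proxy caches."""
    if not path.startswith(SENSITIVE_PATHS):
        return []
    cc = ", ".join(_values(headers, "cache-control"))
    directives = {d.strip().split("=", 1)[0].lower() for d in cc.split(",")}
    if "no-store" not in directives:
        return [f"sensitive path {path} is cacheable: Cache-Control={cc!r}"]
    return []


def audit_response(headers: List[Header], body: str, path: str) -> Dict[str, List[str]]:
    return {
        "cookies": check_cookies(headers),
        "hsts": check_hsts(headers),
        "mixed_content": check_mixed_content(body),
        "cache": check_cache(headers, path),
    }


if __name__ == "__main__":
    for label, hdrs in (("weak", WEAK_HEADERS), ("hardened", HARDENED_HEADERS)):
        print(label, audit_response(hdrs, BODY, "/account/orders"))
```

The mixed-content check is deliberately limited to active and passive sub-resources; a plain link to an http:// page is not mixed content, which is why the `<a href>` in the sample body produces no finding.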

Page 21

Your Action List

Make positive changes to design, like turning on the ‘Always-On SSL’ switch, to protect customers’ identities and strengthen your brand

Discover your risk exposure: audit your website security infrastructure

Review configuration and design for benchmarking against industry

Consolidate your certificate issuing process and use more stringent standards to demonstrate best practice and increase customer confidence to drive online sales

60% Growth

Page 22

Summary

Drive More Business To Your Site & Increase Revenues

Protect Your Customer Data and Their Financial Records

Reduce Your Risk Exposure and Time to Compliance

Page 23

Thank you!

Copyright © 2011 Symantec Corporation. All rights reserved. Symantec and the Symantec Logo are trademarks or registered trademarks of Symantec Corporation or its affiliates in the U.S. and other countries. Other names may be trademarks of their respective owners.

This document is provided for informational purposes only and is not intended as advertising. All warranties relating to the information in this document, either express or implied, are disclaimed to the maximum extent allowed by law. The information in this document is subject to change without notice.


[email protected]