2015 Online Trust Audit & Honor Roll Review June 23, All rights reserved. Online Trust Alliance (OTA) Slide 1

Transcription

1 2015 Online Trust Audit & Honor Roll Review June 23, 2015 Sal Tripi AVP, Publishers Clearing House Jeff Wilbur VP Marketing, Iconix Craig Spiezle Executive Director & President, OTA 2015 All rights reserved. Online Trust Alliance (OTA) Slide 1 Who Is OTA? Mission - To enhance online trust and empowering users, while promoting innovation and the vitality of the internet. Goal to help educate businesses, policy makers and stakeholders while developing and advancing best practices and tools to enhance the protection of users' security, privacy and identity. OTA supports collaborative public-private partnerships, benchmark reporting, meaningful self-regulation and data stewardship. IRS approved 501c3 tax-exempt charitable organization Supported by over 100 leading brands, advertisers, marketers, technology leaders, non-profits and government agencies All rights reserved. Online Trust Alliance (OTA) Slide 2 1

2 Online Trust Audit & Honor Roll Objectives: Move from a compliance mindset to stewardship Recognize leadership brands, sites & apps that implement security and privacy practices protecting users data Incentivize businesses and developers to enhance their security, data protection and privacy practices Make security & privacy part of a brand s value proposition Increase awareness and preference for best practices Education 2015 All rights reserved. Online Trust Alliance (OTA) Slide 3 Honor Roll Overview Analysis of ~1,000 web sites FDIC Banking 100 Internet Retailer Top 500 Top 50 Social Top 50 News/Media (introduced in 2014) Top 50 Federal Gov t OTA Members IoT 50 (Home automation, Wearables) Scoring Up to 100 points in each category Bonus points for emerging practices Penalty points for Data loss incident, fines/settlement Inadequate practices Italics = new in 2015 Security Brand Protection Honor Roll = 80% of total points, 55% or better in each category Privacy 2015 All rights reserved. Online Trust Alliance (OTA) Slide 4 2

3 Collaborative & Open Audit Open call for comments Published methodology Webinar and tools to aid companies Powered in part by Agari, AVG Technologies, DigiCert, Disconnect, Distil Networks, Ensighten, GlobalSign, High- Tech Bridge SA, IID, Microsoft, Return Path, SiteLock, SSL Labs, Symantec, ThreatWave, TRUSTe & VERISIGN 2015 All rights reserved. Online Trust Alliance (OTA) Slide 5 Overall Achievement Record level of Honor Roll achievement, despite more stringent criteria Primarily due to many organizations near threshold raising score with simple improvements Most consistent increase was in privacy policy scores 2015 All rights reserved. Online Trust Alliance (OTA) Slide 6 3

4 Overall Achievement by Sector 2015 All rights reserved. Online Trust Alliance (OTA) Slide 7 Top of The Class Ranked #1 of all 800 sites across all sectors Online Retailers Social Federal Banking News IoT 2015 All rights reserved. Online Trust Alliance (OTA) Slide 8 4

5 Internet Retailer Top All rights reserved. Online Trust Alliance (OTA) Slide 9 Baseline Category Scores 2015 All rights reserved. Online Trust Alliance (OTA) Slide 10 5

6 Range and Median by Sector Online Trust Index is the total of baseline points and bonus/penalty points, normalized to All rights reserved. Online Trust Alliance (OTA) Slide 11 Honor Roll vs. Failures 2015 All rights reserved. Online Trust Alliance (OTA) Slide 12 6

7 Reasons for Failure 2015 All rights reserved. Online Trust Alliance (OTA) Slide 13 Brand Protection Base points authentication SPF and DKIM at top-level and subdomains DMARC record and policy Policy=Reject for max points Bonus points TLS for DNSSEC Penalty points Italics = new in 2015 Domain locking (not locked) Security Brand Protection Privacy Best practices to help detect and prevent malicious and spoofed and protect corporate domains 2015 All rights reserved. Online Trust Alliance (OTA) Slide 14 7

8 Authentication Overview SPF Authenticates Message Path Authorized senders in DNS DKIM Authenticates Message Content Public encryption keys in DNS DMARC Consistency A method to leverage the best of SPF and DKIM Policy Senders can declare how to process unauthenticated Visibility Reports on how receivers process received Aggregated Insights Telemetry into mail streams (RUA) Failure & Spoofed reports (RUF) 2015 All rights reserved. Online Trust Alliance (OTA) Slide 15 Transport Layer Security Rapidly being adopted standard for secure . TLS uses Public Key Infrastructure (PKI) to encrypt messages between mail servers. This encryption makes it difficult for hackers to intercept and read messages. TLS supports the use of digital certificates to authenticate the receiving servers. Authentication of sending servers is optional. This process verifies receivers (or senders) are who they say they are, which helps to prevent spoofing All rights reserved. Online Trust Alliance (OTA) Slide 16 8

9 and Brand Protection 2015 All rights reserved. Online Trust Alliance (OTA) Slide 17 Authentication Adoption Best practice is to support both SPF and DKIM Adoption of both grew in all sectors Use of DMARC records grew in all sectors, but is low Use of policy (reject or quarantine) lagging 2015 All rights reserved. Online Trust Alliance (OTA) Slide 18 9

10 Concerns Brand Protection Lack of DKIM at top-level domain Only 31% overall though 76% have at least some DKIM Lack of DMARC record and policy assertion Only 17% overall have a DMARC record though 92% support some form of authentication Protection of parked domains 2015 All rights reserved. Online Trust Alliance (OTA) Slide 19 Infrastructure Security Base points Server & SSL implementation Anti-bot Domain validation cert Bonus points EV SSL AOSSL Web App Firewall Penalty points Italics = new in 2015 XSS / iframe vulnerabilities Malware Malicious links Security Brand Protection Privacy Best practices to secure data in transit and collected by websites and prevent malicious exploits running against clients devices including desktop, mobile and IoT devices 2015 All rights reserved. Online Trust Alliance (OTA) Slide 20 10

11 SSL/TLS Deployment Best Practices Observed Issues Support of TLS 2.0 Beast Attack Mismatched certs Cross site scripting iframes exploits SHA1 depreciation weak signature, need to upgrade to SHA2 Poodle attack Servers accepting RC4 cipher FREAK Exploits Lack of support of Forward Secrecy with the reference browsers 2015 All rights reserved. Online Trust Alliance (OTA) Slide 21 Enhanced SSL Criteria Two new grades, A+ (100 pts) and A- (90 pts), allow for finer grading. Support for TLS 1.2 required for an A. If not, grade is capped at B. Key lengths below 2048-bit capped at B (below 1024-bit receive an F) MD5 certificate signatures considered insecure, receive an F Warnings servers with good configuration, but one or more warnings, are reduced to an A- Servers not supporting Forward Secrecy receive a warning Servers that do not support secure renegotiation receive a warning Servers that use RC4 with TLS 1.1 or TLS 1.2 receive a warning 2015 All rights reserved. Online Trust Alliance (OTA) Slide 22 11

12 Current Testing Dynamic threat landscape 2015 All rights reserved. Online Trust Alliance (OTA) Slide 23 AOSSL Bonus Points Best practice to secure data for the entire session (not just during/after login) Many sites have moved to AOSSL All rights reserved. Online Trust Alliance (OTA) Slide 24 12

13 Site and Server Security Summary 2015 All rights reserved. Online Trust Alliance (OTA) Slide 25 Concerns Site Security Vulnerabilities constantly emerging sites must keep pace with latest protocols/configuration SHA2 will be required soon (only 51% adoption overall) AOSSL will soon impact interaction with browsers, SEO (only 24% adoption overall) Often a case of operational discipline; vs technical resources All rights reserved. Online Trust Alliance (OTA) Slide 26 13

14 Privacy Base points Privacy policy Third-party trackers on site Bonus points Layered privacy policies Multi-lingual policies Use of Icons Do Not Track status, policy Tag mgmt or privacy solution Penalty points WHOIS (if Private vs Public) Data Breach Incidents Italics = new in 2015 FTC / State Settlements Security Brand Protection Privacy Best practices providing users clear notice and control of the data being collected, tracked and shared with third parties 2015 All rights reserved. Online Trust Alliance (OTA) Slide 27 Privacy Scores and Monitoring 2015 All rights reserved. Online Trust Alliance (OTA) Slide 28 14

15 Privacy Policy and Disclosures 2015 All rights reserved. Online Trust Alliance (OTA) Slide 29 Privacy Bonus Points Layered Notice & Icons Publishers Clearing House Reduced word count from over 4,000 words to 475! Adds clarity, readability & transparency Added bonus points for icons 2015 All rights reserved. Online Trust Alliance (OTA) Slide 30 15

16 Concerns Privacy Though scores rose, improvement is still needed in privacy policy statements (less data sharing and retention, clear disclosure) Miniscule support of icons and multi-lingual policies 2015 All rights reserved. Online Trust Alliance (OTA) Slide 31 Next Steps Continually monitor Your site & SSL configuration streams including top level and all sub domains Privacy policy, practices and those of your partners Make Security & Privacy part of your company DNA Give feedback into the 2016 audit methodology Get involved with OTA! 2015 All rights reserved. Online Trust Alliance (OTA) Slide 32 16

17 Tools & Resources Online Trust Honor Roll Methodology, past reports and related resources Infographic Security SPF/DMARC Record Validator TLS for SSL Server Test Always On SSL (AOSSL) - Extended Validation (EV) Data Protection & Breach Readiness Guide Internet of Things OTA All rights reserved. Online Trust Alliance (OTA) Slide 33 17