12 Habits of Highly Secured Magento Merchants

Transcription

1

2 12 Habits of Highly Secured Magento Merchants

3 Jeries (Jerry) Eadeh VP of Channel Sales 5 years at Nexcess Speaker at Magento Events Small business

4 Have you ever left the doors unlocked?

5 Magento Enterprise is a self-hosted platform. This means that you, not Magento, are responsible for ensuring the data on your server is secure. It also transfers the risks of security breaches entirely onto you, and making sure that this information is secure as it needs to be can consume large amounts time and money. Allen Burt, Founder BlueStout.com Which Enterprise Ecommerce Platform Solution is Better? Shopify Plus vs. Magento EE.

6 Work with reliable hosting providers and solution integrators. When evaluating their qualifications, ask about their approach to security. Verify that they have a secure software development life cycle in accord with industry standards such as The Open Web Application Security Project (OWASP), and that they test their code for security issues. SECURITY BEST PRACTICES by PIOTR KAMINSKI

7

8 Secure Hardware & Network facilities Hosting Provider Define Security Policy Magento Merchant Coding and Logging practices Developer / SI Agency

9

10 How do you start protecting your business?

11 Document a security strategy across the entire company.

12 Do you have a network diagram?

13 Payment Card Industry Data Security Standard One Standard PCI DSS

14

15 Habit 1: Firewall Protection Firewall Block outside traffic from coming into the network One for every access point to the network Restricts traffic to your server Software or Web Application Firewalls (WAF) Operates as close to the network program as possible Ruleset that protects Magento, and blocks malicious activity Allows for monitoring all network traffic

16 Habit 2: Good Password Hygiene Password Protect your Network All wireless & wired networks All server and application logins All personal computers and devices Clean Password Living Expire after 90 days Be unique from any of the last four passwords used Passwords must be alphanumeric Lowercase characters Capital (uppercase) characters Numerals

17 Virtual Password Wallets

18 Habit 3: Data Retention Policy Ask yourself these questions How will you securely store and eventually destroy the data? Where will that data reside while in your possession? What data needs to be collected? Managing sensitive data Place data into a directory that isn t web-accessible Clean up any data after a migration or upgrade Remove any older site data Remove any database dumps Shred documents containing sensitive information,

19 What is Tokenization? Substituting sensitive data with non-sensitive data. If you collect it you must protect it 15 or 16 digit credit card # s Credit card authorization keys Usernames and passwords Last four digits of credit card # s, not sensitive data. WHY TOKENIZATION IS CHANGING THE WAY BUSINESSES DO ECOMMERCE by Joy Daniels. SEPT 2, 2015

20 Habit 4: Purchase an SSL Certificate Why are SSLs important? Send encrypted information to recipient Send info to the right server (Authentication) Types of SSL certificates Domain Validation (DV) Business Validation (BV) Extended Validation (EV) CDN SSL certificates

21

22 Habit 5: Protect Against Malware Home/office malware protection If using Windows on your workstation, be sure to have a current, working anti-virus software installed Windows Defender is an acceptable anti-virus for Windows 10 AVG is a free and reliable anti-virus solution for other versions of Windows. Make certain the definitions are kept up-to-date

23 Habit 6: Stay Up-to-Date. Sources for vulnerability information Magento Security Center Magento Security-Alert Registry MageReport.com

24

25 Habit 7: Restrict Access Document an access policy Define user roles (Support, Sales etc.) Restrict system/device/data privileges Assign privileges necessary to perform job Examples System Administrators Billing Dept. Personnel All Developers Project Managers

26 Habit 8: Assign Unique User IDs Identify and Authenticate Access to data must have a unique ID. Trace actions to known users. Delete old user profiles. PCI DSS 3.1 Two Factor is MANDATORY!

27

28 Habit 9: Lock the front door! Secure all physical entry points Consider badge entry and door lock controls Lock all physical console screens Safeguard against... Cardholder data being accessed Areas where devices, systems, or hardcopies can be accessed Both electronic and POS paper receipts

29 Habit 10: Track and monitor activity Version Control System (VCS) Revert files back to a previous state Revert the entire project back to a previous state Compare changes over time See who last modified something Who introduced an issue and when. File Integrity Manager (FIM) Alerts you to changes in critical system files, configuration files, and content files.

30

31 Magento Administrator Users notifications for admin user changes Notifications of successful and failed login attempts Log user actions that... a. b. c. create edit delete

32

33 Habit 11: Practice Fire Drill Safety Regularly test security systems Run internal and external network vulnerability scans Use up-to-date network intrusion detection systems (IDS) Use up to date file integrity monitoring (FIM) tools

34 Habit 12: Company Security Policy If you build it, the documentation will come. Remember to use the PCI DSS as your guide Document Information Security Manual for your team Document security policies for your patrons Know your responsibilities Determine your scope with the help of your vendors. Diagram and document everything Identify the cardholder environment Partner with companies to narrow your scope. Formally assess your company for PCI Compliance

35 At the heart of any secure system is the staff that implements it. Find out more information by visiting...

36 Jeries (Jerry)