Magento Security
Best practices 2015
Q4 2015
Grow your business safely
http://goo.gl/MFpBWS
www.nbs-system.com
e-Commerce: the 60% rules
• >60% of web traffic is non-human
• >60% of attempts to steal databases target e-Commerce sites
• >60% growth in identity theft over three years
• A 2012 study showed retailer websites are at risk 328 days/year
• An IP address is scanned around 40 times per day
The triple loot
A different time scale
Chart (time axis: Seconds, Minutes, Hours, Days, Weeks, Months, Years) comparing two durations:
• Time between attack launch and compromising
• Time between compromising and its discovery
Statistics based on large corporations in 2012 (Verizon Data Breach report)
A *very* bad year
A *very* bad year
It all started with a big #fail (Shoplift)
It all started with a big #fail (RSS orders)
It all started with a big #fail (Magmi)
Other “surprises”
Magento cache leak
But there were others before
Did you take care of the previous ones?
Did you take care of the previous ones?
The PayPal / Magento integration flaw (found by NBS)
NBS System will release a new vulnerability soon
Or even the ones that were not Magento specific?
PHP: two versions behind, really?
PHP versions in use across our hosted fleet (chart): 88% are outdated and not supported anymore… No security fixes. (And +12% to +40% performance to gain.)
Easily exploitable things beyond classical vulnerabilities
Magento Support giving dangerous advice
When Magento support is being creative…
• “Chmod 777 your document root…” *REALLY*?
• “Magento is not compatible with reverse proxies.” *Woot*?
• “Give me your root password so we can look.” *NO KIDDING*?
• Etc…
Don’t go to a car dealer to fix a bad tooth…
Classical mistakes that cost…
• Leaving your logs accessible, especially the debug ones
• Leaving payment gateway logs accessible to all
• Not hiding Magento, PHP and Apache versions
• Use a minimum of unaudited extensions, a lot of them are BAD
• Weak passwords, along with no lockout policy, are a plague
Applicative level D.o.S attacks
• Leaving import/export scripts, reindexers, crontabs accessible
• Calling pages that load very slowly
• Accessing the import / export API directly
• Etc.
Securing Magento Flaws
• Update to versions CE > 1.9 or EE > 1.14.1
• Use PHP 5.6
• Shoplift, Magmi, XML-RPC XXE: filter the access with a .htaccess file (or an nginx rule)
Securing recent flaws
Example with Magmi (using Apache). 192.168.0.1 stands for the one address (office or VPN) allowed to reach the importer; everybody else is bounced to the home page:

```apache
RewriteEngine On
# Any URL under /magmi/ (with or without the index.php/ prefix)...
RewriteCond %{REQUEST_URI} ^/(index\.php/)?magmi/ [NC]
# ...coming from anything other than the allowed address (dots escaped, end anchored)
RewriteCond %{REMOTE_ADDR} !^192\.168\.0\.1$
RewriteRule ^(.*)$ http://%{HTTP_HOST}/ [R=302,L]
```

Example with Magmi (using Nginx). The nested location keeps PHP execution for the allowed address; without a `fastcgi_pass` nginx would hand the .php source back as a static file, so point it at the same backend as your main PHP location (the socket path below is an assumption, adjust it):

```nginx
location ~* ^/(index\.php/)?magmi {
    allow 192.168.0.1;   # the one address allowed to use the importer
    deny  all;
    location ~* \.php$ {
        include fastcgi_params;
        # same backend and SCRIPT_FILENAME settings as your main PHP location
        fastcgi_pass unix:/var/run/php-fpm.sock;
    }
}
```
Protect your backoffice & updater
Example using Apache. /admin is the Magento 1 default backoffice path; use your renamed admin URL instead, and repeat the block for /downloader (the updater):

```apache
<Location /admin>
    AuthType Basic
    AuthName "Restricted Area"
    AuthUserFile /etc/apache2/access/htpasswd
    Require valid-user
    # Apache 2.2 style host access: nobody but [MY_IP]...
    Order deny,allow
    Deny from all
    Allow from [MY_IP]
    # ...and either an allowed IP OR a valid login gets through
    Satisfy any
</Location>
```

`Deny from all` is required: with `Order deny,allow` and no Deny rule, host access defaults to "allow everyone", and `Satisfy any` would then let every visitor in without a password.

Then, just add a user (`-c` creates the file; leave it out when adding further users or the existing file is overwritten):

```shell
htpasswd -c /etc/apache2/access/htpasswd [user]
```
Leveraging native Magento security
• Use HTTPS for backoffice & order tunnel access
• Change your backoffice default URL
• Do *NOT* use a weak password (no, “tommy4242” is not safe)
• Put a limit on the number of failed login attempts
• Set a password expiration time and change passwords every 3 months
• Enforce case-sensitive passwords
• Disable email password recovery
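The failed-login limit above can also be enforced (and, first, observed) from the web server logs rather than only inside Magento. The following is an added example, not code from NBS System or from Magento: it parses Apache combined access-log lines (constructed here), treats a POST to the renamed backoffice URL answered with HTTP 200 as a failed login (an assumption about what Magento 1 logs: a bad password re-renders the form, a good one redirects with 302), keeps a sliding window of failures per source IP, and reports the addresses that hit the limit, the way a fail2ban-style jail would. The admin path, the IPs and the thresholds are placeholders.

```python
"""Failed-login lockout for a Magento 1 backoffice, driven by Apache access
logs. Added example; the paths, IPs and thresholds are placeholders."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Placeholder: the renamed backoffice URL (never leave the default /admin).
ADMIN_LOGIN_PATH = "/index.php/secretadmin/"

# Apache "combined" format: ip ident user [ts] "METHOD path proto" status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)


def parse_line(line):
    """Return the fields we need from one combined-log line, or None when it
    does not parse (truncated or foreign lines must never crash a monitor)."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {
        "ip": m["ip"],
        "ts": datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z"),
        "method": m["method"],
        "path": m["path"],
        "status": int(m["status"]),
    }


def is_failed_admin_login(rec):
    """Assumption: Magento 1 re-renders the login form with HTTP 200 on a bad
    password and answers a successful POST with a 302 to the dashboard."""
    return (rec["method"] == "POST"
            and rec["path"].startswith(ADMIN_LOGIN_PATH)
            and rec["status"] == 200)


class LockoutPolicy:
    """Sliding-window counter per source IP: max_failures inside `window`
    locks the address out for `lockout`."""

    def __init__(self, max_failures=5, window=timedelta(minutes=10),
                 lockout=timedelta(minutes=30)):
        self.max_failures = max_failures
        self.window = window
        self.lockout = lockout
        self.failures = defaultdict(deque)   # ip -> timestamps of failures
        self.locked_until = {}               # ip -> lockout expiry

    def is_locked(self, ip, now):
        until = self.locked_until.get(ip)
        return until is not None and now < until

    def record_failure(self, ip, now):
        """Register one failure; return True when it triggers (or extends) a lockout."""
        q = self.failures[ip]
        q.append(now)
        while q and now - q[0] > self.window:   # forget failures outside the window
            q.popleft()
        if len(q) >= self.max_failures:
            self.locked_until[ip] = now + self.lockout
            return True
        return False


def scan_log(lines, policy=None):
    """Replay log lines through the policy; return {ip: time it first hit the
    limit} for every address that should be blocked."""
    policy = policy or LockoutPolicy()
    flagged = {}
    for line in lines:
        rec = parse_line(line)
        if rec is None or not is_failed_admin_login(rec):
            continue
        if policy.record_failure(rec["ip"], rec["ts"]):
            flagged.setdefault(rec["ip"], rec["ts"])
    return flagged


# Constructed sample: 203.0.113.7 hammers the login form, 198.51.100.4 mistypes
# once and then logs in (302 to the dashboard), plus one unparseable line.
SAMPLE_LOG = [
    '203.0.113.7 - - [23/Oct/2015:10:00:01 +0200] "POST /index.php/secretadmin/ HTTP/1.1" 200 4521 "-" "Mozilla/5.0"',
    '198.51.100.4 - - [23/Oct/2015:10:00:09 +0200] "POST /index.php/secretadmin/ HTTP/1.1" 200 4521 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [23/Oct/2015:10:00:12 +0200] "POST /index.php/secretadmin/ HTTP/1.1" 200 4521 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [23/Oct/2015:10:00:20 +0200] "POST /index.php/secretadmin/ HTTP/1.1" 200 4521 "-" "Mozilla/5.0"',
    '198.51.100.4 - - [23/Oct/2015:10:00:30 +0200] "POST /index.php/secretadmin/ HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
    '198.51.100.4 - - [23/Oct/2015:10:00:31 +0200] "GET /index.php/secretadmin/dashboard/ HTTP/1.1" 200 9876 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [23/Oct/2015:10:00:34 +0200] "POST /index.php/secretadmin/ HTTP/1.1" 200 4521 "-" "Mozilla/5.0"',
    'this line is truncated garbage',
    '203.0.113.7 - - [23/Oct/2015:10:00:51 +0200] "POST /index.php/secretadmin/ HTTP/1.1" 200 4521 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [23/Oct/2015:10:01:15 +0200] "POST /index.php/secretadmin/ HTTP/1.1" 200 4521 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for ip, when in scan_log(SAMPLE_LOG).items():
        print(f"{ip} hit the failed-login limit at {when.isoformat()}")
```

With the defaults (5 failures in 10 minutes) only 203.0.113.7 is flagged, at its fifth attempt; the single mistake from 198.51.100.4 never comes close, which is the point of counting per source rather than globally. Feed the flagged addresses to a firewall ban or to the reverse proxy's deny list, and keep the window short enough that a shared office NAT is not punished for one colleague's typo.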
Securing Web application
Organizational security
• Get a security review
• Keep track of vulnerabilities in the Magento ecosystem
• Have serious passwords, change them every 3 months
• Do not keep information unless it is needed
• Pick a PCI DSS certified hosting company
• Use 3D Secure
• Keep Magento & PHP versions up to date
Infrastructure security
• Keep a daily backup
• Use a WAF; NAXSI is open source, free and stable
• Put rate limits on your reverse proxies
• Filter your outgoing traffic
It’s the job of your managed services provider.
Host level security
• Change the default backoffice URL
• Disable directory indexing
• Have correct permissions: file=644, directory=755
• No follow, no index on preprod
• Use the best practices mentioned before
It’s the job of your managed services provider.
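The permission advice above (file=644, directory=755), the "chmod 777 your document root" anecdote and the earlier point about logs left reachable from the web can all be checked with one small audit. The script below is an added example, not NBS System's code: it walks a Magento 1 document root, flags every file or directory more permissive than those two modes, and reports the directories Magento never needs to serve directly (app/ with app/etc/local.xml and its DB credentials, var/ with the logs, lib/, includes/) whose .htaccess does not contain `Deny from all`. That last check assumes Apache with AllowOverride in effect; nginx ignores .htaccess files and needs the equivalent location rule. The demo document root it builds in a temporary directory, with three deliberate mistakes, is constructed for the example.

```python
"""Audit a Magento 1 document root for the permission and exposure mistakes
listed on the slides. Added example; the demo tree is constructed."""
import os
import stat
import tempfile
from pathlib import Path

FILE_MAX = 0o644   # recommended file mode: anything beyond it is a finding
DIR_MAX = 0o755    # recommended directory mode

# Directories Magento 1 never serves directly. Assumption: Apache honours a
# .htaccess with "Deny from all" in each; nginx needs a location rule instead.
PROTECTED_DIRS = ["app", "var", "lib", "includes"]


def audit_docroot(root):
    """Return [(relative path, problem)] for every entry more permissive than
    FILE_MAX/DIR_MAX and every protected directory not shielded from the web."""
    root = Path(root)
    findings = []
    for path in sorted(root.rglob("*")):
        if path.is_symlink():
            continue
        mode = stat.S_IMODE(path.lstat().st_mode)
        rel = str(path.relative_to(root))
        if path.is_dir() and mode & ~DIR_MAX:       # bits outside 755 set
            findings.append((rel, f"directory mode {mode:o}, expected at most {DIR_MAX:o}"))
        elif path.is_file() and mode & ~FILE_MAX:   # bits outside 644 set
            findings.append((rel, f"file mode {mode:o}, expected at most {FILE_MAX:o}"))
    for name in PROTECTED_DIRS:
        directory = root / name
        if not directory.is_dir():
            continue
        htaccess = directory / ".htaccess"
        rules = htaccess.read_text().lower() if htaccess.is_file() else ""
        if "deny from all" not in rules:
            findings.append((name + "/", "no .htaccess denying web access: logs or config downloadable"))
    return findings


def _write(path, text, mode):
    path.parent.mkdir(parents=True, exist_ok=True)
    path.write_text(text)
    os.chmod(path, mode)


def build_demo_docroot():
    """Constructed Magento-like tree with three deliberate mistakes: a
    'chmod 777' media/ directory, a world-writable exception log, and a var/
    directory shipped without its .htaccess."""
    root = Path(tempfile.mkdtemp(prefix="magento-audit-"))
    deny = "Order deny,allow\nDeny from all\n"
    _write(root / "index.php", "<?php\n", 0o644)
    _write(root / "app" / ".htaccess", deny, 0o644)
    _write(root / "app" / "etc" / "local.xml", "<config/>\n", 0o644)
    _write(root / "lib" / ".htaccess", deny, 0o644)
    _write(root / "includes" / ".htaccess", deny, 0o644)
    _write(root / "var" / "log" / "exception.log", "exception trace\n", 0o666)
    (root / "media").mkdir()
    for d in root.rglob("*"):
        if d.is_dir():
            os.chmod(d, 0o755)
    os.chmod(root / "media", 0o777)
    return root


if __name__ == "__main__":
    for rel, problem in audit_docroot(build_demo_docroot()):
        print(f"{rel}: {problem}")
```

Run it against a real document root with `audit_docroot("/var/www/magento")` (path assumed); an empty list is the target state. Modes stricter than the recommendation (a 600 local.xml, for instance) are deliberately not reported, since the check is "nothing more permissive than 644/755", not "exactly 644/755".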
High end security
CerberHost: layered security (diagram)
Layers: Hardware, Operating system, Network, Applicative stack, Database, Website, Humans
Components shown on the diagram:
• Humans: motivating wages, SOC team, security trainings, background checks
• N.A.X.S.I (web application firewall)
• ReqLimit (anti applicative DoS)
• ExecVE killer
• File Upload checker
• PHP Suhosin V2
• App scan
• Threadfix virtual patching
• MySQL Interceptor
• Daemon hardening
• Anti DDoS
• Isolated VLANs
• Firewalling
• PaX
• GrSec
• Watch Folder
• PHP Malware finder
• Redundant hardware, redundant datacenters, redundant data storage, redundant telecom uplinks
• Log central
• Security Event Manager
• Flex Dynamic Firewall
• Ban Commander
Contact
Grow your business safely
[email protected] / +33.1.58.56.60.80
www.nbs-system.com / Twitter: @nbs_system