Magento Security Best practices 2015

http://goo.gl/MFpBWS
Grow your business safely
www.nbs-system.com
Q4 2015
e-Commerce: the 60% rules
• >60% of web traffic is non-human
• >60% of attempts to steal databases target e-Commerce sites
• >60% of growth for identity theft over three years
• A 2012 study showed retailer websites are at risk 328 days/year
• An IP address is scanned around 40 times per day
The triple loot
A different time scale
[Chart: a time scale running from seconds to years, comparing the time between attack launch and compromise with the time between compromise and its discovery.]
Statistics based on large corporations in 2012 (Verizon Data Breach Investigations Report).
A *very* bad year
It all started with a big #fail (Shoplift)
It all started with a big #fail (RSS orders)
It all started with a big #fail (Magmi)
Other “surprises”
Magento cache leak
But there were others before
Did you take care of the previous ones?
The PayPal / Magento integration flaw (by NBS)
NBS System will disclose a new vulnerability soon
Or even the ones that were not Magento-specific?
PHP: two versions behind, really?
PHP versions in use across our hosting fleet: 88% are outdated and no longer supported, so they receive no security fixes (and there is +12% to +40% in performance to gain by upgrading).
Easily exploitable things beyond classical vulnerabilities
When Magento support is being creative…
Magento Support giving dangerous advice:
• “Chmod 777 your document root…” *REALLY*?
• “Magento is not compatible with reverse proxies.” *Woot*?
• “Give me your root password so we can look” *NO KIDDING*?
• Etc.
Don’t go to a car dealer to fix a bad tooth…
Classical mistakes that cost…
• Leaving your logs accessible, especially debug logs
• Leaving payment gateway logs accessible to all
• Not hiding the Magento, PHP and Apache versions
• Using unaudited extensions: keep them to a minimum, a lot of them are BAD
• Weak passwords, along with no lockout policy, are a plague
Applicative level D.o.S attacks
• Leaving import/export scripts, reindexers and crontab scripts reachable from the web
• Repeatedly calling pages that load very slowly
• Calling the import/export API directly
• Etc.
Securing Magento Flaws
Securing Magento flaws
• Update to versions CE > 1.9 or EE > 1.14.1
• Use PHP 5.6
• Shoplift, Magmi, XML-RPC XXE: filter access with a .htaccess file (or an nginx rule)
Securing recent flaws
Example with Magmi (using Apache, in the docroot .htaccess where Magento already sets RewriteEngine On)
# Dots are escaped and the address anchored: an unescaped, unanchored "^192.168.0.1" also matches 192.168.0.100
RewriteCond %{REQUEST_URI} ^/(index\.php/)?magmi/ [NC]
RewriteCond %{REMOTE_ADDR} !^192\.168\.0\.1$
RewriteRule ^(.*)$ http://%{HTTP_HOST}/ [R=302,L]

Example with Magmi (using Nginx; the nested location inherits allow/deny, so PHP only runs for the admin IP)
location ~* ^/(index\.php/)?magmi {
    allow 192.168.0.1;   # the admin IP
    deny  all;
    location ~* \.php$ {
        include       fastcgi_params;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        fastcgi_pass  unix:/var/run/php-fpm.sock;   # adjust to your PHP-FPM socket
    }
}
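Extending the Magmi rule to the other entry points this and the previous slides name (the Magento Connect updater, the XML-RPC API hit by the XXE, the order RSS feed) and to the directories that hold code, logs, reports and exports (the accessible-logs mistake from the "classical mistakes" slide). This is an added example, not configuration from the slides, from Magento or from NBS System; it assumes the usual Magento 1 nginx layout with a named location @handler that rewrites to /index.php, PHP-FPM on unix:/var/run/php-fpm.sock, and 192.168.0.1 as a placeholder for the admin IP.

```nginx
# Added example (not from the slides): nginx rules for a Magento 1 docroot.
# Assumptions: a named location @handler rewriting to /index.php exists,
# PHP-FPM listens on unix:/var/run/php-fpm.sock, 192.168.0.1 is the admin IP.
# Regex locations are tried in order of appearance, so these blocks must be
# declared BEFORE the vhost's generic "location ~ \.php$".

# 1. Admin-only PHP tools served as plain files: Magmi and the Magento Connect
#    updater. allow/deny are inherited by the nested location, so PHP runs for
#    the admin IP only.
location ~* ^/(magmi|downloader)(/|$) {
    allow 192.168.0.1;
    deny  all;
    location ~* \.php$ {
        include       fastcgi_params;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        fastcgi_pass  unix:/var/run/php-fpm.sock;
    }
}

# 2. Admin-only routes handled by Magento's front controller: the XML-RPC API
#    (the XXE target) and the order RSS feed (HTTP basic auth only, brute-forceable).
#    allow/deny run in nginx's access phase, before try_files hands the request
#    to @handler, so the IP check happens before any PHP executes.
location ~* ^/(index\.php/)?(api/xmlrpc|rss/order)(/|$) {
    allow 192.168.0.1;
    deny  all;
    try_files $uri @handler;
}

# 3. Never serve application code, logs, reports, exports or customer downloads
#    (var/log, var/report and var/export are where the "accessible logs" live).
location ~* ^/(app|includes|lib|pkginfo|shell|var|media/downloadable)(/|$) {
    deny all;
}
location ~ /\.(ht|git|svn) {   # .htaccess, .htpasswd, VCS metadata
    deny all;
}
```

A "deny all" location with nothing else in it answers 403 without touching PHP, which is what you want for the directories in block 3. Check the result from an outside address with a plain HTTP client rather than from the office: a rule that only ever gets tested from the allowed IP is a rule that has never been tested.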
Protect your backoffice & updater
Example using Apache (2.2 syntax; on Apache 2.4 replace the Order/Deny/Allow lines with "Require ip [MY_IP]" inside a <RequireAny> together with "Require valid-user")
# /admin is the default Magento backoffice path: put your renamed admin URL here,
# and repeat the block for /downloader (the Magento Connect updater).
<Location /admin>
AuthType Basic
AuthName "Restricted Area"
AuthUserFile /etc/apache2/access/htpasswd
Require valid-user
Order deny,allow
# Without "Deny from all", Order deny,allow permits everyone and "Satisfy any"
# then waves the request through with no password at all.
Deny from all
Allow from [MY_IP]
Satisfy any
</Location>
Then, just add a user (-c creates the file; omit it when adding further users):
htpasswd -c /etc/apache2/access/htpasswd [user]
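The same "allowed IP or valid password" rule for the Magento backoffice, written for nginx. This is an added example, not from the slides; it assumes the backoffice still answers on the default "admin" front name (use your renamed URL instead), that the password file is /etc/nginx/access/htpasswd (nginx reads the same format Apache's htpasswd tool produces), that 192.168.0.1 is the admin IP and that the usual @handler named location exists.

```nginx
# Added example (not from the slides): nginx equivalent of the Apache
# backoffice block. Assumptions: default "admin" front name, password file
# /etc/nginx/access/htpasswd, admin IP 192.168.0.1, named location @handler.

# "satisfy any": the request passes if it comes from an allowed IP OR presents
# valid basic-auth credentials. The default ("satisfy all") would demand both,
# and without "deny all" the allow list does nothing, exactly as with Apache's
# missing "Deny from all".
location ~* ^/(index\.php/)?admin(/|$) {
    satisfy any;
    allow 192.168.0.1;
    deny  all;
    auth_basic           "Restricted Area";
    auth_basic_user_file /etc/nginx/access/htpasswd;
    try_files $uri @handler;   # then routed through index.php like any Magento URL
}
# Apply the same five directives to "location ~* ^/downloader(/|$)" (with a
# nested "location ~* \.php$" that passes to PHP-FPM) if you would rather
# protect the updater with a password than with an IP allow-list.
```

Create the password file with the htpasswd tool from apache2-utils, or with `openssl passwd -apr1` and write `user:hash` yourself; nginx accepts apr1 hashes. Keep the file outside the document root and readable by the nginx worker user only.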
Leveraging native Magento security
• Use HTTPS for the backoffice and for the whole checkout funnel
• Change your backoffice default URL
• Do *NOT* use a weak password (no, « tommy4242 » is not safe)
• Put a limit on the number of failed login attempts
• Set a password expiration time and change passwords every 3 months
• Enforce case-sensitive passwords
• Disable email password recovery
Securing Web application
Organizational security
• Get a security review
• Keep track of vulnerabilities in the Magento ecosystem
• Have serious passwords, change them every 3 months
• Do not keep information unless it is needed
• Pick a PCI DSS certified hosting company
• Use 3-D Secure
• Keep Magento & PHP up to date
Infrastructure security
• Keep a daily backup
• Use a WAF: NAXSI is open source, free and stable
• Put rate limits on your reverse proxies
• Filter your outgoing traffic
It’s the job of your managed services provider.
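What "rate limits on your reverse proxies" looks like on nginx, covering both this bullet and the "applicative level DoS" slide earlier (slow pages called in a loop, import/export through the API, cron and shell scripts reachable from the web). This is an added example, not from the slides; the Magento backend address 127.0.0.1:8080, the rates, the bursts and the list of expensive pages are placeholders to be tuned from your own access logs.

```nginx
# Added example (not from the slides): per-client request-rate limits on an
# nginx reverse proxy in front of Magento. Assumptions: Magento answers on
# 127.0.0.1:8080; the rates and the page list below are placeholders.

http {
    upstream magento { server 127.0.0.1:8080; }

    # One token bucket per client IP; 10 MB of shared memory holds ~160k addresses.
    limit_req_zone  $binary_remote_addr zone=browse:10m rate=10r/s;  # normal browsing
    limit_req_zone  $binary_remote_addr zone=slow:10m   rate=1r/s;   # expensive pages
    limit_req_zone  $binary_remote_addr zone=api:10m    rate=2r/s;   # SOAP / XML-RPC API
    limit_conn_zone $binary_remote_addr zone=conns:10m;
    limit_req_status  429;
    limit_conn_status 429;

    server {
        listen 80;

        # Server-wide defaults. A location that sets its own limit_req replaces
        # these (limit_req is not merged, it is inherited only when absent).
        limit_req  zone=browse burst=50 nodelay;   # a page plus its assets is a burst, not an attack
        limit_conn conns 20;

        # Expensive renders (search, checkout, login, ...): tight rate, small
        # burst; excess requests are queued (no "nodelay") to smooth spikes.
        location ~* ^/(index\.php/)?(catalogsearch|checkout|customer/account/login)(/|$) {
            limit_req zone=slow burst=5;
            proxy_pass http://magento;
        }

        # The API: imports and exports are heavy, so limit it rather than leave it open.
        location ~* ^/(index\.php/)?api(/|$) {
            limit_req zone=api burst=5 nodelay;
            proxy_pass http://magento;
        }

        # Cron and shell scripts (reindexers, importers) run from the host's
        # crontab, never from the Internet: refuse them before they reach PHP.
        location ~* ^/(cron\.php|cron\.sh|shell/) {
            return 403;
        }

        location / {
            proxy_pass       http://magento;
            proxy_set_header Host $host;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        }
    }
}
```

Two caveats. If this proxy itself sits behind a CDN or load balancer, configure the real_ip module (set_real_ip_from / real_ip_header) first, otherwise every visitor shares the CDN's address and one bucket. And a rate limit is keyed on the client address, so it slows a single abusive host or a small botnet; for a distributed flood it is the anti-DDoS layer in front of the proxy that has to absorb the traffic.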
Host level security
• Change the default backoffice URL
• Disable directory indexing
• Have correct permissions: files=644, directories=755
• nofollow, noindex on preprod
• Use the best practices mentioned before
It’s the job of your managed services provider.
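The server-level settings behind three of these bullets (no directory listing, no indexing of preprod, and the version banners from the "classical mistakes" slide), as an added nginx example that is not part of the slides. It assumes a preprod vhost named preprod.example.com with its docroot at /var/www/preprod/htdocs and PHP-FPM on unix:/var/run/php-fpm.sock.

```nginx
# Added example (not from the slides): nginx vhost hardening for a Magento
# preprod. Assumptions: hostname preprod.example.com, docroot
# /var/www/preprod/htdocs, PHP-FPM on unix:/var/run/php-fpm.sock.

server {
    listen      80;
    server_name preprod.example.com;
    root        /var/www/preprod/htdocs;

    server_tokens off;   # no nginx version in the Server header or on error pages
    autoindex     off;   # never list a directory without an index file (the default, made explicit)

    # Preprod must stay out of search engines. The header is sent with every
    # response, so it survives a deploy that overwrites robots.txt.
    add_header X-Robots-Tag "noindex, nofollow" always;

    location / {
        try_files $uri $uri/ @handler;
    }
    location @handler {
        rewrite / /index.php;
    }
    location ~ \.php$ {
        include             fastcgi_params;
        fastcgi_param       SCRIPT_FILENAME $document_root$fastcgi_script_name;
        fastcgi_pass        unix:/var/run/php-fpm.sock;
        # PHP advertises its version in X-Powered-By when expose_php=On; hide it
        # here and set expose_php=Off in php.ini as the real fix.
        fastcgi_hide_header X-Powered-By;
    }
}
```

Note that add_header is not merged: a location that declares its own add_header loses the server-level X-Robots-Tag and must repeat it. And noindex only keeps crawlers away; attackers scan IP ranges, not search results, so a preprod also deserves the IP allow-list or basic-auth protection used for the backoffice, and the 644/755 permissions are set on the filesystem, not here.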
High end security
CerberHost
[Layer diagram of the CerberHost stack, top to bottom:]
Humans: motivating wages, SOC team, security trainings, background checks
Website: NAXSI (web application firewall), ReqLimit (anti applicative DoS), ExecVE killer, File Upload checker, PHP Suhosin V2, App scan, Threadfix virtual patching
Database: MySQL Interceptor
Applicative stack: PHP Suhosin V2, daemon hardening
Network: anti-DDoS, isolated VLANs, firewalling
Operating system: PaX, GrSec, Watch Folder, PHP Malware Finder
Hardware: redundant hardware, redundant datacenters, redundant data storage, redundant telecom uplinks
Across all layers: log central, Security Event Manager, Ban Commander, Flex Dynamic Firewall

Grow your business safely
Contact
[email protected]
+33.1.58.56.60.80
www.nbs-system.com
Twitter: @nbs_system