HOW TO BULLETPROOF YOUR ECOMMERCE SITE HOW TO BULLETPROOF YOUR ECOMMERCE SITE Maria Karaivanova Head of Business Development CloudFlare Inc. @mariakar I. What Keeps Merchants Up At Night? Competition! Losing customer trust Delivering high quality customer service Store getting hacked Data theft Not enough traffic to store Has Your Store Been Attacked? May be / Not Sure 17% No 41% Yes 42% What Kind Of Attack Was It? 6% 2% DDoS Attack 8% SQL injection 9% 45% Other Cross-site scripting (XSS) Unauthorized admin access 13% Credit card theft Directory traversal 17% How Did You Respond To The Attack? 26% Firewall Software update Using ISP 4% 55% 4% Changed password Changed server configuration Not reported 5% 6% How Much Did The Attack Cost You? 4% 1% 14% 0-$10k $10-30k $30-100k $100-1 million 82% II. Security Trends The latest attacks are increasingly sophisticated and human-like Sophistication The Evolving Landscape Of DDoS Attacks DNS amplification Up to 300 Gbps NTP reflection Up to 400+ Gbps (35% up from DNS ampl.) DNS infrastructure 100s Gbps 2013 2014 HTTP Application 100s Gbps Source: www.digitalattackmap.com Ecommerce Sites Are A Lucrative Target Media & Entertainment 16% High Tech 9% Commerce 27% Public Sector 20% Enterprise 28% Source: www.akamai.com/stateoftheinternet Example: Application Layer Attack Layer 7 Attack Application Layer DDoS Attacks – Layer 7 Layer 7 Attack Mitigation Application Layer DDoS Attacks – Layer 7 IP challenged and “grey listed” in a matter of seconds. III. Five Steps to Bulletproof Your Store 1. Encrypt & Secure Customer Data Use HTTPS/SSL For Your Entire Website Create A Custom Admin Path Exercise password hygiene • Two-factor authentication • Choose complex passwords • Always Use Secure FTP 2. Deploy a Web Application Firewall PCI Compliance - DSS requirement 6.6 The Right Firewall 3. Have A DDoS Mitigation Plan Better Ways To Delight Your Customers? …And Better Ways To Kick Off The Holiday Season “We are getting hammered and can’t keep the site online. We need to get behind a proxy to shield us from the attacks.” Have A DDoS Mitigation Plan 4. Keep Your Website Software Updated Always Use the Latest Version of Magento Be Vigilant With Add-ons Perform Regular Malware Scans 5. Get Ready for Spikes in Traffic Source: Adobe Digital Index Be fast around the world Five easy steps to a more secure Magento shop Thank you! Maria Karaivanova Head of Business Development CloudFlare Inc. @mariakar