Imperva Cloud WAF - ANASOFT

Transcription

eBook: Imperva Cloud WAF
How to Protect Your Website from Hackers

Table of Contents
Introduction
Website Threats
PCI DSS Compliance
Imperva Cloud WAF
Case Study: Keystone RV

Introduction

Web attacks are the greatest threat facing organizations today. In the last year, Web attacks have brought down businesses of all sizes and resulted in massive-scale data breaches. Regulations like the PCI Data Security Standard attempt to rein in these threats by mandating Web application protection.

There’s a smart and easy way for businesses to safeguard their Website and achieve compliance.

In this eBook, we look at today’s most dangerous Website threats. We also examine PCI DSS compliance requirements. Then, we introduce Imperva Cloud WAF, a managed security service that protects applications from Web attacks, and profile Keystone RV, a company that stopped a devastating DDoS attack with Imperva Cloud WAF.

[Figure: hackers, bots, scrapers, comment spammers, and legitimate traffic directed at your Websites]

Website Threats

Web Attacks Are Your Number One Risk

Web application attacks are the most prevalent and devastating threat facing organizations today.

Web attacks are responsible for some of the largest information security breaches in history, including four of the top credit card breaches between 2005 and 2011. At one retailer, hackers used SQL injection to compromise servers and steal 45 million personal information records, costing the organization an estimated 256 million.

Web Attacks Are Increasing

Web attacks are growing in number, with 64% of organizations in a 2011 survey reporting they had suffered a Web attack in the past four weeks.[1] The same survey found that Denial of Service (DoS) and Web application attacks, both of which target Websites, were the two most costly types of cyber crime.

Web Attacks Are Becoming More Advanced

Sophisticated attack techniques have enabled hackers to launch large-scale attacks more quickly. Hackers have also become more organized, pooling resources and sharing exploits in underground forums.

Automated attack tools use search engines to rapidly discover vulnerabilities and attack thousands of sites. For even greater efficiency, hackers have built networks of bots – remotely controlled computers – to unleash large-scale attacks.

[Figure: Example of a Botnet Management Dashboard]

Most Web Applications Have Vulnerabilities

Most Web applications – over 80%[2] – have had serious vulnerabilities. This is due in part to the lack of effort applied to secure coding; most developers are motivated to write code quickly or add advanced new functionality rather than write applications securely.

Traditional Solutions Don’t Stop Web Attacks

Firewalls and Intrusion Prevention Systems (IPSs) prevent network attacks, but they are not designed to stop Web application attacks. They cannot differentiate between bots and human users, so they cannot block business logic attacks like site scraping and comment spam. Since they rely on signatures, hackers can use encoding, comments, and other evasion techniques to circumvent them. Most firewalls and IPSs cannot inspect HTTPS traffic, leaving SSL-enabled sites completely unprotected.

Web Application Firewalls Stop Web Attacks

Web Application Firewalls (WAFs) are purpose-built to protect against Web attacks. WAFs combine several security measures together to offer accurate protection for a myriad of threats, including SQL injection, Cross-site scripting (XSS), CSRF, site scraping, application DDoS attacks, and many more.

Notes
[1] “Second Annual Cost of Cyber Crime Study,” Ponemon Institute, 2011
[2] “WhiteHat Website Security Statistic Report,” WhiteHat Security, 2011

Website Threats By the Numbers

» 230 is the average number of vulnerabilities on a Website (1)
» 75% of all cyber attacks target Web applications (2)
» 89% of compromised records are due to hacking and external threats (3)
» 64% of organizations feel that they can’t fix Web vulnerabilities quickly (4)
» 7.2 Million is the average cost of a data breach (5)

Sources
(1) “WhiteHat Website Security Statistic Report,” WhiteHat Security, 2011
(2) Gartner Research
(3) “2011 Data Breach Investigations Report,” Verizon Business, 2011
(4) “State of Web Security,” Ponemon Institute, 2011
(5) “US Cost of a Data Breach,” Ponemon Institute, 2011

PCI DSS 6.6 Compliance

Does your organization process, store, or transmit credit card data? If so, you probably need to comply with the Payment Card Industry Data Security Standard (PCI DSS). To address PCI, you must satisfy 12 high-level requirements, including requirement 6.6, which governs Web security. PCI 6.6 offers two ways for organizations to protect public-facing Web applications:

» Review Web applications at least annually and after any changes
» Protect applications with a Web Application Firewall

First, you must decide whether you want to scan and fix applications or use a Web Application Firewall (WAF) to address PCI 6.6. Then, you must select a WAF solution or a Web scanning or consulting company to achieve compliance.

Option 1: Review Web Applications

All organizations should follow secure application coding best practices. However, addressing PCI 6.6 by reviewing and fixing applications has the following challenges:

» Organizations must hire an organization that specializes in application security or train internal staff that are independent of the development team
» Organizations must assess applications annually and after any changes
» Organizations must fix any vulnerabilities and retest applications

Reviewing and fixing Web vulnerabilities is costly and may impact application development schedules.

Option 2: Implement a Web Application Firewall

Web Application Firewalls automatically detect and block attacks before damage can occur. WAFs offer the following benefits:

» WAFs proactively stop Web attacks. WAFs use multiple detection techniques to identify advanced attacks, automated threats, and bots with precision.
» WAFs provide continuous security. WAFs protect Web applications around the clock – not just immediately after a find-and-fix cycle.
» WAFs offer low total cost of ownership and won’t impact Web application development or entail expensive consulting engagements.

For many organizations, WAFs offer a secure, cost-effective way to address PCI 6.6.

Selecting a Web Application Firewall

If you’ve decided to address PCI 6.6 with a WAF, consider the following evaluation criteria when selecting a WAF:

» Security accuracy – The WAF should block all Web attacks and bots without creating false positives.
» Ease of management – The WAF should not require in-depth knowledge or training to configure. For smaller organizations, a managed WAF service may be ideal.
» Ease of deployment – The WAF should be easy to deploy with minimal network changes or new equipment.

Achieving PCI 6.6 compliance is quick and easy once you’ve considered your options and determined your requirements.

Imperva Cloud WAF has been certified by a PCI Qualified Security Assessor (QSA) as a PCI-compliant WAF service.

Imperva subsidiary Incapsula has certified the underlying Imperva Cloud WAF technology.

Imperva Cloud WAF

To avoid a costly data breach and stay out of the news headlines, you need to protect your Website against Web attacks. If you sell products or services online, you also need to address PCI compliance.

Imperva Cloud WAF, powered by Incapsula, is an easy and affordable cloud-based Web Application Firewall service that stops Web attacks and meets PCI requirement 6.6. Security professionals at Imperva provide around-the-clock monitoring, policy tuning, and reports, so you can rest assured that your Web applications and data are safe.

Cloud WAF Benefits

» Stop Web attacks like SQL injection and XSS
» Achieve PCI 6.6 compliance quickly and cost-effectively
» Stop automated attacks like site scraping
» Improve Website performance
» Avoid search engine blacklisting
» Outsource WAF management to security experts

Protect Your Website Against Hackers

Having an online presence is critical. The challenge is that hackers often prey on smaller organizations. Imperva Cloud WAF protects Web applications against current and emerging threats, including SQL Injection, XSS, malicious bots, and other OWASP Top 10 threats.

Achieve PCI 6.6 Compliance

If your company processes credit cards, Imperva Cloud WAF will help you address PCI requirement 6.6 quickly and affordably. With Imperva Cloud WAF, you can protect your Web applications all of the time – not just after a test-and-fix cycle. As a managed, hands-free service, Imperva Cloud WAF will not impact Web development processes and will not entail burdensome consulting costs.

Avoid Search Engine Blacklisting

If a hacker injects malware in your Website, you might not only distribute that malware to your visitors, you might also be blacklisted by search engines – reducing the amount of traffic to your site. Imperva Cloud WAF prevents the attacks, like SQL injection, that allow hackers to upload malware to your site.

Improve Website Performance

Imperva Cloud WAF accelerates the performance of your Website, improving Web page load times and lowering Website bandwidth consumption. It also monitors Website performance and automatically notifies you of errors in your applications and performance issues.

Deploy Cloud WAF Through a Simple DNS Change

Provisioning Imperva Cloud WAF couldn’t be easier. Simply update your Website’s DNS settings to redirect Web traffic through the Imperva Cloud. This effortless deployment enables you to jumpstart your Web application security initiative while keeping your existing hosting provider and infrastructure.

Benefit from Low Total Cost of Ownership (TCO)

By leveraging a software-as-a-service (SaaS) delivery model, Imperva Cloud WAF provides businesses with the highest levels of Web security available without requiring a large resource investment. Imperva Cloud WAF couples effortless deployment and dedicated security expertise with low annual costs to avoid hardware and operational costs.

Imperva Cloud DDoS Protection

Imperva Cloud DDoS Protection is a simple, secure cloud-based service that safeguards businesses from the most debilitating and protracted DDoS attacks. As a service, Cloud DDoS Protection can be deployed quickly and can scale on demand to mitigate malicious traffic.

Case Study: Keystone RV

Keystone’s Website Hit by a DDoS Attack

Headquartered in Indiana, Keystone RV is the leading manufacturer of recreational vehicles in North America.

In August 2011, the company began receiving reports from its dealers saying that its corporate site and its partner portal were unavailable. Mark Widman, Keystone’s lead security administrator, contacted the company’s Web hosting provider and learned that they were suffering from a Distributed Denial of Service (DDoS) attack.

At first, Keystone’s Web hosting provider attempted to allocate more Web servers and allotted more application bandwidth. Unfortunately, according to Widman, the hosting provider’s “solution fell apart under the attack. We were caught behind the eight ball.”

Quick Deployment with Instant Results

Mark Widman contacted Imperva at 4:00 PM on a Thursday afternoon. After updating the DNS information for the company’s Website, Web traffic was redirected through the Imperva cloud. By 6:00 PM – two hours later – Imperva had stopped the attack and the Website was up and running.

Imperva Foils Distributed SYN Flood Attack

Based on information from Imperva, Keystone learned that a massive DDoS attack, known as a SYN flood, had hammered its Website. At the height of the attack, Keystone’s Website bandwidth was over one hundred times greater than typical levels.

Two days after purchasing Imperva Cloud DDoS Protection, the DDoS attack subsided. However, Keystone suffered two follow-on attacks over the next month. Imperva was able to stop these DDoS attacks as well.

“When we were under attack, our bandwidth went up one hundred fold. Imperva stopped the attack and kept our site up and running.”

Technical Support Exceeds Expectations

From the outset, the sales and support staff at Imperva impressed Keystone’s security team. “Everyone we’ve worked with has been knowledgeable and responsive.” The Imperva SOC manages all aspects of the deployment, including security policy configuration, monitoring, and tuning.

Imperva Stops Web Application Attacks

Keystone also provisioned Imperva Cloud WAF. So, Keystone’s Websites are not only protected against powerful DDoS attacks, but they are also protected against Web application attacks like SQL injection, cross-site scripting (XSS), and directory traversal. Keystone’s security team was surprised to learn that both users and bots were attacking the site and attempting to access sensitive data.

Keystone Gains Visibility into Application Activity

Imperva Cloud WAF and Cloud DDoS Protection not only give Keystone’s security team peace of mind, they also offer greater visibility into Web application activity. Email alert notifications inform the security team of attacks and abnormal activity. Notifications list the type of threat and the attacker’s IP address, Web browser, and geographic location. A high-level dashboard shows security, performance, and configuration information.

With Imperva Cloud Services, Keystone’s Website is safeguarded from future Web application and DDoS attacks. From Widman’s perspective, “Every aspect of the service has been stellar.”

Imperva Headquarters
3400 Bridge Parkway, Suite 200
Redwood Shores, CA 94065
Tel: 1-650-345-9000
Fax: 1-650-345-9004
www.imperva.com

Copyright 2012, Imperva. All rights reserved. Imperva and SecureSphere are registered trademarks of Imperva. All other brand or product names are trademarks or registered trademarks of their respective holders. #EB-Cloud-WAF-0212rev1
