This article originally appeared in Security Boulevard on November 19, 2018.
Vigilance Isn’t Enough
The core challenge in defending against Magecart is that traditional website security isn’t enough. The attackers can compromise your website by attacking your trusted third-party partners, so you won’t find suspicious activity inside your databases. You’ll only discover that Magecart is in the house if their skimmer code is detected inside your third-party scripts, or when suspicious activity is spotted on your customers’ credit cards. By then, it’s too late—not only has security been penetrated, but customer trust suffers, brand damage occurs, compliance violations require reporting and there may be government fines.
But Wait, There’s Hope
Prevention is the Best Option
Prevention approaches for addressing client-side connections not only secure the organization but are required for adequate data control defined by regulatory compliance (e.g. GDPR and California’s newly passed Digital Privacy Law). Without the ability to control private customer data and prevent unauthorized access by third-party website vendors or hackers, an organization is in a state of non-compliance.
Prevention approaches include:
Application Monitoring: Monitoring is a detection-based, reactive methodology and is therefore less secure. The major inadequacy of detection approaches is that they are incapable of preventing attacks. These include technologies such as DAST and RASP. Even with a multitude of global sensors, detection schemes often miss highly targeted and hyper-segmented attacks altogether. Additionally, a detection event signals leakage of customer data and constitutes a compliance violation that requires disclosure. The resulting fines, PR crises, remediation and operational fire drills are often significant. Fundamentally, these approaches are not scalable, and the persistence of the underlying vulnerability renders them ineffective.
Vendor Due Diligence Assessments: Many organizations, and especially those under strict compliance mandates, perform routine, comprehensive vendor security assessments. Although well-intended and highly recommended, such exercises provide only point-in-time assessments. They do not provide prevention or even continuous detection. Although these assessments should be part of a comprehensive security program, they are in no way adequate as a standalone approach to mitigating or preventing third-party website supply chain risk.
Restricting the Use of Third-Party Tools: Exercising a debilitating level of caution by limiting or restricting the use of beneficial third-party tools on websites is generally counterproductive to the overall goals of the business. Limiting the number of tools that can be deployed on an organization’s website limits its ability to provide an engaging user experience and extract meaningful analytics. This methodology makes delivering a compelling, differentiated and dynamic web presence difficult.
Website Operators Have a New Responsibility to their Customers
CISOs and CIOs need to secure their websites, but they can’t do it at the expense of the functionality that keeps the business running. The most secure website would be the one that has no connection to the internet, but this would, of course, defeat the purpose of having a website that serves customers. As we protect the website, we must also ensure the business is being driven forward.