As seen on the RSA blog.

Posted on Feb 11, 2021 by Matt McGuirk

In modern business, large enterprises maintain and secure—via physical controls such as gates, guards and electronically locked doors—their headquarters, as well as their satellite locations throughout the world. If they’re retailers, they’ll also institute measures to protect their products in stores no matter where they operate.

So if we take a global, decentralized approach to physically safeguarding company locations and assets, why don’t we do a better job of this for cybersecurity?

Specifically, we are talking about the focus on servers at the expense of client-side and endpoint protection. Organizations have not abandoned the latter; for years they have been shifting from a "lock down the perimeter" mindset to a more comprehensive strategy that covers endpoints and clients. But the allocation of investment and effort remains badly unbalanced: while 70% of breaches originate at the endpoint, only 24% of overall security spending goes to tools that defend endpoints, and the top 20 client applications between them carry at least 5,000 common vulnerabilities and exposures (CVEs). In light of this, the abundance of security attention placed on servers as opposed to clients and endpoints is akin to spending heavily on protecting the company headquarters and comparatively little on the satellite offices and stores.

Chief Information Security Officers (CISOs) and their teams cannot afford to proceed this way any longer, especially at e-commerce companies, where client-side attacks, which execute inside the shopper's web browser rather than on the merchant's servers, have become all but inevitable. These attacks are now commonplace, occurring at a rate of once every 39 seconds. In formjacking (the skimming technique associated with the criminal groups collectively known as Magecart), attackers inject malicious JavaScript into an e-commerce site, either directly into the page or through a compromised third-party script; that code reads the shopper's card and personal data from the checkout form as it is entered and sends it to a server the attackers control. Formjacking accounts for 87% of web breaches, and there were 425 Magecart incidents per month last year.

E-tailers are literally paying the price for leaving themselves exposed. We estimate that a Magecart incident requires 65 to 130 hours of response effort (roughly four full days at the midpoint) for tasks such as analysis of source code, web server files and logs. A hired response specialist costs $250 to $500 an hour, so resolving the incident runs $16,250 to $65,000. Then there is the unavoidable downtime, which ranges from $206,000 in revenue lost per hour for a retailer like to $2.4 million for

Obviously, this is a situation to avoid. Fortunately, there are practical steps to take to better defend against client-side attacks:

Establish balance. Given the lack of investment described above, CISOs will likely discover they have devoted too many resources to the server side and too few to the client side. A reallocation is overdue, with more budget for tools that proactively detect and remove malicious tampering on e-commerce pages.

Implement real-time monitoring. There are effective solutions and those which are … otherwise. To get the most return on their spend, CISOs should seek out products that detect and block tampering in real time, before a skimmer can harvest a single checkout or force the site offline, rather than those which only provide after-the-fact alerts.

Improve third-party/vendor oversight. With e-commerce companies using 40 to 60 third-party tools and adding three to five new third-party technologies to their sites every year, CISOs must have complete visibility into their third-party vendor environment: which scripts load on each page, who owns them and what they are permitted to do. It is also important to note that under the European Union's General Data Protection Regulation (GDPR) the site operator, as data controller, remains responsible for the personal data handled by the third parties it embeds on its pages.

Enforce zero trust. This provides the strongest protection against vendor-based threats by restricting each third party to only the information it is authorized to access. Virtual web pages play an indispensable role here: the third-party script is given a replica of the original page from which the elements it is not authorized to see (payment fields, for instance) have been removed. If an input from the third party is permitted, the virtual page passes it through to the original page; if not, it never reaches the original page. Because third-party scripts are isolated from the real page, a script that has been altered by an attacker cannot reach data it was never authorized to read.

If there is one certainty we have learned about attackers, it is that they constantly change their playbook, shifting their approaches to target companies and their customers. That is why CISOs cannot cling to outdated, server-centric security investment and implementation strategies.

Frankly, this is bad business, leading to lost revenue, damage to brand reputation and customer churn. By committing more IT budget and resources to the client side, with solutions that enable real-time monitoring, thorough third-party/vendor oversight and zero trust, organizations ensure that they are effectively protecting all of their assets, not just the server.

PCI DSS v4.0 makes client-side security a priority: requirement 6.4.3 calls for every script loaded on a payment page to be inventoried, authorized and integrity-checked, and requirement 11.6.1 calls for a change- and tamper-detection mechanism that alerts personnel to unauthorized modification of the HTTP headers and contents of payment pages as received by the consumer browser.

Source Defense delivers a solution for 6.4.3 and 11.6.1 without adding a burden to your security teams.