Are you responsible for 3rd-party risk management and/or for securing your company’s web presence? If so, then you have a blind side that could bite you big. It comes in the form of Magecart attacks like formjacking, digital skimming and credential harvesting.
And it’s time you take that blind side seriously.
Your blind side
Remember the movie “The Blind Side,” based on the book by Michael Lewis? It includes a flashback to a career-ending pro football play – one that I’ll never forget – in which quarterback Joe Theismann is blindsided by linebacker Lawrence Taylor.
“He doesn’t see Taylor leap, both arms over his head, and fill the sky behind him. Theismann prides himself on his ability to stand in the pocket and disregard his fear. He thinks this quality is a prerequisite in a successful NFL quarterback. . . What happened to the ball, and to the person holding the ball, was just the final link in a chain of events that began well before the ball was snapped.
“At the beginning of the chain that ended Joe Theismann’s career was an obvious question:
“Who was meant to block Taylor?”
– The Blind Side by Michael Lewis
Picture yourself as the Joe Theismann of your company’s web security. You’ve invested plenty in shoring up the assets you’re responsible for – so much so, that you might think you’ve got all the angles covered. You update your web apps and apply patches to your servers religiously. You put in place everything necessary to defend your servers from incoming threats. With such rigorous security, you’re confident you can focus on driving your company’s transactional or e-commerce site without fear of a successful attack.
Then you’re blindsided by a client-side web attack, smuggled in by ordinary, ubiquitously utilized 3rd-party JavaScript your site has used for years. The attack copies the data your clients enter on your website – whether PII, PHI, credit card data or anything of value – and sends it to a malicious actor, who then sells it or uses it for other nefarious purposes. Maybe you see the chain of events right away, or maybe it takes you entire months or quarters to see what’s going on – like the recent case of Nuna Baby, where a year transpired before the attack was discovered. Either way, the result, as the owner of Segway’s online store just found out, is the kind of headlines you don’t want.
At the beginning of that chain of events is an obvious question: Who was meant to block that attack?
3rd Party Risk is 3rd Party Risk
We’ve posted recently about the digital supply chain and how can you mitigate your 3rd-party risk.
You may not feel that your physical supply chain is vulnerable – but if your web properties are like the 95% of websites operating in the world, then your digital supply chain is most definitely vulnerable. You likely have a dozen or more 3rd party partners helping power the site experience (each potentially calling on even more 4th parties). These partners are loading JavaScript on the client-side that can be used as the vector for attack.
You rely on traditional web security to mitigate the risk of attackers compromising your server through malicious activity. But this 3rd-party client-side risk is one that can easily blindside you, stepping around your traditional defenses and attacking from the pass-rushing, catch-you-by-surprise side.
That’s why we look at this as a 3rd-party risk management issue. Addressing vulnerability and 3rd-party client-side risk is not some completely new security domain demanding that you study, budget for and create headcount to deal with. Your organization is already investing in 3rd-party risk management, and this is another source of the same kind of risk.
The Source Defense approach
Fortunately, the Source Defense platform offers you an easy to way to manage 3rd-party risk in your digital supply chain and prevent attacks from your blind side.
- Easy deployment — Simply place Source Defense tags into the headers of the web pages running the JavaScript you want to protect. No need to change your configurations or add anything to your servers.
- No burden on staff — Cybersecurity teams are stretched thin as it is. Source Defense is a low-impact, low-effort way to protect your blind side. It doesn’t add to the burden on your staff or force you to attract and train more security talent.
- Prevention instead of detect-and-alert — Source Defense uses real-time sandbox isolation to prevent client-side attacks that originate in the digital supply chain your site depends on.
- No management headaches — You accept policy recommendations as necessary. Source Defense continually monitors and updates protection instead making you implement and maintain it.
Malicious actors have wasted no time this year. Formjacking, a common type of client-side web attack, was already grabbing headlines on the first workday of 2022, with a single compromise that affected more than 100 real estate sites.
As you mull over your cybersecurity priorities in 2022, look at mitigating the 3rd-party risk from client-side web attacks as a low-effort, top-5 priority. It’s another form of the risk management you already undertake and a solid use of your already-allocated budget for mitigating 3rd party risk this year.
For more information and to evaluate the potential risk to your website, check out our free, non-invasive website risk report today. To get a technical perspective on client-side 3rd party JavaScript risk, join our next Cyber Academy.
PCI DSS 4.0 makes client-side security a priority.
Source Defense delivers a solution for 6.4.3 and 11.6.1 without adding a burden to your security teams.
