What are third-party scripts?
- Chat and sales facilitation tools
- Analytics, heatmaps & metrics
- Social media linkage
Why are third-party scripts dangerous?
I have a firewall, WAF and a secure connection, how am I not safe?
Firewalls, WAFs, TLS and similar controls are focused on securing your own servers and the communication between the browser and those servers. As defined above, third-party scripts execute in the user’s browser but are fetched from a remote server. That client-side connection operates completely outside the security controls an organization deploys to protect the server side of the browser session.
What do I need to ask my 3rd parties to do in order to comply with you?
Source Defense’s Vice was built to be “transparent” to your third parties; we require no special cooperation or integration to operate seamlessly with them.
What is "Malvertising"?
Malvertising (a term used to describe “malicious advertising”) is the use of online advertising to spread malware. Malvertising involves injecting malicious or malware-laden advertisements into legitimate online advertising networks and webpages.
How do I know if my site is currently at risk to this attack vector?
How can these attacks that victimize hundreds (and sometimes thousands) of sites be so successful on so many sites?
What is Magecart?
Magecart is a hacking group that has been active for several years. It is best known for one of the biggest credit card thefts ever discovered, affecting at least 800 websites and operating undetected for over 3 years. Security analysts claim that this group strategically targeted 3rd parties to scale the attack efficiently and impact as many sites as possible.
Why can't DAST catch this attack vector?
DAST is Dynamic Application Security Testing. It is usually run against pre-production environments and does not cover live sites. The few who run DAST on a live site simulate a handful of user profiles but cannot possibly scale this approach to monitor and detect all web sessions. As third parties change their behavior from user to user, DAST is largely ineffective at detecting attacks on large production networks and completely ineffective at preventing these types of attacks. Detection methodologies do not help organizations fulfill compliance guidelines requiring customer data privacy.
Why can't RASP catch this attack vector?
RASP is Runtime Application Self-Protection. It exists only on the Java virtual machine and .NET Common Language Runtime. Since it does not run on the live site itself (in the user's browser), 3rd parties are outside of its detection scope. Again, RASP is not intended as a prevention solution. Detection methodologies do not help organizations fulfill compliance guidelines requiring customer data privacy.
Why does monitoring and detection still leave me exposed?
Monitoring and detection tools simulate a limited number of user profiles, not all of them. As third parties may change their behavior from user to user, this is not an effective or reliable means of detecting these attacks. Even when a hack is detected, the organization still has to react to it: initiating incident response, removing important tools from the site and replacing them, notifying users, compliance reporting, and damage to your brand.
If I review all code, how can my site still be victimized?
The 3rd party code on your page is only a reference; it always initiates a call to a 3rd party server. These calls result in additional code being downloaded to the browser of each user. Even if you evaluate all the code provided by the third party in a pre-production deployment, the code might be changed after evaluation. The website owner can be diligent and still be very easily victimized by this universal vulnerability.
In an ideal world you could; however, if you wish to stay competitive, you will need 3rd parties integrated on your webpages, as they enrich the experience and provide useful analytics and monetization.
SITE PERFORMANCE AND BEHAVIOR
Does this solution impact site performance, stability, and behavior?
How can website supply chain vendors damage my site's behavior?
INTEGRATION, CONFIGURATION, & MANAGEMENT
How long does the solution take to integrate?
Integration is very simple. It requires copying and pasting two lines of JavaScript into your site’s head section.
How hard is the system to configure?
Our experts and machine learning can be leveraged to configure the system for you. Should custom configuration be required, the administration console provides these tools.
Does the system require ongoing management and monitoring?
The system is designed to be low touch. The only time you will need to manage it is when you integrate a new third party into your site.
What is the volume of alerts?
You will be notified by the administration console of new third parties identified as having been added to your website. Additional alerts are FYI-only and designed to keep the administrator informed of unexpected behaviors. Since the Source Defense solution operates in prevention mode, no action is required from the administrator to address these event notifications. A dashboard can be consulted as needed to keep the administrator informed of how the system is working on your website.
Does your system scale?
Yes, the system is built for scale, running on a robust CDN with several redundancies.
What level of access does a hacker have through this attack vector?
Any information that exists on your pages is accessible to a hacker via this attack vector. In addition, there are documented cases where the hacker added fields to forms on websites to collect additional information from users.
What if I am being attacked right now - would I even know?
As proven by the Magecart attack that affected over 800 websites for 3 years, this vector is very hard to detect.
If I am being attacked, how do I stop it?
What organizational response is required if my site is victimized by this type of attack?
You will need to activate your incident response team and carry out forensic analysis to understand the scope of the breach. Then contact your users and begin dealing with the aftermath. If you are subject to GDPR or PCI compliance obligations, follow those protocols.
Why is my site currently non-compliant?