What can’t you buy on the internet? Last-minute birthday gifts. Check. A new refrigerator. Check. An engagement ring. Check. Groceries. Check. Travel to foreign lands. Check.
Internet-driven consumerism is a critical component of our economy. But it has a dark side filled with demons. And the demons—more commonly known as cybercriminals—who live in the murky, cesspit-ridden areas of the internet—more commonly known as the dark web—love to take advantage of the vulnerabilities and bugs in the web application code that drives websites.
With their demon-torture tools in hand (called Magecart or e-skimming attacks), these demons exploit weaknesses in web application code and in the third-party scripts a site loads, injecting malicious JavaScript into checkout and login pages. That code runs in the shopper's browser, skims payment card numbers and other personally identifiable information (PII) as it is typed, and sends it to a server the attacker controls, where it is resold to their legions of devil-spawned minions.
Data breaches cost more than just money
Data breaches like these are expensive for companies. Research published in 2020 put the global average cost of a data breach at around $3.85 million. Not surprisingly, the cost more than doubles if the breach happens in the United States, where the average is around $8.64 million. And those numbers only reflect the costs associated with investigation, legal fees, and customer services such as credit monitoring. What they don't include is the cost to a business's reputation, because when a business is breached you can pretty much guarantee that the customer-victims are going to first say: "What the @#?!!. Didn't those bleepity-bleep-bleep-bleeps running the company have any cybersecurity in place?" And the next thing the customer-victim will do is research a better, safer competitor.
Traditional security just doesn’t protect the client side
In all fairness to the business, it probably did have cybersecurity in place, just not the right cybersecurity. Traditional, but only partially effective, tools that are sometimes used to prevent script attacks include web application firewalls (WAFs), policy controls, and threat intelligence. These solutions are absolutely critical and necessary to protect the server side of the business, but they don't protect against malicious attacks targeting the client side. A WAF inspects traffic that reaches the company's servers; a skimmer planted in a third-party script runs inside the shopper's browser and sends the stolen data straight to the attacker's domain, so the WAF never sees that request.
The reasons why it is so easy for the wretched ghouls of the dark web to attack businesses via the client side include:
Lack of attention to web application vulnerabilities.
Multiple, layered (but likely vulnerable) web applications and scripts designed to add website functionality.
Increasing number of third- and fourth-party sources creating and distributing vulnerable applications and scripts.
Misconfigurations and malicious code in open-source tools.
What can businesses do?
There are a few things that businesses can do to protect themselves from the demon spawn of the dark web, including:
Know your assets—Understand what web assets you own and the type of data they hold. That means inventorying every script each page loads, including the scripts those scripts pull in, and the data (form fields, cookies, storage) each one can reach. In addition, scan regularly to reveal scripts, origins, and behavior you did not authorize, as well as intrusions and behavioral anomalies.
Practice good patch and update management—Ensure patches and updates are applied regularly.
Compartmentalize web applications—To limit exposure across the application, split your front end into smaller components, such as public, authenticated, and admin, and deploy each part on its own origin (e.g., https://admin.websitename.com). The browser's same-origin policy then keeps a script compromised on the public storefront from reading the pages and storage of the admin origin (provided session cookies are not scoped to the shared parent domain).
Use an SSL/TLS certificate for all websites—Certificates enable website authentication and make SSL/TLS encryption possible. They also enable the website to have an HTTPS web address. Many browsers now tag websites without a certificate as "not secure." While a certificate and an HTTPS address do not guarantee a website is secure (certificates are easy to obtain, and TLS protects data in transit but does nothing to stop a skimmer already running in the page), having that HTTPS address and encrypting customer data does give customers more reason to trust your site.
What kind of purpose-built solutions are available?
There are purpose-built solutions that safeguard internet users and consumers from the demon spawn of the dark web. Two tools, powered by Feroot, that are part of AT&T MVP are:
Feroot Security PageGuard—Based on the Zero Trust model, PageGuard runs continuously in the background to automatically detect unauthorized scripts and anomalous code behavior. If threats are detected, PageGuard blocks all unauthorized and unwanted behavior in real-time across the organization. PageGuard also automatically applies security configurations and permissions for continuous monitoring of and protection from malicious client-side activities and third-party scripts.
Feroot Security Inspector—In just seconds, Inspector automatically discovers all web assets a company utilizes and reports on their data access. Inspector finds all security vulnerabilities on the client-side and provides specific client-side threat remediation advice to application developers and security teams in real-time.
AT&T is helping customers strengthen their cybersecurity posture and increase their cyber resiliency by enabling organizations to align cyber risks to business goals, meet compliance and regulatory demands, achieve business outcomes, and be prepared to protect an ever-evolving IT ecosystem.
You can also contact AT&T Cybersecurity Consulting to get your 30-day free trial of MVP including Client-side Application Security powered by Feroot.