As we move into October and thus National Cybersecurity Awareness Month (NCSAM), we work to increase visibility into the importance of cybersecurity. But as we look at 2020, it has certainly been a year unlike any other, with many people from across the globe spending much more time at home and online.
Now in its 17th year, NCSAM has announced that this October’s theme is Do Your Part; #BeCyberSmart, highlighting that the objective is to encourage individuals and organizations to own their role in protecting their part of cyberspace. Given the increase in home-based online activity, the agenda focuses heavily on device security and on protecting everything from employment to ecommerce.
Cybersecurity awareness is everyone’s responsibility
As collective users of the world wide web, there is a lot we take for granted with respect to security. When we shop online, we expect our credit card numbers to be safe and the things we purchase to remain confidential; when we sign into online banking, we expect our money to be protected; and when we interact socially, we expect privacy.
Because of this expectation, business owners have an obligation to protect our data and interactions with them – there is an intrinsic trust which we give when doing business with a company online and in return these companies are expected to provide us with a safe and secure environment.
With 2020 seeing drastic changes in the way people work and live, cybercriminals have adapted their approaches accordingly, leading to an all-time high in phishing and ransomware attacks. This increase in home-based online activity has also exposed another weakness: for many, work is now being done on insecure devices and insecure networks.
Take stock of enterprise cybersecurity
NCSAM is mostly aimed at the end-user and educating them on how to protect themselves against threats, but it is also a perfect time for organizations to consider their current security stance and whether it is relevant and keeping pace given current threats. Most businesses already have an established security strategy, but as threats change and new attack methods emerge, this security must also evolve.
Consider the shift in attack focus from the origin to the client – mostly due to elements such as the web browser or email client being easy targets and low-hanging fruit. Over the past couple of years, we have seen some of the largest ecommerce organizations fall victim to online skimming attacks, leaking the personal and financial data of millions of customers, even though the business likely invests millions of dollars in its origin-based security.
While it’s easy for most organizations to look at the data breaches referenced every day in the news and assume that they are not vulnerable, the reality is that almost every ecommerce site online utilizes third-party libraries or services and as such, is equally at risk from such attacks. The challenge in almost all cases is that because of the substantial investment made in origin-based security, most organizations assume they are protected but unfortunately don’t fully understand client-side threats.
Trust but verify – use NCSAM to raise your knowledge
Websites present a unique security challenge for organizations because of how they are composed – most sites use a combination of first-party content and third-party code. All web developers are used to including libraries by adding tags to their pages, but often don’t understand the security risk associated with this practice – there simply isn’t enough widespread awareness of the issue yet.
When a developer opts to make use of Google Analytics or jQuery and does so by referencing a library on a public CDN, they expect the code to be secure and protected, and in this case both are examples of good, secure code. The problem is that most websites don’t have just two or three trusted libraries; in fact, the average website uses around 60 inclusions from providers ranging from massive social networking companies to open-source dorm room projects, and it’s the latter that is the problem.
When you include code in your website, you allow that code to run whenever your site is visited by a user – it’s no different than if your own developers had produced it. If a library is included on the page where your customers enter their credentials to log in, there is nothing to prevent that library from capturing those credentials and sending them to any server on the web.
It’s easy to dismiss this as hyperbole, after all, we’re writing this as a vendor who provides technology to stop such attacks, but to see just how much of a problem this really is, go to Google and search for Magecart attacks. Take a look at the types of vendors who have been breached – most of these had exceptionally strong security.
In the interest of NCSAM it is important to be aware of these attacks, understand that your website is likely vulnerable to them, and assess what you can do to protect your organization.
Let Ensighten help
Ensighten has been focused on client-side security for a significant amount of time: we provide technology to protect against client-side attacks and engage in threat intelligence to discover emerging ones. The challenge we find most organizations have with these attacks, though, is that they simply don’t understand them or how their websites are at risk.
In the spirit of National Cybersecurity Awareness Month, Ensighten are offering website risk assessments to show you where your website is at risk. If you are interested in learning more about client-side attacks and becoming aware of their risk during NCSAM, get in contact or request your website risk assessment.