1. What is Marketing Security/MarSec™?
Marketing Security or MarSec refers to client-side detection and prevention of unauthorized leakage and data theft through your website. Traditionally, people think of cybersecurity or information technology security as the protection of computer systems from theft or damage to hardware, software or electronic data. But these solutions do not extend to the client side of the website where users share a variety of personal data, for example within the payment or checkout process.
2. How does MarSec™ work and how does it get deployed on my website?
3. What are third-party scripts?
4. How can cybercriminals collect customer data from my website?
5. What is Magecart?
Magecart refers to a collective group of hackers, who are known for stealing customer data from ecommerce websites. They use a number of different techniques to inject malicious code on to a website, the most prolific attack vector is through the compromise of a third-party supplier who already has permission to run on the site. This is achieved through an injection of malicious code into the original code. It also provides the hacking collective with scalability - by compromising a single third party they can often gain unauthorized access to 1000's of ecommerce stores. The method they use to steal payment card data is also known as payment card skimming.
They are responsible for such attacks against Vision Express, NewEgg, and Ticketmaster to name a few victims.
6. I have firewalls, WAF and various methods to protect internal systems. How am I at risk?
You are still at risk, even with traditional practices like this in place. Firewall, WAF, secure connection and many other solutions are focused on securing internal servers and the communication between the browser and these internal servers. As defined above, third-party scripts are executed on the user’s browser but are called from a remote server. This client-side connection operates completely outside of the security capabilities an organization deploys to secure the server side of the browser session.
These tools do not ensure that sensitive data being input onto the website is not being passed to external third parties. Furthermore, these tools do not allow whitelisiting or of third-party technology vendors. MarSec™ enables organizations to proactively enforce security policies across their digital properties and permit data and scripts from only authorized domains.
7. Will MarSec™ affect the performance of my website?
No, the MarSec™ solution is designed to minimize any performance impact.
8. How will the deployment of MarSec™ affect our business resource?
Deploying Ensighten’s MarSec™ is not resource intensive nor does it require a technical expert. The Ensighten code can be deployed within minutes across your digital properties. Once MarSec™ is configured it immediately delivers results; full website data security.
9. What is Server-Side Tagging (SST)?
Server-Side Tagging enables improved page performance, data match rates and quality as SST is unaffected by client-side ad blockers and provides additional data leakage protection.
10. What is ad injection?
Ad injection is a rapidly growing problem for ecommerce websites, where a website can be exposed to unauthorized, injected pop-ups and banner ads that promote similar, competitive products to the user. These are not served by the online retailer and are actually driven by malware that is injected into a consumer’s web browser or device. The unwanted distractions damage a retailer’s brand reputation and divert customers away to competitor sites - leading to losses in revenue for retailers and an interrupted customer experience for shoppers.
11. How can I restrict the data my third-party vendors have access to and prevent data leakage?
You can restrict data going to third-party vendors using Ensighten MarSec:
- Real-time website monitoring: Monitoring of all network requests coming into the website or out of the website to detect potential malicious threats
- Automated website privacy audit and alerts: Detect risks to your organizations privacy rules, website scanning will check for unapproved technologies that might have access to your customer data
- Masking of sensitive data: Determine unique data patterns to prevent being exposed within the URL, to block tag piggybacking and prevent sensitive data from being passed to unauthorized third-party technologies
- White- and blacklisting of third-party technologies: Define permissions all appropriate third-party vendors you want to allow to receive data or block from receiving any of specific types of data
- Privacy gateways: Block unknown and unwanted website trackers, technologies and tags from firing on site and collecting data
12. How do I know if my website is at risk of data leakage or a supply chain attack?
You can do a simple test of this using browser developer tools or a proxy tool, from here you can modify the DOM within the console for example or inject unknown or malicious code to see if your site would allow that code or sensitive information to appear and be sent to the unknown third party. If you see the network request made within the browser console your site is at risk, or if you see the sensitive data such as email or credit card information appear within the console your site is at risk.
Without website security tools in place to enable whitelisting of authorized third-party website technologies, along with blocking of sensitive data being exposed within the URL your website is vulnerable to a data breach.