Frequently Asked Questions

1. What is Marketing Security/MarSec™?

Marketing Security or MarSec refers to client-side detection and prevention of unauthorized leakage and data theft through your website. Traditionally, people think of cybersecurity or information technology security as the protection of computer systems from theft or damage to hardware, software or electronic data. But these solutions do not extend to the client side of the website where users share a variety of personal data, for example within the payment or checkout process.

Customer data can be vulnerable to data leakage in a number of ways. The most common is via an injection of malicious JavaScript into a third-party technology, enabling cybercriminals to collect customer data as it's being input into chat boxes, form fills, etc.

 

2. How does MarSec™ work and how does it get deployed on my website?

The MarSec™ solution is deployed through a single line of code. Deployed at the top of your website page, our script acts as an invisible JavaScript layer on your site, monitoring all script interactions and identifying and blocking those that are unauthorized, malicious or non-compliant.

 

3. What are third-party scripts?

Third-party scripts refer to the JavaScript code related to the website technologies running on your site. These scripts can be embedded into any website directly via a third-party vendor. Scripts include ads, analytics, widgets and other technologies which make a website more dynamic and interactive, but they can be very susceptible to data leakage.

 

4. How can cybercriminals collect customer data from my website?

There are a number of ways that cybercriminals can steal customer data from your website. The most common is an injection of malicious JavaScript code onto a website, which intercepts customer data as it is being input. This method is also known as digital skimming, a technique used by the notorious hacking group Magecart. These types of attacks are hard to detect and can go unnoticed for months.

 

5. What is Magecart?

Magecart refers to a collective of hackers known for stealing customer data from ecommerce websites. They use a number of different techniques to inject malicious code onto a website; the most prolific attack vector is the compromise of a third-party supplier who already has permission to run on the site. This is achieved through an injection of malicious code into the original code. It also provides the hacking collective with scalability: by compromising a single third party they can often gain unauthorized access to thousands of ecommerce stores. The method they use to steal payment card data is also known as payment card skimming.

They are responsible for attacks against Vision Express, NewEgg, and Ticketmaster, to name a few victims.

 

6. I have firewalls, WAF and various methods to protect internal systems. How am I at risk?

You are still at risk, even with traditional practices like this in place. Firewall, WAF, secure connection and many other solutions are focused on securing internal servers and the communication between the browser and these internal servers. As defined above, third-party scripts are executed on the user’s browser but are called from a remote server. This client-side connection operates completely outside of the security capabilities an organization deploys to secure the server side of the browser session.

These tools do not ensure that sensitive data being input onto the website is not being passed to external third parties. Furthermore, these tools do not permit you to allow or block third-party technology vendors. MarSec™ enables organizations to proactively enforce security policies across their digital properties and permit data and scripts from only authorized domains.  

 

7. Will MarSec™ affect the performance of my website?

No, the MarSec™ solution is designed to minimize any performance impact. 

Each line of JavaScript means an additional request to a server, increasing the load on your visitor’s connection and constricting bandwidth. MarSec™ will block any unauthorized network requests that are being made to your site. This will reduce the number of calls made and the number of third-party scripts loading onto your web pages, therefore improving website performance.

 

8. How will the deployment of MarSec™ affect our business resource?

Deploying Ensighten’s MarSec™ is not resource intensive, nor does it require a technical expert. The Ensighten code can be deployed within minutes across your digital properties. Once MarSec™ is configured it immediately delivers results: full website data security.

 

9. What is Server-Side Tagging (SST)? 

Server-Side Tagging is the process where JavaScript is removed from the page and is replaced with an HTML data collection pixel. The data is then sent to the server, which loads the request in a virtual browser directly from the server.

Server-Side Tagging enables improved page performance, data match rates and quality as SST is unaffected by client-side ad blockers and provides additional data leakage protection.

 

10. What is ad injection?

Ad injection is a rapidly growing problem for ecommerce websites, where a website can be exposed to unauthorized, injected pop-ups and banner ads that promote similar, competitive products to the user. These are not served by the online retailer and are actually driven by malware that is injected into a consumer’s web browser or device. The unwanted distractions damage a retailer’s brand reputation and divert customers away to competitor sites - leading to losses in revenue for retailers and an interrupted customer experience for shoppers.

 

11. How can I restrict the data my third-party vendors have access to and prevent data leakage?

You can restrict data going to third-party vendors using Ensighten MarSec™:

  • Real-time website monitoring: Monitoring of all network requests coming into the website or out of the website to detect potential malicious threats
  • Automated website privacy audit and alerts: Detect risks to your organization's privacy rules; website scanning will check for unapproved technologies that might have access to your customer data
  • Masking of sensitive data: Determine unique data patterns to prevent them being exposed within the URL, to block tag piggybacking and prevent sensitive data from being passed to unauthorized third-party technologies
  • Allow and block third-party technologies: Define permissions for all the third-party vendors you want to allow to receive data, or to block from receiving any or specific types of data
  • Privacy gateways: Block unknown and unwanted website trackers, technologies and tags from firing on site and collecting data
  • Blocking of malware, JavaScript, CSS and hardcoded network calls: Block Magecart, malicious data breaches, CSS hacks, man-in-the-browser attacks and hardcoded network calls to stop data leakage

 

12. How do I know if my website is at risk of data leakage or a supply chain attack?

You can run a simple test of this using browser developer tools or a proxy tool. From there you can, for example, modify the DOM within the console, or inject unknown or malicious code, to see whether your site would allow that code to run or sensitive information to appear and be sent to the unknown third party. If you see the network request made within the browser console, your site is at risk; if you see sensitive data such as email or credit card information appear within the console, your site is also at risk.

Without website security tools in place to allow authorized third-party website technologies, and to block sensitive data from being exposed within the URL, your website is vulnerable to a data breach.
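
An added example, not Ensighten's code and not part of the original FAQ: a sketch of the checks described in questions 11 and 12, run over request URLs such as those listed in the browser's Network panel. It flags requests to hosts outside an allowlist and query strings that carry an email address or a Luhn-valid card number; the allowlist, hostnames and sample URLs are constructed for illustration.

```javascript
// Added example; the allowlist and sample URLs are constructed, not real vendors.
const ALLOWED_HOSTS = ["shop.example", "cdn.analytics-vendor.example"];

// True if host equals an allowed host or is a subdomain of one.
function isAllowedHost(host, allowed = ALLOWED_HOSTS) {
  return allowed.some((a) => host === a || host.endsWith("." + a));
}

// Luhn checksum, used to separate likely card numbers from other digit runs.
function passesLuhn(digits) {
  let sum = 0;
  for (let i = 0; i < digits.length; i++) {
    let d = Number(digits[digits.length - 1 - i]);
    if (i % 2 === 1) { d *= 2; if (d > 9) d -= 9; }
    sum += d;
  }
  return sum % 10 === 0;
}

// Names the kinds of sensitive data found in a decoded query-string value.
function sensitiveKinds(value) {
  const kinds = [];
  if (/[^\s@]+@[^\s@]+\.[^\s@]+/.test(value)) kinds.push("email");
  const runs = value.match(/\d(?:[ -]?\d){12,18}/g) || [];
  if (runs.some((r) => passesLuhn(r.replace(/\D/g, "")))) kinds.push("card");
  return kinds;
}

// Audits request URLs and returns one finding per request that needs attention.
function auditRequests(urls, allowed = ALLOWED_HOSTS) {
  const findings = [];
  for (const raw of urls) {
    const u = new URL(raw);
    const kinds = new Set();
    for (const v of u.searchParams.values()) sensitiveKinds(v).forEach((k) => kinds.add(k));
    const unauthorized = !isAllowedHost(u.hostname, allowed);
    if (unauthorized || kinds.size > 0) {
      findings.push({ host: u.hostname, unauthorized, leaked: [...kinds].sort() });
    }
  }
  return findings;
}

const SAMPLE_REQUESTS = [
  "https://shop.example/checkout?step=2",
  "https://cdn.analytics-vendor.example/collect?page=%2Fcheckout",
  "https://collector.unknown-tracker.example/p?e=jane%40mail.example&c=4111+1111+1111+1111",
  "https://cdn.analytics-vendor.example/collect?uid=jane%40mail.example",
];
```

Calling `auditRequests(SAMPLE_REQUESTS)` returns two findings: the request to the unlisted host, and the request to an allowed vendor that still carries an email address in its URL.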