How to Be Resilient to Data Theft

Written by

Gerhard Giese

October 13, 2020

Gerhard Giese is Industry Strategist at Akamai Technologies. He started at Akamai in 2010 and is now manager in the Financial Sector, responsible for customer advisory, information sharing and consulting. With more than 20 years of experience in the security field, Gerd has accumulated in-depth expertise in network security as well as distributed denial of service (DDoS) mitigation and data theft prevention. He continues to interact directly with clients as a trusted security advisor, to identify the most pressing challenges for online businesses. In addition, he regularly delivers talks at industry conferences and works as an independent consultant for federal state authorities such as The German Ministry of IT Defense. Prior to Akamai, Gerd was a senior network engineer at McAfee. Gerd holds CISSP and CCSP certifications and is a certified ethical hacker. 

Client-Side Protection & Compliance is now PCI compliant -- a strong starting point to harden your web applications.

Compliance with the Payment Card Industry Data Security Standard (PCI DSS) is fundamental for any business that accepts payment cards or processes payment card data. Many financial services organizations and e-commerce sites invest substantial time and budget to achieve PCI DSS compliance. Today's web development teams rely on a diverse collection of third-party client-side scripts to simplify development and accelerate time to market. Many of these scripts come from smaller software vendors that haven't invested in PCI-compliant security systems. Threat actors can exploit these third-party scripts to carry out sophisticated data skimming attacks that are difficult to detect and mitigate with traditional data security solutions.

To make passing a compliance audit meaningful, you need to ensure that your strategic website partners, like Akamai, also provide PCI-compliant solutions to harden your web application security and protect you from increasing supply chain threats.

In this blog, I'll briefly review PCI DSS, explain how to combat the latest script-based attacks that target the web application supply chain, and make clear why having a PCI-compliant script attack mitigation solution is critical.

PCI DSS Helps Prevent Payment Card Fraud and Abuse

The PCI DSS helps merchants and banks protect cardholder data and improve trust. Established by major credit card companies like Visa, MasterCard, and American Express, the standard lays out best practices for safeguarding sensitive data, defending against cybersecurity threats, and mitigating risk. PCI DSS applies to any entity that stores, processes, or transmits cardholder data, including financial services providers and online retailers.

[Figure: PCI DSS Goals and Requirements. Source: PCI Security Standards Council, PCI DSS Quick Reference Guide]

Many online businesses invest significant time and money certifying their systems and processes for PCI compliance. Yet despite these substantial investments, many "PCI-compliant" organizations are not immune to data loss. Threat actors are continuously honing their methods, finding new ways to evade defenses and steal data. Online businesses must continuously review and update their security systems and practices to keep pace with the evolving threat landscape and maintain PCI compliance.

JavaScript skimming attacks are a perfect example. These browser-directed attacks are nearly impossible to detect with the traditional security solutions businesses typically use to protect conventional IT systems and applications. They allow cybercriminals to steal confidential data without penetrating private enterprise networks or breaching back-end servers.

Your supply chain security is only as strong as its weakest link

Today's e-commerce and financial services sites rely on client-side JavaScript code to provide fast, dynamic user experiences. Most development teams use third-party code to speed up application delivery and free up developers to focus on core business features.

The web is full of third-party scripts. Most e-commerce sites use third-party JavaScript code for common functions like analytics, ads, and retargeting. In fact, about two-thirds of all scripts come from third parties. The problem is many of these scripts are written and distributed by multiple sources, including smaller companies and even independent software developers who don't have stringent, PCI-compliant security systems and practices in place. Savvy attackers can gain illicit access to poorly-secured, third-party source code and inject malicious software to harvest confidential data directly from a consumer's browser. (The code is often triggered when a victim submits payment information during an online transaction.)

Script-based attacks make life easy for cybercriminals. They can attack major websites without having to penetrate well-defended enterprise networks. And by targeting the web application supply chain rather than websites directly, cybercriminals can strike thousands of online businesses in a single attack.

Not surprisingly, bad actors have carried out millions of web skimming attacks in recent years, including many large-scale attacks against major companies like British Airways, which was fined $230M for a 2018 data breach involving 380,000 credit cards.

Combating JavaScript-based attacks

JavaScript attacks can damage your company's reputation and result in costly regulatory fines and legal payouts. These persistent threats are difficult to detect and shut down, and they can resurface if you don't properly isolate and mitigate them.

To effectively combat script-based attacks, you need to:

  1. Detect anomalous script behavior in real-time -- as it happens

  2. Block malicious activity before it adversely impacts your business

  3. Identify vulnerable resources to prevent repeat attacks

Akamai Client-Side Protection & Compliance can help protect your online business against sophisticated script-based attacks. Specifically conceived to mitigate security threats posed by third-party, client-side scripts, the solution runs in the browser and uses machine learning to intelligently identify vulnerabilities, detect suspicious script behavior, and block malicious activity.

Because Client-Side Protection & Compliance collects script event information for sensitive web pages, Akamai invested in and recently completed full PCI compliance. The solution continuously analyzes all JavaScript behavior without impeding application performance, helping you strengthen security without impairing the user experience. When Client-Side Protection & Compliance detects suspicious activity, it immediately notifies site operators and provides actionable insights to help contain the threat. 

Assess your risk

Want to learn how vulnerable your website is to JavaScript-based attacks? Get a complimentary Client-Side Protection & Compliance Analysis Report from Akamai. With no effort on your part, we check your site, identify and classify third-party scripts, and help you understand the potential security risks and performance implications they pose.

There will be more opportunities to engage with us on this and more at Edge Live | Adapt. Sign up to see how customers are leveraging these improvements, engage in technical deep dives, and hear from our executives how Akamai is evolving for the future.
