Are you managing risk from third-parties?

Third-party attacks on ecommerce sites have hit the headlines, but this isn't a new strategy. Is it time to think bigger about security?

The Magecart attacks on ecommerce sites have hit the headlines this year, affecting customers and those who pick up the bill for the resulting card fraud. But business risk introduced by third parties is not new: Petya/NotPetya spread through a compromised third-party software update, and Dragonfly (AKA Energetic Bear/Crouching Yeti) targeted the energy sector through software from its victims' suppliers. The list of victims of third-party compromise will no doubt continue to grow, so what can you do to protect your business?

Compliance or a false sense of security?

Content security policies and compliance seals of approval don’t necessarily offer peace of mind when third-party scripts are on the page. A CSP only controls which origins may supply a script; if one of those allowed origins is itself compromised, the malicious version loads exactly as the legitimate one would. A seal attests to an assessment at a point in time, not to what someone else's server is serving right now. In fact, many of the websites we’ve identified as compromised by Magecart attacks carry a logo/seal claiming to be secure, so clearly something is not working.

We looked at a random sample of ecommerce site homepages and found an average of four different third-party scripts on each. Each of these websites is therefore only as secure as the weakest of the third parties it includes, and a script host shared by many high-traffic sites is the obvious place for an attacker to economise: monitor the sites, pick the common denominator, and compromise every site that includes it at once.

Simple monitoring to manage your third-party risk

File integrity monitoring is a simple and non-intrusive way to manage risk from third-party scripts. Subresource Integrity (SRI) brings the same idea into the browser: the page declares a cryptographic hash of each included script, the browser hashes what it actually fetched, and if the third-party JavaScript has been modified, maliciously or otherwise, it simply won’t load. Two practical caveats: a cross-origin script needs a crossorigin attribute alongside integrity or the browser cannot inspect the bytes and treats the check as failed, and SRI only suits scripts whose content you expect to stay fixed. A vendor tag that is updated in place will fail the check on every legitimate change as well, which is where out-of-band monitoring (hash the script on a schedule and alert on change) fits in.

Beyond scripts served from third parties, think about the libraries you bundle yourself, like jQuery, Dojo Toolkit and Midori, and also consider your web frameworks: are you assessing changes and monitoring for vulnerabilities there? What about the third parties which enable your business to run smoothly, such as your IT services, payroll system or expenses platform? How do you monitor their security and ensure they meet your standards?

Is it time to think bigger about your customers’ security?

In the Magecart attacks, JavaScript skimmers were used to capture payment card details from unsuspecting customers as they entered them. In the end, it’s the card issuers who foot the huge bills for the fraud resulting from skimming attacks. If an attacker can monitor the software used across ecommerce sites for vulnerable versions, surely the organizations picking up the bill can do this too?

Looking for vulnerabilities that will affect your customers could pay dividends, whether the affected systems are hosted in your infrastructure or not. When next year’s Apache Struts vulnerability comes out, a quick email to the suppliers you know are using it might be the thing that saves your payroll records, and many other people’s, from landing in the wrong hands.

Leading organizations are already doing this: Google’s Project Zero team continuously researches vulnerabilities in the technologies Google's customers use, because ensuring those customers are secure makes business sense to Google.

What impacts your customers? What do they rely on? And what can you do to enhance the security of those technologies?  




Accreditations & Certificates

MWR is an accredited member of The Cyber Security Incident Response Scheme (CSIR) approved by CREST (Council of Registered Ethical Security Testers).
MWR is certified under the Cyber Incident Response (CIR) scheme to deal with sophisticated targeted attacks against networks of national significance.
We are certified to comply with ISO 9001 and 14001 in the UK, internationally accepted standards that outline how to put effective quality and environmental management systems in place.
MWR is certified to comply with ISO 27001 to help ensure our client information is managed securely.
As an Approved Scanning Vendor MWR is approved by PCI SSC to conduct external vulnerability scanning services to PCI DSS Requirement 11.2.2.
We are members of the Council of Registered Ethical Security Testers (CREST), an organisation serving the needs of the information security sector.
MWR is a supplier to the Crown Commercial Service (CCS), which provides commercial and procurement services to the UK public sector.
MWR is a Qualified Security Assessor, meaning we have been qualified by the PCI SSC to validate other organisations' adherence to PCI DSS.
As members of CHECK we are measured against high standards set by NCSC for the services we provide to Her Majesty's Government.
MWR’s consultants hold Certified Simulated Attack Manager (CCSAM) and Certified Simulated Attack Specialist (CCSAS) qualifications and are authorized by CREST to perform STAR penetration testing services.