How the NIST Framework Helps Companies Protect Against Client-side Attacks
Table of Contents
Overview
What are Client-side attacks?
NIST Framework Core
NIST Framework Implementation Tiers
How to implement the NIST Framework
Summarizing How the NIST Framework Can Help Companies Prevent Client-side Attacks
Why Do Monitoring and Detection Still Leave Companies Exposed?
Guidance to Ensure Organizations are Protected from Client-Side Security Threats

Overview
In today’s increasingly dangerous cybersecurity environment, organizations are being bombarded by clever and devious exploits, such as the Magecart or Formjacking client-side attacks that steal credit card data or other personal information when a customer attempts to make a purchase at an ecommerce site.
Taking a piecemeal or reactive approach to combating these types of attacks
won’t cut it. Organizations need to take a comprehensive, organized,
measurable, risk-based approach to combating cyberattacks that is based on
accepted industry best practices.
The National Institute of Standards and Technology (NIST) Framework for
Improving Critical Infrastructure Cybersecurity represents the gold standard
when it comes to providing guidelines for implementing a cybersecurity
program. The NIST framework is not something that organizations can ever
fully comply with because attackers are constantly changing their methods and
an organization’s business processes are also constantly changing. So, there’s
no NIST certification or seal of approval.
As NIST puts it: “The Framework is not a one-size-fits-all approach to
managing cybersecurity risks. Organizations will continue to have unique
risks – different threats, different vulnerabilities, different risk tolerances.
To account for the unique cybersecurity needs of organizations, there are a
variety of ways to use the Framework.”
What the framework does provide is a methodology, a taxonomy and a
consistent risk-based approach to cybersecurity that can help organizations
protect themselves from a variety of threats, including client-side attacks.
Specifically, the framework gives organizations a way to describe their current
cybersecurity posture and their target state, identify and prioritize
opportunities for improvement, to assess progress toward the target state and
to improve communication among internal and external stakeholders about
cybersecurity risk.
What are Client-side attacks?
Client-side attacks have been around for a while, but they remain a blind spot
for many organizations. Every client-side web attack is different, but they all
rely on the fact that the attackers are able to gain access to the browser of the
customer who is visiting the website, and they are able to steal the customer’s
payment details, including credit card information, in real time.
These attacks are rapidly accelerating and they all exploit the trust relationship
between a user and the websites they visit. In fact, according to our research, a
new online attack occurs every 39 seconds. Most client-side attacks are a
consequence of a more sophisticated attack chain that eventually affects the
visitors of the website.
The Framework Core
The core of the framework is a set of activities that organizations need to take
to achieve specific cybersecurity outcomes. The five core functions are:
identify, protect, detect, respond and recover.
[Figure: the Framework Core. Each of the five functions is broken down into categories:
IDENTIFY: Asset Management; Business Environment; Governance; Risk Assessment; Risk Management Strategy
PROTECT: Access Control; Awareness and Training; Data Security; Information Protection Processes and Procedures; Maintenance; Protective Technology
DETECT: Anomalies and Events; Security Continuous Monitoring; Detection Processes
RESPOND: Response Planning; Communications; Analysis; Mitigation; Improvements
RECOVER: Recovery Planning; Improvements; Communications]

IDENTIFY: The first step in the process is identifying the risk to people, assets,
data and capabilities. Understanding the business context, the resources that
support critical functions and the related cybersecurity risks enables
organizations to prioritize their efforts. For organizations in industries like
travel, finance, healthcare and ticketing, or any organization engaged in
ecommerce, client-side attacks constitute a high-priority risk. A well-publicized
breach in which data is stolen from a customer’s shopping cart could result in
the loss of brand reputation (and a loss of revenue) that could cast a shadow
on the company for years.
PROTECT: Once the most critical risks have been identified, organizations need
to prioritize their efforts toward protecting against attacks. With companies
moving into hybrid cloud environments, deploying IoT devices and more
employees working remotely, the attack vector has certainly expanded. So,
organizations need to look for the weak links, the chinks in the armor where
attackers are likely to focus their efforts. Client-side security represents a blind
spot in traditional security defenses. These client-side attacks, in which
malicious scripts can be inserted into ecommerce transaction processing
systems via weaknesses in third-party code, are designed to evade traditional
web application firewalls and other security tactics.
DETECT: Organizations need to deploy detection tools such as anomaly
detection and continuous monitoring. But traditional general purpose
intrusion detection tools don’t seem to be all that effective. The Mandiant
Security Effectiveness Report 2020 found that 53% of successful cyberattacks
infiltrate organizations without being detected, and 91% of all incidents didn’t
generate an alert. Even worse, on average, companies take about 197 days to
identify and 69 days to contain a breach, according to IBM.
In order to detect client-side attacks, organizations should monitor
outbound traffic so they can spot data being transferred to unknown destinations,
an early indication that something might be amiss. They should also conduct
routine, periodic audits to double-check that the website’s code has not been
altered, and they should not forget to assess third-party applications. Magecart attacks
exploit third-party, fourth-party or even fifth-party applications that handle
various parts of the checkout process, so the organization needs to verify that those apps
have not been tampered with.
RESPOND: The ability to quickly respond to an attack is critical. Organizations
must have a playbook that has been shared with all of the appropriate
stakeholders so that incident response takes place quickly and efficiently, with
everyone knowing their roles and responsibilities. Beyond immediately putting
out the fire and squelching the attack, organizations need to have a plan that
covers both internal and external communication. They need to conduct a
forensic analysis to determine how the attacker was able to get in and what
they were able to accomplish. Once the damage has been mitigated,
organizations need to focus on plugging the holes, changing passwords,
conducting vulnerability assessments and taking whatever action is needed to
make sure a similar type of attack will not succeed in the future.
RECOVER: Once everything is back up and running, organizations still need to
recover data that might have been lost, or restore capabilities or services that
were impacted by the cybersecurity incident. Companies then need to develop
and implement plans for resilience, such as having data backed up or having
redundant systems.
Framework Implementation Tiers
The NIST Framework specifies four different Implementation Tiers that
organizations can align with, based on “how an organization views their
cybersecurity risk and processes in place to manage that risk.” Companies can
select the appropriate tier for their organization based on current risk
management practices, the threat environment, regulatory requirements,
information sharing practices, supply chain cybersecurity requirements,
organizational constraints and business objectives. Achieving Tier 4 isn’t the
holy grail; it’s only encouraged when a cost-benefit analysis indicates that it
makes sense. But organizations that find themselves in Tier 1 should try to at
least reach Tier 2, according to NIST.
Tier 1 | Partial
At this tier, risk management processes are not formalized and risk is managed
in an ad hoc manner. There is limited awareness of cybersecurity risks at the
organizational level. And the organization does not understand its role in the
larger ecosystem. In other words, the organization doesn’t collaborate with
other entities and doesn’t share information. It is generally unaware of cyber
supply chain risk, such as the possibility that malicious code from a third party
could infect an ecommerce site and trigger a client-side attack.
Tier 2 | Risk Informed
At this level, companies have a smattering of risk management practices, but
they are not deployed across the organization. Cybersecurity information is
shared within the organization on an informal basis. The organization is aware
of supply chain risks, but does not act consistently or formally on those risks.
Tier 3 | Repeatable
In Tier 3, risk management practices are formally approved and expressed as
policy. Cybersecurity practices are regularly updated based on the application
of risk management principles to changes in the business and to the changing
threat landscape. For example, if a retailer makes a significant shift from
bricks-and-mortar stores to online sales due to Covid-19, protecting
e-commerce sales from client-side attacks becomes even more important.
The organization also collaborates with and receives information from the
broader community. It is aware of cyber supply chain risks associated with
products and services that it uses and acts on those risks with policy
implementation and monitoring.
Tier 4 | Adaptive
At the most advanced level, organizations adapt their cybersecurity practices based
on lessons learned and predictive indicators. Through a process of continuous
improvement, companies actively adapt to a changing threat and technology
landscape and respond in a timely and effective manner to evolving, sophisticated
threats. The organizational budget is based on an understanding of the current and
predicted risk environment and risk tolerance. Cybersecurity risk management
becomes part of the organizational culture. And the organization receives,
generates and reviews prioritized information that informs continuous analysis of
risks. The organization also shares that information internally and externally, and
uses real-time information to understand and act upon supply chain risks.
How to implement the NIST Framework in Seven Steps
The Framework enables organizations to establish a roadmap for reducing
cybersecurity risk by giving organizations a way to define their current state, and to
define their target profile. The Framework doesn’t replace existing processes; it’s an
overlay that can help companies identify gaps and prioritize areas that need to be
improved. It can also be helpful in explaining security requirements to business
leaders who hold the purse strings, as well as to internal employees and partners.
Here are seven steps that companies can take to use the Framework to either create a
new cybersecurity program or improve an existing one.
1 | Set Priorities and Scope: The organization identifies business objectives and
high-level priorities. With this information, the company makes strategic decisions
regarding cybersecurity implementations and determines the scope of systems and
assets that support key business processes. The Framework can be adapted to
reflect the reality that different business units and/or business processes might
have different risk tolerances.
2 | Orient: Once the scope of the cybersecurity program has been determined
for that specific business unit or process, the organization identifies relevant
systems and assets, regulatory requirements and overall risk approach. The
organization then identifies threats and vulnerabilities applicable to those
systems and assets, either with internal staffers or outside experts.
3 | Create a current profile: The organization develops a current profile by
indicating which outcomes from the Framework Core are being achieved. NIST
has a complex, comprehensive set of categories and subcategories associated
with each of the five core functions. For example, in the Protect function,
categories include identity management and access control, awareness and
training and data security. At the subcategory level, there are processes such as
the use of integrity checking mechanisms to verify software, firmware and
information integrity; as well as detecting malicious or unauthorized code.
4 | Conduct a risk assessment: The risk assessment should be guided by the
organization’s overall risk management process or previous risk assessment
activities. The goal is to analyze the current environment to determine the
likelihood of a cybersecurity event, as well as the impact on the organization. It is
important that companies identify new and emerging risks and use threat
information from internal and external sources to gain a better understanding of
the likelihood and potential severity of an attack.
5 | Create a target profile: The target profile reflects the organization’s desired
cybersecurity outcomes, using the Framework’s categories and subcategories as
a guide. Organizations with unique risks can, of course,
add their own categories and subcategories. The target profile should reflect
criteria within the target Implementation Tier.
6 | Determine, analyze and prioritize gaps: Comparing the current profile
against the target profile exposes gaps that must be addressed through a
prioritized action plan that reflects drivers, costs, benefits and risks. The
organization then identifies resources, including funding and staff, to
address the gaps.
7 | Implement Action Plan: The organization adjusts its current
cybersecurity practices to achieve the target profile. But that’s not the end of
the process. The organization repeats these steps as needed to continuously
assess and improve its cybersecurity posture. Organizations may monitor
progress through iterative updates to the current profile, comparing the
updated current profile to the target profile and aligning their cybersecurity
program with the desired Implementation Tier.
Summarizing How the NIST Framework Can Help Companies Prevent Client-side Attacks
The framework provides a common language to communicate requirements
among all stakeholders, including those up and down the supply chain. Risk
management in the context of supply chains is typically associated with
automobile assembly plants or large brick-and-mortar retailers. But the NIST
Framework makes clear that a primary objective of supply chain risk
management is to identify, assess and mitigate “products and services that
may contain malicious functionality.”
In the case of client-side attacks, hackers can infiltrate third-, fourth- or even
fifth-party code that comes from outside companies, so companies need to
put systems in place to be sure that code cannot be altered, and that
sensitive customer data cannot be skimmed.
Why Do Monitoring and Detection Still Leave Companies Exposed?
3rd party risk presents, in many ways, a novel challenge to traditional
enterprise security strategy. Because of the combination of clear business
necessity, poor security architecture and rapidly accelerating exploitation,
the attack vector presented by 3rd party JavaScript within the browser
requires a unique approach and careful consideration from any organization
providing content to visitors.
Monitoring and detection tools will simulate a limited number of user
profiles but not all of them. As third parties may change their behavior from
user to user, this is not an effective or reliable means of detecting these
attacks. Even on occasions where a hack is detected, organizations still need
to react to the hack. This requires initiating incident response, removing
important tools from your site and replacing them, notifying your users and
compliance reporting, along with damage to your brand.
Standards-based approaches towards mitigating this attack vector are
well-engineered and logically sound; however, they fail in the sense that they
take the perspective of a web application developer or maintainer. In other
words, technologies like CSP and SRI work well in the context of a
self-developed application: if you know everything about how your application
works then surely you can know what other code it incorporates and how that
code functions. You may even deploy technologies like dynamic application
testing or application monitoring to further secure that application.
This, however, is not the challenge presented by 3rd party JavaScript.
[Figure: the NIST Cybersecurity Framework shown as a cycle of its five functions: Identify, Protect, Detect, Respond, Recover]
The landscape of a contemporary customer-facing website is wholly unlike an
internally developed web application. The participants contributing code in an
average visitor’s browsing session number in the dozens, if not more. As such, it is
impossible for an enterprise to know, let alone control, the entirety of the attack
surface.
Other techniques such as application monitoring, usage restriction, code review
and general due diligence are valid approaches; however, they rely heavily on
operational and business expenses. In other words, it is possible for organizations
to implement these techniques, but that effort will expend resources and decrease
revenue. Each of these approaches fundamentally relies on three things: time, effort
and talent. Should an organization decide that it possesses a sufficient surplus
of resources in those three categories, then these may be desirable avenues to
pursue. Given the finite and often restrictive constraints on security resources,
however, most enterprise organizations may find themselves unprepared to
respond to this emerging threat.
In summary, it may be possible to partially address the risk presented by 3rd party
vendors through traditional approaches, but only at great cost to the organization
and with limited effectiveness in terms of mitigation. Unfortunately, traditional
security technologies and techniques are proving to be insufficient responses to
this emergent and accelerating threat.
Guidance to Ensure Organizations are Protected from Client-Side Security Threats
1. Implement a control system that will identify and control all 3rd party
JavaScript on your webpages. It is critical to control the access of all 3rd party
JavaScript on your webpages; therefore, making sure the control system is able
to identify and control each external JavaScript is crucial to the process.
2. Make sure Nth party JavaScript is either blocked or managed by the system.
Many 3rd party JavaScript providers will work in cooperation with other providers to
increase their efficiency; these partners have the same unlimited DOM
(Document Object Model) access and therefore should either be blocked or managed
in the same manner as a 3rd party.
The DOM is a programming API for HTML and XML documents. It defines the logical
structure of documents and the way a document is accessed and manipulated.
3. Make sure “whitelisted” 3rd parties cannot bypass the applied security policies.
Some access policy platforms limit 3rd party access with methods such as CSP/SRI
or JavaScript proxying; these are easily bypassed and are considered ineffective.
4. Ensure security controls remain effective even if 3rd party resources change.
3rd party resources change rapidly and are often generated dynamically.
5. Implement security controls which protect the entire duration of a visitor’s session.
Auditing and inventorying known 3rd party resources is ineffective as additional
resources can be called into a session at any time, from moments after page load to
minutes or even hours later.
6. Ensure controls implemented do not themselves introduce additional vulnerability.
Security controls introduced to address 3rd party risk may inherently
present some risk themselves.
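The allowlist check below is an added example (not the Source Defense platform or its code) of guidance items 1, 2, 4 and 5 taken together: a policy function decides whether a script’s src belongs to an approved host, comparing the host name exactly so that paths, query strings and look-alike domains do not matter, and a MutationObserver applies that policy to every script element added for as long as the page lives, not only to those in the initial HTML. The approved hosts are constructed for the example; the policy function is kept free of browser objects so it can be tested outside a browser.

```javascript
// Added example: session-long allowlist policy for script elements.
// Approved hosts below are constructed; replace with your own inventory.
const ALLOWED_SCRIPT_HOSTS = new Set([
  "shop.example",                 // first party (assumption for the example)
  "cdn.analytics-vendor.example", // approved third party (assumption)
]);

// Base URL used to resolve relative and protocol-relative src values
// (assumption: the page itself is served from the first-party host).
const PAGE_BASE = "https://shop.example/";

// Classify a script src. Returns one of:
//   "allowed" : host is on the allowlist
//   "blocked" : any other host, including nth-party scripts that an approved
//               vendor pulls in (item 2) and data:/javascript: URLs
//   "inline"  : no src at all; the allowlist cannot vouch for inline code
//   "invalid" : src does not parse as a URL
function decideScript(src, allowed = ALLOWED_SCRIPT_HOSTS) {
  if (src === null || src === undefined || String(src).trim() === "") return "inline";
  let url;
  try {
    url = new URL(String(src), PAGE_BASE);
  } catch (e) {
    return "invalid";
  }
  // Exact host comparison: paths and query strings change constantly (item 4),
  // and a suffix match would let "shop.example.evil.example" through.
  return allowed.has(url.hostname) ? "allowed" : "blocked";
}

// Apply the policy to the scripts already in the document and to every script
// element inserted later in the session (item 5). `report` receives one record
// per non-allowed script; `remove` controls whether the element is detached.
function watchScripts(doc, report, remove = true) {
  const handle = (node) => {
    if (node.nodeType !== 1 || node.tagName !== "SCRIPT") return;
    const src = node.getAttribute("src");
    const verdict = decideScript(src);
    if (verdict === "allowed") return;
    report({ verdict, src, at: Date.now() });
    // Detaching happens after insertion, so it cannot undo code that already
    // ran; this is a detection control that complements browser-enforced ones.
    if (remove) node.remove();
  };
  doc.querySelectorAll("script").forEach(handle);
  const observer = new MutationObserver((records) => {
    for (const r of records) r.addedNodes.forEach(handle);
  });
  observer.observe(doc.documentElement, { childList: true, subtree: true });
  return observer;
}

// Only wire up the observer when a DOM is actually present.
if (typeof document !== "undefined" && typeof MutationObserver !== "undefined") {
  watchScripts(document, (f) => console.warn("script policy:", f.verdict, f.src));
}
```

Because the observer fires after a node is inserted, removal cannot undo code that has already executed; the value of the check is that it keeps reporting for the whole session rather than only at page load, and that a small, testable policy function limits the chance that the control itself becomes a source of bugs (item 6).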
About Source Defense
Source Defense is the market leader in Client-side Security for websites, providing real-time threat detection, protection and prevention of vulnerabilities originating in JavaScript. The Source Defense patented Website Client-side Security Platform offers the most comprehensive & complete solution addressing threats and risks coming from the increased usage of JavaScript, libraries and open source in websites today.
The ADMIN management console, VICE sandboxing and WiPP data shield offerings utilize patented technology and are deployed by leading Fortune 500 enterprises in the Financial, Retail, and Healthcare markets. Headquartered in Israel, with branches across the US and a strong community of global valuable partnerships, Source Defense is the most innovative, reliable and trusted partner in the fight against client-side attacks.