SPONSORED CONTENT PRESENTED BY FEROOT SECURITY
By Ivan Tsarynny
Online banking has changed dramatically in the past two years. Banking websites rely heavily on JavaScript, much of it loaded from third parties, to collect sensitive information, and they are held to high standards of online compliance. The need to improve security in the financial sector has never been greater, especially on the client side, where that code runs in the customer's browser rather than on infrastructure the bank controls.
The Types of Client-Side Attacks Threatening the Financial Services Sector
To guard their websites and web applications against client-side attacks, the industry's cybersecurity professionals have little choice but to pay closer attention to what happens in the browser itself: which scripts load on their pages, where those scripts come from, and what data they touch. That is the organization's client-side "surface," and breaches there leave no trace on the server.
What Other Types of Tools Support Client-Side Security?
There are additional client-side security tools available to organizations, none of which, unfortunately, protects the entire client-side surface. Web Application Firewalls (WAFs) inspect traffic between the browser and the organization's own servers and can block some injection attempts that would plant a skimmer. However, a WAF never sees what a script does once it is running in the user's browser: skimming malware typically reads form fields and sends the data directly to attacker-controlled infrastructure, so that traffic never crosses the WAF. WAFs therefore do not protect the browser-level user interface itself and cannot detect sophisticated skimming malware, drive-by skimming, supply chain compromises of third-party scripts, or sideloading.
Content Security Policies (CSPs) can block and report injected scripts such as cross-site scripting (XSS) payloads and restrict the origins from which scripts may load, but they are not easy to retrofit onto an existing website. A site built without CSP in mind usually has inline scripts and a long tail of third-party tags, and a strict policy will break legitimate functionality unless every one of them is accounted for with nonces, hashes or allowlisted origins. A practical caveat: deploy the policy first as Content-Security-Policy-Report-Only so violations are reported without blocking anything, and only enforce it once the reports are clean. Penetration testing, vulnerability assessment and security assessment rarely cover client-side threats at this point in time. Assessments are also a snapshot in time: attackers can execute attacks between quarterly or annual assessments, and if they discover a new vulnerability, they will likely exploit it before the next test is completed. Pen testing and assessments remain a key part of the security process, but organizations stay exposed between tests. Unfortunately, threat actors are much more nimble than most companies.
Code obfuscation (or scrambling) makes it harder for cybercriminals to interpret code, but free online de-obfuscation tools let threat actors reverse engineer the original logic; obfuscation raises the cost of analysis without preventing it. Obfuscators can also be a liability for defenders, since the obfuscated code is hard to read when the team needs to debug it or verify what it actually does. Implementing an approach that prioritizes client-side attack surface monitoring gives organizations a strategic advantage in detecting and preventing these threats.
What Is Client-Side Attack Surface Monitoring?
Client-side attack surface monitoring automates the inventory of an organization's web assets: every first- and third-party script that loads on its pages. It then provides IT personnel with a list of the data each asset accesses and offers specific remediation advice to security teams in real time.
Client-side security technologies replicate real user behavior on a webpage, including custom user journey scenarios such as a login or a payment flow. By employing "synthetic users" that look like ordinary customers to any script watching the page, client-side attack surface monitoring solutions autonomously exercise the site the way a customer would. The tool automatically maps and monitors the client-side attack surface, detects and reports abnormal application behavior (a new script origin, a script reading a form field it never touched before, an unexpected network destination), informs security teams of their current client-side attack surface, and alerts application developers to code issues to fix in real time. The goal of this approach is to detect customer data exfiltration before it becomes a breach.
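The two pieces above that most benefit from a concrete illustration are the script inventory and drift check (mapping the client-side surface and flagging what changed) and the report-only CSP caveat from the earlier section. The following Node.js script is an added example written for this page; it is not Feroot's product code and does not describe how their scanner works. It parses a constructed sample page (the hostnames are placeholders, not real vendors), classifies each script as first-party, third-party or inline, compares third-party origins against an assumed approved baseline, and derives a Content-Security-Policy-Report-Only header from that baseline so that any script outside it produces a violation report instead of breaking the page. The regex-based tag extraction is deliberately simple; a production scanner would drive a real browser so it can also observe what each script reads and where it sends data.

```javascript
// Added example, not from the original article or Feroot's product.
// Inventories <script> tags on a page, detects third-party origins missing
// from an approved baseline, and builds a report-only CSP from the baseline.
// Runs on Node.js with no dependencies (URL is a global).

// Constructed sample page. Hostnames are placeholders, not real vendors.
const PAGE_ORIGIN = "https://www.example-bank.com";
const SAMPLE_HTML = `
<html><head>
<script src="/static/app.js"></script>
<script src="https://cdn.example-bank.com/js/vendor.bundle.js"></script>
<script src="https://tags.analytics-example.net/tag.js" async></script>
<script>window.dataLayer = window.dataLayer || [];</script>
</head><body>
<script src="//static.unknown-host.example/loader.js"></script>
</body></html>`;

// Assumed baseline: third-party script origins the security team reviewed.
const APPROVED_ORIGINS = new Set([
  "https://cdn.example-bank.com",
  "https://tags.analytics-example.net",
]);

// Extract every <script> tag and classify it. Relative and protocol-relative
// src values are resolved against the page origin before comparison.
function inventoryScripts(html, pageOrigin) {
  const scriptTag = /<script\b([^>]*)>/gi;
  const srcAttr = /\bsrc\s*=\s*["']([^"']+)["']/i;
  const found = [];
  let tag;
  while ((tag = scriptTag.exec(html)) !== null) {
    const src = srcAttr.exec(tag[1]);
    if (!src) {
      found.push({ kind: "inline", src: null, origin: pageOrigin, thirdParty: false });
      continue;
    }
    const resolved = new URL(src[1], pageOrigin);
    found.push({
      kind: "external",
      src: resolved.href,
      origin: resolved.origin,
      thirdParty: resolved.origin !== pageOrigin,
    });
  }
  return found;
}

// Drift check: third-party origins present on the page but not approved.
function unapprovedOrigins(inventory, approved) {
  const drift = new Set();
  for (const s of inventory) {
    if (s.thirdParty && !approved.has(s.origin)) drift.add(s.origin);
  }
  return [...drift].sort();
}

// Report-only policy built from the approved baseline. Scripts outside it
// (including the unknown loader above) generate reports, not breakage.
// Inline scripts are not covered by an origin list and need nonces or
// hashes; countInline() shows how much of that work a page would need.
function buildReportOnlyCsp(approved, reportUri) {
  const sources = ["'self'", ...[...approved].sort()];
  return `Content-Security-Policy-Report-Only: script-src ${sources.join(" ")}; report-uri ${reportUri}`;
}

function countInline(inventory) {
  return inventory.filter((s) => s.kind === "inline").length;
}

// Summary a monitoring job would hand to the security team.
function runReport() {
  const inventory = inventoryScripts(SAMPLE_HTML, PAGE_ORIGIN);
  return {
    scripts: inventory.length,
    inlineScriptsNeedingNonces: countInline(inventory),
    unapprovedOrigins: unapprovedOrigins(inventory, APPROVED_ORIGINS),
    reportOnlyHeader: buildReportOnlyCsp(APPROVED_ORIGINS, "/csp-report"),
  };
}

console.log(JSON.stringify(runReport(), null, 2));
```

Run with `node inventory.js`. Against the sample page the report lists five scripts, one inline script that would need a nonce, and one unapproved origin, `https://static.unknown-host.example`, which is exactly the kind of silently added loader a skimming campaign relies on. Re-running the inventory on a schedule and diffing the unapproved list against the previous run turns this from a one-off audit into the continuous monitoring the article argues for.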
The Benefits of Client-Side Attack Surface Monitoring for Financial Firms
The benefits of client-side attack surface monitoring for financial firms are numerous, and they are not limited to evaluating web applications. The scan results can also be aggregated into threat intelligence for the institution after each run. IT personnel can analyze the data gathered by synthetic users, such as new script origins or unexpected data flows, and respond rapidly when needed. These synthetic users are adaptable: the scenarios they run can be refined as the site changes, so they keep identifying and classifying the client-side issues that would otherwise go undetected.
Client-side attack surface monitoring solutions can be deployed on active websites without major modifications, since they observe the site from the outside rather than changing its code, and they address the browser-side gap the other approaches leave open. This approach does involve interaction between the financial institution's development and cybersecurity teams. Both need to understand the structure of the client-side application, which scripts are expected on each page and what data each is allowed to touch, in order to tell a legitimate change from a compromise. By working together, security and development teams can keep the client side secure without disrupting the site.
The best defense for web applications and websites is awareness. By employing some or all of the approaches above, IT personnel will always know which web assets they own and what data those assets handle. More importantly, they will be confident of how those assets behave and how users interact with them. It is security from the outside in, giving web assets the attention they deserve so that they do not turn from a business enabler into a formidable threat.
Ivan Tsarynny is CEO and co-founder of Feroot Security.