As I've written before, web applications are usually the most visible part of the business and are often the focus of cyber-attacks. But there are many advantages to an attacker targeting individual end-users instead of a company's website. End users, especially unmanaged end users (those who are not on devices owned by the company), are usually much softer targets. They typically have fewer defenses – at best simply using a traditional signature-based antivirus solution (which is more than likely not up-to-date), at worst running no security software. Their computers are also much more likely to be behind in applying software patches to address vulnerabilities than the server running the web application. In addition, users visit a wide range of sites, most of which are non-business-related, and they are likely to click links, get fooled by pop-ups or phishing emails, or visit websites that distribute malware.
Attacks against users are also much more likely to go undetected, even if the volume of compromised user devices is high. This is in part because with one malware campaign, an attacker can actually attack many targets. Consider a banking trojan that exfiltrates credentials from users visiting banking sites – since each user would likely only bank with one or two different banks, the attack is spread among dozens of banks (with each bank receiving a smaller subset of the attack volume), rather than concentrating on a single bank.
This is analogous to the shift in the approach to network security. Just as the old notions of protecting the perimeter with network firewalls had to evolve in the face of remote user access, distributed applications, and business-to-business integration, the application “perimeter” needs to be extended to include the users' end of the web session. Expecting end users to be responsible for their own security and blaming them if their devices are compromised is unrealistic and ultimately results in customer ill-will, increased support costs, and, in some industries, liability lawsuits.
Once an organization starts to include both sides of a web application session in scope for security, it becomes clear that using separate, unintegrated security solutions is only moderately effective. Some attacks will not be caught unless both the user and the web server sides are evaluated together, as one web session. There is also a lot to gain with this more comprehensive picture, which can give organizations an edge against fraudulent transactions as well.
For example, consider the approach most endpoint protection products such as traditional antivirus take. The focus of these products is on stopping and cleaning up malware infections on a computer. While this is a respectable goal, it can miss the point. For one thing, almost three decades of antivirus development have demonstrated that this is not a war that can be definitively won, but an ongoing struggle with both sides innovating to counter the other. So it remains true that end-user computers do get infected by malware, and that malware runs for a period of time before the antivirus software recognizes it, and cleans or quarantines it.
This driving focus on keeping the computer clean raises some concerns. If there was a period of time when the malware was active on the user's computer, what was it doing? In many cases, once the antivirus vendor's research team identifies how to recognize the malware and clean the computer, they move on to the next threat. The analysis of what harm is caused extends only to the technical impact on a computer. They may say it contains a keylogger, for example, but will not track or know what data was stolen. Was the keylogger monitoring specific websites? Should user change their passwords on certain websites? Or notify these websites that their accounts may be compromised? This type of malware can also alter a website's pages (in the browser) as viewed by the user, and even manipulate transactions. Was additional data stolen? Should the user review transactions on certain websites? What harm is actually inflicted on the user (not just the computer)? Cleaning the malware from the computer does not clear things up for a user if the malware has already exfiltrated login credentials, stolen personal information, or executed fraudulent transactions on the user's account. It is only by having a security strategy that includes both the web server-side and the user-side of the transaction, and is aware of and mitigating the security threats to both that this problem can be effectively addressed.
The Modern Approach: Full Transaction Stack Protection
Focusing only (or separately) on eradicating malware from endpoints is an incomplete approach at best, and a futile endeavor at worst. Any transaction involves multiple parties, and web application transactions are no different: the website is one participant, and the end-user, or customer, the other. For any single transaction, both participants are equally involved and both need to be included in any risk analysis and security approach.
Organizations conducting transactions with unmanaged endpoints need to consider the full scope of threats to the business. Full Transaction Stack Protection means extending protection to the end user devices, ensuring the communication channel is resilient against service disruption and defending the web server from targeted attacks and bots. It also encompasses all layers of the web application including the infrastructure and application layers as well as the transaction layer to defend against fraud.
Trusted Knight's Protector Air is the only unified solution for addressing security and fraud through Full Transaction Stack Protection. Furthermore, Protector Air's cloud-based, turnkey deployment means there is nothing to install or manage on endpoints and requires no integration or modification with the website. Protector Air has no software to download and zero impact on the user experience, eliminating user frustration and support headaches while still providing protection for 100% of the user base.