As cloud computing adoption continues to grow, so do breaches and disclosures of sensitive information. With the recent news surrounding credit card skimming (the Magecart attacks), it is worth investigating your third-party providers and your Amazon S3 buckets to make sure the right security controls are enabled, both to prevent a breach and to limit the fines that follow one.
Background on Magecart
To protect your organization, consider the following:
- Audit your AWS account for insecure permissions. No bucket should allow public write access, least of all one that hosts the JavaScript and other supporting files for your web application: anyone who can overwrite those files can change what every visitor's browser executes.
- Conduct a penetration test against your AWS environment that also covers every third-party service your web application currently uses. A weakness in any of those third parties can lead to your users being compromised.
- Make sure logging is sufficient. If a breach does occur, you need logs that show what happened and how it happened, both to shorten remediation and to prevent a recurrence. For S3 buckets that means enabling server access logging or CloudTrail data events, so that an unexpected write to a hosted file is recorded together with its source.
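To make the permissions and logging items concrete, here is an added example (not code from the original post) that audits a snapshot of one bucket's ACL, bucket policy and logging configuration for public write grants and for missing access logging. The bucket names and configurations are constructed for illustration; the input shapes follow what boto3's get_bucket_acl, get_bucket_policy and get_bucket_logging return, so the same functions can be fed live data from an account.

```python
"""Offline audit of an S3 bucket's configuration for public write access and
missing access logging.

Added example, not code from the original article. The inputs mirror the
shapes returned by boto3's get_bucket_acl, get_bucket_policy and
get_bucket_logging; the buckets below are constructed samples with
hypothetical names.
"""
import json

# ACL groups that make a grant public. AuthenticatedUsers means "any AWS
# account holder in the world", which is public for all practical purposes.
ALL_USERS = "http://acs.amazonaws.com/groups/global/AllUsers"
AUTH_USERS = "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"
PUBLIC_ACL_GROUPS = {ALL_USERS, AUTH_USERS}
WRITE_PERMISSIONS = {"WRITE", "WRITE_ACP", "FULL_CONTROL"}
# Policy actions that let a principal change or remove objects (lower-cased
# for comparison; IAM action names are case-insensitive).
WRITE_ACTIONS = {"s3:putobject", "s3:putobjectacl", "s3:deleteobject", "s3:*", "*"}


def _as_list(value):
    """Policy documents allow a single string wherever a list is valid."""
    return value if isinstance(value, list) else [value]


def _principal_is_anonymous(principal):
    """True for Principal "*" or {"AWS": "*"} (or "*" inside an AWS list)."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return "*" in _as_list(principal.get("AWS", []))
    return False


def acl_public_write_grants(acl):
    """Return (group, permission) pairs for ACL grants giving a public group write."""
    findings = []
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        if (grantee.get("Type") == "Group"
                and grantee.get("URI") in PUBLIC_ACL_GROUPS
                and grant.get("Permission") in WRITE_PERMISSIONS):
            findings.append((grantee["URI"].rsplit("/", 1)[-1], grant["Permission"]))
    return findings


def policy_anonymous_write_sids(policy_json):
    """Return Sids of Allow statements granting a write action to an anonymous principal."""
    policy = json.loads(policy_json)
    findings = []
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow" or not _principal_is_anonymous(stmt.get("Principal")):
            continue
        actions = {a.lower() for a in _as_list(stmt.get("Action", []))}
        if actions & WRITE_ACTIONS:
            # A Condition block can narrow the grant, but an anonymous write
            # grant deserves a human review either way, so it is still flagged.
            findings.append(stmt.get("Sid", "<no Sid>"))
    return findings


def audit_bucket(bucket):
    """Return a list of finding strings for one bucket configuration snapshot."""
    findings = []
    for group, permission in acl_public_write_grants(bucket.get("Acl", {})):
        findings.append(f"ACL grants {permission} to {group}")
    if bucket.get("Policy"):
        for sid in policy_anonymous_write_sids(bucket["Policy"]):
            findings.append(f"policy statement {sid} allows write to anonymous principal")
    if not bucket.get("Logging", {}).get("LoggingEnabled"):
        findings.append("server access logging is not enabled")
    return findings


# Constructed sample: a static-asset bucket with public read (normal for a CDN
# origin) but also a public write grant and a policy that lets anyone upload
# under js/ -- exactly the foothold a script-injection campaign needs.
WEAK_BUCKET = {
    "Name": "example-webapp-static",
    "Acl": {"Grants": [
        {"Grantee": {"Type": "CanonicalUser", "ID": "owner"}, "Permission": "FULL_CONTROL"},
        {"Grantee": {"Type": "Group", "URI": ALL_USERS}, "Permission": "READ"},
        {"Grantee": {"Type": "Group", "URI": AUTH_USERS}, "Permission": "WRITE"},
    ]},
    "Policy": json.dumps({"Version": "2012-10-17", "Statement": [
        {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
         "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-webapp-static/*"},
        {"Sid": "AnyoneCanUpload", "Effect": "Allow", "Principal": {"AWS": "*"},
         "Action": ["s3:PutObject"], "Resource": "arn:aws:s3:::example-webapp-static/js/*"},
    ]}),
    "Logging": {},
}

# The same bucket after remediation: public read only, no anonymous write,
# and access logs shipped to a separate (hypothetical) log bucket.
HARDENED_BUCKET = {
    "Name": "example-webapp-static",
    "Acl": {"Grants": [
        {"Grantee": {"Type": "CanonicalUser", "ID": "owner"}, "Permission": "FULL_CONTROL"},
    ]},
    "Policy": json.dumps({"Version": "2012-10-17", "Statement": [
        {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
         "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-webapp-static/*"},
    ]}),
    "Logging": {"LoggingEnabled": {"TargetBucket": "example-access-logs", "TargetPrefix": "static/"}},
}

if __name__ == "__main__":
    for bucket in (WEAK_BUCKET, HARDENED_BUCKET):
        print(bucket["Name"], audit_bucket(bucket) or ["no findings"])
```

Two caveats when running this against a real account: S3 Block Public Access, set at the account or bucket level, overrides public ACLs and public bucket policies and should be on wherever the bucket is not deliberately a public origin; and server access logging records every request to the bucket, including the PUT that would replace a script, whereas CloudTrail only records object-level calls when data events are enabled for that bucket.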
Many of our clients used to ask that we exclude or remove third-party findings from their reports because those findings do not affect them directly, but with the recent uptick in Magecart attacks, including them is the wise decision. Remember, a web application is only as strong as its weakest link, and attackers are noticing the weaknesses in third parties. So if a third party hosts your resource files or your web application server, it should be included in the scope of any security testing, to ensure your web application is not caught up in a malicious campaign that would affect your company and its users.