Note: This guide refers to Source Defense's Security solution, for more information on this solution contact us.
1 General concepts and terms
- User types: End users visiting a website will be called visitors. The owner of the site will be referred to as a client. An administrative user or just admin is an agent of the client responsible for operating all or part of the client’s Source Defense management.
- Sessions: A session commences when a visitor logs in to a monitored site. The session may be terminated in any one of three ways:
- The visitor does a normal logout
- The visitor navigates away to another site
- The visitor is inactive for 30 minutes. The session is closed and a new one is opened.
- Observed behaviors: Monitored script behaviors and characteristics that may indicate suspicious behavior or contribute to the riskiness of the script (for example, when the source domain of the script is found in blacklists).
Listed below are the observed behaviors, organized by topic:
- Accessing data
  - Monitoring input elements
  - Monitoring keylogging on input
  - Monitoring editable div elements
  - Monitoring text area elements
- Accessing payments data
  - Monitoring input elements
  - Monitoring keylogging on input
  - Monitoring editable div elements
  - Monitoring text area elements
- Accessing PII data
  - Monitoring input elements
  - Monitoring keylogging on input
  - Monitoring editable div elements
  - Monitoring text area elements
- Accessing credentials data
  - Monitoring input elements
  - Monitoring keylogging on input
  - Monitoring editable div elements
  - Monitoring text area elements
- Transferring data
  - Execute XHR command to a foreign domain
  - Foreign image
  - Submit form to foreign domain
  - Foreign iframe
- Executing risky actions
  - Executing the eval function
- Interacting with malicious domain
  - Website blacklisted
- Uses 1st party cookies
  - Reads 1st party cookies
  - Writes to 1st party cookies
- Uses browser storage
  - Reads local storage
  - Writes to local storage
  - Reads session storage
  - Writes to session storage
- Uses GPS
- Uses microphone
- Uses camera
- Uses push notifications
- Events: An event consists of one or more signals.
Listed below are the event types:
- Data exposure suspected
- Payment exposure suspected
- PII exposure suspected
- Credential exposure suspected
- Risky code execution
- Website domain was found in blacklists
- Script domain is blacklisted
- Sending data to a blacklisted domain
- Uses 1st party cookies
- Uses browser storage
- Risk: Each event has a risk level, labeled Information, Medium, High or Critical by Source Defense’s AI system. The same event type may have different risk levels depending on its severity. For example, if the event type “Suspected Data Breach” is composed only of signals from the signal group “Data Collecting” and signals from the group “Data Transfer” (and the data being collected is not defined as sensitive: PII, payment or credentials), its risk level will be “Information”. If the session also has signals from the signal group “Risky Action”, such as an eval execution, the event risk will be “Medium”.
- Detection sites: Sites configured for Source Defense monitoring.
- Protection sites: Sites configured for Source Defense monitoring and protecting against risks introduced by 3rd party scripts. A site is protected by setting its scripts to Source Defense recommended policies (see Policy).
- Policy: A set of rules defining how scripts are allowed to interact with the site. Available for Protection sites.
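As an added illustration (not Source Defense code), the following groups a session's observed behaviors into the signal groups named in the Risk definition and applies the two stated cases of the "Suspected Data Breach" rule. The behavior-to-group mapping, the dataClass labels and the sample session are assumptions constructed for the example.

```javascript
// Added example, not Source Defense code. Mapping of observed behaviors to
// signal groups is an assumption for illustration.
const SIGNAL_GROUPS = {
  "Monitoring input elements": "Data Collecting",
  "Monitoring keylogging on input": "Data Collecting",
  "Monitoring editable div elements": "Data Collecting",
  "Monitoring text area elements": "Data Collecting",
  "Execute XHR command to a foreign domain": "Data Transfer",
  "Foreign image": "Data Transfer",
  "Submit form to foreign domain": "Data Transfer",
  "Foreign iframe": "Data Transfer",
  "Executing the eval function": "Risky Action",
};

// Which signal groups a list of session signals covers.
function groupsOf(signals) {
  const groups = new Set();
  for (const s of signals) {
    const g = SIGNAL_GROUPS[s.behavior];
    if (g) groups.add(g);
  }
  return groups;
}

// True when any data-collecting signal touched a field classified as sensitive
// (PII, payment or credentials); "generic" marks a non-sensitive field.
function touchesSensitiveData(signals) {
  return signals.some((s) => SIGNAL_GROUPS[s.behavior] === "Data Collecting"
    && s.dataClass !== undefined && s.dataClass !== "generic");
}

// Risk level of a "Suspected Data Breach" event for the session. Returns null
// when the signals do not form such an event, or when sensitive data is
// involved (the text does not give that level, so it is not guessed here).
function dataBreachRisk(signals) {
  const g = groupsOf(signals);
  if (!g.has("Data Collecting") || !g.has("Data Transfer")) return null;
  if (touchesSensitiveData(signals)) return null;
  return g.has("Risky Action") ? "Medium" : "Information";
}

// Constructed sample session: a script watches a search box (non-sensitive),
// sends an XHR to a foreign domain, and calls eval.
const SAMPLE_SESSION = [
  { behavior: "Monitoring input elements", dataClass: "generic" },
  { behavior: "Execute XHR command to a foreign domain" },
  { behavior: "Executing the eval function" },
];
```

Dropping the eval signal from the sample session lowers the result from "Medium" to "Information", and a session with collection but no transfer yields no event at all.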
Script Policies
Our proprietary security policies are applied to scripts automatically - unless otherwise requested - based on our collective and ever-growing expertise of script behaviors and the potential risks they introduce.
The best practice is to set the highest policy without interfering with the desired functionality, which varies from script to script.
See below for descriptions of how each policy protects against potential risks introduced by 3rd party scripts.
Block
This policy removes all risks associated with running the 3rd party script by completely blocking it from running.
This should be used in cases where the script was found to be:
- loaded from a blacklisted domain
- sending data to a blacklisted domain
- otherwise confirmed to be malicious
- without business or technical justification, or without an owner
Keep in mind that the script's functionality won’t run at all.
Isolation
Isolation is the policy with the highest level of protection against threats that does not completely block the script from running.
Isolation ensures the script runs within a sandbox environment, preventing the script from reading sensitive content from the page or writing to the page, including adding new forms.
This protects against attacks that skim sensitive data entered by the user and those that place fake forms to steal sensitive information from the user.
This policy leverages our patented technology which isolates the script to a virtual page, preventing it from introducing malicious activity while allowing the required and approved behaviors to run.
Redaction
The redaction policy ensures that when a script is attempting to skim data a user is entering on the webpage, this data will be redacted and the script will not have access to the actual values being entered.
There are several types of redaction policies, as follows:
- Redact - All
This policy ensures that all data entered by the user and being accessed by the script will be redacted.
- Redact - PCI
This policy ensures that all data entered by the user and being accessed by the script related to payment details will be redacted.
- Redact - PII
This policy ensures that all data entered by the user and being accessed by the script related to personally identifiable information will be redacted.
- Redact - Credentials
This policy ensures that all data entered by the user and being accessed by the script related to credentials such as login and password will be redacted.
We also support all combinations of the above policies, listed below:
- Redact - PII, PCI
- Redact - PII, Credentials
- Redact - PCI, Credentials
- Redact - PII, PCI, Credentials
Input fields that weren’t given suitable names may need to be configured specifically.
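As an added model of the redaction policies above (not Source Defense's implementation), the following classifies fields by name, lets an explicit configuration override the class for fields with unhelpful names, and exposes each field to the policed script through a getter that masks the value when the policy covers that class. The name patterns, the overrides object and the sample form are assumptions constructed for the example.

```javascript
// Added example, not Source Defense's implementation. Name patterns and the
// overrides object are assumed configuration.
const FIELD_CLASSES = {
  PCI: /card|cc[-_]?num|cvv|cvc|expir/i,
  Credentials: /pass(word)?|login|username|otp/i,
  PII: /email|phone|first[-_]?name|last[-_]?name|address|ssn/i,
};

// Data class of a field: explicit configuration (for badly named fields)
// wins, then the name heuristic, otherwise "generic".
function classifyField(field, overrides = {}) {
  if (overrides[field.name]) return overrides[field.name];
  for (const [cls, re] of Object.entries(FIELD_CLASSES)) {
    if (re.test(field.name)) return cls;
  }
  return "generic";
}

// policy is "All" or an array of classes, e.g. ["PII", "PCI"].
function isRedacted(cls, policy) {
  return policy === "All" || policy.includes(cls);
}

// Expose a field to the policed script through a getter: reads of .value
// return a same-length mask when the policy covers the field's data class.
function applyRedaction(field, policy, overrides = {}) {
  const cls = classifyField(field, overrides);
  const redacted = isRedacted(cls, policy);
  return {
    name: field.name,
    dataClass: cls,
    get value() { return redacted ? "*".repeat(field.value.length) : field.value; },
  };
}

// Constructed sample form; "f3" is a password field with an unhelpful name,
// so it is classified through the overrides rather than by name.
const SAMPLE_FIELDS = [
  { name: "cardNumber", value: "4111111111111111" },
  { name: "email", value: "alice@example.com" },
  { name: "f3", value: "hunter2" },
  { name: "promo", value: "SPRING" },
];
const OVERRIDES = { f3: "Credentials" };
// What the third-party script sees for each field under the given policy.
function scriptView(policy) {
  return SAMPLE_FIELDS.map((f) => applyRedaction(f, policy, OVERRIDES).value);
}
```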
Monitored
The monitored policy ensures that when the 3rd party script runs additional 3rd party scripts, known as 4th+ party scripts, they are identified and may be placed into a policy of their own. The 3rd party script runs on the page as if there is no policy; meaning without any explicit protection, but with reporting capabilities that allow monitoring and tracking potential malicious activity, alongside identifying and monitoring additional scripts introduced.
Policy | Protects from creation of fake forms | Protects from reading data entered by the user | Monitors and reports when 4th+ party scripts are executed | Reports script behavior & alerts of new behavior found
--- | --- | --- | --- | ---
Blocked | V | V | NA | NA
Isolated | V | V | V | V
Redacted | X | V | V | V
Monitored | X | X | V | V
Note that regardless of the policy, or even if there is no policy at all, Source Defense will report on new scripts identified and alert of new behavior found. Furthermore, you can see which fields are being accessed via the observed behavior widget on the script page. It shows the signals related to accessing data (accessing PII data, accessing PCI data, accessing credential data and accessing data) and by clicking on them you can see which fields are being accessed.
2 Dashboard specific concepts
- Reporting Period: Reporting Period selection affects all the data that appears on the dashboard, except where otherwise specified. Available choices are: last 24 hours, 48 hours, 7 days, 30 days.
- Page Views: The number of page visits in a website monitored by Source Defense.