2997: Imperva's Guide to PCI DSS 4.0 Compliance and Client-Side Protection
Tech Talks Daily, August 18, 2024

How prepared is your organization to tackle the growing threat of client-side attacks? In this episode of the Tech Talks Daily Podcast, I sit down with Lynn Marks, Senior Product Director at Imperva, a Thales company, to discuss the rise of Magecart attacks and the implications of the newly updated PCI DSS 4.0 standards.

Client-side attacks, like Magecart, have been a looming threat since 2015, gaining significant traction as digital transformation accelerated during the global pandemic. As more businesses moved their operations online, the landscape for these attacks became increasingly fertile, putting sensitive customer data at risk. With the recent release of PCI DSS 4.0, the stakes have never been higher for organizations processing payments online. Lynn dives into the specifics of how these attacks operate, targeting vulnerable JavaScript to steal data directly from users, often without detection.

We explore the key updates in PCI DSS 4.0, particularly the new requirements that demand businesses inventory, authorize, and monitor client-side scripts more rigorously. Lynn shares practical insights on how companies can navigate these requirements, mitigate risks, and enhance cross-team communication to protect against these sophisticated threats.

What strategies should your business adopt to stay ahead of client-side attackers, and how can you ensure compliance with the evolving security standards? Tune in to this episode for an in-depth conversation on safeguarding your online transactions and staying resilient in the face of emerging cyber threats. After listening, I'd love to hear your thoughts—how is your organization adapting to the new PCI DSS 4.0 requirements?

[00:00:01] [SPEAKER_01]: Are you aware that the security of your online transactions could be under threat from invisible

[00:00:07] [SPEAKER_01]: adversaries lurking in the very code of the websites that you trust?

[00:00:12] [SPEAKER_01]: Well, today on Tech Talks Daily I'm welcoming Lynn Marks, Senior Product Director at Imperva,

[00:00:19] [SPEAKER_01]: which is a tar-less company.

[00:00:21] [SPEAKER_01]: Lynn brings with us a wealth of expertise on the alarming rise of client-side attacks.

[00:00:28] [SPEAKER_01]: This is something I want to talk about today.

[00:00:30] [SPEAKER_01]: They're commonly known as mage car attacks and they proliferate as our world has increasingly

[00:00:36] [SPEAKER_01]: moved online.

[00:00:37] [SPEAKER_01]: So, with the introduction of the new PCI DSS requirements though, I found myself asking

[00:00:43] [SPEAKER_01]: what does this mean for businesses that are handling sensitive payment data?

[00:00:48] [SPEAKER_01]: So I asked Lynn to come on here and help me unravel the complexities of these threats

[00:00:52] [SPEAKER_01]: and also the necessary steps to safeguard against them.

[00:00:56] [SPEAKER_01]: And thankfully, she said yes.

[00:00:59] [SPEAKER_01]: Before we get today's guest on, I want to talk about the fact that defence contractors face

[00:01:03] [SPEAKER_01]: immense pressure to comply with something called CMMC 2.0 Security Standards and finding

[00:01:10] [SPEAKER_01]: a secure, easy-to-use file sharing solution meeting those guidelines can be a major challenge.

[00:01:16] [SPEAKER_01]: The federal government and federal systems integrators supporting the Department of

[00:01:20] [SPEAKER_01]: Defence have similar compliance requirements for improving cybersecurity and data protection

[00:01:25] [SPEAKER_01]: too.

[00:01:25] [SPEAKER_01]: So if you are an IT admin in the defence sector, if you are tired of juggling complex security

[00:01:31] [SPEAKER_01]: solutions, KiteWorks offers a game-changing approach to CMMC 2.0 compliance because their

[00:01:37] [SPEAKER_01]: centralised policy management simplifies administration across the entire platform.

[00:01:42] [SPEAKER_01]: What that means is no more productivity disruptions or difficult user training.

[00:01:46] [SPEAKER_01]: They've done the heavy lifting with their FedRAMP authorisation so you don't have

[00:01:50] [SPEAKER_01]: to.

[00:01:50] [SPEAKER_01]: And yes, while other solutions complicate your workflow, KiteWorks streamlines it.

[00:01:56] [SPEAKER_01]: So upgrade to KiteWorks and experience the perfect blend of security and simplicity.

[00:02:01] [SPEAKER_01]: So if you're interested in accelerating your CMMC 2.0 compliance and begin addressing

[00:02:06] [SPEAKER_01]: federal zero trust requirements with KiteWorks' universal secure file sharing platform made

[00:02:12] [SPEAKER_01]: for defence contractors, simply visit kiteworks.com to get started.

[00:02:16] [SPEAKER_01]: Well, you can learn more about this secure content platform for CMMC compliance.

[00:02:21] [SPEAKER_01]: But now it's time to return to our regularly scheduled programming and welcome today's

[00:02:26] [SPEAKER_01]: guest onto the mic.

[00:02:28] [SPEAKER_01]: So buckle up and hold on tight as I beam your ears all the way to San Francisco where

[00:02:33] [SPEAKER_01]: Lynne is waiting to speak with us today.

[00:02:36] [SPEAKER_01]: So a massive welcome to the show, Lynne.

[00:02:40] [SPEAKER_01]: Can you tell everyone listening a little bit who you are and what you do?

[00:02:43] [SPEAKER_00]: Hello, thanks so much for having me.

[00:02:46] [SPEAKER_00]: So my name is Lynne Marks based in San Francisco, California.

[00:02:52] [SPEAKER_00]: And I'm a senior product manager at Imperva.

[00:02:56] [SPEAKER_00]: And I've had the luck to work in cybersecurity for seven years already.

[00:03:02] [SPEAKER_00]: And at the Imperva, I get to work on really interesting problems.

[00:03:07] [SPEAKER_00]: I own three products and two of them are related to mitigating bots.

[00:03:12] [SPEAKER_00]: And one of them, which is the topic for today, is about how can we prevent client side attacks

[00:03:19] [SPEAKER_00]: specifically major credit tax for our customers?

[00:03:23] [SPEAKER_01]: Well, it's a pleasure to have you join me on the podcast.

[00:03:26] [SPEAKER_01]: And Imperva are pretty much friends of the show.

[00:03:28] [SPEAKER_01]: We've had Terry Ray on a couple of times.

[00:03:30] [SPEAKER_01]: I think he was in Texas so quite a few miles away.

[00:03:33] [SPEAKER_01]: Do you know Terry? Is he still at Imperva?

[00:03:35] [SPEAKER_00]: Yeah, he's a great guy, very knowledgeable.

[00:03:39] [SPEAKER_00]: And I'm sure that you all had a very interesting and fun conversation together.

[00:03:44] [SPEAKER_01]: Yeah, it's always a pleasure to speak with him.

[00:03:47] [SPEAKER_01]: But today is all about you.

[00:03:49] [SPEAKER_01]: And obviously you've had a great career in cybersecurity.

[00:03:52] [SPEAKER_01]: And every day I try and take a different topic in the industry and demystify it,

[00:03:57] [SPEAKER_01]: put it in a language everyone understands.

[00:03:59] [SPEAKER_01]: And one of the reasons I was excited to get you on here today

[00:04:02] [SPEAKER_01]: was to talk about the client side attacks,

[00:04:05] [SPEAKER_01]: particularly in things like the mage cart attacks

[00:04:08] [SPEAKER_01]: and how they've become so much more prevalent since 2015.

[00:04:12] [SPEAKER_01]: I'm curious, what have you seen here?

[00:04:14] [SPEAKER_01]: Have you seen this evolve?

[00:04:16] [SPEAKER_00]: So first of all, just in case some of your listeners might not be familiar

[00:04:20] [SPEAKER_00]: with what client side attacks or major credit tax are.

[00:04:24] [SPEAKER_00]: So client side, it's really everything that's on the end user's device,

[00:04:29] [SPEAKER_00]: right, like the images, the text and for example, all over the forms

[00:04:32] [SPEAKER_00]: where they're entering in any information,

[00:04:34] [SPEAKER_00]: like the log in information or their credit card information.

[00:04:39] [SPEAKER_00]: This is opposed to the server side.

[00:04:42] [SPEAKER_00]: So what mage cart attacks are doing, it's either the name of the attack

[00:04:48] [SPEAKER_00]: or actually the name of the group that originally popularized this.

[00:04:51] [SPEAKER_00]: You might hear either version, but the attack itself is designed

[00:04:55] [SPEAKER_00]: to steal data directly from the client side

[00:05:01] [SPEAKER_00]: by targeting vulnerable JavaScript code.

[00:05:05] [SPEAKER_00]: The way that this is done is they're either injecting JavaScript

[00:05:09] [SPEAKER_00]: into the first party code of the application

[00:05:12] [SPEAKER_00]: or into the third party code, which we call like the supply chain.

[00:05:17] [SPEAKER_00]: And all of this, the purpose is either to steal payment information,

[00:05:21] [SPEAKER_00]: right, so as a customer is entering in their credit card information

[00:05:26] [SPEAKER_00]: on the checkout page, that data would not only be sent

[00:05:30] [SPEAKER_00]: to the correct database and they're able to finish their transaction,

[00:05:35] [SPEAKER_00]: but it also ends up being sent to the attacker's database.

[00:05:40] [SPEAKER_00]: So you can really think of it as a data breach

[00:05:42] [SPEAKER_00]: that's occurring record by record.

[00:05:45] [SPEAKER_00]: And one reason why this is so difficult to detect

[00:05:50] [SPEAKER_00]: and why we have seen it become more prevalent is because first of all,

[00:05:56] [SPEAKER_00]: the application continues to work as intended.

[00:05:59] [SPEAKER_00]: Like I mentioned in my example, right, the user's data

[00:06:05] [SPEAKER_00]: does actually get sent to the correct database

[00:06:08] [SPEAKER_00]: so they're able to finish their transaction and go on with their day.

[00:06:12] [SPEAKER_00]: And the business also thinks, well, this customer is able to finish their transaction.

[00:06:16] [SPEAKER_00]: Nothing seems unusual or nothing is like

[00:06:20] [SPEAKER_00]: throwing off like warnings and the business doesn't have any obvious

[00:06:24] [SPEAKER_00]: indicators that there's actually something malicious going on.

[00:06:29] [SPEAKER_00]: So that's definitely one reason why we've seen such an issue for this.

[00:06:35] [SPEAKER_00]: And the second reason that I'll be talking about a lot during this conversation

[00:06:41] [SPEAKER_00]: is really this idea of the blind spot.

[00:06:45] [SPEAKER_00]: I think this is oftentimes something that's discussed in the security world, right?

[00:06:50] [SPEAKER_00]: You can't protect something that you don't know exists.

[00:06:54] [SPEAKER_00]: And what we've seen is the large majority of our organizations

[00:06:59] [SPEAKER_00]: have a blind spot to the makeup of their client side.

[00:07:03] [SPEAKER_00]: And because the client side, the most likely thing to end up in

[00:07:08] [SPEAKER_00]: compromise is the JavaScript.

[00:07:10] [SPEAKER_00]: So it is really a large issue that many organizations have a blind spot

[00:07:15] [SPEAKER_00]: to their all of the JavaScript that's actually executing on their client side.

[00:07:22] [SPEAKER_00]: And, you know, we always like to ask three questions to security practitioners

[00:07:27] [SPEAKER_00]: that can help them better understand how well do they understand their client side.

[00:07:33] [SPEAKER_00]: So do you know what JavaScript is running?

[00:07:37] [SPEAKER_00]: And do you know if it's supposed to be there or shouldn't be there?

[00:07:41] [SPEAKER_00]: Do you know if any of the scripts are sending data outside of your application?

[00:07:46] [SPEAKER_00]: And do you know?

[00:07:47] [SPEAKER_00]: Do you have any way to know if the JavaScript on your client side has been compromised?

[00:07:53] [SPEAKER_00]: So for any organization that doesn't know how to properly answer even one of those,

[00:08:01] [SPEAKER_00]: there's more of a risk for them to end up having major text occurring

[00:08:07] [SPEAKER_00]: on their application and then later on having to deal with the negative

[00:08:11] [SPEAKER_00]: repercussions that occur from a data theft like this.

[00:08:17] [SPEAKER_01]: So much gold in your answer there.

[00:08:19] [SPEAKER_01]: And as you said, it's been so prevalent since 2015, but then five years later,

[00:08:24] [SPEAKER_01]: 2020, something else happened.

[00:08:26] [SPEAKER_01]: So how did that global pandemic accelerate it even further, especially

[00:08:31] [SPEAKER_01]: the rise of client side attacks?

[00:08:33] [SPEAKER_01]: And what kind of vulnerabilities did it expose in digital infrastructures

[00:08:36] [SPEAKER_01]: just as everyone was getting the grips with working from home at scale?

[00:08:42] [SPEAKER_00]: Yeah, definitely.

[00:08:42] [SPEAKER_00]: So I would say one thing.

[00:08:46] [SPEAKER_00]: This is just an overall trend that I think even precedes the pandemic is

[00:08:50] [SPEAKER_00]: that more logic over time has been moved from the server side to the client side.

[00:08:57] [SPEAKER_00]: This is in order to a lot of times to provide better performance

[00:09:02] [SPEAKER_00]: or just better usability for the end users.

[00:09:05] [SPEAKER_00]: So just the fact that there are more, there's more logic and thus

[00:09:10] [SPEAKER_00]: more JavaScript that's being added to the client side just means that now

[00:09:14] [SPEAKER_00]: the risk is higher.

[00:09:19] [SPEAKER_00]: Now specifically around the pandemic itself, I was looking at some data

[00:09:24] [SPEAKER_00]: from the Impurva Threat Labs.

[00:09:27] [SPEAKER_00]: This is by our great threat research team.

[00:09:30] [SPEAKER_00]: And shortly after the stay at home orders were given at the beginning

[00:09:35] [SPEAKER_00]: of the pandemic, we saw that there was a 28 percent increased in online retail traffic.

[00:09:42] [SPEAKER_00]: Right.

[00:09:43] [SPEAKER_00]: So that's a very large jump.

[00:09:44] [SPEAKER_00]: And then of course, as the pandemic continued, it was even a larger and larger

[00:09:48] [SPEAKER_00]: growth of traffic that's going to online retailers.

[00:09:53] [SPEAKER_00]: And of course, many other businesses that had to conduct their business online

[00:09:57] [SPEAKER_00]: as opposed to in the real world like we did in the past.

[00:10:02] [SPEAKER_00]: So I think my main interpretation of how the pandemic has accelerated this is

[00:10:09] [SPEAKER_00]: not necessarily that it had an impact that's unique to client side attacks.

[00:10:16] [SPEAKER_00]: But I believe that it actually just had a more far reaching impact and

[00:10:21] [SPEAKER_00]: increased to many different cyber attack vectors, simply because there was

[00:10:27] [SPEAKER_00]: more business and more users were doing their business online.

[00:10:32] [SPEAKER_00]: We know that cyber attack the attackers themselves were just very opportunistic,

[00:10:39] [SPEAKER_00]: right, where there is an opportunity for them to make more money.

[00:10:43] [SPEAKER_00]: They're going to follow it.

[00:10:44] [SPEAKER_00]: So I believe that simply because so much more business, so much more

[00:10:49] [SPEAKER_00]: money was going through these online retailers, that's where we saw

[00:10:54] [SPEAKER_00]: the attackers realizing that we should probably go and attack their

[00:11:01] [SPEAKER_00]: JavaScript and figure out how we can make a couple dollars or a couple pounds

[00:11:08] [SPEAKER_00]: and make some money off of this great opportunity.

[00:11:12] [SPEAKER_01]: And a question I've got to ask is around PCI.

[00:11:14] [SPEAKER_01]: And whenever I say PCI out loud, I get flashbacks from my own IT

[00:11:18] [SPEAKER_01]: past and that PCI song.

[00:11:21] [SPEAKER_01]: I don't know if you've ever heard that.

[00:11:22] [SPEAKER_01]: But once it gets in your head, it's a little

[00:11:24] [SPEAKER_01]: bit like Small World from the Disney right now.

[00:11:27] [SPEAKER_01]: But what are the key changes introduced in the recently published PCI DSS 4.0?

[00:11:34] [SPEAKER_01]: And how do they address the growing threat of client side attacks here

[00:11:38] [SPEAKER_01]: in 2024 and beyond?

[00:11:40] [SPEAKER_01]: That's a great question.

[00:11:41] [SPEAKER_00]: So first of all, in case not everyone is familiar.

[00:11:45] [SPEAKER_00]: So every couple of years, PCI releases a new version.

[00:11:49] [SPEAKER_00]: They released 4.0 a year or two ago.

[00:11:52] [SPEAKER_00]: Since then, this is like the hottest news in the PCI world.

[00:11:55] [SPEAKER_00]: They actually released a revision around six weeks ago and they're calling

[00:12:00] [SPEAKER_00]: this version 4.0.1 where they realize that some of the requirements

[00:12:05] [SPEAKER_00]: that they have added were maybe not clear enough or people had too many

[00:12:09] [SPEAKER_00]: questions on how they should actually implement it.

[00:12:12] [SPEAKER_00]: So that's why I'll be talking about language actually from 4.0.1.

[00:12:18] [SPEAKER_00]: But from 4.0, what they have done is they have added many different

[00:12:26] [SPEAKER_00]: requirements, including two requirements that are supposed to help

[00:12:30] [SPEAKER_00]: organizations better protect themselves from mage card attacks or other types

[00:12:36] [SPEAKER_00]: of client side attacks.

[00:12:39] [SPEAKER_00]: And if you have to be PCI compliant, you'll definitely be hearing these

[00:12:44] [SPEAKER_00]: numbers a lot.

[00:12:45] [SPEAKER_00]: So the first one is 6.4.3.

[00:12:48] [SPEAKER_00]: The second one is 11.6.1.

[00:12:52] [SPEAKER_00]: And both of these are really supposed to address the growing

[00:12:58] [SPEAKER_00]: threat by forcing vendors to overcome their client side blind spot.

[00:13:03] [SPEAKER_00]: Once again, I said that I'll be talking about this blind spot a lot.

[00:13:06] [SPEAKER_00]: And we can see that the PCI organization saw that there was

[00:13:11] [SPEAKER_00]: the same sort of issue where the blind spot was very prevalent.

[00:13:16] [SPEAKER_00]: So both of these requirements are related to how can you make sure

[00:13:21] [SPEAKER_00]: you have an inventory of all of the scripts that are executing on

[00:13:26] [SPEAKER_00]: your payment page?

[00:13:28] [SPEAKER_00]: How can you make sure that each one of them is authorized and that

[00:13:32] [SPEAKER_00]: you have a written justification of it?

[00:13:34] [SPEAKER_00]: So this is like, you can think of it as sort of forcing all of

[00:13:38] [SPEAKER_00]: the organizations to inventory their script, to authorize them and

[00:13:42] [SPEAKER_00]: to understand why they're on there or maybe why they shouldn't be

[00:13:45] [SPEAKER_00]: on there because they have to write that written justification.

[00:13:49] [SPEAKER_00]: There's a couple other requirements like details, but the

[00:13:53] [SPEAKER_00]: other one that I really wanted to call out is that they're

[00:13:57] [SPEAKER_00]: also now being told that they need to set up alerting for this.

[00:14:03] [SPEAKER_00]: So organizations are going to have to set up alerting for,

[00:14:06] [SPEAKER_00]: first of all, if there are any new scripts that are discovered on

[00:14:10] [SPEAKER_00]: their client side or if there are any changes in the possible

[00:14:13] [SPEAKER_00]: integrity of the script that are on there, which of course is

[00:14:17] [SPEAKER_00]: very important.

[00:14:18] [SPEAKER_00]: We know alerting in the security world is pertinent to being

[00:14:21] [SPEAKER_00]: able to protect the assets they are protecting.

[00:14:25] [SPEAKER_00]: But not only do they want to have alerting for if a new

[00:14:28] [SPEAKER_00]: script shows, but also if the change detection mechanism

[00:14:34] [SPEAKER_00]: that organizations have in place in order to ensure that their

[00:14:38] [SPEAKER_00]: client side is secure.

[00:14:39] [SPEAKER_00]: If anything is compromised about that, there also needs to be

[00:14:42] [SPEAKER_00]: alerting put in place so that organizations can better

[00:14:45] [SPEAKER_00]: understand, well, is my change detection mechanism actually

[00:14:49] [SPEAKER_00]: working right now and helping me understand if there's a

[00:14:52] [SPEAKER_00]: possible attack or is it compromised?

[00:14:56] [SPEAKER_00]: And I need to figure out a different way to ensure that

[00:14:59] [SPEAKER_00]: my client side is secure.

[00:15:01] [SPEAKER_00]: So I know that was a very long answer, but really it's about

[00:15:07] [SPEAKER_00]: how can we make organizations have a better understanding of

[00:15:11] [SPEAKER_00]: what's actually executing on their client side.

[00:15:14] [SPEAKER_01]: No, beautiful answer.

[00:15:15] [SPEAKER_01]: And if we zoom out for a moment just for any business

[00:15:18] [SPEAKER_01]: leader listening and let's bring this to life a little,

[00:15:21] [SPEAKER_01]: how will the this new PCR requirement impact businesses

[00:15:24] [SPEAKER_01]: that maybe accept or process payments online?

[00:15:27] [SPEAKER_01]: And are there any particular steps that they should be

[00:15:29] [SPEAKER_01]: taking to ensure that compliance too?

[00:15:32] [SPEAKER_00]: First of all, I would highly recommend that all

[00:15:35] [SPEAKER_00]: organizations have to comply with the PCI go and talk to your

[00:15:39] [SPEAKER_00]: QSAs and figure out do I already have some kind of

[00:15:44] [SPEAKER_00]: mechanism in place.

[00:15:45] [SPEAKER_00]: If you don't, I would recommend that you go and get

[00:15:50] [SPEAKER_00]: working on starting to inventory the scripts because

[00:15:54] [SPEAKER_00]: I don't think I actually mentioned that even though

[00:15:57] [SPEAKER_00]: these two requirements were added as part of the release

[00:16:00] [SPEAKER_00]: of 4.0, they actually don't become official requirements

[00:16:06] [SPEAKER_00]: like they're not going to be part of any audits until

[00:16:10] [SPEAKER_00]: April 1st of 2025.

[00:16:13] [SPEAKER_00]: So that means that from the time of this recording,

[00:16:15] [SPEAKER_00]: organizations let's say have around seven ish months

[00:16:21] [SPEAKER_00]: in order to get compliant with this so that after

[00:16:27] [SPEAKER_00]: April 1st when they do their next audit,

[00:16:29] [SPEAKER_00]: they have to make sure that they can prove these things.

[00:16:32] [SPEAKER_00]: So I would say definitely get started on inventorying

[00:16:36] [SPEAKER_00]: your script, talking with your development team or maybe

[00:16:39] [SPEAKER_00]: your marketing team to understand what are these

[00:16:42] [SPEAKER_00]: scripts doing on the payment page and should they be on

[00:16:45] [SPEAKER_00]: there? Of course, like I mentioned, alerting is a crucial

[00:16:49] [SPEAKER_00]: part of both of the requirements.

[00:16:51] [SPEAKER_00]: So make sure that you have alerting in place.

[00:16:54] [SPEAKER_00]: And one of the biggest changes actually is that

[00:16:57] [SPEAKER_00]: oftentimes organizations that have their payment

[00:17:02] [SPEAKER_00]: processor in an iframe on their page,

[00:17:05] [SPEAKER_00]: where in the past exempt from many of the requirements.

[00:17:10] [SPEAKER_00]: Now with these two requirements, they're actually not

[00:17:13] [SPEAKER_00]: exempt from having to meet these two requirements.

[00:17:17] [SPEAKER_00]: So let's say I have a payment page in the past.

[00:17:23] [SPEAKER_00]: I didn't have to worry about a lot of the PCI requirements

[00:17:27] [SPEAKER_00]: because all of the payment information is entered into

[00:17:31] [SPEAKER_00]: an iframe that's on my page by the end users.

[00:17:35] [SPEAKER_00]: Now they actually still have to follow these requirements.

[00:17:40] [SPEAKER_00]: They still need to inventory all of the scripts

[00:17:42] [SPEAKER_00]: that are on their payment page because PCI realizes

[00:17:46] [SPEAKER_00]: that major credit tax are such a big risk and are

[00:17:49] [SPEAKER_00]: likely to become more and more prevalent that even

[00:17:53] [SPEAKER_00]: for the organizations that have iframes, they still

[00:17:56] [SPEAKER_00]: have to start this process.

[00:17:58] [SPEAKER_01]: And if we look at the cost of doing nothing or

[00:18:00] [SPEAKER_01]: thinking, hey, it might not happen to us, which of

[00:18:03] [SPEAKER_01]: course is not advisable.

[00:18:05] [SPEAKER_01]: Are you able to share any examples of recent

[00:18:07] [SPEAKER_01]: maize car attacks and some of the consequences

[00:18:11] [SPEAKER_01]: that they've had for an impact to businesses?

[00:18:13] [SPEAKER_00]: So I mean, if we're thinking very general, right,

[00:18:16] [SPEAKER_00]: you might have fines that are levied on you,

[00:18:19] [SPEAKER_00]: maybe organizations wouldn't want to work with

[00:18:22] [SPEAKER_00]: your organization if you don't comply with PCI.

[00:18:26] [SPEAKER_00]: You know, and those can both have devastating consequences.

[00:18:30] [SPEAKER_00]: If we're thinking of a couple of tax that are recent,

[00:18:33] [SPEAKER_00]: the first one I want to call out that many security

[00:18:36] [SPEAKER_00]: practitioners in the space probably have heard is

[00:18:39] [SPEAKER_00]: the polyfill.io attack.

[00:18:42] [SPEAKER_01]: Yeah.

[00:18:43] [SPEAKER_00]: This I don't know necessarily if I

[00:18:46] [SPEAKER_00]: call it like a strict maize card attack,

[00:18:49] [SPEAKER_00]: because and I'll explain in a little detail, a little

[00:18:51] [SPEAKER_00]: more detail.

[00:18:52] [SPEAKER_00]: There wasn't actual data that was being stolen,

[00:18:57] [SPEAKER_00]: at least that's as far as like the researchers

[00:19:00] [SPEAKER_00]: that are analyzing the office-created script.

[00:19:02] [SPEAKER_00]: They don't think at least at this point that

[00:19:04] [SPEAKER_00]: data is actually being stolen.

[00:19:06] [SPEAKER_00]: But pretty much what was happening with this

[00:19:08] [SPEAKER_00]: attack is that this cdn.polyfill.io

[00:19:14] [SPEAKER_00]: was originally owned by one organization.

[00:19:18] [SPEAKER_00]: Then earlier this year, it changed ownership

[00:19:23] [SPEAKER_00]: and became owned by a Chinese organization.

[00:19:27] [SPEAKER_00]: And then around June of 2024,

[00:19:31] [SPEAKER_00]: researchers were looking into this and they

[00:19:34] [SPEAKER_00]: realized that this script was actually instead

[00:19:39] [SPEAKER_00]: of doing what it was originally just doing,

[00:19:41] [SPEAKER_00]: it now also redirected users to malicious scripts.

[00:19:46] [SPEAKER_00]: So any website that already had this cdn.polyfill.io

[00:19:51] [SPEAKER_00]: domain executing on their site, maybe they

[00:19:54] [SPEAKER_00]: had it in there in the past because it was

[00:19:56] [SPEAKER_00]: a legitimate domain to have.

[00:19:59] [SPEAKER_00]: It now was actually redirecting their users

[00:20:03] [SPEAKER_00]: to malicious sites like we've seen.

[00:20:06] [SPEAKER_00]: They were redirected to sports betting or

[00:20:08] [SPEAKER_00]: maybe adult content platforms based on their

[00:20:11] [SPEAKER_00]: geographical location.

[00:20:13] [SPEAKER_00]: Now the reason that I specifically said at

[00:20:15] [SPEAKER_00]: the beginning that I don't know if this

[00:20:17] [SPEAKER_00]: qualifies as an exact major card attack just

[00:20:21] [SPEAKER_00]: because the outcome of this was pretty good

[00:20:24] [SPEAKER_00]: from like as least as far as as good as you

[00:20:27] [SPEAKER_00]: could be from a security incident like this

[00:20:29] [SPEAKER_00]: because instead of data being stolen,

[00:20:32] [SPEAKER_00]: users were only not put that in quotation

[00:20:34] [SPEAKER_00]: marks or redirected to undesired sites,

[00:20:40] [SPEAKER_00]: which even though that's still a negative

[00:20:42] [SPEAKER_00]: experience or not good security,

[00:20:46] [SPEAKER_00]: it is at least a little better than their

[00:20:49] [SPEAKER_00]: actual data being stolen.

[00:20:52] [SPEAKER_00]: But I still wanted to call this out because

[00:20:55] [SPEAKER_00]: a lot of organizations are now seeing this as

[00:20:57] [SPEAKER_00]: this could have been a lot worse.

[00:20:59] [SPEAKER_00]: This could have been an actual major card

[00:21:02] [SPEAKER_00]: attack and we've seen that anywhere from

[00:21:05] [SPEAKER_00]: 100,000 to several million websites

[00:21:09] [SPEAKER_00]: were impacted by this domain.

[00:21:13] [SPEAKER_00]: I'm sure that there are still many different

[00:21:15] [SPEAKER_00]: organizations that are working on removing

[00:21:18] [SPEAKER_00]: this website from their domains.

[00:21:21] [SPEAKER_00]: So I wanted to make sure to call that out

[00:21:24] [SPEAKER_00]: and show that it's very easy for many

[00:21:28] [SPEAKER_00]: different organizations to be hit,

[00:21:31] [SPEAKER_00]: especially by third party

[00:21:35] [SPEAKER_00]: scripts that are being added onto their domains.

[00:21:41] [SPEAKER_00]: I did quickly want to call out another one.

[00:21:45] [SPEAKER_00]: This one is actually from Q4 of 2023

[00:21:51] [SPEAKER_00]: and the name of this is, it might be

[00:21:54] [SPEAKER_00]: referred as like the 404 page attack

[00:21:59] [SPEAKER_00]: and pretty much what was happening

[00:22:02] [SPEAKER_00]: if this was a legitimate mage card attack.

[00:22:06] [SPEAKER_00]: So end users data was actually being stolen.

[00:22:09] [SPEAKER_00]: But really what was unique about this attack

[00:22:12] [SPEAKER_00]: was that they were using really advanced

[00:22:15] [SPEAKER_00]: concealment techniques and one of them,

[00:22:19] [SPEAKER_00]: which researchers have never really seen before

[00:22:22] [SPEAKER_00]: and the reason that's called the 404 error

[00:22:25] [SPEAKER_00]: attack is because the attackers were actually

[00:22:28] [SPEAKER_00]: manipulating the website default

[00:22:32] [SPEAKER_00]: 404 error pages to hide the malicious

[00:22:35] [SPEAKER_00]: JavaScript code.

[00:22:38] [SPEAKER_00]: So this like very short snippet of code

[00:22:41] [SPEAKER_00]: that the reason that we all make it short

[00:22:44] [SPEAKER_00]: or they make it obfuscated is to make it

[00:22:46] [SPEAKER_00]: a lot more difficult for any security

[00:22:48] [SPEAKER_00]: practitioners or developers if they're

[00:22:51] [SPEAKER_00]: quickly scanning the code to be able

[00:22:52] [SPEAKER_00]: to detect that there's something wrong.

[00:22:54] [SPEAKER_00]: So the short snippet of code was then

[00:22:56] [SPEAKER_00]: once it executed, it was fetching

[00:23:00] [SPEAKER_00]: the malicious code at runtime and then

[00:23:03] [SPEAKER_00]: the longer string of malicious code

[00:23:06] [SPEAKER_00]: was then executing the attack and stealing

[00:23:10] [SPEAKER_00]: the sensitive data that customers were entering in.

[00:23:14] [SPEAKER_00]: So the reason I specifically want to call

[00:23:16] [SPEAKER_00]: this out is because we are seeing

[00:23:18] [SPEAKER_00]: that attackers are becoming

[00:23:21] [SPEAKER_00]: a lot more advanced and sophisticated.

[00:23:24] [SPEAKER_00]: They know that organizations are putting

[00:23:27] [SPEAKER_00]: in detection mechanisms in place.

[00:23:30] [SPEAKER_00]: So just like we know it's a cat and mouse game,

[00:23:32] [SPEAKER_00]: so the attackers are once again leveling up

[00:23:35] [SPEAKER_00]: and figuring out how can we better hide

[00:23:38] [SPEAKER_00]: our malicious JavaScript in

[00:23:42] [SPEAKER_00]: different places that the security

[00:23:45] [SPEAKER_00]: professional might not be as likely to look out.

[00:23:49] [SPEAKER_01]: I always try to give everyone listening

[00:23:51] [SPEAKER_01]: actionable tips and advice.

[00:23:53] [SPEAKER_01]: And I know the answer to this question

[00:23:54] [SPEAKER_01]: about to ask you could be a podcast

[00:23:56] [SPEAKER_01]: episode in its own right, but are there

[00:23:58] [SPEAKER_01]: any strategies and technologies that

[00:24:01] [SPEAKER_01]: businesses should be implementing

[00:24:02] [SPEAKER_01]: to protect themselves against these

[00:24:04] [SPEAKER_01]: client-side attacks that we're talking

[00:24:06] [SPEAKER_01]: about while also at the same time

[00:24:08] [SPEAKER_01]: complying with the new version of PCI?

[00:24:11] [SPEAKER_00]: Yeah, so I'd like to call out

[00:24:14] [SPEAKER_00]: like three action items

[00:24:16] [SPEAKER_00]: that organizations can do.

[00:24:18] [SPEAKER_00]: So first and foremost,

[00:24:19] [SPEAKER_00]: develop a strong communication

[00:24:23] [SPEAKER_00]: process between the marketing team,

[00:24:26] [SPEAKER_00]: the application development team

[00:24:28] [SPEAKER_00]: and the security team.

[00:24:29] [SPEAKER_00]: Because the marketing team

[00:24:31] [SPEAKER_00]: and the development teams, they're

[00:24:32] [SPEAKER_00]: the ones who are adding this

[00:24:34] [SPEAKER_00]: JavaScript and it's very important

[00:24:37] [SPEAKER_00]: that the security team is aware

[00:24:39] [SPEAKER_00]: of any existing JavaScript

[00:24:41] [SPEAKER_00]: that was added by either the marketing

[00:24:43] [SPEAKER_00]: or development team, but also any

[00:24:45] [SPEAKER_00]: new scripts that they want to add

[00:24:48] [SPEAKER_00]: so that to make sure that they are

[00:24:49] [SPEAKER_00]: properly vetted, there's nothing

[00:24:51] [SPEAKER_00]: obviously malicious from the get-go.

[00:24:54] [SPEAKER_00]: Second thing I would like to

[00:24:56] [SPEAKER_00]: add is that organizations

[00:24:58] [SPEAKER_00]: should make sure to limit

[00:25:00] [SPEAKER_00]: the number of scripts

[00:25:02] [SPEAKER_00]: that are on their payment page

[00:25:04] [SPEAKER_00]: or any other page where

[00:25:07] [SPEAKER_00]: sensitive information can be

[00:25:09] [SPEAKER_00]: entered into forms.

[00:25:11] [SPEAKER_00]: So for example, like your login

[00:25:12] [SPEAKER_00]: page or if customers are entering

[00:25:14] [SPEAKER_00]: in any medical information about

[00:25:16] [SPEAKER_00]: themselves, because we know

[00:25:19] [SPEAKER_00]: that any third-party JavaScript

[00:25:21] [SPEAKER_00]: that you add onto a page now has

[00:25:23] [SPEAKER_00]: access to all of the data

[00:25:26] [SPEAKER_00]: that customers are entering in on

[00:25:28] [SPEAKER_00]: to that page.

[00:25:29] [SPEAKER_00]: So it's a really great way

[00:25:31] [SPEAKER_00]: to reduce the likelihood of an

[00:25:33] [SPEAKER_00]: attack simply by only

[00:25:35] [SPEAKER_00]: putting the JavaScript

[00:25:37] [SPEAKER_00]: that's really pertinent

[00:25:39] [SPEAKER_00]: in order to stay on there

[00:25:42] [SPEAKER_00]: and don't have any superfluous

[00:25:44] [SPEAKER_00]: script on any of your sensitive

[00:25:47] [SPEAKER_00]: pages.

[00:25:49] [SPEAKER_00]: And lastly, of course,

[00:25:50] [SPEAKER_00]: organizations should implement

[00:25:52] [SPEAKER_00]: a tool that provides them with

[00:25:55] [SPEAKER_00]: visibility.

[00:25:56] [SPEAKER_00]: You know, once again, getting rid

[00:25:57] [SPEAKER_00]: of that blind spot on the client

[00:25:59] [SPEAKER_00]: side and also gives them the

[00:26:01] [SPEAKER_00]: ability to mitigate and block

[00:26:03] [SPEAKER_00]: any undesired JavaScript

[00:26:06] [SPEAKER_00]: in case they do detect that

[00:26:08] [SPEAKER_00]: there's something suspicious

[00:26:10] [SPEAKER_00]: and undesired on their client

[00:26:12] [SPEAKER_00]: side.

[00:26:14] [SPEAKER_01]: And of course, I would also add

[00:26:16] [SPEAKER_01]: that this is not a challenge or

[00:26:18] [SPEAKER_01]: a series of challenges that you

[00:26:19] [SPEAKER_01]: do need to attempt to overcome

[00:26:21] [SPEAKER_01]: on your own.

[00:26:22] [SPEAKER_01]: And with that point in mind, how

[00:26:24] [SPEAKER_01]: do you and Imperva support

[00:26:26] [SPEAKER_01]: businesses in mitigating some of

[00:26:27] [SPEAKER_01]: these risks we're talking about

[00:26:28] [SPEAKER_01]: here that are associated with

[00:26:30] [SPEAKER_01]: client side attacks and

[00:26:31] [SPEAKER_01]: ultimately ensuring that they

[00:26:33] [SPEAKER_01]: meet these new PCI standards?

[00:26:36] [SPEAKER_00]: So Imperva has a really

[00:26:38] [SPEAKER_00]: wonderful product.

[00:26:39] [SPEAKER_00]: So I might be biased as the

[00:26:41] [SPEAKER_00]: product manager called

[00:26:43] [SPEAKER_00]: client side protection.

[00:26:45] [SPEAKER_00]: We originally actually launched

[00:26:47] [SPEAKER_00]: this product back in 2020

[00:26:49] [SPEAKER_00]: to help organizations reduce the

[00:26:51] [SPEAKER_00]: risk of the Magecart attack

[00:26:53] [SPEAKER_00]: because we already saw that there

[00:26:54] [SPEAKER_00]: was a rise in this and we

[00:26:56] [SPEAKER_00]: wanted to ensure that our

[00:26:58] [SPEAKER_00]: customers have a way to better

[00:27:00] [SPEAKER_00]: protect their client side.

[00:27:02] [SPEAKER_00]: And since then, once

[00:27:05] [SPEAKER_00]: the PCI standard came out,

[00:27:07] [SPEAKER_00]: we realized that we already

[00:27:09] [SPEAKER_00]: have a really great foundation

[00:27:11] [SPEAKER_00]: to provide customers with not

[00:27:13] [SPEAKER_00]: only the value of security

[00:27:16] [SPEAKER_00]: and protecting their sites from

[00:27:17] [SPEAKER_00]: client side attacks like Magecart,

[00:27:19] [SPEAKER_00]: but also providing them

[00:27:21] [SPEAKER_00]: with the value of making

[00:27:23] [SPEAKER_00]: the compliance process easier

[00:27:25] [SPEAKER_00]: for them for the

[00:27:27] [SPEAKER_00]: two PCI requirements that I

[00:27:29] [SPEAKER_00]: mentioned earlier.

[00:27:31] [SPEAKER_00]: So this is a very

[00:27:32] [SPEAKER_00]: easy way for organizations

[00:27:36] [SPEAKER_00]: to start getting that

[00:27:37] [SPEAKER_00]: visibility, provide

[00:27:39] [SPEAKER_00]: a lot of different insights about

[00:27:41] [SPEAKER_00]: the different domains and the

[00:27:42] [SPEAKER_00]: scripts that we discover on your

[00:27:44] [SPEAKER_00]: client side, give you the

[00:27:46] [SPEAKER_00]: ability to either work with an

[00:27:48] [SPEAKER_00]: allow list or a block list

[00:27:50] [SPEAKER_00]: depending on which security

[00:27:53] [SPEAKER_00]: methodology works better for

[00:27:54] [SPEAKER_00]: your organization.

[00:27:55] [SPEAKER_00]: And of course we have lots

[00:27:57] [SPEAKER_00]: of features in there

[00:27:59] [SPEAKER_00]: and reports in there that help

[00:28:01] [SPEAKER_00]: organizations then

[00:28:03] [SPEAKER_00]: better prove their compliance

[00:28:05] [SPEAKER_00]: with the two requirements

[00:28:08] [SPEAKER_00]: during the time of their

[00:28:10] [SPEAKER_00]: audit.

[00:28:12] [SPEAKER_01]: Love that. And as we look

[00:28:14] [SPEAKER_01]: ahead, we're already only five

[00:28:15] [SPEAKER_01]: months away from

[00:28:18] [SPEAKER_01]: 2025, of course.

[00:28:20] [SPEAKER_01]: So what trends do you

[00:28:21] [SPEAKER_01]: foresee in the landscape of

[00:28:23] [SPEAKER_01]: cyber security threats and

[00:28:24] [SPEAKER_01]: anything else that businesses

[00:28:26] [SPEAKER_01]: should be preparing for

[00:28:28] [SPEAKER_01]: and the evolving nature of

[00:28:29] [SPEAKER_01]: client side attacks?

[00:28:30] [SPEAKER_01]: We're already hearing about AI

[00:28:32] [SPEAKER_01]: and good AI versus bad AI,

[00:28:34] [SPEAKER_01]: etc. But what are you

[00:28:35] [SPEAKER_01]: seeing here?

[00:28:36] [SPEAKER_00]: First of all, like I've been

[00:28:38] [SPEAKER_00]: saying this entire episode,

[00:28:40] [SPEAKER_00]: organizations should

[00:28:42] [SPEAKER_00]: right now start

[00:28:44] [SPEAKER_00]: putting in a tool in

[00:28:45] [SPEAKER_00]: place that's going to help them

[00:28:48] [SPEAKER_00]: get that visibility into what's

[00:28:50] [SPEAKER_00]: executing on their client side.

[00:28:52] [SPEAKER_00]: And this is very important

[00:28:54] [SPEAKER_00]: because we know that

[00:28:56] [SPEAKER_00]: we not only have to make sure

[00:28:58] [SPEAKER_00]: that for the sake of the

[00:28:59] [SPEAKER_00]: organization that the

[00:29:00] [SPEAKER_00]: application is secure, but

[00:29:02] [SPEAKER_00]: for all of the end users

[00:29:04] [SPEAKER_00]: that are actually interacting

[00:29:06] [SPEAKER_00]: with the application assuming

[00:29:07] [SPEAKER_00]: that it's secured.

[00:29:08] [SPEAKER_00]: And it's very important that

[00:29:09] [SPEAKER_00]: organizations take

[00:29:10] [SPEAKER_00]: all the steps that they can

[00:29:12] [SPEAKER_00]: in order to protect

[00:29:14] [SPEAKER_00]: all of the end users

[00:29:16] [SPEAKER_00]: that are using their

[00:29:17] [SPEAKER_00]: application.

[00:29:18] [SPEAKER_00]: Now, the reason why it's so

[00:29:19] [SPEAKER_00]: important that they do it now,

[00:29:21] [SPEAKER_00]: whether or not they need to

[00:29:22] [SPEAKER_00]: comply with PCI

[00:29:23] [SPEAKER_00]: is because we know

[00:29:25] [SPEAKER_00]: that attackers are becoming

[00:29:26] [SPEAKER_00]: more and more sophisticated

[00:29:28] [SPEAKER_00]: and are doing

[00:29:31] [SPEAKER_00]: more work in order

[00:29:32] [SPEAKER_00]: to hide their malicious

[00:29:34] [SPEAKER_00]: JavaScript code,

[00:29:36] [SPEAKER_00]: whether that's hiding it

[00:29:38] [SPEAKER_00]: in place that you wouldn't

[00:29:39] [SPEAKER_00]: think that it would be there,

[00:29:41] [SPEAKER_00]: like in the 404 error

[00:29:41] [SPEAKER_00]: page attack that I mentioned

[00:29:42] [SPEAKER_00]: earlier.

[00:29:44] [SPEAKER_00]: And another way that we've

[00:29:45] [SPEAKER_00]: seen attackers do this

[00:29:47] [SPEAKER_00]: is actually by impersonating

[00:29:49] [SPEAKER_00]: legitimate domain names.

[00:29:52] [SPEAKER_00]: So for example,

[00:29:54] [SPEAKER_00]: you could think this might be

[00:29:55] [SPEAKER_00]: like a very obvious one to

[00:29:56] [SPEAKER_00]: to spot with your naked eye,

[00:29:58] [SPEAKER_00]: but let's say Google, right?

[00:30:00] [SPEAKER_00]: There's two O's in there.

[00:30:02] [SPEAKER_00]: An attacker, in theory, could

[00:30:04] [SPEAKER_00]: substitute the two O's for two

[00:30:06] [SPEAKER_00]: zeroes and hope

[00:30:08] [SPEAKER_00]: that someone just quickly

[00:30:09] [SPEAKER_00]: glancing through

[00:30:10] [SPEAKER_00]: their scripts that are

[00:30:13] [SPEAKER_00]: executing on their client side

[00:30:14] [SPEAKER_00]: would have noticed.

[00:30:15] [SPEAKER_00]: So this is another technique

[00:30:16] [SPEAKER_00]: that we're seeing that

[00:30:18] [SPEAKER_00]: attackers are trying

[00:30:20] [SPEAKER_00]: to do.

[00:30:21] [SPEAKER_00]: And that's why it's so

[00:30:22] [SPEAKER_00]: important to not only have

[00:30:23] [SPEAKER_00]: a tool that can

[00:30:25] [SPEAKER_00]: provide you with the

[00:30:26] [SPEAKER_00]: inventory, but does have

[00:30:28] [SPEAKER_00]: more of like those insights

[00:30:29] [SPEAKER_00]: pieces, gives you more

[00:30:31] [SPEAKER_00]: information about these, what

[00:30:32] [SPEAKER_00]: these domains are.

[00:30:33] [SPEAKER_00]: Because even though the naked eye

[00:30:35] [SPEAKER_00]: might think like, oh, this

[00:30:37] [SPEAKER_00]: looks familiar.

[00:30:38] [SPEAKER_00]: I think I know what this is.

[00:30:39] [SPEAKER_00]: A tool that can bring you those

[00:30:41] [SPEAKER_00]: additional details about

[00:30:43] [SPEAKER_00]: the discovered domains or script

[00:30:44] [SPEAKER_00]: that are executing on your

[00:30:46] [SPEAKER_00]: client side would be able

[00:30:48] [SPEAKER_00]: to flag that, hey, this isn't

[00:30:49] [SPEAKER_00]: what you think it is.

[00:30:53] [SPEAKER_00]: The last one that I would say

[00:30:55] [SPEAKER_00]: that I see related to

[00:30:57] [SPEAKER_00]: Magecart attacks is

[00:31:00] [SPEAKER_00]: compromising more

[00:31:02] [SPEAKER_00]: third parties.

[00:31:04] [SPEAKER_00]: You know, we saw that with

[00:31:06] [SPEAKER_00]: compromising of the supply

[00:31:08] [SPEAKER_00]: chain, attackers really get

[00:31:10] [SPEAKER_00]: a really big bang for their

[00:31:11] [SPEAKER_00]: buck, right?

[00:31:12] [SPEAKER_00]: They can compromise one

[00:31:13] [SPEAKER_00]: JavaScript and then end

[00:31:15] [SPEAKER_00]: up impacting

[00:31:18] [SPEAKER_00]: maybe it could be hundreds or

[00:31:19] [SPEAKER_00]: thousands of different

[00:31:20] [SPEAKER_00]: organizations that are

[00:31:22] [SPEAKER_00]: actually leveraging

[00:31:24] [SPEAKER_00]: that third party code.

[00:31:26] [SPEAKER_00]: So make sure once again

[00:31:28] [SPEAKER_00]: that you

[00:31:31] [SPEAKER_00]: have a good understanding for

[00:31:33] [SPEAKER_00]: what is this third party code

[00:31:35] [SPEAKER_00]: that you're actually pulling

[00:31:36] [SPEAKER_00]: onto your site.

[00:31:38] [SPEAKER_00]: And, you know, I guess really

[00:31:39] [SPEAKER_00]: the message for the day is

[00:31:41] [SPEAKER_00]: make sure that if it's going

[00:31:43] [SPEAKER_00]: to be executing on your client

[00:31:44] [SPEAKER_00]: side, it's actually supposed

[00:31:46] [SPEAKER_00]: to be on there.

[00:31:47] [SPEAKER_00]: We're going to see that it's

[00:31:48] [SPEAKER_00]: going to be harder in order

[00:31:50] [SPEAKER_00]: to actually detect them

[00:31:51] [SPEAKER_00]: without a proper tool in

[00:31:53] [SPEAKER_00]: place to be able to

[00:31:55] [SPEAKER_00]: bring this visibility

[00:31:57] [SPEAKER_00]: for security practitioners.

[00:32:00] [SPEAKER_01]: Fantastic advice.

[00:32:01] [SPEAKER_01]: And I cannot thank you enough

[00:32:02] [SPEAKER_01]: for coming on here and sharing

[00:32:04] [SPEAKER_01]: your insights today.

[00:32:05] [SPEAKER_01]: But before I let you go on,

[00:32:06] [SPEAKER_01]: have a little fun with you

[00:32:08] [SPEAKER_01]: and ask you to leave one final

[00:32:09] [SPEAKER_01]: gift to everyone listening.

[00:32:11] [SPEAKER_01]: We have a Spotify playlist

[00:32:13] [SPEAKER_01]: and an Amazon wish list.

[00:32:15] [SPEAKER_01]: I'm going to ask you, can

[00:32:16] [SPEAKER_01]: you leave us a book that

[00:32:17] [SPEAKER_01]: means something to you or

[00:32:18] [SPEAKER_01]: a favorite song that means

[00:32:20] [SPEAKER_01]: something to you?

[00:32:21] [SPEAKER_01]: We'll get it added to one of

[00:32:22] [SPEAKER_01]: those lists.

[00:32:22] [SPEAKER_01]: I don't mind which it is.

[00:32:24] [SPEAKER_01]: Guilty pleasures are allowed.

[00:32:25] [SPEAKER_01]: You can add the PCI song if

[00:32:27] [SPEAKER_01]: you want. But what would you

[00:32:28] [SPEAKER_01]: like to leave everyone listening

[00:32:29] [SPEAKER_01]: with and why?

[00:32:32] [SPEAKER_00]: So this is one of my favorite

[00:32:33] [SPEAKER_00]: songs that I discovered

[00:32:35] [SPEAKER_00]: around a year ago.

[00:32:36] [SPEAKER_00]: And I know once I say the song,

[00:32:38] [SPEAKER_00]: many people are going to be

[00:32:39] [SPEAKER_00]: like, how did you not know about

[00:32:40] [SPEAKER_00]: this earlier?

[00:32:41] [SPEAKER_00]: So what I'm going to

[00:32:42] [SPEAKER_00]: contribute is Elton John's

[00:32:44] [SPEAKER_00]: Goodbye Yellow Brick Road.

[00:32:47] [SPEAKER_00]: This is a really beautiful

[00:32:49] [SPEAKER_00]: song, very

[00:32:51] [SPEAKER_00]: catchy and the lyrics

[00:32:54] [SPEAKER_00]: are, I think, very meaningful

[00:32:55] [SPEAKER_00]: as well.

[00:32:57] [SPEAKER_00]: I only discovered this a year

[00:32:58] [SPEAKER_00]: ago when I went to

[00:33:01] [SPEAKER_00]: a really wonderful concert by

[00:33:03] [SPEAKER_00]: the San Francisco Symphony

[00:33:06] [SPEAKER_00]: every year during Pride Month.

[00:33:08] [SPEAKER_00]: They do a collaboration

[00:33:09] [SPEAKER_00]: with the San Francisco Gay Men's

[00:33:12] [SPEAKER_00]: Chorus.

[00:33:13] [SPEAKER_00]: And last year they

[00:33:15] [SPEAKER_00]: did a really wonderful show,

[00:33:16] [SPEAKER_00]: all focusing around Elton

[00:33:18] [SPEAKER_00]: John and The Wizard of Oz

[00:33:20] [SPEAKER_00]: and some other great musicals

[00:33:22] [SPEAKER_00]: and that's really when I

[00:33:25] [SPEAKER_00]: had a deeper listening to

[00:33:26] [SPEAKER_00]: Elton John's songs.

[00:33:28] [SPEAKER_00]: And as you can imagine, you know,

[00:33:30] [SPEAKER_00]: having like a live symphony,

[00:33:31] [SPEAKER_00]: a live chorus in front of you.

[00:33:33] [SPEAKER_00]: It was really the first time

[00:33:35] [SPEAKER_00]: I was like, you know, for all

[00:33:36] [SPEAKER_00]: these years when people have been

[00:33:37] [SPEAKER_00]: saying that Elton John is amazing,

[00:33:38] [SPEAKER_00]: I get it now.

[00:33:40] [SPEAKER_00]: So that's the song

[00:33:42] [SPEAKER_00]: that I'd like to contribute

[00:33:44] [SPEAKER_00]: to the playlist.

[00:33:45] [SPEAKER_01]: Absolutely lovely.

[00:33:47] [SPEAKER_01]: What a great choice.

[00:33:47] [SPEAKER_01]: I can't believe it took you so

[00:33:48] [SPEAKER_01]: long to find it, but it is a

[00:33:50] [SPEAKER_01]: great song.

[00:33:50] [SPEAKER_01]: So I will get that added

[00:33:52] [SPEAKER_01]: to our Spotify playlist.

[00:33:54] [SPEAKER_01]: And obviously, for anybody listening,

[00:33:56] [SPEAKER_01]: wanting to find out more information

[00:33:58] [SPEAKER_01]: about Imperva, contact you

[00:34:00] [SPEAKER_01]: or your team or just find out

[00:34:02] [SPEAKER_01]: anything or explore a little bit

[00:34:04] [SPEAKER_01]: deeper on anything we talked about

[00:34:05] [SPEAKER_01]: today. Where would you like to send them?

[00:34:08] [SPEAKER_00]: So we have a very easy

[00:34:10] [SPEAKER_00]: place where you can find us.

[00:34:12] [SPEAKER_00]: Go to imperva.com.

[00:34:14] [SPEAKER_00]: You'll be able to learn all about

[00:34:15] [SPEAKER_00]: the different suite of products

[00:34:18] [SPEAKER_00]: and how we can protect both your

[00:34:19] [SPEAKER_00]: applications and also your data

[00:34:22] [SPEAKER_00]: side as well.

[00:34:23] [SPEAKER_00]: And you can also reach out directly

[00:34:25] [SPEAKER_00]: to our sales team on there in case

[00:34:27] [SPEAKER_00]: you would like to learn more.

[00:34:30] [SPEAKER_01]: Well, we covered so much today from

[00:34:32] [SPEAKER_01]: the rise of those Magecart attacks

[00:34:34] [SPEAKER_01]: and the new PCI requirements,

[00:34:37] [SPEAKER_01]: what they mean for businesses.

[00:34:38] [SPEAKER_01]: I think we talked about in a

[00:34:39] [SPEAKER_01]: language everyone can understand.

[00:34:40] [SPEAKER_01]: So hopefully everyone will take

[00:34:42] [SPEAKER_01]: something away from that.

[00:34:43] [SPEAKER_01]: And for anybody listening that

[00:34:45] [SPEAKER_01]: hasn't heard Goodbye Yellow Brick

[00:34:46] [SPEAKER_01]: Road, let's sort that out as well.

[00:34:48] [SPEAKER_01]: Let's get straight on that.

[00:34:49] [SPEAKER_01]: But more than anything, thanks for

[00:34:51] [SPEAKER_01]: joining me today, Lynn.

[00:34:51] [SPEAKER_00]: Thank you so much for having me.

[00:34:53] [SPEAKER_01]: As we wrap up today's insightful

[00:34:55] [SPEAKER_01]: discussion with Lynn Marks, I think

[00:34:57] [SPEAKER_01]: it's clear that the evolution of

[00:34:59] [SPEAKER_01]: client-side attacks demands

[00:35:00] [SPEAKER_01]: vigilant and sophisticated defense

[00:35:03] [SPEAKER_01]: strategies, especially in light of

[00:35:05] [SPEAKER_01]: the new PCI DSS standards.

[00:35:07] [SPEAKER_01]: So the big question for everybody

[00:35:09] [SPEAKER_01]: listening, how prepared are you

[00:35:11] [SPEAKER_01]: and your organization to meet

[00:35:13] [SPEAKER_01]: these updated requirements and

[00:35:15] [SPEAKER_01]: ultimately protect against these

[00:35:17] [SPEAKER_01]: increasingly cunning cyber attacks?

[00:35:20] [SPEAKER_01]: Well, I hope today's conversation

[00:35:21] [SPEAKER_01]: has illuminated some of the crucial

[00:35:23] [SPEAKER_01]: measures that you can take to fortify

[00:35:25] [SPEAKER_01]: your defenses, but I invite you to

[00:35:28] [SPEAKER_01]: share your thoughts and experiences

[00:35:30] [SPEAKER_01]: and how you're dealing with these

[00:35:32] [SPEAKER_01]: client-side security challenges.

[00:35:34] [SPEAKER_01]: Let me know how you're adapting

[00:35:35] [SPEAKER_01]: to the evolving cyber security

[00:35:37] [SPEAKER_01]: landscape. Please email me

[00:35:40] [SPEAKER_01]: techblogwriter@outlook.com,

[00:35:42] [SPEAKER_01]: Twitter, LinkedIn, Instagram.

[00:35:44] [SPEAKER_01]: Just out and you'll see hues.

[00:35:45] [SPEAKER_01]: But that's it for today.

[00:35:47] [SPEAKER_01]: I'll be back again tomorrow

[00:35:48] [SPEAKER_01]: with another topic that we'll

[00:35:50] [SPEAKER_01]: explore together.

[00:35:51] [SPEAKER_01]: But thank you for listening today

[00:35:52] [SPEAKER_01]: and until next time, don't be a

[00:35:56] [SPEAKER_01]: stranger.