Public-Facing Websites: A Loaded Gun Pointing at Customers, Partners and Employees
The Importance of Incorporating Digital Property Security Into Your IT Strategy

In today's technology-oriented world, websites and mobile apps play a vital role in day-to-day business operations, from product and service education to customer loyalty programs to actual sales transactions, while also functioning as a mission-critical branding vehicle. So, it goes without saying that no organization can survive without a comprehensive digital presence. At the same time, an organization with a public-facing website has a responsibility to ensure a completely safe browsing experience for every single individual visiting its site: customers, partners and employees. Yet when asked, less than 32% of IT leaders claimed responsibility for providing this level of protection to their website visitors.

Responsibility for Protecting Frequenters of Company Websites
Degree to which IT professionals feel responsible for individuals visiting the company's public-facing digital properties (percent of respondents)

                Entirely      Responsible   Somewhat      Not very      Not at all
                responsible                 responsible   responsible   responsible
Consumers       27%           39%           22%           7%            5%
Clients         32%           38%           21%           6%            4%
Employees       32%           37%           21%           9%            6%

This finding, along with others from a recent IDG Research poll sponsored by The Media Trust, clearly indicates that IT leaders remain unaware of the risks posed by their public-facing web properties, as well as of the need to make risk mitigation a priority. IT leaders that don't recognize and address the inherent risks that exist in today's multimedia websites unknowingly create a gaping hole in their IT security strategies. As a result, their websites become loaded guns pointing straight at consumers. The proverbial bullet is malware.

Understanding the Risks of a Website's Third-Party Code

Gone are the days of HTML web pages that serve static text and photographs. Today's dynamic websites create highly interactive experiences in which users consume multimedia content and, in some cases, even create and contribute their own. Third-party vendors make this high degree of interactivity possible. A few examples of the third-party service providers used to render a typical website include marketing and data analytics, video, product reviews, polls, content or product recommendations, social media tools and advertising placements, and the list goes on. While these third-party providers significantly improve the end user experience, elevate visitors' level of engagement and generate valuable visitor behavior data, their presence on a website also presents a significant business risk. To provide their service, each third-party vendor delivers a small piece of its own source code to the website, which executes as the site renders the requested page in the end user's browser. This execution in turn calls content from further sources, third, fourth and sometimes fifth parties, that reside outside your website operation. These sources are frequently overlooked from a security perspective and are therefore easily targeted for abuse.

If compromised by malware, this third-party code negatively impacts the user experience in a myriad of ways, including automatic redirection of the browser to another site, downloading of harmful exploit kits and theft of credit card numbers and personal contact information. Compromised third-party code can also damage a company's brand. A dissatisfied customer may not return to the site; even worse, this individual may share how your website infected them with malware on social networks, where such reviews can be devastating. Even more severe brand damage can occur if the malware leverages the third-party code to deface the company's website. Such defacement immediately proves to every customer, employee and partner visiting the site that the company cannot protect its digital properties and those who visit them from web-based malware. Taking it one step further, the perception of ineffective website security can bleed into other aspects such as product quality or customer service. Finally, malware-infected third-party code executing on a corporate website increases an organization's liability exposure. If this code enables financial fraud or results in the loss of customers' personally identifiable information, companies can be held accountable for failing to demonstrate a due care standard or conduct due diligence. Obviously, being the object of such a lawsuit not only costs time and money, but also results in significant loss of brand equity, not to mention sales. Unfortunately, most IT strategies and the associated governance frameworks do not adequately address the risk posed by third-party code executing on a company's website, leaving both the company and its customers vulnerable. Companies neither understand these risks nor take the necessary mitigation measures (see sidebar).

To be fair, IT leaders have some awareness of the problem. Nearly three-quarters of IT leaders surveyed for the IDG Research poll worry about how to secure third-party code executing on their public-facing digital properties.

Security Concerns Over Third-Party Content on Public-Facing Digital Properties
Level of concern regarding third-party content executing on public-facing digital properties (percent of respondents): 72% very or somewhat concerned (very 49%, somewhat 23%); not very 12%; the remaining responses (not at all, never thought of it, and one category left unlabelled in the source) are 6%, 4% and 6%.

However, when further questioned, it becomes evident that IT leaders severely underestimate this problem, because only 56% of respondents continuously monitor their websites and third-party content. Another case in point: respondents report that an average of 34 external vendors execute code on their company's consumer-facing website. That may sound like a lot, but in reality the problem is much larger. The actual amount of third-party code on public-facing websites is often double or triple what most IT leaders estimate. In fact, a whopping 78% of the code detected on Fortune 1000 websites is from third parties.[1] The bottom line is that every additional instance of external code increases both the company's and its users' risk of malware infiltrating the site and users' browsers.

Mitigating the Risk of Third-Party Content

While it's impossible to eliminate the risk posed by third-party web content without completely prohibiting its use, it can be mitigated. To do so, companies must view the third-party code executing on their sites and in their apps as points of vulnerability and actively address these weaknesses in their IT strategy by prioritizing investments in risk mitigation controls.
For years companies have scanned for website vulnerabilities; however, this scanning only encompassed the code used to build the website and rarely, if ever, examined and tracked third-party code, because it resided outside of the corporate infrastructure. An emerging best practice, the global, 24/7 monitoring of all third-party code, content and cookies executing on a site, is gaining traction to fill this security gap. Effective website security governance calls for constant monitoring and immediate notification and alerting of suspicious or malicious code so IT can instantly block and remove malicious content from their digital properties before it propagates. This is no easy feat. Malware actors target select OS, browser, geography and behavior profile combinations for their attacks for the purpose of evading traditional antivirus and filtering techniques. And the sheer amount of third-party code on any single web page, and the need to correlate events to determine whether any of the activity is malware related, make it nearly impossible for humans to actively monitor the code and successfully shut down malware before it attacks and causes significant harm.

Conclusion

Enterprise IT governance traditionally addresses security from an internal infrastructure point of view, focusing only on the network, gateway, firewall, endpoint and device perspective, but this approach leaves a gaping hole through which malware can and does attack with great ease and frequency. With the spate of malware infections, it's apparent that traditional tactics aren't working for website security. IT leaders must view their organization's website in its entirety, including the critical juncture where the website's external layer, also known as the end user's experience, interacts with the end user's browser. Failing to do so exposes valuable critical corporate assets: the customer and the corporate brand. IT leaders must make website security a key component of their IT strategy. Only through continuous monitoring of third-party code on public-facing digital properties can you ensure a malware-loaded gun isn't pointing at customers, partners and employees. Not doing so simply isn't an option.
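As an added example (not code from the white paper or from The Media Trust), a minimal Python monitor of the kind the passage above describes: it inventories the third-party script hosts a page loads and compares fetched script bodies against a recorded baseline, so a vendor file whose URL is unchanged but whose content differs (the pattern in the sidebar's socialize.js case) raises an alert. All hostnames, the page HTML and the script bodies are constructed sample data.

```python
# Added example, not code from the white paper or The Media Trust: a minimal
# third-party code monitor. It inventories every external script host on a
# page, separates first-party from third-party sources, and flags third-party
# scripts whose body changed since the last scan. All data below is constructed.
import hashlib
import re
from urllib.parse import urlparse

SCRIPT_SRC_RE = re.compile(r'<script[^>]+src=["\']([^"\']+)["\']', re.IGNORECASE)


def inventory_scripts(html: str, first_party: str) -> dict:
    """Return {"first_party": [src, ...], "third_party": {host: [url, ...]}}."""
    result = {"first_party": [], "third_party": {}}
    for src in SCRIPT_SRC_RE.findall(html):
        # Protocol-relative URLs (//host/path) still load from a third party.
        url = "https:" + src if src.startswith("//") else src
        host = urlparse(url).hostname
        if host is None or host == first_party or host.endswith("." + first_party):
            result["first_party"].append(src)  # relative path or own domain
        else:
            result["third_party"].setdefault(host, []).append(url)
    return result


def script_fingerprint(body: bytes) -> str:
    """SHA-256 of the script body exactly as delivered to the browser."""
    return hashlib.sha256(body).hexdigest()


def check_against_baseline(fetched: dict, baseline: dict) -> list:
    """fetched maps URL -> body bytes; baseline maps URL -> recorded SHA-256."""
    alerts = []
    for url, body in fetched.items():
        if url not in baseline:
            alerts.append(f"NEW third-party script: {url}")
        elif baseline[url] != script_fingerprint(body):
            alerts.append(f"CHANGED content for {url}")
    return alerts


# Constructed page HTML: two first-party scripts and two third-party vendors.
SAMPLE_HTML = """<html><head>
<script src="/static/app.js"></script>
<script src="https://cdn.example-shop.com/checkout.js"></script>
<script src="//analytics.vendor-a.test/tag.js"></script>
<script src="https://social.vendor-b.test/socialize.js"></script>
</head></html>"""

# Constructed baseline from a previous scan versus today's fetch: the social
# widget's URL is unchanged, but the body served under it is not.
BASELINE = {
    "https://analytics.vendor-a.test/tag.js": script_fingerprint(b"track();"),
    "https://social.vendor-b.test/socialize.js": script_fingerprint(b"renderWidget();"),
}
FETCHED_TODAY = {
    "https://analytics.vendor-a.test/tag.js": b"track();",
    "https://social.vendor-b.test/socialize.js": b"showPopup('defaced');",
}

if __name__ == "__main__":
    print(inventory_scripts(SAMPLE_HTML, "example-shop.com"))
    print(check_against_baseline(FETCHED_TODAY, BASELINE))
```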
SIDEBAR: The Syrian Electronic Army's Thanksgiving Attack illustrates the dangers of third-party code

Early Thanksgiving morning 2014, the Syrian Electronic Army (SEA) attacked a wide variety of media websites, including large-volume digital publishers like The New York Times and The Boston Globe and retailers like Office Depot. Benign in nature, this attack consisted of compromising the user experience by directing all visitors to a popup screen containing an SEA propaganda message and logo. The attack was possible because of a vulnerability traced to Gigya, which provides a customer management platform to more than 700 leading brands. This particular attack occurred because the SEA identified a vulnerability at GoDaddy, which hosts gigya.com's DNS server. It was through this vulnerability that the SEA gained access to the GoDaddy servers and redirected Gigya's Internet traffic to servers at imgur.com, a popular image hosting site, which downloaded an SEA-written JavaScript file called socialize.js to any site visitor attempting to load the page. It was this file that displayed the SEA's message and logo. This attack is an excellent example of how the presence of third-party code (the gigya.com domain) executing on any of the impacted media sites inadvertently enabled a widespread malware attack, impacting hundreds of thousands of people within hours.

[1] 2014 analysis of the Fortune 1000 public-facing websites conducted by The Media Trust.

The Media Trust

With a physical presence in 65 countries and 500 cities around the globe, The Media Trust's proprietary website and ad tag scanning technology provides continuous, non-stop protection against malware, site performance issues and data leakage, which can lead to lost revenue and privacy violations. The Company also enables comprehensive quality assurance of an ad campaign's technical and creative components, supporting display, rich-media, video, search and mobile advertising. In addition, The Media Trust's technology provides publishers with visual ad verification for geographically targeted campaigns, ensuring thousands of media buys are executed correctly and reducing discrepancies, errors and make-good scenarios in-flight. More than 500 publishers, ad networks, exchanges, agencies and enterprises, including 40 of comScore's AdFocus Top 50 websites, rely on The Media Trust's suite of continuous, non-stop monitoring, detecting and alerting services to protect their websites, their revenue and, most importantly, their brands.

The Media Trust, 1749 Old Meadow Road, Suite 500, McLean, VA 22102. 703.893.0325. www.themediatrust.com @TheMediaTrust
© 2015 The Media Trust