Fixing the Internet One Digital Ecosystem at a Time

Note: This article was initially published in ExchangeWire on May 10, 2018.


Over the past 14 years, The Media Trust has focused on one audacious goal: to fix the internet. The company has continuously monitored the internet for malvertising, creative quality, data leakage, and other compliance issues on behalf of organisations seeking to protect and monetise their mobile apps and websites. In this piece, ExchangeWire speaks with The Media Trust CEO Chris Olson; CRO Alex Calic; and European General Manager Matt O’Neill.

How The Media Trust delivers on that promise has evolved and expanded in scope over the years. Its products have shifted noticeably from a reactive detect-and-notify approach to a pre-emptive identify-evaluate-notify-and-resolve one. Olson and CTO Dave Crane started The Media Trust to meet publishers’ emergent need for a systematic way to verify whether an online ad was published according to the contract with the ad buyer: on the right page location, to the right audience, at the right time. Next, they pioneered malware scanning and spawned services for malware prevention, creative QA, and data protection. Today, the company helps its clients address the three dimensions of digital risk – security, privacy, and quality – from a single platform known as ‘Digital Vendor Risk Management’. “We work with most of the largest publishers, advertising exchanges, demand side platforms (DSPs), brands, and e-commerce companies”, explains Olson.


What are the Experts saying about PyRoMine?

Article appeared in Brilliance Security Magazine, April 25, 2018.


A new Python-based cryptocurrency-mining malware that spreads with the ETERNALROMANCE exploit was recently uncovered and dubbed “PyRoMine.” Windows machines that have not installed Microsoft’s patch for the underlying SMBv1 flaws (MS17-010) remain exposed to this attack and to others built on the same exploit.

Alex Calic, Chief Strategy and Revenue Officer of The Media Trust explains, “Cryptomining is a profitable business, and its perpetrators are accelerating in numbers and innovation thanks to a growing number of weaponized exploits in their arsenals. What makes this incident unique and alarming are (1) the exploit’s ability to spread fast around the world, (2) the malware’s ability to disable a machine’s security features for future attacks, and (3) the malware authors’ intent to test a campaign before a multi-phased, full-scale launch. Such a campaign will pave the way for harvesting CPU power and personal data from millions of Windows users. Now is the time for enterprise IT to fortify their defenses by identifying who is executing on their sites and flagging suspect executables that indicate unauthorized activity may be afoot. Otherwise, enterprises may find themselves running afoul of GDPR, a European privacy protection regulation that goes into force on May 25th and is poised to fine infringing parties up to four percent of their annual global revenue.”


Top 10 Mistakes Companies Make in GDPR Preparation


This article appeared in the March 14, 2018 issue of ITBusinessEdge 


With the EU’s General Data Protection Regulation (GDPR) less than three months away from enforcement, organizations are (hopefully) pulling together their GDPR strategy. However, the nuances of GDPR are something most of us are still trying to understand, and we probably won’t grasp them until the regulation is in effect and tested. In the rush to meet the compliance standards, errors will likely be made. I talked to security experts, and here are some of the more common GDPR prep mistakes.

“When it comes to GDPR compliance, the primary focus for most enterprises is on determining customer, partner, and employee-held data elements by the organization. Unfortunately, most have overlooked the significant amount of data collection activities occurring via the organization’s websites and mobile apps,” explained Chris Olson, CEO of The Media Trust. “This is a critical oversight since there are anywhere between tens to hundreds of unknown vendors not only executing code but also collecting personally identifiable information on website visitors. In fact, enterprises tend to find two to three times more vendor-contributed code on their websites than expected.”


Cryptomining: the new lottery for cybercriminals

This article by Chris Olson, CEO at The Media Trust, was originally published on CSO, March 14, 2018


Cryptomining has surpassed even ransomware as the revenue generator of choice, according to a Cisco Talos report, which estimates that crypto-mining botnets can earn attackers up to $500 a day and that a dedicated effort could equate to more than $100,000 a year. Representing the perfect balance of stealth and wealth for cybercriminals, and for some unscrupulous but legitimate online businesses, cryptomining is quickly becoming a major concern for enterprise IT teams, which frequently don’t know their digital assets have been compromised.

With stringent privacy laws coming into force in 2018, it is imperative that organizations know every partner that executes code on their websites. This information is critical not only for identifying the rogue source but also for communicating expectations and enforcing compliance, key mitigating factors when it comes to regulatory penalties.


The Battle to Secure the Digital Environment

This article by Chris Olson, CEO at The Media Trust, was published in “CSO Online” on January 12, 2018.


There’s no escaping it: the costs of recovering from cyber incidents continue to mount, projected to reach $8 trillion by 2022 according to Juniper Research. Enterprises can’t keep pace with the increasing sophistication and cadence of internet attacks, which are orchestrated by leveraging the components involved in everyday website functionality.

Information security is a growing, multibillion-dollar business. Yet the hits keep coming, with numerous high-profile breaches in 2017 generating unwanted front-page news for Equifax, Dun & Bradstreet, the U.S. Securities and Exchange Commission (SEC), Deloitte, Whole Foods Market, Hyatt Hotels, Uber, and Anthem, among others. While there are many facets to the security problem, the digital environment proves to be the most elusive. In fact, the past 12 months bore witness to countless man-in-the-middle attacks, vendor compromises and bots that harmed consumers and employees alike, grabbing credit card data, enslaving system resources, and much more.

Something is wrong. Could it be that security providers don’t have solutions to address today’s malware problems?


 

Websites: The Code for Cyberattacks

This article by Alex Calic, Chief Revenue Officer at The Media Trust, was first published in “Home Business Journal” on December 26, 2017.


Hacktivists, cybercriminals, disgruntled employees and even students deface websites as a satisfying pastime. Much like spraying graffiti across a storefront or government building, cyber attackers deliver in-your-face messages to not only your market but also the internet at large. What’s worse is that you might not even know about it until customer complaints begin to roll in. Clearly, these are high stakes for a small or medium-sized business that relies on the internet as a revenue channel and brand ambassador.


MarTech Today: Companies are afraid of everyone’s website but their own


Article appeared in MarTech Today, Nov. 16, 2017


The Media Trust CEO: Most of what happens on your website is not controlled by you

And this third-party code, says Chris Olson, results in dozens of cookies for each user, security vulnerabilities and performance hits.

 

The Honest Truth about The Honest Ads Act

Building transparency with a little upfront disclosure

Authored by Chris Olson, CEO & Co-Founder, The Media Trust


The fake news furor and potential Russian involvement in the 2016 U.S. general election are reaching a fever pitch, with multiple congressional hearings, and digital advertising is in the crosshairs. Like many challenging discussions about digital advertising, this one has transparency at its heart.

Digital compliance for political ads

The proposed Honest Ads Act is a bipartisan effort to govern digital political advertising under the same rules that traditional broadcast media already follow, and it is the one tangible outcome of the investigations so far.

The act calls for all politically-oriented digital ads to be declared at purchase, clearly labeled in the creative, and available for consumer access via a searchable interface. Among other things, the buyer must disclose their contact information, candidate and/or campaign, ad flight duration, number of impressions/views, and targeting criteria. The platform must collect this information and retain it for at least four years. It applies to digital platforms with at least 50 million unique visitors a month for the preceding 12-month period that have political ad buyers who spend at least $500 within a calendar year.

In a nutshell, it requires that publishers know their ad buyers, ensure ads comply with (regulatory) policies, and provide consumer access to these ads and any associated targeting criteria. Sound familiar?

Transparency starts with the buyer

As The Media Trust announced a few short months ago, our Digital Vendor Risk Management (DVRM) platform provides real-time visibility and insight into non-compliant activity and threats operating in enterprise website and mobile app environments. More than a risk management framework, DVRM operationalizes client-specific digital asset policies, continuously evaluates digital partner compliance, and actively facilitates the resolution of violating behavior.

The crux of this solution is the ability to identify and manage an enterprise’s digital ecosystem participants, from ad tech up to the source buyer, and authorize their presence. In addition to privacy regulation and escalating security concerns, the Honest Ads Act is just another reason why enterprises need to know their partners.

DVRM – A simple solution to a complex problem

Applying a political lens to DVRM, it’s evident that the platform already satisfies most of the requirements for transparency and accountability. Advertising supply chain partners register via an online portal; ads are uploaded and continuously scanned according to targeting criteria; client-specific policy violations are flagged; and ads are stored for historical reference.

Self-regulation forces a new digital approach

Major platforms have announced their approaches to address congressional concerns and hopefully stave off the vote, let alone passage, of the Honest Ads Act. However, this self-regulation will need to extend to others meeting the requirement threshold, like ecommerce and media publishers.

Regardless of Honest Ads going to vote, changes are in the air. As an industry that has largely grown via self-regulation, the signals are obvious. It is incumbent upon the industry to embrace these changes, especially with the DVRM platform as an easy way to codify and operationalize your policies.

GDPR: The Pandora’s Box is Open for Enterprise Websites

Authored by Chris Olson, CEO & Co-Founder, The Media Trust

This article originally appeared in Website Magazine in September 2017

Compliance officers need to rein in the regulatory risks associated with their digital properties. The European Union’s General Data Protection Regulation (GDPR) is a conversation starter for most companies looking to control compliance, reputational and revenue risks. However, while the focus has been on identifying data elements–customer, partner and employee–held by the organization, most have overlooked the data collection activities occurring via the company’s websites and mobile apps. Just as with Pandora’s box, there’s a slew of GDPR-driven evil emanating from your digital properties.

Digital vendors and the GDPR

The internet is a highly dynamic environment, and most websites require a host of third-party providers to render content in a consumer’s browser. In fact, enterprises tend to find two to three times more external code on their websites than expected. The purpose of this code is to provide or enable services–data management platforms, image or video hosting, marketing analytics, content delivery, customer identification, payment processing, etc.–required to deliver the website experience. However, most enterprises are not aware of the full depth of their reliance on these vendors and therefore do not fully examine the code executing in their own digital environment. This results in “Digital Shadow IT”, which is rampant on most enterprise digital properties, since the majority of third-party code executing in the consumer’s browser operates outside the IT infrastructure.

True, third-party digital vendors power today’s robust and feature-rich websites and apps; the downside, however, is that their code execution goes largely unchecked, enabling unauthorized and unmonitored data tracking. This applies to not only known third-party vendors, but also other vendors with whom they are associated—frequently an external provider needs to call a fourth, fifth and sixth party to help execute its requested service. This essentially means that not only do organizations need to get their own house in order, they need to ensure their digital vendors do so as well.

Reliance on web application security (appsec) tools to holistically monitor website and app code is misguided, since current appsec tools are inadequate at capturing third-party code execution. Additionally, security and compliance professionals aren’t fully aware of the amount of consumer data collection that takes place: cookie drops, pixel fires, device-fingerprint collection, and more. When GDPR goes live in May 2018, ignorantia juris non excusat (ignorance of the law is no excuse) will not be a valid defense when confronted with a data privacy violation. It comes as little surprise that around 86% of organizations worldwide are concerned about GDPR noncompliance.

What goes online stays online

One of GDPR’s key requirements centers on personal online behavior data, specifically information collected from an individual’s digital activity (websites visited, links clicked, forms submitted, etc.), and imposes restrictions on its transfer outside the European Union to other businesses or legal entities. Organizations will need a clear understanding of whose data is being collected, what data is being collected, what it is used for, and, if the data subject resides within the EU, where this information is being transferred, along with confidence that it is adequately protected.

Thanks to the density of code executing behind today’s websites and mobile apps this data inventory task is easier said than done.

Data documentation is much harder than companies anticipate, particularly for media and ecommerce websites offering digital display advertising space. Ultimately, companies will need to ensure that none of their advertising partners engages in activity that could put the organization or its customer data in violation of GDPR.

Let’s not forget that recent website security breaches also demonstrate that third parties are often the weakest link in the security chain. While an organization may employ rigorous security controls around physical vendors and contracted partners, it often fails to extend the same rigor to its digital counterparts. Gartner predicts that by 2020, 33% of attacks experienced by enterprises will result from shadow IT resources. Given this evidence, it is no wonder the GDPR focuses so heavily on third-party relationships. Clearly, when it comes to unchecked third-party code on websites and mobile apps, it isn’t just compliance risks but significant security risks that enterprises need to consider. How do firms control something they enable but don’t see, and can ill afford to ignore?

Limiting the risks

The odds are stacked against enterprise website operators, but creating a holistic digital vendor risk management program is a step in the right direction. The first step is documenting a few basic facts about your specific digital environment by asking website teams the following:

1. How many third-party vendors execute on websites and mobile apps?
2. What are the names of these vendors?
3. What exactly are they doing, i.e., intended purpose and also any additional, out-of-scope activity?
4. Do we have contracts to authorize the scope of the work?
5. How does third-party vendor activity affect overall website and mobile app performance?
6. What are the risks to data privacy?
7. What is my business’s exposure to regulatory risk via vendor behavior?
8. Is my organization maintaining encryption throughout the code execution chain?
9. As these vendors change over time, what is the process to identify new vendors and their activity on websites and apps?
10. Have Data Compliance policies been communicated to digital vendors?

Once these questions are successfully (or satisfactorily) answered, they should be revisited on a regular basis. Continuous monitoring of the digital environment helps create a compliance mechanism that alerts you to violations.

Organizations must then, of course, strive to document how their third-party partners handle this same data—another GDPR requirement. This information is critical to ensuring customer data is not being put at risk at any time regardless of data holder. In effect, both your organization and your third parties need to develop, communicate and enforce the policies, processes and technologies necessary to support all digital-related aspects of GDPR, from consumer online behavior data collection, use, storage and transfer.

When the regulation comes into force, enterprises that treat it as an opportunity to protect user/consumer data, and their own brand, could establish a competitive advantage. The end result should also translate to fewer breaches, fewer opportunities for cybercriminals, and a much safer cyberspace. The internet’s Pandora’s box may have been opened, but it doesn’t have to spread evil into the world.

GDPR Compliance Risks on Websites

Authored by Matt O’Neill, General Manager, Europe, The Media Trust. 

The way the cookie crumbles


Today’s websites and apps (your corporate website included) are powered by sophisticated technology. After all, in order to support consumer expectations—content consumption, search, social networking, shopping carts, travel booking, banking, news, gaming and so much more—websites incorporate robust solutions on the backend.

These solutions aren’t news to most InfoSec professionals, but they are where security problems start. Think about it. Almost 80% of a typical website’s functionality is outsourced to vendors providing specialized services such as data management platforms, marketing analytics, customer identification, image or video hosting, payment processing, content delivery and more. This third-party code operates outside the purview of your IT and security infrastructure, which means you control less than 25% of the code executing on your website. As the website operator, you have no insight into when this code is compromised to act as a conduit for malware propagation or unauthorized audience data collection. Considering the current regulatory environment around data compliance, the above statistics should make you nervous.

Cookie crumbs

To put it bluntly: you can’t control what you don’t see, and the functionality that third-party code provides on your digital properties is compromised more often than you think. You also have more third-party code than you realize.

As the security provider of choice for the world’s largest digital properties, The Media Trust scans websites for security and policy violations and actively manages more than 500 incidents at any one time. Some of the simplest websites average 10 third-party vendors, but most have dozens. The vendors continuously change and so do their actions.

The Media Trust’s website security and scanning team often detects persistent or unauthorized cookies with a lifespan of 30 years or more; one brand-name ecommerce website recently dropped a 7,000+ year cookie. This is a huge issue under the EU’s General Data Protection Regulation (GDPR), which goes into effect in less than a year. Compliance with GDPR requires detailed, real-time knowledge of executing digital partners and their activity, including the type of data collected and how long the partner remains on the user’s device, i.e., browser, phone, tablet, etc.
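A check of the kind the scanning team describes, written here as an added example and not The Media Trust’s own tooling: it parses Set-Cookie headers, computes each cookie’s lifetime (Max-Age takes precedence over Expires, per RFC 6265), and flags lifetimes beyond a 13-month ceiling, cookies scoped to a domain other than the site’s own, and cookies set without the Secure attribute (the point behind the encryption question in the checklists on this page). The headers, the domains and the 13-month threshold are constructed for illustration, not taken from any real site or from the article.

```python
"""Audit Set-Cookie headers for lifetimes and scopes that a retention policy would reject.

Added example; the headers below are constructed, not captured from any real site.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from email.utils import parsedate_to_datetime
from typing import Optional

# Assumed policy ceiling for a tracking cookie (roughly 13 months); not from the article.
MAX_LIFETIME_DAYS = 395


@dataclass
class CookieFinding:
    name: str
    domain: Optional[str]
    lifetime: Optional[timedelta]          # None means a session cookie
    issues: list = field(default_factory=list)


def parse_set_cookie(header: str):
    """Split 'name=value; Attr=val; Flag' into (name, {attr_lower: value})."""
    parts = [p.strip() for p in header.split(";") if p.strip()]
    name, _, _value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return name.strip(), attrs


def cookie_lifetime(attrs: dict, now: datetime) -> Optional[timedelta]:
    """Lifetime relative to `now`; RFC 6265 s5.3: Max-Age wins over Expires."""
    if "max-age" in attrs:
        try:
            return timedelta(seconds=int(attrs["max-age"]))
        except ValueError:
            return None            # browsers ignore a malformed Max-Age
    if "expires" in attrs:
        try:
            expires = parsedate_to_datetime(attrs["expires"])
        except (TypeError, ValueError):
            return None
        if expires.tzinfo is None:
            expires = expires.replace(tzinfo=timezone.utc)
        return expires - now
    return None                    # no expiry attribute: session cookie


def is_third_party(cookie_domain: Optional[str], site_domain: str) -> bool:
    """Domain attribute pointing outside the site (no public-suffix handling here)."""
    if not cookie_domain:
        return False               # host-only cookie, set by the page's own origin
    d = cookie_domain.lstrip(".").lower()
    return not (d == site_domain or d.endswith("." + site_domain))


def audit_cookies(headers, site_domain: str, now: datetime,
                  max_days: int = MAX_LIFETIME_DAYS):
    """One CookieFinding per header, with policy issues attached."""
    findings = []
    for header in headers:
        name, attrs = parse_set_cookie(header)
        lifetime = cookie_lifetime(attrs, now)
        finding = CookieFinding(name, attrs.get("domain"), lifetime)
        if lifetime is not None and lifetime > timedelta(days=max_days):
            finding.issues.append("lifetime_exceeds_policy")
        if is_third_party(attrs.get("domain"), site_domain):
            finding.issues.append("third_party_domain")
        if "secure" not in attrs:
            finding.issues.append("missing_secure")
        findings.append(finding)
    return findings


# Constructed sample: what a response from shop.example might set, with vendor cookies mixed in.
NOW = datetime(2017, 9, 1, tzinfo=timezone.utc)
SAMPLE_HEADERS = [
    "sid=9f2c1a; Path=/; Secure; HttpOnly",
    "pref=dark; Path=/; Max-Age=3600",
    "_tr=u8k2; Domain=.tracker.example; Path=/; Max-Age=946080000; Secure",    # 30 years
    "cart=1; Domain=shop.example; Path=/; Expires=Fri, 01 Jan 9017 00:00:00 GMT; Secure",
    "ad_id=777; Domain=ads.example; Path=/; Max-Age=63072000; Secure",          # 2 years
]

if __name__ == "__main__":
    for f in audit_cookies(SAMPLE_HEADERS, "shop.example", NOW):
        days = "session" if f.lifetime is None else f"{f.lifetime.days} days"
        print(f"{f.name:7} {days:>14}  {', '.join(f.issues) or 'ok'}")
```

Run it against the Set-Cookie headers captured from a page load (a proxy or the browser’s network panel gives you the raw header lines) and the output is a per-cookie list of policy breaks rather than an opinion about the site. Two caveats: a cookie set by first-party JavaScript that a vendor script wrote does not carry a vendor Domain attribute, so the third-party check will not catch it, and the public-suffix rules that browsers apply are deliberately left out here.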

If you are wondering how GDPR affects your business, then you’ve got a lot of catching up to do. GDPR supports the data protection rights of every EU resident, therefore every business with EU interests—in the form of customers, legal entities, business infrastructure, etc.—needs to comply. And, the global nature of the internet means any business with EU website traffic or app users needs to comply as well.

Clearly, enterprises should make some changes to digital operations in order to reduce exposure to GDPR violations. At a minimum, you need to do the following for all your digital properties—websites (desktop and mobile) and mobile apps included:

1. Communicate privacy policy

  • Write a clear privacy policy that explains use of third-party code and outlines any data collection activity
  • Place banner on homepage
  • Deliver Internal training

2. Provide easy-to-use opt in/ opt out mechanism

  • Explain need for tracking and how cookies are used to drive digital operations
  • Share links to individual privacy policies of all in-scope vendors on your site
  • Allow individuals to explicitly agree and/or refuse tracking

3. Understand how website/app-generated data is acquired, used & stored

  • Identify data: Registration, Cookies, IP addresses, device IDs
  • Assess the legal basis to collect data and determine if consent is necessary, e.g., Personally Identifiable Information (PII) vs. transaction functionality, etc.
  • Evaluate the need for a specific policy on data collected from minors (GDPR sets the age of digital consent at 16 by default and lets member states lower it to as low as 13; the U.K. and the U.S. use under 13)

4. Support data portability

5. Incorporate website intrusion in data breach reporting

While the GDPR mandate for websites has been clearly laid out, meeting it is easier said than done. With fines for noncompliance of up to 4% of global annual revenue or €20 million, whichever is higher, InfoSec is under pressure from internal risk and compliance professionals to ensure all data elements are documented, assessed and controlled.

Ignorance is real. So is anarchy.

With such a tall order, it is disturbing that so many InfoSec professionals overlook the perils of third-party vendor code going unchecked. Companies desperately need to incorporate digital vendors into their vendor risk management program. Most website/app operators are in the dark about how many direct and indirect vendors contribute to code on their site and who these vendors are, let alone know how many domains and cookies these vendors use to track website visitors.

Digital vendor risk management will highlight the security and compliance gaps inherent in the digital environment. For example, there really isn’t a clear chain of command when it comes to authorizing the presence of third-party vendors executing on a website. It is a fairly decentralized process, with departments like marketing, sales, IT, risk and legal all making decisions regarding the vendors they would like to use for various website functionalities. This makes creating accountability challenging, with most issues relegated to the IT and security departments to solve.

Putting the “Digital” in Vendor Risk Management

Yes, the odds are stacked against website operators, but creating a holistic digital vendor risk management program isn’t impossible. To create a risk management and GDPR compliance program for your digital properties, you should be able to answer the following:

Within 2 weeks:

  1. How many third-party vendors execute in websites and mobile apps?
  2. What are the names of these vendors?
  3. What exactly are they doing, i.e., intended purpose and also additional, out-of-scope activity?

Within 1 month:

  4. Do we have contracts to authorize the scope of the work?
  5. How does third-party vendor activity affect overall website/app performance?
  6. What are the risks to data privacy?
  7. What is my exposure to regulatory risk via vendor behavior?

Within 3 months:

  8. Am I maintaining encryption throughout the call chain?
  9. As these vendors change over time, what is the process to identify new vendors and their activity on websites and apps?
  10. If the corporate website isn’t fully secure, what happens when employees visit the site? Is the enterprise network at risk?
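The ten questions above, like the near-identical list in “GDPR: The Pandora’s Box is Open for Enterprise Websites” earlier on this page, start with an inventory. The following script is an added example, not The Media Trust’s own tooling, that gives a first answer to questions 1, 2, 4 and 8 from a page’s static markup: it lists external script, iframe, image-pixel and stylesheet references, separates first-party from third-party hosts, flags hosts absent from an allow-list of contracted vendors, and flags anything fetched over plain http. The page, the vendor hostnames and the allow-list are constructed. It sees only what is in the HTML; code that vendors load dynamically (the fourth and fifth parties the articles mention) needs a browser-side or proxy capture of the actual requests.

```python
"""Inventory the third-party code a page pulls in, from its HTML alone.

Added example; the HTML, hostnames and allow-list below are constructed for illustration.
"""
from dataclasses import dataclass, field
from html.parser import HTMLParser
from typing import Optional
from urllib.parse import urlsplit

# Tags whose src/href make the browser fetch (and for script/iframe, execute) someone else's code.
RESOURCE_ATTRS = {"script": "src", "iframe": "src", "img": "src", "link": "href"}


@dataclass
class Resource:
    tag: str
    url: str
    host: Optional[str]        # None for same-origin relative references
    first_party: bool
    issues: list = field(default_factory=list)


@dataclass
class Report:
    resources: list
    inline_scripts: int        # first-party by definition, but still unreviewed code


class ResourceCollector(HTMLParser):
    """Collect external references plus a count of inline <script> blocks."""

    def __init__(self):
        super().__init__()
        self.resources = []
        self.inline_scripts = 0

    def handle_starttag(self, tag, attrs):
        attr_name = RESOURCE_ATTRS.get(tag)
        if attr_name is None:
            return
        value = dict(attrs).get(attr_name)
        if value is None:
            if tag == "script":
                self.inline_scripts += 1
            return
        self.resources.append((tag, value))


def host_of(url: str) -> Optional[str]:
    """Hostname of an absolute or scheme-relative URL; None for relative paths."""
    hostname = urlsplit(url).hostname
    return hostname.lower() if hostname else None


def is_first_party(host: Optional[str], site_domain: str) -> bool:
    # Exact match or subdomain; a real tool would consult the public suffix list.
    return host is None or host == site_domain or host.endswith("." + site_domain)


def inventory(html: str, site_domain: str, authorized_hosts) -> Report:
    """Classify every fetched resource and attach the checklist issues it raises."""
    collector = ResourceCollector()
    collector.feed(html)
    findings = []
    for tag, url in collector.resources:
        host = host_of(url)
        res = Resource(tag, url, host, is_first_party(host, site_domain))
        if not res.first_party and host not in authorized_hosts:
            res.issues.append("unauthorized_vendor")     # question 4: no contract on file
        if urlsplit(url).scheme == "http":
            res.issues.append("plaintext_transport")     # question 8: encryption breaks here
        findings.append(res)
    return Report(findings, collector.inline_scripts)


def third_party_hosts(resources) -> list:
    """Questions 1 and 2: how many vendors, and who they are."""
    return sorted({r.host for r in resources if not r.first_party})


# Constructed page for shop.example; every vendor hostname is invented.
AUTHORIZED = {"cdn.analytics-vendor.example", "fonts.cdn.example"}
SAMPLE_HTML = """
<html><head>
<script src="/static/app.js"></script>
<script src="https://cdn.analytics-vendor.example/tag.js"></script>
<script src="http://legacy-widget.example/w.js"></script>
<link rel="stylesheet" href="https://fonts.cdn.example/style.css">
</head><body>
<img src="https://pixel.tracker.example/p.gif?uid=1" width="1" height="1">
<iframe src="//ads.exchange.example/frame"></iframe>
<script>window.dataLayer = [];</script>
</body></html>
"""

if __name__ == "__main__":
    report = inventory(SAMPLE_HTML, "shop.example", AUTHORIZED)
    print("third-party hosts:", third_party_hosts(report.resources))
    print("inline scripts:", report.inline_scripts)
    for r in report.resources:
        print(f"{r.tag:6} {r.url:48} {', '.join(r.issues) or 'ok'}")
```

Point it at the HTML your own server returns and the sorted host list is the starting answer to “how many vendors, and which”; anything flagged unauthorized_vendor is a host with no contract behind it, and anything flagged plaintext_transport is a gap in question 8. Re-running it on a schedule and diffing the host list is the cheapest possible version of question 9.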

Once you’ve been able to answer the above questions, within a year’s time you should be able to create a comprehensive digital vendor governance process that looks like this:

[Figure: digital vendor governance process]