You know nothing, CISO

Shadow IT can stab you in the back

CISO work overload

Disclaimer: This blog post contains strong references to Game of Thrones. Memes courtesy of ImgFlip. 

You, CISO, are a brave warrior who fights unknown threats from all corners of the digital world. You, CISO, try with all your might to manage an increasingly complex digital ecosystem of malware, exploit kits, Trojans, unwanted toolbars, annoying redirects and more. You, CISO, wrangle a shortage of security professionals and an overload of security solutions. You, CISO, have lost sleep over protecting your enterprise network and endpoints. You, CISO, are aware of the lurking threat of shadow IT, but you CISO, know nothing until you understand that your own corporate website is one of the biggest contributors of shadow IT.

Beware of your Corporate Website

Did you know it’s likely you are only monitoring around 20–25% of the code executing on your website? The remaining 75-80% is provided by third-parties who operate outside the IT infrastructure. You may think website application firewall (WAF) and the various other types of web app security tools like Dynamic Application Security (DAST), Static Application Security (SAST), and Runtime Application Self-Protection (RASP) adequately protect your website. News flash: these applications only monitor owned and operated code. In fact, they can’t even properly see third-party code as it’s triggered by user profiles. There is a dearth of security solutions that can emulate a true end user experience to detect threats.

Think about it, if there are so many traditional website security solutions available, why do websites still get compromised? This third-party code presents a multitude of opportunities for malware to enter your website and attack your website visitors–customers and employees alike–with the end goal to ultimately compromise endpoints and the enterprise network.

Shadow IT in the corporate website

Avoid the Shame!

Practical CISOs will keep these hard facts in mind:

1.  There is no true king

You could argue that marketing is the rightful king to the Iron Throne of your corporate website since it is responsible for the UX, messaging, branding and so forth. But the enterprise website requires so much more. Every department has a stake: IT, legal, ad ops (if you have an advertising-supported website), security and finance, to name a few. Each department’s differing objectives may lead to adoption of unsanctioned programs, plugins and widgets to meet their needs. As a result, the website’s third-party code operates outside the purview of IT and security. Further complicating matters, there is no one department or person to be accountable when the website is compromised. This makes it hard for security teams to detect a compromise via third-party code and easier for malware to evade traditional security tools. In the absence of ownership, the CISO is blamed.

2.  Malware is getting more evil

Bad actors continue to hone their malware delivery techniques. They use malicious code to fingerprint or steal information to develop a device profile which can be used to evade detection by security research systems and networks. Furthermore, web-based malware can also remain benign in a sandbox environment or be dormant until triggered to become overt at a later date.

3. You’re afraid of everyone’s website…but your own

You know the perils of the internet and have adopted various strategies to protect your network from the evils of world wide web. From black and white listing to firewall monitoring and ad blocking, these defenses help guard against intrusion. But what about your website?

As previously stated, everyday web-enablement programs such as a video platform or content recommendation engine operate outside the IT infrastructure. The more dynamic and function rich your website is, the more you are at risk of a breach from third-party vendor code. Below is a not so exhaustive list of apps and programs contributing third-party code:

  • RSS Feed
  • News Feed
  • Third Party Partner Widgets
  • Third Party Content MS Integrations
  • Third Party Digital Asset MS Integrations
  • Third Party ECommerce Platforms
  • Image Submission Sites
  • Ad Tags
  • Video Hosting Platform
  • Crowd Sharing Functionality
  • File Sharing Functionality
  • Customer Authentication Platforms
  • Third-Party Software Development (SD) Kits
  • Social Media Connectors
  • Marketing Software
  • Visitor Tracking Software

Stick ‘em with the pointy end

Yes, we know, what lies beyond the realm of your security team’s watchful eye is truly scary. But now that you know that your website’s third-party vendor code is a major contributor of shadow IT, you can more effectively address website security within your overall IT governance framework.


Encryption – Your website isn’t as secure as you think

HTTPS code does not mean a site is encrypted

Encryption is complicated

Today is D-Day for ecommerce and IT professionals, basically anyone with a revenue-generating digital property. June 30 marks the day that Google’s ad networks move to HTTPS and follows previous statements indicating HTTPS compliance as a critical factor in search engine rankings.

From Google’s announcement to the White House directive mandating HTTPS-compliant federal websites by December 2016, encryption has become the topic du jour. And, rumors abound that browsers are getting into the encryption game by flashing alerts when a site loses encryption. Why all the fanfare?

Encryption adds elements of authenticity to website content, privacy for visitor search and browsing history, and security for commercial transactions. HTTPS guarantees the integrity of the connection between two systems—webserver and browser—by eliminating the inconsistent decision-making between the server and browser regarding which content is sensitive. It does not ensure a hacker-proof website and does not guarantee data security.

Over the past year, businesses worked to convert their website code to HTTPS. With Google’s recent announcement, ad-supported sites can sit back and relax knowing their sites are secure, right? Wrong.

To have a truly encrypted site you must ensure ALL connections to your website communicate through HTTPS, including all third-party code executing on your site, not just advertising. This means sites using providers such as content delivery networks, data management platforms, hosting services, analytic tools, product reviews, and video platforms, need to ensure connections—and any connections to fourth or fifth parties—are made via HTTPS. Just one break in any call chain will unencrypt your site. Considering 57% of ecommerce customers would stop a purchase session when alerted to an insecure page, the ongoing push to encrypted sites should not be ignored.

What’s a website operator to do? By its very nature, third-party code resides outside your infrastructure and is not detected during traditional web code scanning, vulnerability assessment, or penetration testing. To ensure your site—and all the vendors serving it—maintains encryption you must scan it from the user’s point of view to see how the third parties behave. Only then can you detect if encryption has been lost along the call chain.