PODCAST: How do we fix the internet?

Check out Charles Tendell’s interview of Chris Olson, CEO of The Media Trust, about the challenges of website security and the risk contributed by third-party code.

The world is a digital economy; however, there is a general lack of awareness of how to secure a highly dynamic digital environment, which requires a continuous security approach. The onus is on mobile app developers and website operators to ensure their assets are safe. Managing this risk requires:

  • Knowing your digital vendors/partners
  • Identifying and authorizing their activity
  • Communicating your policy and establishing responsibility
  • Evaluating vendor compliance with your policy

This podcast was recorded on October 24, 2017

Your Threat Intelligence Isn’t Working

False positives undermine your security investments. 

The rapid adoption of threat intelligence data by enterprises signals an increased emphasis on preventing targeted malware attacks. While few question the strategy fueling this boom, the quality of this intelligence is debatable. Recent news of organizations suffering brand damage due to false positives in their “compiled” threat feed puts the quality of numerous threat intelligence feeds under scrutiny.

In simple terms, a compiled threat intelligence feed aggregates data from various open sources and may also include observed data from the security vendor. The pitfalls of these multiple dependencies are many, the most debilitating of which is the quality of this so-called “intelligence.” In most cases, a compiled threat intelligence feed is a minefield of false positives, false negatives and unverified data.

To make your digital threat intelligence work for you, consider these factors:

Go for original source
Compiled isn’t conclusive

Many vendors use euphemisms like “comprehensive” or “crowdsourced” threat intelligence to characterize the value of their data. These euphemisms typically describe data compiled from multiple sources. Very few (most likely none) reveal that this aggregated data hasn’t been thoroughly vetted for accuracy – a process that requires significant staff hours given the volume of data within the feed. In fact, the time needed to properly assess the data would delay an enterprise’s receipt of and action on the intelligence. Needless to say, this time lag is all it takes for cyber criminals to do serious damage.

Avoid Costly Cleanups
False positives can be damning

The inherent inaccuracies in a compiled threat intelligence feed can lead to false positives and duplicate threat alerts. It is a well-established fact that malware alerts generate around 81% false positives and average 395 hours a week of wasted resources chasing false negatives and/or false positives.

A critical by-product of false positives is alert fatigue, which induces enterprise security professionals to not react in a timely manner – fatal behavior when an actual breach or violation does occur. In this “boy who cried wolf” scenario, the enterprise is vulnerable from two perspectives. Failure to react to a “positive” alert could expose the entity to malware. On the flip side, reaction to a “false positive” expends countless resources. Whatever the situation, the consequences could damage careers, cripple the security posture, and tarnish the enterprise’s image. By using an original source digital threat intelligence feed vendor, you maximize the level of intel accuracy and minimize the margin for false positives to occur.

Focus on patterns, not just appearances
Both IOCs and POAs are important

Another aspect of deciphering the value of threat intelligence is what actually goes on behind the scenes. Most threat intelligence feeds rely on indicators of compromise (IOCs) to declare a malware alert valid or to mark it with “high confidence” in its accuracy. However, what is harder to determine is the actual behavioral pattern of a threat or the method of malware delivery, which is what patterns of attack (POAs) depict. By understanding the POAs, high-quality threat intelligence can also detect new threat vectors, allowing enterprises to block suspicious malware before it becomes overt.

The key difference between IOCs and POAs is that IOCs consist of superficial, easy-to-alter data points that are not individual or specific to the bad actor, whereas POA data points are difficult to mask. To put it in simpler terms, think of a bank robbery. Information describing the appearance of the robber, such as a shirt or hair color, could easily be changed for the robber to evade detection and be free to commit additional heists. However, more specific, innate information regarding the robber’s gait or voice would make the individual easier to detect and block from committing the same crime again. These inherent factors, or POAs, are difficult and expensive to alter. Therefore, threat intelligence data should factor in both IOCs and POAs in order to provide a more conclusive picture of a threat and minimize false positives.

Security Buyer Beware

Yes, factors such as real-time data, number of data points on threat vectors, easy access, and seamless integration with TIP/SIEM are important in determining the overall quality of a threat data feed. However, inaccurate data and false positives are fundamental flaws in many market solutions for threat intelligence. By using an original source digital threat intelligence feed vendor, you maximize the level of intel accuracy and minimize the margin for false positives to occur. Choose wisely.

Malvertising: The story behind the story

Security firms make mountains out of molehills

Malware alert! Malware alert! It seems every time you turn around there’s a news story or report exposing the presence of malware in the online and mobile advertising ecosystem. The vector, exploit kit or function may change, but the story is the same—some industry expert uncovers new ad-based malware or malvertising and the media sounds the alarm. Preying on cyber-related anxieties, these stories typically present an exaggerated synopsis of the situation and focus on a single instance, spotlight one industry provider, and don’t offer actionable information for the reader. As a result, these provocative articles often make mountains out of molehills and end up missing the real story: Why does the industry expert believe this particular malware incident is news?

Keeping it real

Malware serves as an umbrella term for any intrusive software program with malicious or hostile intent, and covers a variety of forms including viruses, Trojans, and worms. Diagnosing malware provides critical insight into identifying current system vulnerabilities and mitigating future compromises, and the classic approach used by traditional security researchers requires the collection of malware samples and days of analysis by experts.

Ad-related malware behaves differently from other forms of malware and requires a distinct approach. Anyone who truly understands the advertising ecosystem recognizes that ad-based malware delivers through a publisher website for a very brief time period, typically an hour or less, before it terminates and moves on in a mutated form to infect hundreds of other sites. In addition, the infected ad must first render in a browser before it deploys—automatically or through site visitor action—and there’s no guarantee that it will impact every browser or deploy every time it is rendered.

For these reasons, it’s misleading to report on one malvertising incident captured on one site. In addition, it’s irresponsible to call out a publisher for something that cannot be replicated, and these reports cause unnecessary panic among advertisers, ad networks, exchanges and publishers who spend countless resources addressing a malware event that no longer exists.

Diagnosing the motivation

Publishing incident-specific ad-based malware reports provides very little useful information and does very little to eliminate malvertising from the advertising ecosystem. Yet, this reporting persists for two primary reasons—extortion or publicity.

In a practice known as “White Hat Ransomware”, disreputable security analysts mine websites for malvertising incidents and present the findings to the site/publisher hosting the bad ad. They offer to sell the vector information so the publisher can shut down the infection, with the understanding that the malware incident could be publicly released should the publisher choose not to pay. Usually perpetrated by obscure individuals or groups, this type of extortion proves very lucrative, as many publishers purchase the information in order to avoid the time-consuming fallout of negative publicity.

The more reputable network, endpoint and intelligence security firms try to extend their traditional malware analysis skill set to malvertising and digital content. However, it doesn’t work. Effective analysis requires continuous, real-time monitoring of the advertising environment from the browser or consumer point of view, which means scanning active ad placements using simulated users set up with the exact geographic and behavioral profiles that the ad is targeting—something that can’t be accurately replicated after the fact. In addition, the ever-shifting nature of malvertising means that capturing a screenshot of an incident found on a single site is misguided—if it exists on one site, it exists on hundreds or thousands of other publisher sites and ad networks—and the post-incident analysis offers no benefit to the consumers already exposed. By publishing malvertising-related reports about something that happened days, weeks or months ago, these firms unleash chaos in the ad tech industry as the publisher and its partners attempt to locate a vector that no longer exists.

Protecting the advertising ecosystem

Malware in the ad tech industry is not news. Admittedly, the ad tech industry plays a central role in the propagation of malware in the online and mobile advertising ecosystem; however, this fact is not ignored by responsible industry players, who fiercely combat it every day. From establishing working groups to creating “good ad” certifications to performing extensive due diligence on buyer clients, the industry works hard to tackle the presence of malware. In fact, many of the largest, most-visited websites actively scan their advertisements to identify and remove anomalous vectors before they morph and become overt malware drops. Unfortunately, a few ad-based malware vectors get through, but that number is minuscule in comparison to the billions of ads successfully rendered every day.

In effect, malvertising isn’t a new trend. In fact, it emerged shortly after the birth of banner ads 20+ years ago. What’s new is that traditional security companies are finally realizing that digital properties—websites and mobile apps—can be compromised. If you want to know how malvertising really works, ask The Media Trust. We’ve been detecting malware in the online and mobile environment for close to a decade, not the past few months.

Encryption – Your website isn’t as secure as you think

HTTPS code does not mean a site is encrypted

Encryption is complicated

Today is D-Day for ecommerce and IT professionals, basically anyone with a revenue-generating digital property. June 30 marks the day that Google’s ad networks move to HTTPS and follows previous statements indicating HTTPS compliance as a critical factor in search engine rankings.

From Google’s announcement to the White House directive mandating HTTPS-compliant federal websites by December 2016, encryption has become the topic du jour. And, rumors abound that browsers are getting into the encryption game by flashing alerts when a site loses encryption. Why all the fanfare?

Encryption adds elements of authenticity to website content, privacy for visitor search and browsing history, and security for commercial transactions. HTTPS guarantees the integrity of the connection between two systems—webserver and browser—by eliminating the inconsistent decision-making between the server and browser regarding which content is sensitive. It does not ensure a hacker-proof website and does not guarantee data security.

Over the past year, businesses worked to convert their website code to HTTPS. With Google’s recent announcement, ad-supported sites can sit back and relax knowing their sites are secure, right? Wrong.

To have a truly encrypted site you must ensure ALL connections to your website communicate through HTTPS, including all third-party code executing on your site, not just advertising. This means sites using providers such as content delivery networks, data management platforms, hosting services, analytics tools, product reviews, and video platforms need to ensure their connections—and any connections to fourth or fifth parties—are made via HTTPS. Just one plain-HTTP call anywhere in the chain breaks the encryption of your page. Considering that 57% of ecommerce customers would stop a purchase session when alerted to an insecure page, the ongoing push to encrypted sites should not be ignored.

What’s a website operator to do? By its very nature, third-party code resides outside your infrastructure and is not detected during traditional web code scanning, vulnerability assessment, or penetration testing. To ensure your site—and all the vendors serving it—maintains encryption you must scan it from the user’s point of view to see how the third parties behave. Only then can you detect if encryption has been lost along the call chain.
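As an added illustration (not code from The Media Trust), the check below takes a captured copy of a page's markup and reports every sub-resource that would be requested over plain http:// when the page itself is served over HTTPS. It is a static, first-hop check: the fourth- and fifth-party calls that a third-party script makes once it runs are only visible when the page is rendered and its network activity observed. All hostnames in the sample page are constructed placeholders.

```python
"""Flag sub-resources that would break HTTPS on a captured page (first hop only)."""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Tag/attribute pairs whose URL the browser fetches while rendering.
URL_ATTRS = {
    "script": ("src",), "img": ("src",), "iframe": ("src",),
    "link": ("href",), "source": ("src",), "video": ("src", "poster"),
    "audio": ("src",), "embed": ("src",), "object": ("data",),
}


class ResourceCollector(HTMLParser):
    """Collects every fetched URL found in the page markup."""

    def __init__(self):
        super().__init__()
        self.urls = []

    def handle_starttag(self, tag, attrs):
        wanted = URL_ATTRS.get(tag, ())
        for name, value in attrs:
            if name in wanted and value:
                self.urls.append(value.strip())


def find_insecure_resources(page_url, html):
    """Return (absolute_url, host) for each resource an HTTPS page would load
    over http://. Relative ('/a.css') and protocol-relative ('//cdn/x.js')
    URLs inherit the page scheme and are safe; only an explicit http: scheme
    breaks the encrypted chain."""
    collector = ResourceCollector()
    collector.feed(html)
    insecure = []
    for raw in collector.urls:
        absolute = urljoin(page_url, raw)
        parts = urlsplit(absolute)
        if parts.scheme == "http":
            insecure.append((absolute, parts.hostname))
    return insecure


# Constructed sample page: hostnames are placeholders, not real vendors.
SAMPLE_PAGE = """<html><head>
<link rel="stylesheet" href="/static/site.css">
<script src="//cdn.example-cdn.test/lib.js"></script>
<script src="http://analytics.example-vendor.test/tag.js"></script>
</head><body>
<img src="https://images.example.test/hero.jpg">
<iframe src="http://reviews.example-vendor.test/widget"></iframe>
</body></html>"""

if __name__ == "__main__":
    for url, host in find_insecure_resources("https://www.example.test/", SAMPLE_PAGE):
        print(f"insecure call to {host}: {url}")
```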

Leaving the light on…and exposing visitors to malware

Hotel websites are vulnerable to malware and data leakage

The hotel industry is poised for continued growth in 2015, coming off a stellar 2014 which saw occupancy rise to levels not seen in more than 20 years. With the World Tourism Organization projecting more than 1.4 billion international journeys in the year 2020, you can bet that hotel websites will play a central role in fulfilling these travel needs.

What are hotels doing to secure a share of this volume? Many incorporate video, add feedback collection and recommendation features, leverage blogs, or enhance the content management system. These various services provide for a more interactive and engaging website, as well as enable the site to be optimized. But, did you know that they also represent an entry point for malware and data leakage that can expose a customer’s personally identifiable information?

Yes, hotel ecommerce sites are rife with third-party vendors. As outlined in our recent blog post, brand and ecommerce site managers are not doing enough to protect the online and mobile environment FOR their customers. And hotel websites are no different. In fact, current industry rumors point to a manipulation of an account-checking tool used by a major hotel chain. The compromised tool, in concert with stolen passwords, allowed fraudsters to open new accounts and transfer rewards points which were then exchanged for gift cards. So that got The Media Trust thinking about other website vulnerabilities faced by hotels.

In early December, The Media Trust analyzed the 34 top hotel websites, as listed in STORES magazine’s annual “2013 Top 250 Global Hotels” report published in January 2014. Analysis involved the scanning of all public-facing website pages and the capture of all third-party vendors, domains and cookies present on each hotel’s site.

Over a seven-day period, The Media Trust’s Media Scanner scanned each hotel’s website homepage and major sections 250 times a day—a total of 1,750 scans per site. Each scan executed the web page as if it were being viewed by a typical consumer, and collected and analyzed all third-party code, content and text for security, latency and data leakage issues. Leveraging our presence in more than 500 global locations, The Media Trust replicated a true user experience as if a real consumer had visited the website, and therefore did not have the ability to collect actual visitor data.

The results were interesting. The average site utilized 47 different domains, 31 vendors and 65 cookies; however, some outlier hotel sites used as many as 134 domains and 148 cookies.

              Average    High
Domains:         47      134
Vendors:         31       57
Cookies:         65      148

What does this mean? That’s a good question. In theory, low numbers are preferred from a manageability perspective as each domain, vendor or cookie represents an access point to or action on a site—the fewer utilized in site operation, the fewer to manage. However, the reality is that a sizeable number of third-party vendors, domains and cookies are found on most sites as they provide the interactive and engaging functionality executing on browsers.

This functionality comes at a cost. Each third-party vendor represents an access point that could be compromised and serve malware; redirect visitors to another, possibly malicious, website or app; or secretly collect website visitor (first-party) data. In addition, each third party can call dozens of fourth or fifth parties, which exponentially increases the risk to site visitors.

Browser cookies provide essential site functions, including the ability to navigate without repeating data entry such as destination, travel dates and room requirements. However, the process of dropping the cookie can easily be compromised by an unauthorized party piggybacking on the cookie. In addition, some third-party vendors drop cookies to collect website visitor/first-party data without website owner/operator knowledge. Known as “data leakage”, these cookies track valuable user behavior—data about guests, their interests and travel periods—which can be resold into the online ecosystem for customer targeting by competitors or industry partners. If that data includes personally identifiable information (PII) the website owner/operator could be subject to data privacy violations. With state attorneys general and the federal government cracking down on PII, hotels must be mindful of public-facing website properties and what is executing on visitor browsers.

Hotel websites are vulnerable to data leakage and malware, and this vulnerability opens the door to litigation and significant brand damage. For these reasons website owner/operators need to thoroughly identify, approve and monitor third-party vendors and their activities at all times.
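The identify, approve and monitor approach described here (and the vendor-knowledge checklist in the podcast notes above) can be put to work on the output of a user-perspective scan. The added example below, which is not code from The Media Trust, takes a constructed capture of one page load, with each request paired to the document or script that initiated it and the cookies its response set, and reports the domain and cookie totals alongside every host the operator has not authorized, how far down the call chain it sits (third, fourth or fifth party) and which vendor introduced it. Site and vendor hostnames are placeholders.

```python
"""Inventory third-party activity from a page scan and check it against a vendor allowlist."""
from urllib.parse import urlsplit

FIRST_PARTY = "hotel.example.test"  # constructed placeholder for the operator's site

# Vendors the operator has identified and authorized (hosts they may use).
APPROVED_VENDORS = {"cdn.example-cdn.test", "reviews.example-vendor.test"}

# Constructed capture of one page load: (request URL, URL of the document or
# script that initiated the request, names of cookies the response set).
CAPTURED_REQUESTS = [
    ("https://hotel.example.test/rooms", None, ["session"]),
    ("https://cdn.example-cdn.test/app.js",
     "https://hotel.example.test/rooms", []),
    ("https://reviews.example-vendor.test/widget.js",
     "https://hotel.example.test/rooms", ["rv_uid"]),
    ("https://track.example-ads.test/pixel.gif",
     "https://reviews.example-vendor.test/widget.js", ["trk_id", "trk_dest"]),
    ("https://sync.example-data.test/match",
     "https://track.example-ads.test/pixel.gif", ["uid"]),
]

PARTY = {1: "third party", 2: "fourth party", 3: "fifth party"}


def host_of(url):
    return urlsplit(url).hostname if url else None


def is_approved(host):
    """Exact match or a subdomain of an approved vendor host."""
    return any(host == v or host.endswith("." + v) for v in APPROVED_VENDORS)


def hops_from_page(url, initiator):
    """0 = the page itself, 1 = called directly by the page (third party),
    2 = called by a third party (fourth party), and so on up the chain."""
    hops = 0
    while initiator.get(url):
        url = initiator[url]
        hops += 1
    return hops


def audit(requests):
    """Summarize domains and cookies seen, and list each unapproved host with
    its position in the call chain and the host that introduced it."""
    initiator = {url: by for url, by, _ in requests}
    report = {"domains": set(), "cookies": 0, "unapproved": []}
    for url, by, cookies in requests:
        host = host_of(url)
        report["domains"].add(host)
        report["cookies"] += len(cookies)
        if host != FIRST_PARTY and not is_approved(host):
            report["unapproved"].append({
                "host": host, "via": host_of(by), "cookies": cookies,
                "party": PARTY.get(hops_from_page(url, initiator), "deeper")})
    return report
```

Every unapproved entry whose cookie list is non-empty is a candidate for the data leakage described above, and the "via" field names the approved vendor whose compliance with the policy needs to be reviewed.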

The big question is: How are the major hotel chains managing their public-facing websites to protect their customers?