Malware is Malware… except when it isn’t

So block anomalous activity first and ask questions later (please).

malwareoptions-700x148

As IT professionals (and logical human beings) we have been taught to analyze a situation first and then act based on knowledge gained from the analysis. Acting without an understanding of the full picture is considered impulsive and oftentimes, even foolish.

This is not always the best strategy in today’s fast-paced environment of ever-evolving and growing security threats. When working with malware, security professionals need to unlearn the “think twice” philosophy – they need to act first on qualified intelligence and then, if needed, analyze the data in more detail. This is especially true in the temporal world of the internet where web-based malware needs to be treated like harmful parasites that must be terminated immediately upon detection to stop propagation. Frequently, web-based threats initially present as benign code or operations; however, they easily morph into overt threats without your knowledge.

Going against the grain is a good thing

Today, Google reports more than 495,000 monthly searches for the term malware, producing around 76.4 million results. This should come as no surprise considering that there are nearly 1 million new malware threats detected every day.  

This high level of interest in the topic of malware combined with the aggressive growth of the security software market (valued at $75 billion in 2015) indicate that enterprises struggle to analyze and come to terms with the increasingly complex digital threat landscape. As studies consistently report on this lack of understanding about cybercrime and threats, it is high time that enterprises do something about it.

(Re)Defining Malware

First, let’s get back to basics and clarify the definition of malware:

“Any code, program or application that displays abnormal behavior or that has an unwarranted presence on a device, network or digital asset.”

This means any code or behavior not germane to the intended execution of a web-based asset is considered malware. Malware does not need to be complex, overt or malicious right from the time it is detected.

This definition means annoying or seemingly innocuous behavior, such as out-of-browser redirect, excessive cookie use, non-human clicks/actions or toolbar drops qualify. Most of these behaviors may seem benign now, but a close look at both Indicators of Threat (IOC) and Patterns of Attack (POA) typically suggest another story altogether.    

Don’t question the malware, question yourself  

IT professionals who’ve spent thousands of dollars and hours of learning to develop a knowledge base find it difficult to simply act without questioning and possibly over-analyzing ready to utilize data sources.

Working with qualified intelligence sources will make it much easier to change the “endless analysis” paradigm. If you must ask questions, question yourself and not the malware (at least not before blocking it first).

IT professionals need to reflect on the rapidly evolving web-based threat landscape. On a frequent basis, ask yourself:  

  1. Where are the vulnerabilities in my enterprise network?
  2. Are the tools used to secure my organization effective enough to handle increasingly sophisticated web-based attacks?
  3. What kind of threat intel resources are available? What is our experience with each source?
  4. What does my incident response look like? Is it swift and cost-effective?
  5. Where and how can I increase my operational efficiencies around my threat intelligence strategy?

Block first, ask questions later

The idea is simple, shield yourself against web-based breaches by being more proactive about the enterprise security posture. If and when breaches do occur, you should have at least limited the level of damage caused by loss of data, reputation and business continuity.

Before you spend all your time, money and effort on a full payload analysis of every malware alert, oftentimes, trying to verify the impossible, remember to block it first. What’s the worst that can happen? You block something that an employee needs? Trust me, they’ll let you know.

 

Ransomware and the small/medium-sized enterprise

When the “cost of doing business” is no longer an option.

hand is coming out of Computer screen front

“It’s the cost of doing business.” Over the long holiday season, I heard this phrase several times while socializing with family, friends and business acquaintances. My usually optimistic social group bemoaned the annoying effect ransomware has had (and continues to have) on their day-to-day business.

The topic isn’t a surprise. Around the country, similar professionals at small/medium-sized enterprises (SMEs) echo their sentiments. What surprised me was their passive reaction to the problem. Even the current President Barack Obama and the President-elect Donald Trump recognize the threat of cybercrime to businesses and the public.

It’s not just you, Mr. SME

Ransomware has undoubtedly been on the rise, with some groups such as the FBI claiming 4,000 attacks a day. These high numbers affirm the fact that ransomware is a financially motivated, equal opportunity malware; it wants to lock down any device that has an owner, whether the owner is a teenager, a global business tycoon or a small business owner.

Unfortunately, ransomware can be debilitating for small/medium-sized businesses (SMEs) whose viability hinges on access to customer lists, financial records, product/service details, legal contracts and much more. Most SMEs don’t have the resources or a sophisticated technology infrastructure to adequately secure their business. In fact, almost a third of SME don’t employ an information security professional. And, considering more than 70% of businesses actually pay up, ransomware is the perfect exploit for SMEs.

Clearly, it’s a big problem that needs a big solution, right?

Backups, backups, backups

From hospitals and medical offices to accounting firms and ecommerce shops, ransomware has proven to be a successful criminal endeavor, with many paying more than $10,000 for each incident to regain access to their business data. And, SMEs seem to have learned to accept it as a cost of doing business.

“It’s not a big deal, Mark. We just do more frequent backups.” Yes, this was an overwhelmingly common approach to the problem. It seems my discussion partners spend several hours a week making backup copies of files. When asked about the costs (storage, time resources, duplicate systems, access to backups, energy usage, etc.) the response was a casual shoulder shrug. Really? Frequent backups is your security strategy? At a time when businesses are getting leaner in every way, spending time and resources on backups isn’t a good use of ever-thinning IT budgets or the scarce security talent.

Beyond backups – seal the entryway

Backups are good, but they are just one piece of a more holistic security strategy against ransomware. The biggest challenge is helping my fellow IT professionals understand that ransomware—and any malware for that matter—can penetrate the best of defenses. The key is knowing how it enters: basic everyday Internet usage at work (think about email, websites, apps, out-of-date software/patches, etc.

“We use anti-virus software, blacklist the typical non-business sites, installed ad blockers, and repeatedly train staff about the perils of email links and attachments. What else is there?”

First, anti-virus (AV) and blacklisting isn’t enough as these defenses assume the bad guy is known; his signature is captured and stopped from executing. With thousands of new malware variants entering the digital ecosystem each day it’s nearly impossible for AVs to keep their protection levels up. Blacklisting is good for general business purposes. (I mean, if coworkers need to access porn, gambling or gaming during the work day you’ve got bigger problems!) But this doesn’t mean that all other websites are good, even the Alexa 1,000. Some of the largest web-based attacks occur on legitimate, premium websites.

Second, enterprise ad blocking isn’t all it seems. You may think that all ads are blocked, but this isn’t true. Large advertising networks pay a fee to whitelist their ads in exchange for agreeing to fit a stilted format. Media website owners (Facebook anyone?) are adopting technology to detect ad blockers and then re-insert their ads or content.

“Well, dammit, what should we do?”, you ask.

All is not lost – A new year has dawned

Now’s the time to take stock of your business’s information security plan. Conducting a full-scale audit can be daunting. To kick-off the process, I recommend the following initial steps:

  1. Identify all data sources (employee, vendors, customer). Increasingly, enterprises are asking their partners about security processes as part of their own security governance.
  2. Document how data is collected, used and stored. This includes mapping data input sources, e.g. website forms, emailed contracts, customer portals, payroll, etc.
  3. Estimate costs to collect and store data.
  4. Assign an owner to each data element, e.g., financial information to Finance, marketing data to Sales/Marketing, legal information to Contracts/Finance, etc.
  5. Score data value. On a scale of 1-100 assess the data’s criticality to business, e.g. if it’s lost what is the impact from financial, brand, relationship perspectives.
  6. Consider a Threat Intelligence Platform (TIP) to streamline data management and terminate threats before they penetrate the business.

Once you have this information you can then start to evaluate weaknesses, reinforce existing security processes and align IT budgets accordingly.

Ransomware isn’t as hard to tackle as many SME information security teams think.


 

You know nothing, CISO

Shadow IT can stab you in the back

CISO work overload

Disclaimer: This blog post contains strong references to Game of Thrones. Memes courtesy of ImgFlip. 

You, CISO, are a brave warrior who fights unknown threats from all corners of the digital world. You, CISO, try with all your might to manage an increasingly complex digital ecosystem of malware, exploit kits, Trojans, unwanted toolbars, annoying redirects and more. You, CISO, wrangle a shortage of security professionals and an overload of security solutions. You, CISO, have lost sleep over protecting your enterprise network and endpoints. You, CISO, are aware of the lurking threat of shadow IT, but you CISO, know nothing until you understand that your own corporate website is one of the biggest contributors of shadow IT.

Beware of your Corporate Website

Did you know it’s likely you are only monitoring around 20–25% of the code executing on your website? The remaining 75-80% is provided by third-parties who operate outside the IT infrastructure. You may think website application firewall (WAF) and the various other types of web app security tools like Dynamic Application Security (DAST), Static Application Security (SAST), and Runtime Application Self-Protection (RASP) adequately protect your website. News flash: these applications only monitor owned and operated code. In fact, they can’t even properly see third-party code as it’s triggered by user profiles. There is a dearth of security solutions that can emulate a true end user experience to detect threats.

Think about it, if there are so many traditional website security solutions available, why do websites still get compromised? This third-party code presents a multitude of opportunities for malware to enter your website and attack your website visitors–customers and employees alike–with the end goal to ultimately compromise endpoints and the enterprise network.

Shadow IT in the corporate website

Avoid the Shame!

Practical CISOs will keep these hard facts in mind:

1.  There is no true king

You could argue that marketing is the rightful king to the Iron Throne of your corporate website since it is responsible for the UX, messaging, branding and so forth. But the enterprise website requires so much more. Every department has a stake: IT, legal, ad ops (if you have an advertising-supported website), security and finance, to name a few. Each department’s differing objectives may lead to adoption of unsanctioned programs, plugins and widgets to meet their needs. As a result, the website’s third-party code operates outside the purview of IT and security. Further complicating matters, there is no one department or person to be accountable when the website is compromised. This makes it hard for security teams to detect a compromise via third-party code and easier for malware to evade traditional security tools. In the absence of ownership, the CISO is blamed.

2.  Malware is getting more evil

Bad actors continue to hone their malware delivery techniques. They use malicious code to fingerprint or steal information to develop a device profile which can be used to evade detection by security research systems and networks. Furthermore, web-based malware can also remain benign in a sandbox environment or be dormant until triggered to become overt at a later date.

3. You’re afraid of everyone’s website…but your own

You know the perils of the internet and have adopted various strategies to protect your network from the evils of world wide web. From black and white listing to firewall monitoring and ad blocking, these defenses help guard against intrusion. But what about your website?

As previously stated, everyday web-enablement programs such as a video platform or content recommendation engine operate outside the IT infrastructure. The more dynamic and function rich your website is, the more you are at risk of a breach from third-party vendor code. Below is a not so exhaustive list of apps and programs contributing third-party code:

  • RSS Feed
  • News Feed
  • Third Party Partner Widgets
  • Third Party Content MS Integrations
  • Third Party Digital Asset MS Integrations
  • Third Party ECommerce Platforms
  • Image Submission Sites
  • Ad Tags
  • Video Hosting Platform
  • Crowd Sharing Functionality
  • File Sharing Functionality
  • Customer Authentication Platforms
  • Third-Party Software Development (SD) Kits
  • Social Media Connectors
  • Marketing Software
  • Visitor Tracking Software

Stick ‘em with the pointy end

Yes, we know, what lies beyond the realm of your security team’s watchful eye is truly scary. But now that you know that your website’s third-party vendor code is a major contributor of shadow IT, you can more effectively address website security within your overall IT governance framework.

 

Is Your Threat Intelligence Certified Organic?

Certified _Organic_Threat_Intelligence

7 questions to ask before choosing a web-based threat intelligence feed.

It should come as no surprise that CISOs are under ever-increasing pressure, with many facing the prospect of losing their jobs if they cannot improve the strength of the enterprise security posture before breaches occur. And, occur they will. Consider these figures—recent studies report that web-based attacks are one of the most common types of digital attacks experienced by the average enterprise, costing $96,000 and requiring 27 days to resolve a single incident. Furthermore, there is a definite positive correlation between both the size of the organization and the cost of the cyber attack and additional correlation between the number of days taken to resolve an attack and the cost of the attack—the larger the organization or days required to remediate, the higher the cost.

Enter, Threat Intelligence

CISOs increasingly embrace threat intelligence as a means to enhance their digital security posture. In the past three years, organizations have significantly raised their spending on threat intelligence, allocating almost 10% of their IT security budget to it, and this number is expected to grow rapidly through 2018. And, this budget allocation appears to be well spent as organizations report enhanced detection of cyber attacks—catching an average 35 cyber attacks previously eluding traditional defenses.

Not all threat intel feeds are created equal

Sure, threat intelligence feeds are increasingly accepted and adopted as an essential element in the enterprise security strategy. In fact, 80 percent of breached companies wish they had invested in threat intelligence. But even as the use of third-party threat intelligence feeds increase, IT/security teams are realizing that not all threat intelligence feeds are created equal.

To begin with, there are several types of threat intelligence feeds based on web-based threats or email threats, and feeds that scan the dark web, among others. While not discounting the value of the various types of feeds, CISOs need to understand why web-based threat intelligence is the first among equals. Web-based malware target the enterprise network and the endpoints through day-to-day internet use by employees–internet critical to their day-to-day office functions. A truly valuable threat intelligence feed will help CISOs achieve their end goal of keeping their organization safe and blocking confirmed bad actors.

+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Checklist for Choosing the Right Threat Intelligence

Ask these seven questions to determine if the web-based threat intelligence feed(s) you choose are “certified organic” enough to provide tangible goodness and value to the health of your enterprise security posture:

1.    Is the data original source?

Our previous post, Your Threat Intelligence Isn’t Working, discussed the pitfalls of using compiled third-party sources in a threat intel feed—more data isn’t necessarily good data! The time-consuming process of managing duplicates and false positives cripples the performance of most information security teams to the point that many alerts are ignored. Protect cherished resources—budget and time—by choosing an original source threat intelligence feed.

2.    How is the data collected?

While original source threat intelligence minimizes false positives and duplicates, how the data is collected maximizes the tangible value of the feed. Web-based malware is typically delivered through mainstream, heavily-trafficked websites, either via ads or third-party code such as data management platforms, content management systems, customer identification engines, video players and more. Hence, the threat intelligence feed needs to source the data by replicating typical website visitors. This means continuously (24*7*365) scanning the digital ecosystem across multiple geography, browser, devices, operating system and consumer behavior, using REAL user profiles. Unless the engine that gathers the threat intelligence behaves like real internet users (who are the targets of web-based malware), the quality of the “internet threat” data is questionable at best.

3.     Is the threat intelligence dynamic?

Threat intelligence should be a living (frequently updated), constantly active data source. The data in the threat intelligence feed needs to adapt to reflect the rapidly transforming malware landscape. The engine behind the feed should both track and detect malware in real-time, while also accounting for the changing patterns of attack. Even the algorithms driving the machine learning needs to be dynamic and continuously reviewed.

4.     Does it prevent AND detect threats?

As the adage goes, an ounce of prevention is worth a pound of cure, and this holds true in the cyber security space. However, reliance on prevention isn’t practical or realistic. Prevention boils down to deployed policies, products, and processes which help curtail the odds of an attack based on known and confirmed threats. What about unknown or yet to be confirmed threats?

Threat hunting is becoming a crucial element in the security posture. It refers to the detection capabilities stemming from a combination of machine generated intel and human analysis to actively mine for suspicious threat vectors. Does your threat intelligence account for both indicators of compromise (IOC) and patterns of attack (POA)? The goal of threat hunting is to reduce the dwell time of threats and the intensity of potential damage. The threat intelligence feed should allow you to act on threats patterns before they become overt.

5.     How is the data verified?

Just as the automation or machine learning behind the threat intelligence feed should simulate a real user for data collection, human intervention is important for data verification. Without the element of human analysis, data accuracy should be questioned. Otherwise, you run the risk of experiencing increased false positives.

6.     Is the information actionable?

Malware is malware, and by its definition it is “bad”. You do not need an extensive payload analysis of threat data. You do, however, need information about the offending hosts and domains, so that compromised content can be blocked, either manually or via Threat Intelligence Platform (TIP). The granularity of the data can also save CISOs from the politics of whitelisting and blacklisting websites. As a bonus, real-time intelligence will enable you to unblock content when it is no longer compromised.

7.     Does it offer network-level protection?

While CISOs still debate over an optimal endpoint security solution, web-based threats attack at the enterprise network. Frankly, stopping malware at the endpoint is too late! The threat intelligence you choose must offer network-level protection and deter web-based threats from propagating to endpoints in the first place.

Your Threat Intelligence Isn’t Working

False positives undermine your security investments. 

Your Threat Intelligence Isn't Working

The rapid adoption of threat intelligence data by enterprises signals an increased emphasis on preventing targeted malware attacks. While few question the strategy fueling this boom, it is the quality of this intelligence that is debatable. Recent news of organizations suffering brand damage due to false positives in their “compiled” threat feed, puts the quality of numerous threat intelligence feeds under scrutiny.

In simple terms, a compiled threat intelligence feed aggregates data from various open sources and may also include observed data from the security vendor. The pitfalls of these multiple dependencies are many, the most debilitating of which is the quality of this so-called “intelligence.” In most cases, a compiled threat intelligence feed is a minefield of false positives, false negatives and unverified data.

To make your digital threat intelligence work for you, consider these factors:

Go for original source

Compiled isn’t conclusive

Many vendors use the euphemisms like “comprehensive” or “crowdsourced” threat intelligence to characterize the value of their data. These euphemisms typically describe data compiled from multiple sources. Very few (most likely none) reveal the fact that this aggregated data hasn’t been thoroughly vetted for accuracy – a process that requires significant manpower hours for the volume of data within the feed. In fact, the time needed to properly assess the data would delay an enterprise’s receipt of and action on the intelligence. Needless to say, this time lag is all it takes for serious damage to be done by cyber criminals.

Avoid Costly Cleanups
False positives can be damning

The inherent inaccuracies in a compiled threat intelligence feed can lead to false positives and duplicate threat alerts. It is a well-established fact that malware alerts generate around 81% false positives and average 395 hours a week of wasted resources chasing false negatives and/or false positives.

A critical by-product of false positives is alert fatigue, which induces enterprise security professionals to not react in a timely manner – fatal behavior when an actual breach or violation does occur. In this “boy who cried wolf” scenario, the enterprise is vulnerable from two perspectives. Failure to react to a “positive” alert could expose the entity to malware. On the flip side, reaction to a “false positive” expends countless resources. Whatever the situation, the consequences could damage careers, cripple the security posture, and tarnish the enterprise’s image. By using an original source digital threat intelligence feed vendor, you maximize the level of intel accuracy and minimize the margin for false positives to occur.

Focus on patterns, not just appearances
Both IOCs and POAs are important

Another aspect to deciphering the value of  threat intelligence is what actually goes on behind the scenes. Most threat intelligence feeds factor in indicators of compromise (IOCs) to describe a malware alert is valid  or is marked with “high confidence” in its accuracy. However, what is harder to determine is the actual behavioral pattern of a threat or the method of malware delivery, which is what patterns of attack (POAs) depict. By understanding the POAs, high-quality threat intelligence can also detect new threat vectors, hence allowing enterprises to block suspicious malware before it becomes overt.

The key determining characteristic between IOCs and POAs is that IOCs contain  superfluous, easy-to-alter data points that are not individual or specific to the bad actor, whereas POA data points are difficult to mask. To put it in simpler terms, think of a bank robbery. Information describing the appearance of the robber, such as a shirt or hair color, could be easily changed for the robber to evade detection and be free to commit additional heists. However, more specific, innate information regarding the robber’s gait or voice, would make the individual easier to detect and block their ability to commit the same crime again. These inherent factors or POAs are difficult and expensive to alter. Therefore, threat intelligence data should factor in both IOCs and POAs in order to provide a more conclusive picture of a threat and minimize false positives.

Security Buyer Beware

Yes, factors such as real-time data, number of data points on threat vectors, easy access, and seamless integration with TIP/SIEM are important in determining the overall quality of a threat data feed. However, inaccurate data and false positives are fundamental flaws in many market solutions for threat intelligence. By using an original source digital threat intelligence feed vendor, you maximize the level of intel accuracy and minimize the margin for false positives to occur. Choose wisely.

Ecommerce can be bad for your financial health

Compromised Landing Pages

Compromised landing page allows unauthorized collection of credit card information. 

A holiday weekend will prove more memorial for some visitors to several ecommerce sites. Customers wishing to purchase athletic gear or sign up for a competition risked having their credit card information collected by an unauthorized third party.

Detecting the infection

In the United States, Memorial Day signals the start of summer and the three-day holiday weekend kicks off with numerous large-scale promotions and sales campaigns pitching outdoor-related goods and services. Consequently, the digital advertising ecosystem usually experiences a jump in campaigns to drive traffic to ecommerce sites—a ripe opportunity to leverage.

The Media Trust team detected extraneous JavaScript code executing on the payment landing page for several medium-sized, sports-oriented ecommerce websites.

First detected in the early afternoon of Saturday, May 28, legitimate advertising creative directed users to legitimate ecommerce sites which happened to be compromised. The “angular” domain (angular.club) injected superfluous JavaScript throughout the sites to collect information input by a user, such as race registration or financial details associated with a purchase.

Memorial Day Sales

Diagnosing the financial headache

The angular domain injected UTF-8 encoded script throughout the entire ecommerce site and obfuscated itself by adopting the name of the site into its script, i.e., angular.club/js/site-name.js. Searching on the root domain “angular.club” redirects to “AngularJS.org”, a valid Google JavaScript framework and another attempt at misdirection to hide the true intention.

It’s likely the bad actor penetrated the content management system (CMS) or website theme template in order to ensure the code executed on all pages, especially the payment landing page.

Compromised JavaScript

Example of JavaScript

This code collects a range of financial and personally identifiable information (PII) including billing name, address, email, telephone number, credit card number, expiration date, and CVV.

The information is then sent to another server unassociated with the ecommerce site owner. The host of the angular domain and the web service that collects the credit card information are owned by the same entity, whose host server is in Germany and registered to someone in Florida.

Per The Media Trust team, there is no valid coding reason for this JavaScript to be on the website. The script’s sole purpose is to inject a block of code into the web page to collect credit card information and send it to another server where it can be used for future use—purchase online goods, sold on the dark web, used to buy domains to launch additional attacks, etc.

Assessing the health of the ecommerce site

The ecommerce site operators removed the code from there sites late on Tuesday, May 31. Frankly, the damage was already done.

During a strong promotional period, several small- to medium- sized ecommerce sites did not realize their expected traffic. Due to the malicious nature of the landing page associated with these campaigns, The Media Trust alerted our ad tech clients to block the serving of the ads. In one instance, seven different creative supporting more than 200 ad impressions did not execute. In addition, one of the campaigns promoted an event with an expiration date of Wednesday, June 1.

Prescribing the cure

The Internet can be a scary place, full of bad actors looking to make a quick buck by preying on the good nature of others—consumers and website properties alike. Holiday periods are when the online ecosystem experiences a surge in attacks, and no business or organization is immune.

The lesson learned is that brand and corporate websites are just as vulnerable to attack as ad content. And, ecommerce is especially vulnerable due to the direct impact to revenue.

The best defense is to be on constant alert, a security posture that is difficult for most to assume. That’s why many firms leave it up to the experts to continually scan their online and mobile ecosystem. Continuous website monitoring will alert you to an anomalous or unexpected behavior of third-party vendors and first-party, website operator code. Upon detection, these issues can be immediately resolved thereby keeping your ecommerce operation alive and kicking.

The Blind Spot in Enterprise Security

Website security is overlooked in most IT governance frameworks. 

website security blindspot

Managing a website isn’t as easy as you think. Sure, you test your code and periodically scan web applications but this only addresses your first-party owned code. What about third-party code?

Considering more than 78% of the code executing on enterprise websites is from third-parties, IT/ website operations departments cannot truly control what renders on a visitor’s browser. This inability to identify and authorize vendor activity exposes the enterprise to a host of issues affecting security, data privacy and overall website performance. And, your website isn’t immune.

Masked vulnerability: What you don’t know can hurt you

The fact that the majority of the code executing on an enterprise website is not seen, let alone managed, does not absolve the enterprise from blame should something go wrong—and it does.

Much publicized stories about website compromises and digital defacement point to the embarrassing reality that websites are not easy to secure. But that’s not all.

Digital property owners—websites and mobile apps—are beholden to a series of regulations covering consumer privacy, deceptive advertising, and data protection. The U.S. Federal Trade Commission U.S. has dramatically stepped up enforcement of deceptive advertising and promotional practices in the digital environment over the past few years and recently signaled interest in litigating enterprises found to be violating the Children’s Online Privacy Protection Act (COPPA).

Data privacy regulations don’t only apply to minors accessing the website. The recent overturning of EU-US Safe Harbor and resulting EU-US Privacy Shield framework calls attention to the need to understand what data is collected, shared and stored via enterprise digital operations.

Don’t forget that these third parties directly affect website performance. Problematic code or behavior—too many page requests, large page download size, general latency, etc.—render a poor experience for the visitor. Potential customers will walk if your website pages take more than two seconds to load, and third parties are usually the culprits.

The problem is that the prevalence of third-party code masks what’s really happening on a public-facing website. This blindness exposes the enterprise to unnecessary risk of regulatory violations, brand damage and loss of revenue.

Seeing through the camouflage

This is a serious issue that many enterprises come to realize a little too late. Third-party vendors provide the interactive and engaging functionality people expect when they visit a website—content recommendation engines, customer identification platforms, social media widgets and video platforms, to name a few. In addition, they are also the source of numerous back-end services used to optimize the viewing experience—content delivery network, marketing management platforms, and data analytics.

Clearly, third parties are critical to the digital experience. However, no single individual or department in an organization is responsible for everything that occurs on the site—marketing provides the content and design, IT/web operations makes sure it works, sales/ecommerce drives the traffic, etc. This lack of holistic oversight makes it impossible to hold anyone or any group accountable for when things go wrong that can jeopardize the enterprise.

Case in point: can you clearly answer the following:

  • How many third-party vendors executing on your website?
  • How did they get on the site, i.e., were they called by another vendor?
  • Can you identify all activity performed by each vendor?
  • What department authorized and takes ownership of these vendors and their activity?
  • How do you ensure vendor activity complies with your organization’s policies as well as the growing body of government regulations?
  • What is the impact of individual vendor activity on website performance?
  • What recourse do you have for vendors that fail to meet contractually-agreed service level agreements (SLA)?

Questions like these highlight the fact that successfully managing an enterprise website requires a strong command of the collective and individual technologies, processes and vendors used to render the online presence, while simultaneously keeping the IT infrastructure secure and in compliance with company-generated and government-mandated policies regarding data privacy.

Adopting a Website Governance strategy will help you satisfy these requirements.

Take back control

What happens on your website is your responsibility. Don’t you think you should take control and know what’s going on? It’s time you took a proactive approach to security. The Media Trust can shine a light on your entire website operation and alert you to security incidents, privacy violations and performance issues.