You know nothing, CISO

Shadow IT can stab you in the back

CISO work overload

Disclaimer: This blog post contains strong references to Game of Thrones. Memes courtesy of ImgFlip. 

You, CISO, are a brave warrior who fights unknown threats from all corners of the digital world. You, CISO, try with all your might to manage an increasingly complex digital ecosystem of malware, exploit kits, Trojans, unwanted toolbars, annoying redirects and more. You, CISO, wrangle a shortage of security professionals and an overload of security solutions. You, CISO, have lost sleep over protecting your enterprise network and endpoints. You, CISO, are aware of the lurking threat of shadow IT, but you CISO, know nothing until you understand that your own corporate website is one of the biggest contributors of shadow IT.

Beware of your Corporate Website

Did you know it’s likely you are only monitoring around 20–25% of the code executing on your website? The remaining 75-80% is provided by third-parties who operate outside the IT infrastructure. You may think website application firewall (WAF) and the various other types of web app security tools like Dynamic Application Security (DAST), Static Application Security (SAST), and Runtime Application Self-Protection (RASP) adequately protect your website. News flash: these applications only monitor owned and operated code. In fact, they can’t even properly see third-party code as it’s triggered by user profiles. There is a dearth of security solutions that can emulate a true end user experience to detect threats.

Think about it, if there are so many traditional website security solutions available, why do websites still get compromised? This third-party code presents a multitude of opportunities for malware to enter your website and attack your website visitors–customers and employees alike–with the end goal to ultimately compromise endpoints and the enterprise network.

Shadow IT in the corporate website

Avoid the Shame!

Practical CISOs will keep these hard facts in mind:

1.  There is no true king

You could argue that marketing is the rightful king to the Iron Throne of your corporate website since it is responsible for the UX, messaging, branding and so forth. But the enterprise website requires so much more. Every department has a stake: IT, legal, ad ops (if you have an advertising-supported website), security and finance, to name a few. Each department’s differing objectives may lead to adoption of unsanctioned programs, plugins and widgets to meet their needs. As a result, the website’s third-party code operates outside the purview of IT and security. Further complicating matters, there is no one department or person to be accountable when the website is compromised. This makes it hard for security teams to detect a compromise via third-party code and easier for malware to evade traditional security tools. In the absence of ownership, the CISO is blamed.

2.  Malware is getting more evil

Bad actors continue to hone their malware delivery techniques. They use malicious code to fingerprint or steal information to develop a device profile which can be used to evade detection by security research systems and networks. Furthermore, web-based malware can also remain benign in a sandbox environment or be dormant until triggered to become overt at a later date.

3. You’re afraid of everyone’s website…but your own

You know the perils of the internet and have adopted various strategies to protect your network from the evils of world wide web. From black and white listing to firewall monitoring and ad blocking, these defenses help guard against intrusion. But what about your website?

As previously stated, everyday web-enablement programs such as a video platform or content recommendation engine operate outside the IT infrastructure. The more dynamic and function rich your website is, the more you are at risk of a breach from third-party vendor code. Below is a not so exhaustive list of apps and programs contributing third-party code:

  • RSS Feed
  • News Feed
  • Third Party Partner Widgets
  • Third Party Content MS Integrations
  • Third Party Digital Asset MS Integrations
  • Third Party ECommerce Platforms
  • Image Submission Sites
  • Ad Tags
  • Video Hosting Platform
  • Crowd Sharing Functionality
  • File Sharing Functionality
  • Customer Authentication Platforms
  • Third-Party Software Development (SD) Kits
  • Social Media Connectors
  • Marketing Software
  • Visitor Tracking Software

Stick ‘em with the pointy end

Yes, we know, what lies beyond the realm of your security team’s watchful eye is truly scary. But now that you know that your website’s third-party vendor code is a major contributor of shadow IT, you can more effectively address website security within your overall IT governance framework.

 

Guess what? Corporate websites are out of your control

Recognizing how websites and mobile apps have transformed business models

website shadow IT

Marriott. Toys R Us. Darden Restaurants. Wal-Mart. Kraft. Neiman Marcus. Dell. What do these diverse companies have in common? They are all digital publishers.

As highlighted in a recent article, Dell spends millions of dollars each year developing content for their public-facing website. From placing advertisements to writing stories about women in technology to creating informative videos, Dell recognizes the power of digital content as an important part of the sales process. And their public-facing website serves as the primary communication channel to their most valuable asset—the customer. Dell isn’t alone.

Once relegated to traditional media companies, the concept of a digital publisher has morphed to encapsulate any organization that uses digital channels to promote their business—either directly with coupons, product reviews and ecommerce capabilities or indirectly via promotional videos, polls and recipes. In effect, any firm with a digital property—website or mobile app—should consider themselves a digital publisher.

Digital content is outside your control

Digital content and the channels through which it is acquired and delivered requires a new approach to security.

High-quality, informative websites and mobile apps attract visitors, and this attention draws evildoers. Looking to capitalize on your hard-won customers and website traffic, these bad actors mine for poor web code to exploit. They redirect visitors outside your page, launch malware downloads, and steal valuable visitor data, to name a few actions that no reputable business wants. In fact, online and mobile channels are the primary vectors for malware, with 85% of all malware distributed via the web.

Securing public-facing digital properties should be easy, right? The challenge is that most of the code delivering the interactive and engaging user experience that renders on the site visitor’s browser is from a third party and therefore outside your control. As a matter of fact, third-party code makes up more than 78% of the code found on Fortune 1000 websites. Think about it. Almost every corporate website uses video, blog, talent acquisition and social media tools in addition to the standard backend data analytics and marketing platforms. Though incorporated into your website design, these third-party providers execute outside your website’s technical operation thereby minimizing your ability to control their security or activity. And they are often compromised. (Read more about third-party code providers.)

Responsibility of Securing public-facing digital properties

Viewed from a digital publisher lens, strategic business growth depends on delivering a top-notch user experience to website visitors and mobile apps users—customers and employees. Securing these digital properties means closely monitoring third-party activities to ensure they are not dropping malware, collecting unauthorized user data or negatively impacting site performance.

With digital publishing comes responsibility. Embrace it.

SEA attack is no surprise

Ecommerce website losses estimated in the millions of dollars.

Boom! There it is. As expected, someone took advantage of the holiday season to make a statement, and hacking into media and corporate brand websites is one way to get the world’s attention.

Early yesterday morning at 6:38 a.m. EST, The Media Trust was the first security company to detect a pop-up screen stating the Syrian Electronic Army (SEA) had hacked a website, first in mobile and then online environments. The ongoing, 24/7 scanning of more than 25,000 websites through our Media Scanner services allowed us to quickly detect the hack and prepare our clients for battle.

Upon detection of this pop-up message, The Media Trust’s Malware Team immediately analyzed the code and determined it stemmed from a call made by Gigya, a customer management platform used by more than 700 leading brands. The Malware Team immediately contacted affected clients so they could quickly remove and then block the malicious file, thereby helping clients avoid the time-consuming hassle of tracking down the issue’s source.

This was an indirect attack, because it compromised the DNS server at gigya.com, which is hosted by GoDaddy. The SEA did not gain access to the Gigya servers; instead they redirected Gigya’s Internet traffic to its own servers and then served a file called “socialize.js” which displayed the SEA’s message.

As with their past attacks, the SEA targeted media outlets and focused exclusively on websites and was not related to any ad content. The SEA attack did not distribute malware and was designed as an effective publicity stunt. Yet, what’s to stop them from doing something worse the next time? And, let’s be honest, even without the presence of malware, a message on an ecommerce site stating that it has been hacked, even for a few hours, results in lost transactions – those few hours translate into millions of dollars of unrecoupable revenue.

The lesson learned is that brand and corporate websites are just as vulnerable to attack as ad content. As The Media Trust cautioned in last week’s blog post, the holiday season is when the online ecosystem experiences a surge in attacks, and no business or organization is immune.

The best defense is to be on constant alert, a security posture that is difficult for most to assume. That’s why many firms leave it up to the experts to continually scan their online and mobile ecosystem. Keep in mind that The Media Trust’s Media Scanner detected this attack before Gigya. Do you want to know about your website being comprised so you can take action before the world knows? Think about it.