Web-based malware: not up to code


This article by Chris Olson, The Media Trust CEO, originally appeared in CSO on November 20, 2017.


Recent website attacks shattered the misconception that only disreputable or typically blacklisted websites, such as gambling or porn sites, suffer from poor security. Throughout 2017, the media reported security incidents on numerous well-known, highly-trafficked websites, including Equifax, the State of Ohio, hundreds of U.S. public school systems and numerous embassies and government entities around Washington, DC.

In spite of these high-profile attacks, when establishing a cybersecurity program, companies still start with textbook best practices, such as documenting technology needs and associated equipment, installing AVs, and training employees on password management. Then most firms move on to looking out for rogue devices – be it an unregistered laptop, a personal mobile device, a sneaky USB stick or even an employee moving files to a personal Dropbox account or saving to an external media source.

While these measures are valid and necessary, there’s one hidden miscreant that remains unchallenged: unmonitored third-party code rendering on the corporate website. This digital shadow IT is not only unknown to enterprise IT but also uncontrolled. While enterprises are busy running scared of the threats and risks that lurk on the internet, they often forget that their own website is a part of the same perilous landscape, too!

Camouflaged web-based malware

Deciphering the genesis of these attacks first requires understanding the evolution of website code. Around the advent of the consumer internet 20 years ago, websites were predominantly made up of first-party code that was fully owned and operated by the website operator. Fast-forward to today and the situation is flipped. The majority of website code—anywhere from 50-75%—is provided by third parties to deliver required functionalities such as payment pages, marketing analytics, video hosting, interface personalization, social media widgets, etc. Furthermore, these third parties frequently call additional, fourth and fifth parties, thus creating a complex digital ecosystem powering everyday websites.

Digital shadow IT is an unknown and, therefore, uncontrolled risk for the enterprise. While websites have evolved radically, web appsec solutions haven’t kept pace to fully account for the plethora of third-party code operating behind the scenes. Hence, a significant portion of today’s website code operates outside the purview of IT and security departments, which means it goes unmonitored, giving threat actors the opportunity to inject malicious code. Compounding the issue is that many websites leverage open source code, which can easily be compromised via a corrupted extension or the use of a flawed version. So, yes, even legitimate websites harbor digital shadow IT that is ripe for compromise.

Managing the unknown to stabilize digital ecosystems

The ability to manage digital shadow IT on websites and mobile apps can make the difference between surviving a high-profile attack and safeguarding your brand reputation.

Effectively, defining and mitigating digital asset risk is part of a comprehensive digital vendor risk management plan, an extensive organization-wide effort to decrease the potential business uncertainties and legal liabilities associated with third-party vendors. This plan involves collaboration among security, risk and compliance professionals to ensure continuous monitoring of consumer-facing digital assets—websites, mobile apps and social media—to identify, analyze and govern third-party digital vendor risks. Shining a light on the enterprise digital ecosystem is the only way to control for the unknown.  
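One concrete starting point for the continuous monitoring described above, and for surfacing the third-party code the earlier section says makes up most of a page, is a first-pass inventory of what a page pulls in and whether each origin is a known vendor. The script below is an added example, not code from the article or from The Media Trust; the sample HTML, the site name example.com and the vendor hostnames are constructed placeholders.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample page for a hypothetical site "example.com" (not a real page).
SAMPLE_HTML = """
<html><head>
<script src="/js/app.js"></script>
<script src="https://cdn.example.com/bundle.js" integrity="sha384-PLACEHOLDER"></script>
<script src="https://analytics.vendor-a.net/tag.js"></script>
<script src="https://widgets.unknown-party.io/embed.js"></script>
<link rel="stylesheet" href="https://fonts.vendor-b.com/style.css">
</head><body>
<iframe src="https://player.video-host.tv/embed/123"></iframe>
</body></html>
"""

# Hypothetical first-party hosts and the vendor list the security team has reviewed.
FIRST_PARTY = {"example.com", "cdn.example.com"}
APPROVED_VENDORS = {"analytics.vendor-a.net", "fonts.vendor-b.com", "player.video-host.tv"}


class ResourceCollector(HTMLParser):
    """Records every external resource a page includes directly: scripts, iframes, stylesheets."""

    def __init__(self):
        super().__init__()
        self.resources = []  # (tag, url, has_subresource_integrity)

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag in ("script", "iframe") and a.get("src"):
            self.resources.append((tag, a["src"], "integrity" in a))
        elif tag == "link" and a.get("href") and a.get("rel") == "stylesheet":
            self.resources.append((tag, a["href"], "integrity" in a))


def inventory(html, site_host, first_party, approved):
    """Classify each included resource as first-party, approved third-party, or unknown."""
    parser = ResourceCollector()
    parser.feed(html)
    report = []
    for tag, url, has_sri in parser.resources:
        host = urlparse(url).netloc or site_host  # a relative URL resolves to the site itself
        if host in first_party:
            status = "first-party"
        elif host in approved:
            status = "approved-third-party"
        else:
            status = "UNKNOWN-third-party"  # digital shadow IT: nobody signed off on this origin
        report.append({"tag": tag, "host": host, "status": status, "sri": has_sri})
    return report


def unknown_hosts(report):
    """Origins that belong to no known vendor; these are the ones to investigate first."""
    return sorted({r["host"] for r in report if r["status"] == "UNKNOWN-third-party"})


def scripts_without_sri(report):
    """Third-party scripts loaded without Subresource Integrity, so a vendor compromise flows straight through."""
    return sorted(r["host"] for r in report
                  if r["tag"] == "script" and not r["sri"] and r["status"] != "first-party")
```

A static parse only sees the resources the page references directly; the fourth- and fifth-party calls the article describes are made at runtime by those third-party scripts, so a full inventory also needs observation of the live page (for example, via a browser's network log) fed into the same classification.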

Enterprises not actively managing this third-party digital risk face significant harm in the current regulatory environment around data compliance, which could turn into a C-Level and boardroom issue that could have serious ramifications for any company.