Last month, CSO presented findings from Skyhigh Networks, which outlined the types of risky applications that exist on a given network. The study noted that many popular applications were monitored and controlled, but lesser-known applications were given free-reign for the most part.
Answering a request from CSO, Skyhigh Networks examined data from some three million users across 100 organizations, to outline the types of risks that aren't really considered when it comes to application blocking or content filtering — this week, we're looking at tracking services.
According to Skyhigh, these services offer little value to the network, but they can create a serious vulnerability thanks to users who unknowingly provide behavioral information simply by surfing the Web. Businesses can't really block all Internet traffic, and employees will surf occasionally, perhaps more so, while on the job. Content filtering helps IT lower the amount of unproductive bandwidth usage, but it isn't foolproof.
So as users surf, the behavioral data collected (or unknowingly leaked) seems harmless, but it offers detailed mapping of the entire organization, including the sites those employees frequent. Many tracking services sell their data to third-parties, which can then be easily acquired by those with less than honest intent.
"In other words, it tells an attacker which watering holes you let your users visit," Skyhigh wrote in a research note to CSO.
"This gives the adversary a map of the sites to target for infiltration. They target the most vulnerable sites, smaller companies or blogs that dont have strict security. They plant malicious code on the watering hole site. Once the trap is laid, they simply wait for users to visit the sites they have frequented in the past."
The probably of success is higher, because the data from the tracking service confirms that the site is both allowed and frequently visited. This is the key behind any watering hole attack, and why they are widely popular for criminals using crime kits such as Black Hole, Sweet Orange, or Phoenix.
"The user's computer is assessed for the right set of vulnerabilities, and if they exist, an exploit, or a larger piece of code is delivered that will carry out the real attack. Depending on the user's access rights, the attacker can now access sensitive information in the target enterprise, such as IP, customer information, and financial data. Attackers also often use the access they've gained to plant more malware into software source code the user is developing, making the attack exponentially more threatening," the research note added.
When it comes to the types of tracking services Skyhigh has observed, Google Analytics is by far and away the most common. Rounding out the top ten, you have AddThis, ChartBeat, Gigya, Mixpanel, Clicky, KISSmetrics, Feedjit, Woopra, and GoSquared.
Of those, Skyhigh says that the riskiest services are Feedjit, AddThis, and KISSmetrics.
However, when it comes to blocking (either directly, or as part of a content filtering category), KISSmetrics is only blocked 27 percent of the time. That's interesting, because late last year, KISSmetrics settled a class-action lawsuit over complaints that they were "hacking users' computer software and browser tools to track their Internet activity without their knowledge."
AddThis, which isn't even in the top five of the most blocked tracking services, shares non-personally identifiable aggregated information with third-parties, Skyhigh said, without restriction. Yet, organizations seem to ignore this service in favor of services such as Kampyle, and Flag Counter.
This gap in filtering circles back to the original report, which pointed out that most IT departments are blocking applications based on brand popularity rather than risk. However, it could (and should) be argued that the risk is this case is larger for smaller organizations that cannot afford robust Web filtering. Also worth mentioning is the fact that some Web content filtering categories don't necessarily block everything, but only those known to the vendor, which alone can create problems.