By Chris Olson, Contributor

Web-based malware: not up to code

Opinion
Nov 20, 2017 | 4 mins
Data and Information Security, Malware, Risk Management

Enterprises not actively managing this third-party digital risk face significant harm in the current regulatory environment around data compliance.


Recent website attacks shattered the misconception that only disreputable or typically blacklisted websites, such as gambling or porn sites, suffer from poor security. Throughout 2017, the media reported security incidents on numerous well-known, highly trafficked websites, including Equifax, the State of Ohio, hundreds of U.S. public school systems and numerous embassies and government entities around Washington, DC.

In spite of these high-profile attacks, companies establishing a cybersecurity program still start with textbook best practices: documenting technology needs and associated equipment, installing antivirus software, and training employees on password management. Most firms then move on to hunting for rogue devices, whether an unregistered laptop, a personal mobile device, a stray USB stick, or an employee copying files to a personal Dropbox account or external media.

While these measures are valid and necessary, one hidden miscreant remains unchallenged: unmonitored third-party code rendering on the corporate website. This digital shadow IT is not only unknown to enterprise IT but also uncontrolled. While enterprises are busy guarding against the threats that lurk on the internet, they often forget that their own website is part of the same perilous landscape.

Camouflaged web-based malware

Deciphering the genesis of such attacks first requires understanding how website code has evolved. Around the advent of the consumer internet 20 years ago, websites were predominantly made up of first-party code that was fully owned and operated by the website operator. Today the situation is flipped. The majority of website code, anywhere from 50 to 75 percent, is provided by third parties to deliver required functionality such as payment pages, marketing analytics, video hosting, interface personalization and social media widgets. Furthermore, these third parties frequently call additional fourth and fifth parties, creating a complex digital ecosystem behind everyday websites.

Digital shadow IT is an unknown and, therefore, uncontrolled risk for the enterprise. While websites have evolved radically, web application security tooling has not kept pace with the plethora of third-party code operating behind the scenes. Hence, a significant portion of today's website code runs outside the purview of IT and security departments, which means it goes unmonitored and gives threat actors the opportunity to inject malicious code. Compounding the issue, many websites rely on open source components, which can be compromised through a tampered extension or plugin or by running a version with known flaws. So, yes, even legitimate websites harbor digital shadow IT that is ripe for compromise.
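The chain described above (a page loads a third-party tag, the tag injects a fourth party, which injects a fifth) is easy to lose track of unless you map it. The following is an added example, not code from the article or from The Media Trust: it walks a constructed page and its script bodies, labels each script as first, third, fourth or fifth party by chain depth, and flags scripts from vendors nobody approved or that the page does not pin with Subresource Integrity. All hostnames, URLs, script bodies and the approved-vendor list are invented for the example, and the FETCHED map stands in for a real fetch so it runs offline.

```javascript
// Added example (not part of the article): map the script supply chain of a
// page and flag unapproved or unpinned third-party code. Everything below is
// constructed sample data; no network access is needed.

const PAGE_URL = 'https://www.example-shop.com/checkout';

// Constructed corpus: what each URL would return if fetched. The page
// includes a vendor tag, the tag injects a fourth party, and that injects a
// fifth. Hostnames are invented.
const FETCHED = {
  'https://www.example-shop.com/checkout': `
    <html><head>
      <script src="/static/app.js"></script>
      <script src="https://cdn.example-shop.com/lib/ui.js"
              integrity="sha384-AAAA" crossorigin="anonymous"></script>
      <script src="https://tag.adsvendor-example.net/tag.js"></script>
      <script src="https://widgets.social-example.org/share.js"
              integrity="sha384-BBBB" crossorigin="anonymous"></script>
    </head><body>...</body></html>`,
  'https://www.example-shop.com/static/app.js': `console.log('app');`,
  'https://cdn.example-shop.com/lib/ui.js': `/* ui */`,
  'https://widgets.social-example.org/share.js': `/* share */`,
  'https://tag.adsvendor-example.net/tag.js': `
    var s = document.createElement('script');
    s.src = 'https://pixel.retarget-example.com/p.js';
    document.head.appendChild(s);`,
  'https://pixel.retarget-example.com/p.js': `
    (function(){ var t=document.createElement('script');
      t.src="https://cdn.unknown-example.xyz/v2/collect.js";
      document.body.appendChild(t); })();`,
  'https://cdn.unknown-example.xyz/v2/collect.js': `/* opaque */`,
};

// Vendors the security team has actually reviewed (constructed list).
const APPROVED_VENDORS = new Set([
  'tag.adsvendor-example.net',
  'widgets.social-example.org',
]);

// Naive registrable-domain heuristic (last two labels). Fine for the sample
// data; a real tool should use the Public Suffix List.
function site(hostname) {
  return hostname.split('.').slice(-2).join('.');
}

// External scripts referenced by an HTML document, with their SRI status.
function scriptsInHtml(html, baseUrl) {
  const out = [];
  const tagRe = /<script\b([^>]*)>/gi;
  let m;
  while ((m = tagRe.exec(html)) !== null) {
    const src = /\bsrc\s*=\s*["']([^"']+)["']/i.exec(m[1]);
    if (!src) continue; // inline script: no external dependency
    const pinned = /\bintegrity\s*=\s*["'][^"']+["']/i.test(m[1]);
    out.push({ url: new URL(src[1], baseUrl).href, pinned, dynamic: false });
  }
  return out;
}

// Scripts a JavaScript body injects at runtime. Only the common
// `el.src = '...'` idiom is caught; obfuscated loaders need a headless
// browser, not a regex.
function scriptsInJs(js, baseUrl) {
  const out = [];
  const re = /\.src\s*=\s*(["'])([^"']+)\1/g;
  let m;
  while ((m = re.exec(js)) !== null) {
    out.push({ url: new URL(m[2], baseUrl).href, pinned: false, dynamic: true });
  }
  return out;
}

const PARTY = ['first', 'second', 'third', 'fourth', 'fifth', 'sixth'];

// Breadth-first walk from the page. A script found at chain depth d below the
// page is a (d+2)-th party unless it is served from the page's own site.
function mapSupplyChain(pageUrl, fetched) {
  const firstPartySite = site(new URL(pageUrl).hostname);
  const seen = new Map();
  const queue = [{ url: pageUrl, depth: 0, isHtml: true }];
  while (queue.length) {
    const { url, depth, isHtml } = queue.shift();
    const body = fetched[url];
    if (body === undefined) continue; // not in corpus: treat as opaque leaf
    const refs = isHtml ? scriptsInHtml(body, url) : scriptsInJs(body, url);
    for (const ref of refs) {
      if (seen.has(ref.url)) continue;
      const host = new URL(ref.url).hostname;
      const firstParty = site(host) === firstPartySite;
      seen.set(ref.url, {
        url: ref.url,
        host,
        loadedBy: url,
        depth: depth + 1,
        party: firstParty ? 'first' : (PARTY[depth + 2] || `${depth + 2}th`),
        pinned: ref.pinned,
        dynamic: ref.dynamic,
        approved: firstParty || APPROVED_VENDORS.has(host),
      });
      queue.push({ url: ref.url, depth: depth + 1, isHtml: false });
    }
  }
  return [...seen.values()];
}

// What a reviewer would act on: code from vendors nobody approved, and
// non-first-party code the page does not pin with Subresource Integrity.
function findings(chain) {
  return chain
    .filter((e) => !e.approved || (e.party !== 'first' && !e.pinned))
    .map((e) => ({
      url: e.url,
      party: e.party,
      issue: !e.approved ? 'unapproved vendor (digital shadow IT)'
        : e.dynamic ? 'injected at runtime, cannot be pinned by the page'
        : 'no integrity attribute',
    }));
}

if (typeof require !== 'undefined' && require.main === module) {
  const chain = mapSupplyChain(PAGE_URL, FETCHED);
  for (const e of chain) {
    console.log(`${e.party.padEnd(6)} depth=${e.depth} pinned=${e.pinned} approved=${e.approved} ${e.url} <- ${e.loadedBy}`);
  }
  console.table(findings(chain));
}
```

On the sample corpus this reports three findings: the approved ad tag loads without an integrity attribute, and both the retargeting pixel and the fifth-party collector it pulls in are vendors nobody approved, reached only through the ad tag. Against live pages the same idea is run continuously with a headless browser rather than regexes, direct includes are pinned with SRI, and the approved list is enforced in a Content-Security-Policy script-src directive so an unapproved fourth party is blocked and reported rather than merely listed.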

Managing the unknown to stabilize digital ecosystems

The ability to manage digital shadow IT on websites and mobile apps can make the difference between weathering a high-profile attack with your brand reputation intact and not surviving it at all.

Defining and mitigating digital asset risk is one part of a comprehensive digital vendor risk management plan: an organization-wide effort to reduce the business uncertainties and legal liabilities associated with third-party vendors. The plan requires collaboration among security, risk and compliance professionals to continuously monitor consumer-facing digital assets (websites, mobile apps and social media) in order to identify, analyze and govern third-party digital vendor risk. Shining a light on the enterprise digital ecosystem is the only way to control the unknown.

Enterprises that do not actively manage this third-party digital risk face significant harm in the current regulatory environment around data compliance. It is a C-level and boardroom issue, and one with serious ramifications for any company.

Chris Olson co-founded The Media Trust with a goal to transform the internet experience by creating better digital ecosystems to govern assets, connect partners and enable digital risk management. As CEO, Olson drives the company's vision, direction and growth plans. He has more than 15 years of experience leading high tech and ad technology start-ups and managing international software development, product and sales teams.

Prior to The Media Trust, Chris created an Internet-based transaction system to research, buy and sell media for TV, radio, cable, and online channels. He started his career managing equity and fixed income electronic trading desks for Salomon Brothers, Citibank and Commerzbank AG.

Chris regularly speaks about cybersecurity trends and best practices at industry events, including events hosted by the Financial, Media, and Retail & Commercial ISACs. He earned his B.S. degree in Finance and International Business from Georgetown University and Executive MBA in Finance and Information Systems from the NYU Stern School of Business.

The opinions expressed in this blog are those of Chris Olson and do not necessarily represent those of IDG Communications, Inc., its parent, subsidiary or affiliated companies.