Some of the biggest companies including Saks Fifth Avenue, Lord and Taylor, Best Buy, MyFitness Pal, and Applebees have been the victims of breaches due to third party code. Third parties provide services around content recommendation engines, ads, customer identification platforms, data management platforms, social media widgets, and video players, to name a few.
Oftentimes, these third parties turn to their own third parties to help deliver their services. When unknown third (or nth) parties become part of a website’s support structure, they can introduce more risks than they were brought in to reduce, because they lie outside of a formal IT organization’s control. Gartner predicts these “shadow IT” will be the root cause of 33% of security problems by 2020.
Throwing light on digital shadow IT
Last year, one of the world’s largest magazine publishers was shocked to find their sites were supported by over 1,000 third parties. This year, they were able to winnow down that number to 100 of the most trusted. In July 2018, random sample of 350 of The Media Trust’s publisher clients showed that each of their domains was supported by an average of 140 third parties, which provided anywhere from 50-95% of each site’s code. For the magazine publisher and those in the random sample, most of these third parties (much less their activities) were unknown to them.
Recently, The Media Trust digital security and operations team found and foiled a malware campaign that affected close to 60 major publishers whose audiences span the globe. These publishers’ trusted digital advertising partners had unknowingly served an ad with malicious code that would replace the legitimate creatives of a globally recognized brand. The code would redirect visitors to a Facebook popup informing victims that they had won a prize and encourage them to enter personally identifying information.
What sets apart this campaign from other redirects is its scale and its targets: some of the world’s most popular online publications that deal only with reputable digital partners. While the campaign was effectively halted, it spotlights the growing challenges of managing the risks third parties and their own vendors can introduce to today’s ever-more dynamic, complex digital ecosystems.
Third-party code putting companies at risk
Third parties can pose risks in several ways. First, they tend to have weaker security measures. This makes them ideal attack vectors for bad actors. The headline-grabbing breaches of Target, Equifax, Ticketmaster, and, more recently, Adidas, prove how popular third parties are to exploit because of their vulnerabilities. In this scenario, when taking on a large organization, hackers will first target a third party and use it as a gateway to enter the larger network.
Second, third party code operate outside the website operator’s cybersecurity infrastructure. Their activities, authorized or otherwise, can neither be monitored nor remediated by the publisher’s marketing and IT departments. As a result, user experience can deteriorate and erode a publisher’s topline and reputation.
However, another, more serious consequence is the unsanctioned collection of user data, which in the EU will expose the publisher to the risk of infringing the GDPR and, soon, the ePR, whose scope is expected to be broader and penalties equally stiff. In fact, the ePR could potentially override the GDPR. Non-compliance is therefore a risk, and will figure prominently in other sought-after markets like Canada, which will enforce PIPEDA later this year, and California, which recently passed the California Consumer Privacy Act.
Reining in risk
Unless they have the tools to actively monitor third party-code, website owners will likely remain unaware of the broad range of code that execute on their sites and of how unexpectedly and frequently new, unknown code appear. The ability to identify, document and authorize these ever-changing vendors is critical to properly mitigate risk. Not only do most enterprises not know the full scale of vendors executing code, but they would be surprised at the amount of consumer data collection activity, i.e., cookie drops, pixel fires, device fingerprint, etc.
Continuous monitoring from your customers’ points of view helps IT teams pinpoint how these vendors and their actions—specifically the domains executed and cookies dropped—change according to user geography, browser, or device. Collecting this type of vendor intelligence provides clear insight into third party behavior to protect customers and brand reputation from cyber threats.
Working with third parties toward strong security posture
Third-party application security is essential for today’s IT security compliance, especially now that regulations are proliferating. Even if the security risk resulted from a third-party compromise, the legal responsibility falls on the primary organization. Therefore, it is crucial that organizations take sufficient steps to manage third-party risk and ensure a safer online environment for themselves and their users.
To do that businesses need to ensure that both their systems and those that look beyond their perimeter to third and nth party codes are secure. First, they should carefully vet all third parties by conducting a risk assessment before bringing any third parties on board. Second, they should maintain a continuously updated inventory of their direct and indirect third parties. Third, they should spell out security policies and standards and use contract clauses and SLAs to enforce them. Fourth, they should follow through by conducting periodic audits of third party security measures. Finally, they should conduct continuous, real-time scanning of their websites to identify any unauthorized code and activities and then compare their findings with what is executing on their visitors’ browsers outside their firewall.
These steps will help to mitigate risk and lock out bad actors from digital ecosystems. Taking a proactive approach to cleaning up and protecting websites will improve the company’s security posture, ensure customers’ safety and protect organizations from the high, upcoming fines of the GDPR and other regulations that follow it.
About the Author:
Chris Olson co-founded The Media Trust with a goal to transform the internet experience by creating better digital ecosystems to govern assets, connect partners and enable Digital Risk Management. Chris has more than 15 years of experience leading high tech and ad technology start-ups and managing international software development, product and sales teams.