Lisa Gansky
Lisa is a security researcher and writer in New York City, serving at the Head of Digital Governance at The Media Trust.

Digital Governance 101: Beating Back Bad Actors

Bad actors are unceasingly on the hunt for vulnerabilities on websites and apps. The right tools and processes for managing third-party domains can help thwart them.

When you get behind the wheel of a car, you know there are risks. Your car could have mechanical problems—oil leaks, faulty cables, failing brakes, oh my! Then there are distracted drivers, speed demons, and other reckless types that can make driving quite the perilous experience.

Operating a website, especially for a major enterprise, is also full of risk—from internal challenges to an abundance of external threats. On average, only 5%-10% of a company’s website or app code is original, meaning ~90%-95% comes from third-party companies. That’s akin to other drivers hopping into your car and potentially distracting you (malvertising or adware), harming your passengers/customers (malware), making a mess of your upholstery (site latency), or stealing precious items (customer data, or maybe sales!).

We minimize the risks we take behind the wheel with regular inspections and maintenance, as well as defensive driving courses to prepare for unsafe behavior on the road. Just like driving, you can minimize external risks to your website. And for Security, Privacy, and Compliance Officers with best-in-class digital security programs, that starts with knowing which third parties are on their properties and what kind of tracking is being executed.

As we’re all too aware these days, the negative impacts of failing to keep track of third-party activity can lead to angry consumers, loss of revenue, damaged reputation, and sometimes even massive fines for regulatory violations—a car crash is quite the apt metaphor.

Identify the Surreptitious and Malicious

But how does one ensure that all bases are covered?

When driving, the only thing more important than your safety is that of your passenger. Every driver fears an awful fate befalling the person who trusted them to take the wheel. For an enterprise website, your customer is your passenger, and there are a lot of bad actors out there that mean to cause them harm. The headlines about enterprise website and app breaches resulting in stolen credit cards and identity theft have been way too plentiful in the last few years. Between payment fraud, skimming, and Magecart attacks, Security Professionals, Privacy Officers, and Marketers have their hands full ensuring the security of company websites and apps.

digital governance

But how does one ensure that all bases are covered?

It starts with continuous client-side surveillance of consumer-facing digital properties. Leveraging a variety of device profiles with differing geolocations and consent signals will give you an accurate, real-world idea of what your diverse customer base experiences.

App and site monitoring will also surface threat vectors, vulnerabilities, and malware infections like the dreaded Magecart—but only if your scanning partner has the most up-to-date and relevant malware data at their disposal. Employ a scanner with original-source malware data garnered from scouring the Internet for bad actors rather than a partner that relies on third-party malware lists that drive false positives. That way you can not only trust super-accurate malware data, but also communicate with the in-house malware desk and better understand why specific domains are problematic—and dangerous.

Keeping the number of overall vendors present in the page code to four or less drastically helps reduce the overall attack surface from threats such as phishing and Magecart attacks.

Too Sensitive for Third-Party Domains

Bad actors are thirsty for credit card data, so payment pages are prime targets. These kinds of sensitive pages should be limited to first-party domains and their approved tracking components where possible. Keeping the number of overall vendors present in the page code to four or less drastically helps reduce the overall attack surface from threats such as phishing and Magecart attacks. Ideally, the payment processor should be the only vendor present on the payment page.

As Domains Drift By

Unless an organization is using the open programmatic marketplace to fill ad slots, it’s unusual to see a great deal of new domains on a property month over month—what The Media Trust calls “domain drift.” Domains should fluctuate less than 1% every month, and an influx of new domains should be investigated immediately. More unknown or unauthorized domains mean a wider attack surface—far more opportunities for malware invasions, cyberattacks, or data leakage.

With the right measures in place to approve vendors before their domains are allowed on your property, you should see very minimal changes in domains month over month, and be able to quickly identify problems when domain drift is high.

Anomalous Code Begone

It happens all the time—your company stops working with a marketing platform or data management company, but a year later their beacons are still active on the flagship website, syncing data from site visitors with the vendor’s partners. Provided the opportunity, those partners will retarget your customers and likely draw them to competitor websites.

More unknown or unauthorized domains mean a wider attack surface—far more opportunities for malware invasions, cyberattacks, or data leakage.

Worst case scenario: a former vendor with code on your properties goes under and a malicious actor buys their domain to send auto-redirects or other nasty malware to your customers. We’ve seen it happen.

Avoiding these kinds of situations means instituting a process to ensure anomalous code is removed from a website or app quickly. An offboarding process for when vendor relationships end ensures you secure your business and eliminate potentially nasty surprises.

Disparate Departments Unite!

Even though danger runs rampant with driving cars, the risks seem manageable because most drivers agree to traffic laws and other rules of the road—and they look out for the safety of each other. No one wants to cause an accident, and we watch each others’ backs.

Keeping your organization and customers safe requires departments like Security, IT, Marketing, and Compliance to watch out for each other when it comes to digital governance—and that starts with inter-department communication.

Too often these departments are operating in silos—which results in decentralized vendor vetting processes, multiple tag managers, junior team members adding tracking pixels at whim, and generally poor governance that translates to pronounced attack surfaces and vulnerabilities aplenty for bad actors to exploit.

Organizations must be aware of what domains are on their website at all times, and remove (or disallow) domains that don’t generate enough value versus the risk they bring. The Media Trust recommends creating a core team responsible for vetting new partners and enforcing offboarding when the org parts ways with vendors. This team should have representatives from different divisions, including Security, Marketing, IT, and Privacy. The Security team will shoulder ultimate responsibility for implementing new site governance policies.

Most important, this core team would ensure website policies, including identifying and authorizing new vendors, are known across the company. It’s a safer road when everyone knows and follows the rules.

Look for the next entry in this series on defending against data leakage and exfiltration.