According to the Breach Level Index, 13,443,149,623 data records have been lost or stolen since 2013 with more than 3-billion records compromised just in 2018. That represents a 72 percent increase over 2017. Between cybercriminals dynamically pounding on the front door of websites and new data privacy regulations enacted, companies are being squeezed from both sides. While there have been slightly fewer data breaches reported in 2018, the take for criminals for each attack has been significantly greater. Until risk and security departments at major enterprises begin to monitor and manage 3rd-party vendors on Digital Assets, these trends will continue.
In early December, confluence of Quora and Facebook enabled user data to be siphoned without Quora’s knowledge. Just a few days surrounding this announcement, other globally recognized companies had either just suffered or were about to suffer a similar intrusion. These digital break‐ins capped a year of high‐profile breaches that seemed to be growing in frequency as the year progressed. In all these incidents, a malicious third party had gained unauthorized access to their users’ data, raising the urgency to immediately discover and remove strangers who wend their way into and around an organization’s digital assets and ecosystem.
An enterprise’s website serves as the virtual “Front Door” for clients and partners. It’s the first place customers go to when they want to learn more about an enterprise and its products and services. Of course, the end goal is to have the customer conduct a transaction that generates revenue: shop, bank, make a reservation, book a flight, etc. To encourage even more growth, enterprises continue to invest vast sums of time, money and effort in their digital assets that not only attract visitors, but also entice them to return again and again.
Rendering a highly engaging, interactive website requires key contributions from many different corporate departments and functions, including web operations, brand management, marketing, legal, IT/security, and compliance. In turn, these departments rely on a myriad of third‐party vendors to provide highly specialized web services like data analytics, tag Management, marketing automation platforms as well as services enabling video, blogs, social media, Twitter feeds, job applications, etc. While none of these vendors are security and compliance experts, they often position themselves as such. And, there is no easy way to tell whether their code can be linked to site performance or security issues. Allowing these companies to provide the only security measures would make as much sense as letting the fox guard the henhouse.
An enterprise’s expansive use of these digital third‐parties, however, results in unintended security and user-experience risks. In fact, a recent Ponemon Report title “Data Risk in the Third‐Party Ecosystem” reports that 59% of survey respondents said they experienced a data breach caused by a third‐party vendor.
And the risks associated with third‐party web services are further exacerbated by enterprises’ cross-functional approach to managing the site, where no single function can be held accountable should anything go awry. Furthermore, many key contributors to the corporate website either view security as an afterthought or lack the necessary domain expertise to know they must continuously inspect all third‐party code executing on their site. Even Application Security and IT/InfoSec departments lack oversight of these digital asset issues, because rarely, if ever, do IT managers (nor the Standards they follow) require AppSec teams to inspect, control or manage third‐party code used in their own apps or the website. However, given their experience and expertise, enterprise IT is the best fit for leading the process of securing digital assets.
Standard setters like NIST, ISO, PCI, OWASP are also to blame as they have been slow to react and mostly disregard the issue entirely. These companies do not consider third party code even though 90% of all code are supplied by third parties, many of whom are unknown to the site operators. And this lack of understanding is by no means limited to companies; it reflects a shortcoming across industries, including those who set the standards. For example, industry standards such as PCI, NIST and ISO do not require companies to know, review, and analyze all third‐party code. Nor do major credit card processors like VISA, MasterCard or American Express. Meanwhile, bad actors leverage this collection of unrecognized shortcomings and vulnerabilities to launch one attack after another. A prime example of how bad actors can successfully exploit these shortcomings are the breaches attributed to CartThief-3PC, ICEPick-3PC, and Magecart, which successfully skimmed financial, device, and personal data by compromising sites.
Appsec who’s supposed to secure the site don’t think it’s their responsibility. To thwart attacks like these, boards of directors, as well as security, IT, and compliance practitioners, must recognize their digital assets’ mostly unknown third‐party code, its preponderance and its dynamic nature. The key takeaway here is that inspecting a website’s third‐party code is not a monthly, weekly, or even daily task. It’s a continuous, 24/7 process. Subsequently, constant vigilance is required.
To make constant vigilance a reality, IT/InfoSec must take the lead in developing, implementing, and enforcing IT and vendor management policies that extend to any vendor providing third‐party/nth party services for the enterprise’s digital assets. This means companies should know their entire network of direct and indirect vendors; and they should closely and continuously watch vendor activities for any that might violate their policies. Monitoring third parties’ adherence to these policies is not a periodic but continuous process.
Finally, to minimize the risk of compromised third‐party code, enterprise IT must communicate—in real time—these policies not just across the multi‐discipline teams responsible for rendering the enterprise’s digital assets but also across the enterprise’s ecosystem of third‐party vendors. They must also have the ability to detect and alert any business partner of any policy violations and have the business processes to support the tracking and archiving of each vendor’s ongoing performance. Only by doing so will they ensure 100% vendor compliance not just to their own internal policies, but also for the number of global data privacy regulations, with GDPR being the most obvious example. Insurers are taking notice that boards don’t make security of digital assets their priority
When it comes to their digital “Front Door,” today’s enterprise must simultaneously attract and repel. Two diametrically opposed objectives that require multiple corporate functions led by one team with the objective of managing a myriad of third‐party vendors to create an unforgettable yet safe user experience. To achieve both on a continuous, 24/7 basis, enterprises must not only recognize and embrace the role of third‐party code in rendering their digital assets, but also recognize the need for 24/7 visibility and control over these vendors and their code.
by CHRIS OLSON
Digital3PC.com is an independent platform that brings together the best minds from tech, government, research, and academia to shape the future of cybersecurity policy and offer best practice solutions when responding to cyber threats. The most common access point for malware spread, data breaches, IP theft, election meddling, disinformation campaigns, and cyberwarfare is malicious third-party code (3PC) that makes its way into our websites, apps, and IoT devices. The compromise of the digital ecosystem erodes user trust and the credibility of media organizations, and undermines the integrity of our democracy, economy, and public safety.