When we think of “securing our website” from attackers, we often think of securing against hooded figures somewhere in Eastern Europe working out of a smoky office above an illegal gambling den. Not only is that probably geographically insensitive, it’s also not necessarily the threat that most deserves a spot in the risk column of your next CISO briefing.
Well, you might ask, “what should I be focusing on?” The answer: There’s a growing number of issues related to third- and fourth-party scripts running on your company website, so this is a good place to start.
Figure: Waterfall chart example.
Consider a classic webpage waterfall chart: a chart that shows which elements of your web page are loading and how long each of them takes to load. It can help answer page-optimization questions such as which elements can be reordered or combined, and which artifacts are mandatory and which can be removed.
This is the area of interest that most security teams are not looking into. And I’m not talking about page-load times — I’m talking about all of those “elements” that are loading each time a user visits your website.
Let’s look at what happens when these resources and their perceived trust are abused by attackers. In 2013, a group known as the Syrian Electronic Army (SEA) compromised a marketing and recommendation partner for three of the major news outlets in the United States. Because the scripts that were sent to these three news outlets were “trusted” as part of their marketing agreement, they were promptly loaded into every page load for every user that came to visit the sites that day. And when any user clicked on a recommended news article, they were automatically taken to the website for the SEA.
The above “hack” seems like a cool way to get people to come to your website, but what else could be pulled off using similar techniques — perhaps something more malicious? And is this still a possibility today?
There have been some solid recommendations on how to combat this problem, such as using security response headers, which communicate your security policy settings to any web browser that interacts with your website.
There are also a few sites that can scan your organization’s website for free and give you a simple scorecard to get you started on your journey to correcting the script problem. A few of them are:
Additionally, this validation and monitoring check can be implemented to run on an ongoing basis rather than as a one-off exercise.
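As an added illustration of what such a check can look like (example code, not part of the original post), the script below audits the script tags of a page against a Content-Security-Policy header and flags third-party scripts that carry no Subresource Integrity hash; the host name, policy and HTML are constructed samples.

```python
import base64
import hashlib
from html.parser import HTMLParser
from urllib.parse import urlparse
# Constructed samples: our host, a policy that lets scripts run only from our origin and one vetted partner CDN, and a page with one first-party and three third-party scripts.
SITE_HOST = "news.example"
CSP = "default-src 'self'; script-src 'self' https://cdn.partner.example"
SAMPLE_HTML = """
<script src="https://news.example/app.js"></script>
<script src="https://cdn.partner.example/recommend.js"></script>
<script src="https://cdn.partner.example/widget.js" integrity="sha384-..." crossorigin="anonymous"></script>
<script src="https://tracker.unknown.example/pixel.js"></script>
"""

class ScriptCollector(HTMLParser):
    """Collect the attributes of every <script> tag in the page."""
    def __init__(self):
        super().__init__()
        self.scripts = []
    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self.scripts.append(dict(attrs))

def script_src_sources(policy):
    for directive in policy.split(";"):
        parts = directive.split()
        if parts and parts[0] == "script-src":
            return parts[1:]
    return []

def sri_hash(script_body):
    """The value a script's integrity attribute must carry for this exact body."""
    return "sha384-" + base64.b64encode(hashlib.sha384(script_body).digest()).decode()

def audit(html, policy, site_host):
    """Flag scripts the policy would refuse and third-party scripts without SRI."""
    collector = ScriptCollector()
    collector.feed(html)
    sources, findings = script_src_sources(policy), []
    for attrs in collector.scripts:
        src = attrs.get("src")
        if not src:  # inline scripts need a nonce or hash; not audited here
            continue
        parsed = urlparse(src)
        if parsed.hostname == site_host and "'self'" in sources:
            continue
        if f"{parsed.scheme}://{parsed.hostname}" not in sources:
            findings.append(("not-in-script-src", src))
        elif "integrity" not in attrs:
            findings.append(("missing-sri", src))
    return findings
```

A script flagged as not-in-script-src is one the browser will refuse once the header is deployed, so each finding is either an unexpected script or a policy that needs updating; a missing-sri finding means a compromised partner could change that script's contents without the page noticing.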
We’re approaching the biggest time of the year for e-commerce activity – and for malicious card-skimming attacks as a result. By implementing some of these ideas, you can help make sure that this holiday season, your company may only be in the headlines for the right reasons.