Putting political motivations aside, why were the Washington Post, CNN.com, Time and others recently hacked? Simply put, they extended their trust perimeter to include a third-party component without properly vetting its security. Extending trust is necessary in business, but in the immortal words of Ronald Reagan, to maintain security we must "trust but verify".
Attackers look for the weak links in an organization's security. The first weak link is the employee at a workstation, compromised through a phishing attack. The second is to avoid attacking the ultimate target directly and instead go after its technology and content "supply chain".
In this case, each media outlet had integrated the Outbrain component into its site to pull in content, so once Outbrain was compromised, every connected website was breached as well. Because these major media sites have heavy traffic and high visibility, they are an attractive target for groups like the Syrian Electronic Army (SEA) that are looking for publicity for their cause. Even if the organizations had hardened the web applications on their own sites, attacking a third-party component would still have been the SEA's best option for breaching them. Better still for the attacker, because so many sites trusted Outbrain, the SEA only had to compromise one application to breach several different sites.
It is difficult for web developers, and even for many security people, to think about the security of third-party components while building a well-functioning website; the focus is normally on delivering a positive user experience. However, small companies that supply larger organizations typically have weaker security than the primary target. By exploiting the trust the target has placed in the smaller supplier, attackers can compromise the data and code the supplier creates and the target consumes. The web is only becoming more interconnected, so this trend will continue. Most websites are an amalgamation of components and data feeds from many small organizations, so the web ecosystem that organizations use, media companies especially, is ripe for this angle of attack.
Organizations need to make sure they have defenses against phishing and web application attacks; what is new is that they must also make sure their suppliers do. Organizations such as media companies need to hold their code and content suppliers to the same standards they hold themselves to; otherwise attackers will exploit the weaker security at the suppliers. Organizations need to audit all of their websites to determine which suppliers they rely on, and then audit those suppliers. Financial services companies have done this for a long time because they are regulated: they are not allowed to transfer risk to suppliers, so their suppliers must uphold the same standards they do. The interconnectedness of the web and the attack patterns we are seeing will force other industry verticals, such as media companies, to take the same approach.
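To make the first audit step concrete, here is an added example (not code from the original post) that inventories the third-party suppliers a page depends on, grouped by origin, and flags the ones that can run code or embed a document in the page but are not on an approved-supplier list. The page URL, the HTML and every hostname in it are constructed for illustration; the approved list is an assumption the caller supplies.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Which attribute carries the loaded URL for each tag, and how much control the
# supplier gets over the page if that resource is changed under you.
RESOURCE_ATTRS = {
    "script": ("src", "executes in page context"),
    "iframe": ("src", "controls a document inside the page"),
    "link": ("href", "controls styling (stylesheet)"),
    "img": ("src", "passive content only"),
}

# Constructed sample page; all hostnames are illustrative .example names.
SAMPLE_PAGE_URL = "https://news-site.example/story/123"
SAMPLE_HTML = """
<html><head>
<link rel="stylesheet" href="/static/site.css">
<link rel="stylesheet" href="https://fonts.supplier-a.example/site.css">
<link rel="icon" href="https://cdn.supplier-a.example/favicon.ico">
<script src="/static/app.js"></script>
<script src="//widgets.content-supplier.example/recommend.js"></script>
</head><body>
<img src="https://img.supplier-b.example/logo.png">
<iframe src="https://comments.supplier-c.example/embed?site=news"></iframe>
<script src="https://analytics.supplier-b.example/tag.js"></script>
</body></html>
"""


class SupplierInventory(HTMLParser):
    """Collect every external resource a page pulls in, with its origin and impact."""

    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.first_party = urlsplit(page_url).hostname
        self.resources = []  # (tag, origin, absolute url, impact)

    def handle_starttag(self, tag, attrs):
        if tag not in RESOURCE_ATTRS:
            return
        attr_name, impact = RESOURCE_ATTRS[tag]
        attrs = dict(attrs)
        url = attrs.get(attr_name)
        if not url:
            return
        # Only stylesheet <link>s load supplier-controlled content; icons etc. are skipped.
        if tag == "link" and "stylesheet" not in (attrs.get("rel") or "").lower():
            return
        full = urljoin(self.page_url, url)  # also resolves protocol-relative "//host/..."
        parts = urlsplit(full)
        if parts.hostname is None or parts.hostname == self.first_party:
            return  # first-party resource, not a supplier
        self.resources.append((tag, f"{parts.scheme}://{parts.hostname}", full, impact))


def third_party_suppliers(html, page_url):
    """Map each third-party origin to the (tag, url, impact) resources loaded from it."""
    parser = SupplierInventory(page_url)
    parser.feed(html)
    by_origin = {}
    for tag, origin, url, impact in parser.resources:
        by_origin.setdefault(origin, []).append((tag, url, impact))
    return by_origin


def unvetted_suppliers(html, page_url, approved):
    """Origins that can run code or embed a document in the page and are not on the
    approved list (an assumed input); these are the ones to audit first."""
    flagged = {}
    for origin, items in third_party_suppliers(html, page_url).items():
        active = [url for tag, url, _ in items if tag in ("script", "iframe")]
        if active and origin not in approved:
            flagged[origin] = active
    return flagged


if __name__ == "__main__":
    for origin, items in third_party_suppliers(SAMPLE_HTML, SAMPLE_PAGE_URL).items():
        for tag, url, impact in items:
            print(f"{origin:45} {tag:7} {impact:40} {url}")
    print("unvetted:", unvetted_suppliers(SAMPLE_HTML, SAMPLE_PAGE_URL,
                                          {"https://widgets.content-supplier.example"}))
```

A static parse like this only sees what is in the served HTML; a supplier script that loads further scripts or iframes at run time (exactly the kind of component the post describes) will not show up until the page is rendered, so a real audit should also crawl each site with a browser and record the network requests it makes. Either way, the output is a supplier list that can be checked against contracts and security reviews, and any origin that can execute code in the page but has never been vetted is the first place to look.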
We recommend that organizations perform a complete risk assessment of every component of a website, whether it is built by the organization, built by a third party, or, in the worst case, built by a third party that also controls the content it delivers, as in the Outbrain case. Trust but verify.