This column is available in a weekly newsletter called IT Best Practices.
Most security products and services today are focused on protecting an organization's internal users and assets. Every enterprise has security at the perimeter as well as tools that monitor the network for malicious or aberrant behavior, and these are certainly critical measures to help prevent or stop serious data breaches.
What this approach lacks, however, is the ability to see threats that target a company's numerous websites and mobile apps. Oftentimes a company's web or mobile assets will be intentionally corrupted by hackers or inadvertently left at risk due to various vulnerabilities. For example, criminals often hack legitimate websites in order to host phishing attacks or to steal login credentials via SQL injection. Attackers plant fake mobile apps in various app stores, hoping to steal data from a company's customers as they attempt to do their business with a legitimate-looking application that is actually skimming credentials and account information.
Most large enterprises have hundreds or even thousands of branded or affiliated websites today, and mobile application assets are on the rise as well at a pace of 20 to 30 percent a year. It's easy to see how large companies are challenged to keep track of their legitimate mobile apps and web properties, police them for vulnerabilities and malware, and identify sites that may be impersonating their brand.
Here are just a few anecdotes that highlight the problem:
- A few years ago, a quarter million websites were at risk of a SQL injection attack due to a vulnerability in the underlying Ruby on Rails development framework.
- Just a few weeks ago, researchers identified a critical vulnerability they dubbed "Fake ID" in Android versions 2.1 through 4.4. The vulnerability, which deals with how apps are signed, could allow a malicious app to trick the Android security model into believing it is a trusted application and thereby gain access to special privileges.
- A recent assessment of more than 27,000 websites associated with the top 5 healthcare companies in the U.S. disclosed that 16% had broken SSL certificates and 77% contained pages that were either inactive, broken or redirecting traffic.
This list could go on and on about issues affecting organizations' web and mobile properties—two areas that are often overlooked by enterprise security programs. Security vendor RiskIQ is stepping into this space to give its customers visibility into what their customers are seeing in terms of threats and other problems via mobile applications or websites.
RiskIQ operates a technology platform that deploys software-based virtual users to automatically discover and inventory websites, online ads and mobile applications that are legitimately or fraudulently linked to a company or any of its brands. These virtual users and other sensors on the Internet capture information about a company's online assets and make that information available to the company's security team. This team can then see how everything is visually displayed, how the pages render to end users, and if there are any malware, scams or other threats inside that network traffic.
The information about a company's own web properties is enhanced with global Internet threat intelligence and analytics so the company can get a broader picture of how those threats affect the assets the company is responsible for.
As an example, consider phishing attacks. An e-commerce merchant might discover that a fraudulent website is spoofing its brand and hosting malware that will be dropped on consumers' computers if they visit that fake website. RiskIQ's global intelligence can tell that organization that the same phishing campaign is also affecting three other companies at the same time. RiskIQ can provide all four companies the information necessary to join forces to take down the phishing properties and to go to law enforcement with a case for indictment of the criminal behind the attacks.
While threat intelligence is important, simply building an accurate inventory of the websites and mobile apps a company owns is also quite valuable to CISOs. In a large enterprise, new websites and mobile apps can be developed by numerous internal and third-party groups, and the CISO isn't typically the first person to know about a new asset. RiskIQ's virtual user technology will alert the CISO to new inventory and new infrastructure that RiskIQ believes belongs to the organization.
RiskIQ's online monitoring extends to more than 70 mobile app stores. It's this feature that is of high value to the director of cyber intelligence for a large U.S.-based financial institution. He's using RiskIQ services to monitor online stores for mobile apps that potentially affect the bank's customers. "We saw what was happening out there where illegitimate apps were getting loaded on stores and these apps had the potential to impersonate the bank, use our trademark and service marks or name to drive traffic to their site or app, and in the worst case, steal customer access credentials," says the cyber intelligence director. "I didn't want those apps out there that were potentially targeting our customers to perpetrate fraud and we got pretty aggressive about taking them down after RiskIQ discovered them for us."
This same director uses RiskIQ's discovery services to help him find legitimate applications published by the bank or its affiliates, but which failed to go through the bank's official application validation process required by regulators. "We have an extensive internal process of vulnerability checks as well as compliance, legal and continuity of business testing," says the director. "From time to time we come across one of the bank's mobile apps that has been published without going through our internal checkout process. Perhaps the app was created by a department or third party that was unaware of the formal controls we have. RiskIQ has been very effective in identifying these apps so that we can work with the internal businesses to make sure they go through the process."
The director cites another case in which the bank was able to identify questionable marketing practices in some of the online referral programs it operates with affiliate marketers. One affiliate was violating the bank's terms of agreement and was fraudulently collecting commissions from the bank. RiskIQ turned up the information that helped the bank discover the fraud and supported the process of recovering approximately $650,000 in commissions that should never have been paid.
RiskIQ also helps in determining the operational health of websites. Is a site responsive? Does it have the proper SSL certificates? Is it requesting credentials or other information in form fields appropriately? This kind of operational information is important for managing the experience that users have when they interact with a website.
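One of the operational checks described above, whether a page requests credentials appropriately, can be illustrated with a small scanner. The following is an added example written for this column, not RiskIQ's code: it parses a page's HTML (a constructed sample is embedded), finds every form that collects a password, and flags forms that would post the credentials over plain HTTP or to a host outside an assumed list of the brand's own hostnames.

```python
"""Flag credential forms that post insecurely or to an off-brand host.
Added illustration, not vendor code; hostnames below are constructed."""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit


class _FormScanner(HTMLParser):
    """Collect (action, has_password_field) for every <form> on the page."""

    def __init__(self):
        super().__init__()
        self.forms = []      # each entry is a mutable [action, has_password]
        self._current = None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self._current = [a.get("action") or "", False]
            self.forms.append(self._current)
        elif tag == "input" and self._current is not None:
            if (a.get("type") or "").lower() == "password":
                self._current[1] = True

    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None


def audit_credential_forms(page_url, html, brand_hosts):
    """Return [(resolved_action_url, [issues])] for forms with a password
    field. Issues: 'cleartext' if the action is not https, 'off-brand' if
    the action host is not one of brand_hosts (the company's own hosts)."""
    scanner = _FormScanner()
    scanner.feed(html)
    findings = []
    for action, has_password in scanner.forms:
        if not has_password:
            continue                      # search boxes etc. are not in scope
        target = urlsplit(urljoin(page_url, action))  # relative -> absolute
        issues = []
        if target.scheme != "https":
            issues.append("cleartext")
        if target.hostname not in brand_hosts:
            issues.append("off-brand")
        findings.append((target.geturl(), issues))
    return findings


# Constructed sample: one legitimate login form, one that posts credentials
# over HTTP to a look-alike domain, and one harmless search form.
SAMPLE_PAGE_URL = "https://www.example-bank.test/login"
SAMPLE_HTML = """
<form action="/auth" method="post"><input name="user">
  <input type="password" name="pw"></form>
<form action="http://example-bank-secure.test/login" method="post">
  <input type="password" name="pw"></form>
<form action="/search"><input name="q"></form>
"""
BRAND_HOSTS = {"www.example-bank.test"}

if __name__ == "__main__":
    for url, issues in audit_credential_forms(SAMPLE_PAGE_URL, SAMPLE_HTML, BRAND_HOSTS):
        print(url, issues or "ok")
```

Forms submitted by JavaScript rather than a plain action attribute are not covered; the scanner only sees what is in the static HTML.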
Large enterprises tend to have extensive portfolios of customer-facing websites and mobile applications. The RiskIQ platform helps companies keep track of what they have and manage the threats against those properties and the experiences end users have.