Kalev Leetaru
I write about the broad intersection of data and society. Opinions expressed by Forbes Contributors are their own.
As the cyber landscape has evolved, so too have its targets, from governments and large corporations to the smallest local website. From the early days of the modern web, when trust was the norm, encryption and security were rare and bad actors were few, to the active cyber war zone of today, companies and private individuals must maintain constant cyber vigilance. In particular, as websites increasingly transform from static HTML pages into ever more complex, dynamic, data-driven online platforms with backend databases, support files drawn from across the web and powerful CMS systems, security has never been more important. Yet few site owners, especially small businesses, have the experience and expertise to build truly hardened, robust, security-first websites.
Thus, my interest was piqued last week when I received a call out of the blue from someone identifying themselves as a Network Solutions employee who said the company conducts security scans of all of the websites it hosts on a regular basis and that its scans had flagged one of my websites they host as being at high risk of malware infection and that if it was compromised it would be shut down without notice. Immediately suspicious this was a phishing attempt, I asked the person for more detail to identify themselves and specifically what about my site had been flagged as high risk and what the recommended next steps were. The person said they could tell me only that my site had triggered one of 500 different indicators they check for, but could provide no additional detail and as for next steps, I was told to contact a web developer for advice before my site became infected and shut down and the person abruptly ended the call.
There I sat, assuming the call must have been a poorly executed phishing attempt, yet the odd part was that the person didn’t ask for any information or try to convince me to access a particular website or subscribe to a particular service; they simply told me my site was at high risk of being infected with malware and ended the call. They couldn’t tell me even the slightest detail about what specifically triggered their alert, and given both that I had not edited that site in many months and that the person claimed they scanned sites on an ongoing basis and this alert had just been triggered, I assumed that whatever the issue was, it must be something new that had just happened, and feared that if the call was genuine, perhaps my site had just been hacked.
This particular site consists of just a single static HTML page with a few images and a few locally hosted CSS, font and JavaScript files: a run-of-the-mill self-contained single-page informational website. Thus, there was no CMS such as WordPress that enabled external access to the site; the only way any of the files could be edited was by securely logging into the hosted server environment. After logging in, downloading a mirror copy of the entire site, confirming that none of the files had changed in any way from my last backup of the site, verifying that all were malware and virus free, and finding no obvious risk that would enable remote editing of the site, I wasn’t sure what to make of the call I had received. If it was genuine, then my site apparently had been flagged by Network Solutions as a high security risk for being compromised, yet I couldn’t see what might have been flagged as a risk given that the entire site was just a handful of routine static files and there were no CMS or other tools that could enable remote editing of the content.
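The check described above, comparing a freshly downloaded mirror of a static site against the last known-good backup, is the kind of file-integrity test that directly answers the "unauthorized modification" question the risk score gestures at. The following is an added example, not the author's own tooling: it hashes every file under a backup tree and a mirror tree with SHA-256 and reports which files were modified, added or removed. The directory layout and file contents in `demo()` are constructed sample data.

```python
import hashlib
import tempfile
from pathlib import Path


def hash_file(path: Path, chunk_size: int = 65536) -> str:
    """SHA-256 of a file, read in chunks so large assets do not load into memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(root: Path) -> dict:
    """Map each file path (relative to root, POSIX separators) to its SHA-256."""
    manifest = {}
    for p in sorted(root.rglob("*")):
        if p.is_file():
            manifest[p.relative_to(root).as_posix()] = hash_file(p)
    return manifest


def compare_manifests(baseline: dict, current: dict) -> dict:
    """Classify differences between the backup baseline and the live mirror.

    A clean site returns three empty lists; anything else is a file the owner
    did not knowingly change and should investigate.
    """
    return {
        "modified": sorted(f for f in baseline if f in current and baseline[f] != current[f]),
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
    }


def demo() -> dict:
    """Constructed sample: a backup and a mirror that differ in three ways."""
    files = {
        "index.html": b"<html><body>Hello</body></html>",
        "css/site.css": b"body { color: black; }",
        "js/app.js": b"console.log('ok');",
    }
    with tempfile.TemporaryDirectory() as tmp:
        backup, mirror = Path(tmp, "backup"), Path(tmp, "mirror")
        for root in (backup, mirror):
            for name, data in files.items():
                target = root / name
                target.parent.mkdir(parents=True, exist_ok=True)
                target.write_bytes(data)
        # Simulate changes the owner never made: one file edited, one added, one deleted.
        (mirror / "index.html").write_bytes(files["index.html"] + b"<!-- changed -->")
        (mirror / "extra.html").write_bytes(b"<html>not ours</html>")
        (mirror / "css/site.css").unlink()
        return compare_manifests(build_manifest(backup), build_manifest(mirror))


if __name__ == "__main__":
    for kind, names in demo().items():
        print(f"{kind}: {names}")
```

In practice the baseline manifest is generated once from the verified backup and stored off the host, so that an attacker who can edit the site cannot also edit the record it is compared against.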
After reaching out to Network Solutions for more information, a spokesperson confirmed that it had indeed been one of their employees who called me as part of a new service they are offering, but that the representative should have shared with me a PDF report that provided more detail about why my site was flagged and gone through potential next steps with me.
When asked about the security implications of acclimatizing its customers to receiving unsolicited phone calls out of the blue from unknown phone numbers relating to cyber security issues, the spokesperson noted that customers should see “Network Solutions” in their Caller ID (which did not occur in my case) and thus know that the call was genuinely coming from Network Solutions. When I noted that it is relatively straightforward to spoof Caller ID and thus this did not provide a strong measure of authentication, the spokesperson emphasized that this method of contact was only being used as part of this pilot service and that for other products they additionally provided electronic notification via their secure online customer portal.
The problem with a hosting company calling its customers out of the blue from unknown phone numbers without any prior notification or method of authenticating the call to inform them of security issues with their site, is that by getting customers accustomed to receiving such security calls, it increases the risk they might become more vulnerable to subsequent phishing attempts. Imagine a typical website owner who receives a legitimate call periodically from their hosting provider about a security risk on their site. These legitimate calls walk the user through logging into their portal and guiding them to particular settings or other informational screens or purchasing specific products. Now, one day they receive an identical call similarly out of the blue and the caller tells them there is an immediate issue with their site that will cause it to be shut down and to log into their customer portal and they will walk the person through some steps they need to perform or purchase a particular product that requires information like their credit card or site login details. Since the person is used to receiving security-related calls out of the blue from their web host they are more likely to fall for such a phishing attempt.
When asked whether the company considered it a security best practice to call its customers out of the blue regarding security issues and whether it believed this might result in increased phishing vulnerability, the spokesperson responded that this was “useful feedback” and that they would be reexamining their use of such calls.
The spokesperson then provided me the 4-page PDF report that I should have been provided on the original call. Titled “Network Solutions On-Demand Domain Scan,” it was generated using services from a third-party company called SiteLock. The report assessed my single-page website as having a “Medium” “likelihood of compromise” and that this was determined through a "high-level security analysis by leveraging over 500 variables to score a website's risk on a scale of low, medium and high” and that a Medium score meant that “vulnerabilities may be more difficult to exploit but could potentially lead to compromise.” The only detail of any kind offered by the report as to how it assessed my site at Medium risk was that 7% of the risk came from “Popularity: Number of visitors and overall social media presence,” 29% of the risk from “Presence of specific components” and 64% from “Site size and the number of distinct components.”
SiteLock’s spokespersons clarified that they narrowly define their “likelihood of compromise” risk score to assess the risk that one or more local files on a website will be modified without authorization or knowledge of the site owner, whether to infect them with malware, insert links to bad websites, deface pages or otherwise make unauthorized changes. They emphasized that typical vectors for such unauthorized modifications are vulnerabilities in CMS software like WordPress and that for specific cases like an older WordPress version or plugin that is known to contain a critical vulnerability, they will list that specific piece of software in their report, but that in most other cases they do not provide any technical detail on what precisely led to the elevated risk score.
However, given that my site is a single-page static website with just a handful of files and no CMS or other editing software, I noted that the only two vectors I was aware of that would enable unauthorized editing of such a site were either brute-force password guessing or a phishing attempt against me or Network Solutions to retrieve or reset that password, or a remote access vulnerability in the underlying server stack used by Network Solutions. The SiteLock representatives clarified that they do not check for or consider either password security or server vulnerabilities in their assessment and that their risk score is based exclusively on the characteristics of the site itself.
When asked how a remote attacker might then modify the files on a CMS-less single-page self-contained static website without either guessing/phishing/resetting the account password or finding a vulnerability in the server stack, a representative initially said they would work with their engineering team to send me some examples of how such a site could be compromised, but later said they would not be commenting further and did not respond to two subsequent requests for additional comment.
Similarly, when asked about the 29% of the risk score that stemmed from the “Presence of specific components,” the company said it could not comment on what specific components triggered that alert or provide any detail of any kind. When asked which of its 500 indicators triggered for my site, the company said it does not offer any detail beyond these summary categories.
When I noted that my entire site was comprised of a single web page and a handful of static files and asked how such a small site would have contributed 64% to the Medium risk score along the dimension of “Site size and the number of distinct components,” the company again said it could not comment. When asked whether this meant that every single-page website would be scored as Medium risk if a single HTML page and a few files were enough to contribute to a Medium score, the company again said it could not comment. Network Solutions similarly said it could not comment on what percent of its customers had been sent Medium or High-risk reports, citing that such information was proprietary. When asked whether all Network Solutions customers with single-page static websites had received Medium risk scores, the company again noted that it could not comment due to that information being proprietary.
SiteLock argued strongly that many website owners find these reports extremely useful and emphasized that its Medium score did not indicate that there were any actual vulnerabilities in the site, but rather that it had an elevated risk of its files being modified without authorization. When pressed again as to how a one-page website with no CMS could have its content modified without either the password being guessed/phished/reset or there being a server security vulnerability, the company stood by its assessment that such a site could be at elevated risk of unauthorized modification. When I noted this meant the company was asserting that a static site with no CMS could be subject to unauthorized modification without password guessing or a server vulnerability, the company said it would not be providing any further comment and did not respond to two subsequent requests for information as to how it saw this being possible. If a one-page static website with no CMS or other editing software installed is considered at Medium risk for unauthorized modification, it is unclear what precisely would constitute a Low score and the company declined to comment on what factors might reduce a site’s score from Medium to Low or what percent of its site assessments yield a Low score.
When asked what a company could do to reduce their risk score, Network Solutions noted that it offers two subscription monitoring services by SiteLock that scan a customer’s site each day, alert them if their site has been compromised and automatically remove selected malware from infected files. The premium offering adds several basic vulnerability scanning options including SQL injection and application scanning. When asked how a company might work to reduce their risk score from Medium to Low in the absence of any technical detail as to which of the 500 indicators were triggered for their site, and if their subscription vulnerability scans did not reveal a known vulnerability, SiteLock offered that it has a commercial professional services team that can be hired in a consulting arrangement to review a site and determine if there are any concerns with its architecture or technical design.
Network Solutions noted that this was a relatively new partnership with SiteLock to offer basic risk scanning to its customers and its spokesperson emphasized that the company does not take any adverse action against sites which score at the highest risk level. Yet, at the end of the day if a simple static one-page website is enough to trigger a Medium warning and the company declines to provide any detail as to which of its 500 indicators it considered to be the main risk factors of the site, it is unclear how a site owner might make use of this report other than to purchase one of SiteLock’s monitoring packages through Network Solutions or hire its professional services division and assume that whatever triggered the Medium score will be caught by either of these options. Given that the company declined to comment on how it saw a CMS-less static site being compromised without password guessing/phishing/reset or server vulnerability, it is unclear whether either of these options would actually help reduce the risk score to Low.
In short, SiteLock’s “Risk Assessment Score” operates as an opaque black box that offers no actionable insights as to what caused an elevated risk score or how to mitigate it. Customers who wish to understand why they have a high score or want to reduce that score are simply told to purchase a subscription to the company’s scanning software or engage its professional services team to examine their site, but that otherwise the company does not provide any detail as to how it arrived at that Medium score. The company strenuously emphasized that it believes such a score is very useful and that many companies have found it of great use to them, but declined to provide more detail as to what companies have done with that information beyond simply subscribing to SiteLock’s products.
In contrast, other cloud providers eschew abstract concepts of "risk" to focus on the more actionable issues of common website attack vectors, from XSS to SQL injection to full application fuzzing to identify more subtle vulnerabilities. These packages either perform vulnerability scans, act as firewalls to filter out common attack vectors, or both, offering detailed technical overviews of the vulnerabilities they locate and remediation strategies. Google’s free Cloud Security Scanner offers one-click fuzzing/scanning for XSS, Flash injection, mixed content and insecure library usage. The company also partners with an array of third-party scanning and firewall offerings and, according to a spokesperson, “work[s] with a number of security partners, such as Qualys, Dome9, and others, that visualize and inspect for vulnerabilities, security and compliance risks in cloud applications or services, and assist with remediation.” Similarly, Amazon offers a number of scanning and filtering products in its AWS Marketplace and its WAF service. Rather than opaque “risk” scores devoid of any context that might help a company understand how to reduce their score, these offerings focus on specific actionable technical risk factors, from outdated libraries to dangerous input assumptions to broader design vulnerabilities, and offer concrete mitigation strategies and next steps.
Why is this so important? Perhaps the greatest danger here is that if opaque cyber security “risk” warnings become as commonplace as daily SEO “website scans” and “Google ranking risk” notifications, they will essentially become spam, relegated en masse to the trash folder and causing actionable urgent security risk notifications to be lost. If website owners start to become barraged with regular calls and emails from myriad companies saying they’ve performed a free scan of their website and found serious cyber risks but can’t offer any detail on what they found - just subscribe to their services now and they’ll protect you - then instead of being treated as a legitimate business risk that should be properly resourced and mitigated, cyber security will become like SEO: an overused buzzword that goes right to spam. Moreover, by delivering such reports through unsolicited phone calls from unknown numbers out of the blue, they may actually significantly increase their customers’ phishing risk, by acclimating them to accepting out-of-the-blue phone calls as legitimate.
When it comes to risk, context is everything. If I’m a small business owner and my hosting company offers me a cyber risk report that shows my website is at elevated risk of being hacked because it is very high profile due to all the traffic it receives and that high profile sites are attractive to hackers, that is a risk factor I’m likely prepared to accept. It could be useful to some businesses to be reminded that they should monitor their sites more regularly if they are high profile, but most companies would likely place this in the acceptable risk category, given that increasing website traffic is often a goal of many companies. If the report indicates that my small business is at elevated risk because I use WordPress and that even though my site is currently fully patched and set to automatically install security updates, I should keep a watchful eye out for WordPress vulnerabilities, that may be a useful piece of information to non-technical users who may not be familiar with software patching and vulnerability alerts. Perhaps my site embeds JavaScript libraries from multiple major CDNs – it might be worth notifying me of elevated risk that one of those could go away or be corrupted, leading to parts of my site not working or the possibility of rogue code being injected into my site. If I’m embedding from leading CDNs like Google, I might accept that risk and assume that the likelihood of Google’s CDN servers being hacked is low enough to be a tolerable risk to my business. Each of these is a reasonable and useful warning depending on the technical sophistication of the website owner, but without breaking these out as explicit metrics on the report, there is no way of knowing which of the 500 indicators were triggered for my site.
On the other hand, if my site has a critical SQL injection vulnerability or uses an outdated library with known vulnerabilities that could allow an outside attacker to download my customer data right now, that would be something I would need to address immediately.
The problem is that risk reports that summarize all of these hundreds of factors into a single Low, Medium or High risk score make it impossible to know if the perceived risk may be acceptable to my business (high traffic bringing increased attention from hackers), something to consider for the future (minimizing our use of WordPress plugins and using a staging site and manual approval of production changes) or immediate danger (active SQL injection vulnerability) and thus how much attention I should pay to it.
In short, we need to separate out “future potential risk” (a high-traffic website will be a more attractive target to hackers regardless of its security posture) from “current exploitable risk” (a critical SQL injection vulnerability could be leveraged at any moment), reporting those as separate risk categories and offering customers more information about how a given risk score was determined. The major cloud vendors like Google and Amazon have focused on the latter, building tools and establishing partnerships with companies that specialize in scanning websites, identifying active vulnerabilities and providing clear, actionable mitigation paths forward. The former are also highly valuable insights to non-technical users, but such users still need contextual information to make a choice as to whether that risk is acceptable to their business. On the other hand, if cyber risk becomes a set of opaque black-box metrics that just assign a score like “Medium” without any context or detail to help a customer understand whether that elevated risk is acceptable or where the unacceptable risk is located, that transforms cyber risk from something actionable into something abstract that has no easy connection back to business operations. If, instead of a single score, such cyber risk reports had separate sections for active vulnerabilities (XSS or SQL injection issues), medium-term concerns (heavy use of a large number of WordPress plugins creating an extended attack surface that requires vigilant monitoring) and long-term considerations (high-traffic sites are attractive targets, so businesses should assess their overall security posture, from the plugins they use on their site to securing their social media accounts with two-factor authentication), they could make a real difference to many site owners, and the cost of providing such scans could be justified by hosting providers through the reduced risk profile to their networks.
In the end, improved cyber security is critical to the future of our online world and the more information we can provide website owners and ordinary users about their cyber risk profiles and concrete actionable steps they can take to protect themselves, the better we can do at ensuring a safe online experience for all.