Published: July 26, 2010
Dasient Unveils New Research on the Impact of Structural Vulnerabilities on Enterprise Websites
LAS VEGAS & PALO ALTO, Calif. - (BUSINESS WIRE) - Dasient
Inc., the leading provider of anti-malware solutions for websites
and ad networks, today released a new research report, "Structural
Vulnerabilities on Websites: Why Enterprise Websites Are Vulnerable to
Malware Attacks," which found that, across all verticals, 75 percent
of enterprises use some form of third-party JavaScript widgets, 42
percent of websites display external advertisements and up to 91 percent
run third-party web applications, many of which are outdated and
vulnerable. Findings from this new report will also be discussed during
CTO and Co-Founder Neil Daswani's Black
Hat presentation on Wednesday, July 28th on "mod_antimalware:
a novel apache module for containing web-based malware infections."
To conduct this research, Dasient ran automated, passive malware risk
assessments against the websites of Fortune 500 companies, Quantcast Top
1000 sites and other highly trafficked websites to determine which
vertical markets (publisher/media, financial, ecommerce, traditional
retail, high-tech manufacturers, travel/entertainment/leisure, consumer
packaged goods, business services, manufacturing, and healthcare) were
most at risk of having their websites infected with web-based malware
due to structural vulnerabilities. According to Dasient's report,
structural vulnerabilities fall into three categories: third-party
widgets such as polls, analytics or other sharing capabilities; external
advertisements that could be serving malicious ads (malvertising); and
third-party applications. These third-party resources are necessary for
enterprises to provide functionality to users, but they can be exploited
to distribute malware.
"In today's online world, it is highly unlikely that enterprises will
rely completely on using all their own software on their websites - they
depend on third parties to supply widgets, applications and ads to offer
functionality and interactivity for many parts of their websites," said
Daswani. "Even while maintaining high security standards for the parts
of the web site that they directly manage, many enterprises have much
less control over the security practices of these third-party providers,
offering attackers easy, backdoor access to legitimate websites. If any
of these third parties become compromised or infected, the entire
website can be turned into a vehicle for the distribution of web-based
malware, significantly damaging the enterprises' business."
Some of the key findings of Dasient's research include:
- There is an increased reliance on third-party JavaScript across all
verticals. 75 percent of websites use some form of third-party
JavaScript widgets. The highest category of vertical using widgets was
travel, entertainment and leisure at 99 percent. Publishers came in
second at 95 percent; high-tech was a close third at 94 percent; and
financial institutions at 89 percent.
- More than 4 out of 10 of all websites rely on third-party
advertising and publishers are twice as likely to use third-party ads.
Across all verticals, Dasient found that 42 percent of websites used
some third-party advertising on their sites and 82 percent of
publishers already use third-party ads. In the retail and high-tech
sectors, over 50 percent of sites used third-party ads. Surprisingly,
41 percent of financial institutions also use third-party ad-related
resources on parts of their websites where financial advice is being
exchanged among online communities.
- Many websites today are running outdated, vulnerable third-party
applications. Across all verticals, Dasient found that up to 91
percent of businesses had outdated software applications (such as
content management, blogging or shopping cart systems) powering their
websites. Three verticals were tied, at 97 percent, for having the
highest percentage of websites with outdated software applications:
consumer packaged goods, publishers and high-tech websites.
Interestingly, some of the verticals that had a lower percentage of
sites with external JavaScript or ads actually ranked higher for
having outdated applications.
Added Daswani, "Websites today are being turned into malware
distribution vehicles and when a site includes code from other places,
it naturally increases the risk and attack surface, resulting in the
creation of these significant structural vulnerabilities. The best way
to mitigate the risks from structural vulnerabilities is to monitor
websites for malware infections and automatically contain them."
As part of the report, Dasient offers the following best practices for
enterprises to protect their websites against the threat of structural
vulnerabilities:
- Vet your third-party partners. Dasient recommends that
enterprises vet third-party partners to be sure they have good
security practices in place. Determine if your third-party partner has
control over their own secure software development lifecycle (SDLC).
- Proactively monitor your website and contain malware infections. Monitoring
will help organizations find out about an infection before search
engines and customers learn about it and before the site could get
blacklisted, which would result in significant revenue and brand loss
and reputation damage. Dasient's mod_antimalware offering can strip
out infections in websites in real-time or block infected pages from
being served to users altogether.
- Prevention alone is not the solution and is not effective for
structural vulnerabilities. Dasient recommends detection and
remediation Web Anti-Malware (WAM) services that provide end-to-end
protection by monitoring websites for and automatically containing
Web-based malware infections.
Dasient is also releasing a new white paper at Black Hat this week on
mod_antimalware that discusses the importance of using a containment
technology to mitigate infections from structural vulnerabilities. To
download a copy of Dasient's mod_antimalware paper, please visit: http://info.dasient.com/mod-anti-malware.html
About Dasient
Dasient is an Internet security company that protects businesses from
web-based malware attacks. It is the first to develop a complete Web
Anti-Malware service that can monitor, automatically identify, and
quarantine malware on websites before it can infect visitors and cause a
loss of traffic, reputation, and revenue. Dasient was founded by former
Google engineers Neil Daswani and Shariq Rizvi and former McKinsey
strategy consultant Ameet Ranadive. They are backed by a group of
investors who include Floodgate, Benhamou Global Ventures, and Radar
Partners. More information about Dasient can be found at www.dasient.com
and www.twitter.com/dasient.
About Dasient WAM
The Dasient WAM services are built on a set of behavioral analysis
technologies that continually crawl customer sites and the web,
identifying new web-based malware infections. The monitoring and
diagnostic components are provided to customers as a web service, and
the quarantining technologies are made available as web server modules
that can be installed by customers or web hosting providers.

Merritt Group for Dasient
Michelle Schafer
Cell: 703-403-6377
schafer@merrittgrp.com