To conduct this research, Dasient ran automated, passive malware risk assessments against the websites of Fortune 500 companies, Quantcast Top 1000 sites and other highly trafficked websites to determine which vertical markets (publisher/media, financial, ecommerce, traditional retail, high-tech manufacturers, travel/entertainment/leisure, consumer packaged goods, business services, manufacturing, and healthcare) were most at risk of having their websites infected with web-based malware due to structural vulnerabilities.
According to the report, structural vulnerabilities fall into three categories: third-party widgets such as polls, analytics or other sharing capabilities; external advertisements that could be serving malicious ads (malvertising); and third-party applications. These third-party resources are necessary for enterprises to provide functionality to users, but they can be exploited to distribute malware.
Some of the key findings include:
- More than 4 out of 10 of all websites rely on third-party advertising and publishers are twice as likely to use third-party ads. Across all verticals, 42 percent of websites used some third-party advertising on their sites and 89 percent of publishers already use third-party ads. In the retail and high-tech sectors, over 50 percent of sites used third-party ads. Surprisingly, 41 percent of financial institutions also use third-party ad-related resources on parts of their websites where financial advice is being exchanged among online communities.
As part of the report, Dasient offers the following best practices for enterprises to protect their websites against the threat of structural vulnerabilities:
- Vet your third-party partners to be sure they have good security practices in place. Determine if your third-party partner has control over their own secure software development lifecycle (SDLC).
- Proactively monitor your website and contain malware infections – monitoring will help organizations find out about an infection before search engines and customers learn about it and before the site could get blacklisted, which would result in significant revenue and brand loss and reputation damage.
- Prevention alone is not the solution and is not effective for structural vulnerabilities – Dasient recommends detection and remediation Web Anti-Malware (WAM) services that provide end-to-end protection by monitoring websites for and automatically containing Web-based malware infections.
“Websites today are being turned into malware distribution vehicles and when a site includes code from other places, it naturally increases the risk and attack surface, resulting in the creation of these significant structural vulnerabilities,” says CTO and Co-Founder Neil Daswani. “The best way to mitigate the risks from structural vulnerabilities is to monitor websites for malware infections and automatically contain them.”