Brands are powerful. Corporations invest significantly in them, ensuring that the image is correct and “on message” to the target demographic.
Brands are nurtured, cherished and jealously protected. Brands are often the most valuable assets of an organisation. Brands proliferate in the web presence of many organisations.
It may come as a surprise to many people that online brands may be exposed to significant risk from an attack technique known as “cross-site scripting”.
In the pure form of cross-site scripting, a malicious user provides carefully constructed input to a system that subsequently affects another innocent user accessing the same system.
The system itself, often a website, is not affected and merely acts as the messenger. The computer used by the innocent party is the target of the attack.
If an attacker can run their program on anyone’s computer, then the attacker can gain control over that computer. Cross-site scripting vulnerabilities provide attackers with the means to do just this.
Security incidents can have a serious and negative impact on customer confidence and so it is important to understand the risks to brands from this form of attack.
Among the common uses of cross-site scripting are identity theft and malware infection. Malware includes viruses, worms and software that can use the victim’s machine to send spam e-mail, often without the victim’s knowledge.
Nobody ever willingly clicks on something that reads, “Click here to have your machine infected with viruses and your online identity stolen!” However, they probably would click on a link to a well-known online presence.
These are not just theoretical risks: the exploitation of cross-site scripting vulnerabilities often plays a key part in “Phishing attacks” that are used to steal online identities.
A couple of subtleties underlie the effectiveness of cross-site scripting attacks.
The first subtlety in the attack is that although the vulnerability exists in an organisation’s online presence, the organisation is not the one that is hacked. Rather, their online presence is the unwitting party that allows proverbial “bad things” to happen to members of the public, often without the victims being aware that this is happening.
The reason such attacks are so effective is that the innocent user trusts the intermediate website as an information resource.The trust is usually based on confidence in the brand.
In essence, the bad guys are exploiting two weaknesses. One is a technical vulnerability in the online presence that, on first sight, appears a minor technical issue.
The second weakness is the trust that the public places in the brand. The damage to the brand is based on abuse of this trust and the fact that this abuse is apparently associated with a website operated by the company owning the brand.
Although the vulnerabilities are technically in the user’s browser, this is not the way a user – or the media – will see itnor is it the way it will be reflected in the publicity if a large number of customers are affected through a website.
It is instructive to use an analogy with the much older and much more widely understood threat from computer viruses. Today companies ensure that they clean mail of viruses before sending it out. A key driver for this is that giving a customer or partner a virus associates the organization with bad practice and is detrimental to the organization’s brand.
One reason that mail borne viruses are successful is that they appear to come from trusted sources. In a similar way, websites are used to distribute content and should provide protection to trusting parties.
In the same way that companies protect their customers and trading partners, and ultimately, themselves, by ensuring that e-mail is scanned for malware, brand owners should take steps to ensure that the trust that the public place when communicating with their brands cannot be exploited.
Surprisingly, it seems that for many organisations the penny still hasn’t dropped.
One reason for this is that discussion of the vulnerability has been couched largely in technical terms.
We’ll spell it out in business terms: cross-site scripting can seriously damage your brand. The users are your customers. The trust abused is their trust.
Security Matters was written by Mark Higgins of Pentest, a security company offering independent consultancy services in Europe and the US. www.pentest.co.uk