External Domains: Top 5 Security Challenges
It’s no secret that the world has been digitalizing at an astonishing pace over the last few years, a trend accelerated by the ongoing COVID-19 pandemic. But while business operations like eCommerce, banking, financial services, healthcare, travel, tourism, and entertainment are being streamlined and their performance metrics optimized, they face a wide range of digital threats. One of these is the use of external domains in websites. Let’s dive into this volatile aspect and learn how to steer clear of it.
The Anatomy of the External Domain Ecosystem
Today, any online business deploys multiple digital applications such as tags and JavaScript frameworks. These applications interact with dozens of external domains to fetch and send data that gives end-users a richer experience, which has a massive impact on business metrics.
What exactly are external domains? As the name suggests, they are the third-party servers that the scripts on your website communicate with in order to make the applications installed on your website work. They might be controlled by you, but most likely they are not.
In all cases, the problem is the same – CISOs and security teams have no control over these external domains and subdomains. Yet while they are uncontrolled, they are an inherent part of your website. This core problem creates a plethora of security issues for online businesses today.
You can have a script running on your website that is loading data from an inactive external domain. If this domain is put up for sale and purchased by hackers for just a few dollars, you have a dangerous domain security threat coming your way. More often than not, these external domain threats are mishandled, giving hackers a clear path to your data and repositories.
Now that we have a more in-depth understanding of domains and particularly external domains, let’s introduce the most crucial risks that domains raise to your website.
Top 5 Domain Risks
Without further ado, let’s take a closer look at the top 5 external domain risks that your website and online business are facing at this very moment.
1. Supply Chain attack
A Supply Chain attack is any attack that uses external vendors to attack your organization. It could be a cleaning worker sent by a competitor to physically steal sensitive information, and it could be a domain that still communicates with the 3rd-party code on your website after hackers took control over it.
Traditional security measures, such as a Web Application Firewall (WAF) or Content Security Policy (CSP), can’t do much against the underlying risks these malicious domains introduce into your ecosystem: they are built to block known threats, and they can’t analyze the code and independently decide whether it is malicious or not.
In a nutshell, due to the nature of this attack vector, it’s impossible to detect such dynamic threats with a traditional reputation-based detection system.
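To make the CSP limitation concrete, here is an added example (not code from the original post) that audits a page's external scripts. It parses a CSP header, decides whether each script's host is allowed, and then checks the fetched bytes against a Subresource Integrity (SRI) hash. The point it demonstrates: CSP answers "is this host allowed?", not "is this code the code we reviewed?"; only a content hash (SRI) catches a script that changed after its host changed hands. All hostnames, the header and the script bodies are constructed for the example.

```python
import base64
import hashlib
from urllib.parse import urlsplit

# Constructed CSP header, as a site might send it (hostnames are placeholders).
CSP_HEADER = (
    "default-src 'self'; "
    "script-src 'self' https://cdn.example-vendor.test https://tags.example-analytics.test; "
    "connect-src 'self' https://api.example-analytics.test"
)


def parse_csp(header):
    """Return {directive: [sources]} from a Content-Security-Policy header value."""
    policy = {}
    for directive in header.split(";"):
        parts = directive.split()
        if parts:
            policy[parts[0]] = parts[1:]
    return policy


def csp_allows_script(policy, url):
    """True if script-src (default-src as fallback) lists the script's host.
    Simplified host matching: exact scheme://host, bare host, or *.wildcard.
    Keyword sources such as 'self' are skipped because we only audit external hosts."""
    sources = policy.get("script-src", policy.get("default-src", []))
    parts = urlsplit(url)
    origin = f"{parts.scheme}://{parts.netloc}"
    for src in sources:
        if src.startswith("'"):
            continue
        src_host = src.split("://", 1)[-1]
        if src_host.startswith("*."):
            if parts.hostname and parts.hostname.endswith(src_host[1:]):
                return True
        elif src == origin or src_host == parts.netloc:
            return True
    return False


def sri_attribute(content, algo="sha384"):
    """Build the integrity attribute value ('sha384-<base64 digest>') for a script body."""
    digest = hashlib.new(algo, content).digest()
    return f"{algo}-{base64.b64encode(digest).decode()}"


def verify_sri(content, integrity):
    """Check fetched bytes against an SRI attribute; several space-separated hashes may be listed."""
    for token in integrity.split():
        algo, _, expected = token.partition("-")
        if algo not in ("sha256", "sha384", "sha512"):
            continue
        actual = base64.b64encode(hashlib.new(algo, content).digest()).decode()
        if actual == expected:
            return True
    return False


def audit_scripts(header, scripts):
    """scripts: list of (url, integrity attribute or None, bytes actually served).
    Returns {url: verdict}."""
    policy = parse_csp(header)
    verdicts = {}
    for url, integrity, content in scripts:
        if not csp_allows_script(policy, url):
            verdicts[url] = "blocked by CSP"
        elif integrity is None:
            verdicts[url] = "allowed by CSP, no SRI: whatever this host serves will run"
        elif not verify_sri(content, integrity):
            verdicts[url] = "SRI mismatch: served content differs from the pinned file"
        else:
            verdicts[url] = "ok"
    return verdicts


# Constructed script bodies: the reviewed vendor file, and the same file after its host changed.
ORIGINAL = b"window.vendor = {track: function () {}}; // constructed vendor script"
TAMPERED = ORIGINAL + b"\n// bytes appended by whoever now controls the host"

SAMPLE_SCRIPTS = [
    ("https://cdn.example-vendor.test/lib.js", sri_attribute(ORIGINAL), ORIGINAL),
    ("https://cdn.example-vendor.test/plugin.js", sri_attribute(ORIGINAL), TAMPERED),
    ("https://tags.example-analytics.test/tag.js", None, ORIGINAL),
    ("https://unknown.example-abandoned.test/widget.js", None, ORIGINAL),
]

if __name__ == "__main__":
    for url, verdict in audit_scripts(CSP_HEADER, SAMPLE_SCRIPTS).items():
        print(f"{verdict:60} {url}")
```

Running the block prints one verdict per script: the pinned file passes, the changed file fails its hash, the analytics tag is allowed by CSP but completely unpinned, and the unknown host is blocked. SRI only works for static files, which is why dynamic tags (the case the text describes) usually have to be covered by monitoring rather than by a hash.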
2. Domain-Validated SSL Certificates
With your website working with dozens of domains and subdomains at any given time, SSL certificate errors start playing a key role. Any faulty domain or subdomain can lead to a security loophole that the bad guys can exploit. Today, every online business is looking at dozens of security vulnerabilities created by certificate inconsistencies and changes.
These gaps can create a Man-in-the-Middle (MITM) attack. Just like the name suggests, the hackers intercept the communications between your website and the external domains. Once this is achieved, they determine the attack surface and create malicious code to infiltrate your ecosystem.
Additionally, SSL certificate errors can lead to broken-lock issues that cause the browser to warn the user that your site is not safe, which will, inevitably, turn customers away from your website.
Certificate errors expose organizations to severe security vulnerabilities exploitable by threat actors or, at the very least, turn traffic away from your website.
3. Ex-Domain Reusage
Ex-domains are another major pain point for CISOs and organizations in general. There are more and more cross-linked domains today, creating multiple dependencies under the hood of your website while their actual status is unknown.
The problem starts whenever a domain that communicates with your site expires. It could occur because a vendor moved to a new domain and forgot to update, or it could be a typo that led to a domain that didn’t even exist in the first place. Either way, these domains may then be registered by hackers. These expired domains remain active even after they are compromised. This technique is commonly used for broadly distributed infections rather than targeted ones.
You need to be aware that your website could be using dozens of external domains right now, many of which are not even necessary for your website functionality. Regardless, these domains are constantly interacting with browsers and enable hackers to create new attack vectors. All they need to do is to take over an expired domain, and they’re in.
Once your online business has a script that is still loading information from the expired domain, it’s game over – you are hacked.
4. Bad Reputation Domains
All domains were born equal, but that soon changed due to the nature of their usage. Many domains gain a bad reputation due to reported misuse and spamming issues that have cropped up over the years. The bad reputation soon snowballs into the website being blacklisted by antivirus databases and AppSec repositories. Do you know how many bad domains and subdomains are currently affecting your website?
Also known as IP Reputation, this phenomenon is more widespread than you may think. According to the 2020 Webroot BrightCloud Threat Report, around 97% of IP addresses were found to have at least four distinct risk factors (think spam sources). Once again, traditional Application Security tools and solutions can’t uncover these issues on your website.
Your website could be wrongfully condemned by broadly used AV tools just because it communicates with a domain that was used maliciously in the past.
5. Dynamic Data Flows
As data privacy laws are getting stricter, online businesses are being held accountable for failing to apply a layered approach to digital security. Ask British Airways; they are still feeling the heat after the infamous Magecart hack in 2018. But it goes way beyond GDPR compliance in the European Union.
Nowadays, every country has its own set of privacy protection laws. This legislation is intended to protect end-users’ rights to privacy, and its basic requirement is that site owners must know, and inform their users, which vendors process or have access to PII data, since the data controller is accountable for protecting it.
There is a difference between keeping your PII data inside your region (let us say, Europe) and exporting it outside of it (to China, for example). For that reason, you need to map the domains outside of your geographic reach and validate them by informing your users about them.
Unfortunately, traditional security tools simply cannot provide any insight into where your site’s sensitive information leaks, so they cannot protect you from privacy protection violations.
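The mapping step described above can be automated from a browser-side request log. The following is an added example (not code from the original post) that walks a constructed log of outbound requests, picks out the ones carrying PII in query strings or bodies, and labels each destination as in-region, a cross-border transfer, or an undocumented recipient, using a vendor register that records where each host processes data. The hosts, regions, PII field names and requests are all assumptions made up for the example.

```python
import json
import re
from urllib.parse import parse_qs, urlsplit

# Constructed vendor register: where each external host processes data.
VENDOR_REGIONS = {
    "api.example-analytics.test": "EU",
    "pay.example-psp.test": "EU",
    "collect.example-adtech.test": "US",
}
HOME_REGION = "EU"

# Parameter names treated as PII, plus a loose e-mail pattern for values under other names.
PII_KEYS = {"email", "phone", "name", "address", "user_id"}
EMAIL_RE = re.compile(r"[^@\s]+@[^@\s]+\.[a-z]{2,}", re.IGNORECASE)

# Constructed request log captured from the browser: (method, url, body).
SAMPLE_REQUESTS = [
    ("POST", "https://pay.example-psp.test/charge", "amount=1200&email=alice@example.test"),
    ("GET", "https://collect.example-adtech.test/pixel?uid=4711&email=alice%40example.test", ""),
    ("GET", "https://api.example-analytics.test/ev?page=%2Fcheckout", ""),
    ("POST", "https://unknown.example-tracker.test/beacon", '{"name":"Alice","cart":3}'),
]


def pii_fields(url, body):
    """Names of query or body parameters that look like PII (by name or by value)."""
    params = parse_qs(urlsplit(url).query)
    if body.startswith("{"):
        try:
            params.update({k: [str(v)] for k, v in json.loads(body).items()})
        except ValueError:
            pass  # not JSON after all; ignore the body
    else:
        params.update(parse_qs(body))
    found = set()
    for key, values in params.items():
        if key.lower() in PII_KEYS or any(EMAIL_RE.search(v) for v in values):
            found.add(key)
    return found


def map_data_flows(requests, regions=VENDOR_REGIONS, home_region=HOME_REGION):
    """For every request carrying PII, report the destination host, its fields and a verdict."""
    report = []
    for _method, url, body in requests:
        fields = pii_fields(url, body)
        if not fields:
            continue
        host = urlsplit(url).hostname
        region = regions.get(host)
        if region is None:
            verdict = "undocumented recipient"
        elif region != home_region:
            verdict = f"cross-border transfer to {region}"
        else:
            verdict = "in-region"
        report.append({"host": host, "fields": sorted(fields), "verdict": verdict})
    return report


if __name__ == "__main__":
    for row in map_data_flows(SAMPLE_REQUESTS):
        print(f"{row['verdict']:32} {row['host']:32} {','.join(row['fields'])}")
```

The analytics event carries no PII and is skipped; the payment call stays in-region; the ad pixel is flagged as a transfer to the US; and the tracker that is not in the register at all is the finding a privacy review most needs to see. In practice the request log would come from a browser extension, a proxy, or a synthetic-monitoring crawl rather than a hard-coded list.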
Ongoing Digital Security Monitoring: The Only Way
It’s crystal clear that online businesses today need to reduce the risk by hosting scripts internally and not relying on external domains. But the harsh truth is that as online enterprises scale up, it becomes harder to implement. The modern website cannot operate in a vacuum if it wants to offer the end-users a smooth user experience and give businesses the ability to achieve sustainable growth.
The number of external domains per site keeps growing, and the web of connections becomes almost impossible to manage without a dedicated tool. What does this mean? You basically need to closely monitor your digital inventory, which includes all domains and subdomains that are connected to your ecosystem.
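As an added example (not code from the original post), here is a minimal version of that inventory check. It covers the three findings the earlier sections describe: a host that is not in the reviewed inventory, a host that no longer resolves (the expired or mistyped domain of section 3), and a host flagged by a reputation feed (section 4). It extracts every external host from a page, then classifies each one. The page, the inventory, the blocklist and the DNS answers are all constructed; the resolver is injectable so the example runs offline, with a real DNS lookup provided for production use.

```python
import re
import socket
from urllib.parse import urlsplit

SITE_HOST = "shop.example.test"

# Constructed sample page pulling assets from several third-party hosts.
SAMPLE_HTML = """
<html><head>
<link rel="stylesheet" href="https://fonts.example-cdn.test/site.css">
<script src="https://cdn.example-vendor.test/lib.js"></script>
<script src="https://tags.example-analytics.test/tag.js"></script>
<script src="https://widget.example-oldvendor.test/chat.js"></script>
<script src="https://static.exmaple-vendor.test/typo.js"></script>
</head><body>
<img src="/images/logo.png">
<iframe src="https://pay.example-psp.test/frame"></iframe>
</body></html>
"""

# Hosts the security team has reviewed and expects to see (constructed).
KNOWN_INVENTORY = {
    "cdn.example-vendor.test",
    "tags.example-analytics.test",
    "pay.example-psp.test",
}

# Hosts a reputation feed has flagged (constructed placeholder list).
REPUTATION_BLOCKLIST = {"tags.example-analytics.test"}

# Simulated DNS view for offline use; None means the name no longer resolves.
FAKE_DNS = {
    "cdn.example-vendor.test": "203.0.113.10",
    "tags.example-analytics.test": "203.0.113.20",
    "pay.example-psp.test": "203.0.113.30",
    "fonts.example-cdn.test": "203.0.113.40",
    "widget.example-oldvendor.test": None,   # vendor let this name lapse
    "static.exmaple-vendor.test": None,      # typo in the tag; never existed
}

_SRC_RE = re.compile(r'(?:src|href)\s*=\s*["\']([^"\']+)["\']', re.IGNORECASE)


def external_hosts(html, site_host):
    """Hosts referenced by src/href attributes that are not the site itself."""
    hosts = set()
    for url in _SRC_RE.findall(html):
        host = urlsplit(url).hostname
        if host and host != site_host:
            hosts.add(host)
    return hosts


def fake_resolver(host):
    return FAKE_DNS.get(host)


def live_resolver(host):
    """Real lookup for production use; returns None when the name does not resolve."""
    try:
        return socket.gethostbyname(host)
    except socket.gaierror:
        return None


def audit_inventory(html, site_host, inventory, blocklist, resolve=fake_resolver):
    """Return {host: [findings]} for every external host; an empty list means no finding."""
    findings = {}
    for host in sorted(external_hosts(html, site_host)):
        issues = []
        if host not in inventory:
            issues.append("not in inventory")
        if resolve(host) is None:
            issues.append("does not resolve: expired or mistyped, registrable by anyone")
        if host in blocklist:
            issues.append("flagged by reputation feed")
        findings[host] = issues
    return findings


if __name__ == "__main__":
    for host, issues in audit_inventory(SAMPLE_HTML, SITE_HOST, KNOWN_INVENTORY, REPUTATION_BLOCKLIST).items():
        print(f"{host:36} {'; '.join(issues) or 'ok'}")
```

Two caveats for real use. A name that fails to resolve is a lead, not proof of expiry (DNS outages and misconfiguration look the same), and a name that resolves fine can already be attacker-registered, which is why the "not in inventory" finding matters on its own. Run the audit on a schedule and diff its output against the last run, since the text's point is that this set of hosts changes underneath you.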