The Cybersecurity Effects of Fourth-Parties on websites
What are fourth-parties on websites?
Most code today is no longer developed from scratch. It is built on open-source and off-the-shelf products, and on vendors who offer solutions that integrate with other platforms. That makes everything faster and more cost-effective. This is what created web third-parties, and as a result web fourth-parties can be found everywhere third-parties are used.
If we use your website as an example, this cuts two ways: what happens on your website, and what happens at your vendors, who have third-parties of their own. Every change at your vendors’ vendors (or even their vendors…) can easily affect your site. You cannot control it, and there is little chance that you will be able to track the modifications. The outcome can be horrific and should be a red flag for every cyber-security team out there.
But we’ll get to it later…
To begin with, let’s understand that in the user’s browser, a script is a script. Each running script can do almost anything to a web page, including loading other scripts. Yes, just like that.
In other words, even if you inserted a script from your most trusted partner, that very script can do whatever it wants on the given page. As an example, we’ll use the most popular tag manager in the world, AKA Google Tag Manager or GTM. Behind the scenes, a tag manager is a smart third-party script with “credentials” to load additional scripts onto a page or the website. In fact, we can now see that a tag manager, in this case GTM, is an organized loader of fourth-parties. But this is just one example; in the real world, every third-party can load any fourth-party it wants onto your website.
Fourth-parties by numbers
To get a more accurate view, let’s look at the numbers. An average website today uses approximately 50 to 80 third-party vendors in total. According to our data, based on the analysis of more than 4K financial and e-services sites, fourth-parties account for 30% of those on average. When we examine ecommerce sites or news sites, the ratio becomes higher, and so do the absolute numbers.
[Figure: Third- and fourth-party expansion on commercial websites 2016-2020 (prediction)]
To show how fourth-parties are used, and to demonstrate the risks they present, we’ll refer to how several advertising giants use ComScore’s media measurement and analytics tools. ComScore is an authority, and ad products are almost bound to use it. For these advertising products, ComScore is a third-party: an analytics tool for them. For your website, ComScore is a fourth-party.
Here’s another example. Let’s assume you are running a marketing site. As part of your marketing efforts, you use an embedded YouTube clip to present your product. But did you know that Google has installed a DoubleClick pixel on your website? It did so because YouTube belongs to Google, and because Google uses its advertising platform, DoubleClick, to monitor who is watching your YouTube video. So now you have a DoubleClick pixel on your website. But it doesn’t stop here. Accurate counting is also important, and for that reason you will also find anti-bot tools installed on your website, just to make sure no one is “spamming” the video or the watch count, with data gathering happening in the process.
So yes, from an “innocent” video clip, you got yourself several unattended fourth-parties that are now running on your site. This may be a legitimate example, but as a cyber-security professional you must always remember: it wasn’t your decision. And that can be a problem, especially if you consider its GDPR / CCPA implications or possible supply-chain attacks. From an end-user point of view, the third- and fourth-parties are both data processors. Furthermore, both have the same level of access, and both must be able to honour the privacy rights stated by the regulation. You, as the website security owner, need to validate that.
Those are relatively simple cases. According to what we see in our day-to-day analysis, most cases are more complex and involve a structured process of commercial data sharing. Like other supply-chain processes, without proper monitoring tools this would be almost impossible to track. The privacy and security consequences are clear cut. Be aware!
Fourth-parties on websites from cyber-security perspective
If we go back to where we started, all these “friends” are running in the user’s browser. To your servers they are indistinguishable from the user, because all of it is client-side code. In practice, a third-party vendor can load another vendor’s scripts onto a page without your users even noticing. From a cyber-security point of view, that is a very big WOW!
If you consider supply-chain attacks, the role of fourth-parties becomes clearer, and so does the need to address it as an evolving risk factor, especially for the web ecosystem. Compromising a fourth-party vendor script on YOUR site is almost equivalent to compromising your site, and for a CISO there’s a big “but” here: in most cases there is no way for cyber-security teams to monitor these new “friends” that have just settled on your site.
The point is that fourth-parties are hard to discover. From an attacker’s point of view, that is a strategy. As with third-parties, an attacker can compromise many websites through a single hub, but the extra hop also lets the same attacker hide their tracks more effectively.
How to handle your web fourth-parties and control them?
Well, while everyone today focuses on privacy regulations and deals with the uncompromising requirement to know your data processors, fourth-parties are a severe and immediate potential point of breach. Just recently, the new EBA guidelines stated that every major financial institution in the European Union should disclose its critical fourth-party vendors. For the first time, banks are required to perform due diligence on and monitor their fourth-parties. However, do they have the ability to detect them? How can financial institutions actually monitor them?
The common third-party security practice involves due-diligence processes, questionnaires, seasonal vendor surveys, penetration testing and even intelligence tools. But when it comes to fourth-parties on websites, this is hardly the case.
Now, here’s the problem with fourth-parties: these are not your vendors, these are your vendors’ vendors! Within the regular cyber-security course of business, they are hard to track. Fortunately, when it comes to websites, there are some great tools (and Reflectiz is one of them) that allow security teams to identify the presence of fourth-parties and what lies beyond them.
Once discovered, an effective cyber-security process needs to be carried out in order to avoid unnecessary fourth-party privacy and security risks. This should include adding fourth-parties to the relevant third-party due-diligence process, fourth-party tracking, technology funnel identification, and a notification mechanism that alerts on any related abnormality according to its severity. But the most important mission is first to discover your fourth-parties and to create a baseline for modification detection.
This is just a quick summary that gives you a hint of how security teams should approach fourth-parties. If you or your colleagues want to hear more, you are warmly welcome to contact us.
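The discovery-and-baseline step above, as an added example that is not part of the original post or of any Reflectiz tooling: the Node.js script walks a constructed initiator chain (which page or script caused each script to load, as a DevTools or HAR export records it) to classify every script as first-, third- or fourth-party, then diffs the result against a stored baseline so that a newly appeared fourth-party surfaces as a change. The hostnames, the sample loads and the naive two-label domain extraction are assumptions made for the example.

```javascript
// Added example: classify scripts by loader depth and diff against a baseline.
// Assumed first-party host (constructed for the example).
const SITE_HOST = "shop.example";

// Naive registrable-domain extraction (last two labels). Good enough for the
// constructed sample; a real tool should use the Public Suffix List.
function registrableDomain(url) {
  const parts = new URL(url).hostname.split(".");
  return parts.slice(-2).join(".");
}

// Constructed sample of script loads. `initiator` is the URL of the page or
// script that triggered the load, i.e. the initiator chain a browser records.
const LOADS = [
  { url: "https://shop.example/app.js", initiator: "https://shop.example/" },
  { url: "https://tags.example-vendor.com/gtm.js", initiator: "https://shop.example/" },
  { url: "https://cdn.example-measure.com/beacon.js", initiator: "https://tags.example-vendor.com/gtm.js" },
  { url: "https://bot.example-guard.com/check.js", initiator: "https://cdn.example-measure.com/beacon.js" },
];

// Walk each script back to the first-party origin, counting the distinct
// external vendors in between: depth 1 = third-party, depth >= 2 = fourth-party.
function classify(loads, siteHost) {
  const site = registrableDomain("https://" + siteHost + "/");
  const byUrl = new Map(loads.map((l) => [l.url, l]));
  const result = {};
  for (const load of loads) {
    const chain = [];
    let cur = load;
    let hops = 0;
    while (cur && hops++ < 32 && registrableDomain(cur.url) !== site) {
      const vendor = registrableDomain(cur.url);
      if (!chain.includes(vendor)) chain.push(vendor);
      cur = byUrl.get(cur.initiator); // undefined once we reach the page itself
    }
    const depth = chain.length;
    const party = depth === 0 ? "first" : depth === 1 ? "third" : "fourth";
    result[load.url] = { party, depth, chain: chain.reverse() };
  }
  return result;
}

// Compare the current inventory with a previously approved list of script URLs.
function diffAgainstBaseline(current, baselineUrls) {
  const cur = new Set(Object.keys(current));
  const base = new Set(baselineUrls);
  return {
    added: [...cur].filter((u) => !base.has(u)),
    removed: [...base].filter((u) => !cur.has(u)),
  };
}
```

Any URL in `added` whose `party` is "fourth" is exactly the unattended vendor's-vendor the text describes, and the `chain` field tells you which third-party brought it in.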