Are you managing risk from third-parties?

November, 2018
3 mins read

Business risks introduced by third parties is not new; Petya/NotPetya was a third-party attack and Dragonfly (AKA Energetic Bear/Crouching Yeti) targeted the energy sector through supply chains. The list of victims hit by third party risks will increase, so we look at what you can do to protect your business.

Compliance or a false sense of security?

Content security policies and compliance seals of approval don’t necessarily offer peace-of-mind when third-party scripts are on the page. In fact, many of the websites we’ve identified as compromised by Magecart attacks carry a logo/seal claiming to be secure, so clearly something is not working.


We looked at a random sample of ecommerce site homepages and found an average of four different third-party scripts on each. The security posture of all of these websites is reliant on the security of any one of these third parties – which demonstrates how simple it would be for an attacker to monitor high-traffic sites and choose a common denominator to economise an attack.


Simple monitoring to manage your third-party risk

File integrity monitoring is a simple and non-intrusive way to manage risk from third-party scripts. Subresource Integrity Checks (SRI) are great for enabling browsers to verify remotely that included JavaScripts are not modified from expected content – if an SRI check fails because the third-party JavaScript has been maliciously modified, it simply won’t load.  


Beyond JavaScript, think about the libraries you use, like jQuery, Dojo Toolkit and Midori, and also consider your web frameworks – are you assessing changes and monitoring vulnerabilities there? What about the third parties which enable your business to run smoothly, such as your IT services, payroll system or expenses platform – how do you monitor security and ensure they meet your standards?


Is it time to think bigger about your customers’ security?

In the Magecart attacks, JavaScript skimmers were used to capture payment card details from unsuspecting customers. In the end, it’s the card issuers who foot the huge bills for the fraud resulting from skimming attacks. If an attacker can monitor the software used across ecommerce sites for vulnerable versions, surely the organization picking up the bill can be doing this too?


Looking for vulnerabilities that will affect your customers could pay dividends, whether they’re hosted in your infrastructure or not. When next year’s Apache Struts vulnerability comes out, a quick email to your suppliers that you know are using it might be the thing that saves yours and many other people’s payroll records from landing in the wrong hands.  


Leading organizations are already doing this – Google’s Project Zero team continuously researches vulnerabilities in the technologies Google customers use because ensuring their customers are secure makes business sense to Google.  


What impacts your customers? What do they rely on? And what can you do to enhance the security of those technologies?

Accreditations & Certificates

F-Secure Consulting (F-Secure Cyber Security (Pty) Ltd) is a level 4 contributor to B-BBEE with a procurement recognition level of 100%. Learn more and download our B-BBEE certificate. Click here to read the press release.

Follow us
@fsecure_consult F-Secure-Consulting f-secure-foundry fsecurelabs