
The Interconnected Web and Shifting Target Surfaces


Take a look at what’s in your browser right now. I’ll go ahead and assume you’ve got multiple tabs open. They each display a different site, which is probably pulling in code and content from at least 3 or 4 distinct sources, maybe more, not to mention the 3rd party libraries and tools that are incorporated. Right now you are connected to and interacting with dozens of logical surfaces. For example, if I hit ‘view source’ on my logged-in Facebook page, then simply search the page for ‘.com,’ I get:
and more.

Keep that in mind for a minute.

Recently, a backdoor was discovered and removed in a downloadable ‘platform’ for serving ads called OpenX. Oh, wait, it may have been in the flowplayer video player that was incorporated into the OpenX software. At this point, you’re at least 4 levels removed from the actual user. I connect to a website (level 1), I get served ads (level 2), that use the OpenX software (level 3), that uses a 3rd party video player (level 4).

Another example is the use of legitimate cloud services for nefarious purposes. There are not only examples of cloud services simply being used as one might a physical server, but also more novel examples of attackers using Dropbox and WordPress to host and deliver malware.

This activity represents a shift in the target surface for the enterprise. Scratch that; shift is the wrong word. It’s really more of an expansion. You don’t get to stop worrying about the previously valid attack vectors. You just have to worry about new ones too. As we combine ubiquity of connectivity with the multi-layered model of delivering content above, and the ability of users to bring their own devices into the corporate network, it becomes a significant challenge for any organization to actually measure and monitor the surface on which their data is exposed to attack.
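The ‘view source’ and search for ‘.com’ exercise at the top of the post, and the measurement problem in the paragraph above, can be automated. The script below is an added example, not code from the original post: it parses a page and lists every origin the page pulls resources from, flags which ones belong to a different site than the page itself, and separates origins that deliver executable content (script, iframe, embed, object) from those that only deliver passive content such as images. The HTML it parses is a constructed sample standing in for the author’s logged-in page, and every host name in it is made up; the same-site test uses a last-two-labels approximation rather than the Public Suffix List.

```python
from collections import defaultdict
from html.parser import HTMLParser
from urllib.parse import urlparse

# Tags and attributes through which a page pulls in remote code or content.
# script/iframe/embed/object load content that can execute; the rest is mostly passive.
URL_ATTRS = {
    "script": ("src",),
    "iframe": ("src",),
    "link": ("href",),
    "img": ("src",),
    "video": ("src", "poster"),
    "audio": ("src",),
    "source": ("src",),
    "embed": ("src",),
    "object": ("data",),
}
ACTIVE_TAGS = {"script", "iframe", "embed", "object"}


def _site(host):
    """Registrable-domain approximation: the last two labels of the host.
    A production tool should use the Public Suffix List instead."""
    return ".".join(host.split(":")[0].split(".")[-2:])


class OriginCollector(HTMLParser):
    """Collects every origin the document loads resources from, keyed by the tags using it."""

    def __init__(self, page_url):
        super().__init__()
        page = urlparse(page_url)
        self.page_scheme = page.scheme
        self.page_site = _site(page.netloc.lower())
        self.origins = defaultdict(set)  # "https://host" -> {"script", "img", ...}

    def handle_starttag(self, tag, attrs):
        for name in URL_ATTRS.get(tag, ()):
            value = dict(attrs).get(name)
            if value:
                origin = self._origin(value)
                if origin:
                    self.origins[origin].add(tag)

    def _origin(self, url):
        # Protocol-relative URLs (//cdn.example/...) inherit the page's scheme.
        parsed = urlparse(url.strip(), scheme=self.page_scheme)
        if parsed.scheme not in ("http", "https") or not parsed.netloc:
            return None  # relative path (same origin), data:, javascript:, ...
        return f"{parsed.scheme}://{parsed.netloc.lower()}"


def inventory(html, page_url):
    """Parse the page and return the populated collector."""
    collector = OriginCollector(page_url)
    collector.feed(html)
    collector.close()
    return collector


def third_party_origins(html, page_url):
    """Origins outside the page's own site, sorted."""
    c = inventory(html, page_url)
    return sorted(o for o in c.origins if _site(urlparse(o).netloc) != c.page_site)


def active_third_party_origins(html, page_url):
    """Third-party origins that deliver executable content (script, iframe, embed, object)."""
    c = inventory(html, page_url)
    return sorted(
        o for o, tags in c.origins.items()
        if _site(urlparse(o).netloc) != c.page_site and tags & ACTIVE_TAGS
    )


# Constructed sample page (all hosts invented), standing in for a logged-in site's source.
SAMPLE_HTML = """
<html><head>
<link rel="stylesheet" href="//fonts.example.org/css?family=Sans">
<script src="/js/app.js"></script>
<script src="https://static.example-cdn.net/lib/widgets.js"></script>
</head><body>
<img src="https://img.socialsite.com/photo.png">
<img src="data:image/png;base64,iVBORw0KGgo=">
<iframe src="https://ads.example-adnet.com/frame?slot=1"></iframe>
<video src="https://video.example-player.io/clip.mp4" poster="https://img.socialsite.com/poster.jpg"></video>
<a href="https://other.example.com">links are not fetched automatically, so they are not counted</a>
</body></html>
"""
PAGE_URL = "https://www.socialsite.com/home"

if __name__ == "__main__":
    c = inventory(SAMPLE_HTML, PAGE_URL)
    for origin in sorted(c.origins):
        party = "same-site" if _site(urlparse(origin).netloc) == c.page_site else "THIRD-PARTY"
        print(f"{party:12} {origin:40} via {','.join(sorted(c.origins[origin]))}")
    print("active third-party:", active_third_party_origins(SAMPLE_HTML, PAGE_URL))
```

The static inventory only covers what the HTML itself references; scripts loaded from those origins can in turn load further origins (the ad platform pulling in a video player, as in the OpenX case), so the list is a lower bound that grows with each level of delegation.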

There’s no pithy conclusion at the end of this post. This is just a real, looming problem that I haven’t seen anyone really attempt to solve yet. Of course, solving problems that are merely looming is rarely profitable.
