Concerned about keeping your analytics-derrived strategy safe? When planning security for said strategy, a description of your security plan should include one of the following words: Chrome, Firefox, or Internet Explorer.
Using an update web browser can be one of the first lines of defense against a cyber-attack. Phishing attempts are learning how to attack data entry points onto the cloud - that ultimately means methods for attacking a web browser.
One attack technique is cross site scripting. Cross site scripting occurs when phishing code replaces bits of intended client-side code that instruct browsers how to render and send webpage elements. The end result is that site users input data thinking that the data is being sent to a trusted site, but in fact the data is being sent to the phishing site.
Cross site scripting used to be an arcane attack method, meant to manipulate Javascript code and insert phishing sites unsuspiciously. But with more applications and websites deploying data visualization to the cloud - with visualization from Javascript-based libraries - Javascript has become more valuable - and cross site scripting has become less arcane as a result.
Here are a few preventative tips to keep in mind, not only for reviewing analytic data in a browser but for client-side applications, particularly when data input is involved.
- The most basic step is keeping your web browsers updated - doing so can impact your analytics access. Adobe, for example, announced that it will no longer provide Adobe Analytics support for Internet Explorer 8 after April 17th, 2014. So an update can ensure that your analytics team is not distracted by browser incompatibility problems.
- Also, where applicable, update plugins associated with popular programs. Periodic update checks will eliminate vulnerabilities that take advantage of outdated or unsupported programming. Browse Happy, a site sponsored by WordPress, can check and update your browser, be it Chrome, IE, Firefox, or Opera.
- Audit if the client-side data is sensitive or proprietary. Doing so can frame the urgency of potential exposure concerns.
- Most analytic platforms are pretty well managed so that a phishing copycat of, say, Adobe Analytics, is unlikely. But it is a good practice to be familiar with an online cloud solution's badges and descriptions so that recognizing an official site over a phishing site is clear.
- Be alert for website pages which expose awkward URLs when the page is requested. That can occur on 404s for example. Unformatted URLs can be a backdoor portal for cross stripping attacks - phishers use these to append addition script to the URL to initiate the redirect.
- Understand the personnel in your organization who regularly receive email alerts. Cross stripping hackers also rely on inserting URL with nefarious scripts at the end of links in an email. Understanding who typical sends alerts regarding analytics systems can heighten awareness of fraud emails that contain suspicious links.
- Finally, make sure applications include cross scripting prevention libraries. Ask your tech team to verify measurement apps that use an HTML Sanitation library for data input and security encoding framework for scripts and supporting programming. Using an app that seen as “safe” within the organization can help eliminate possible script attacks through poorly developed apps.