Risk Considerations: Tracking services monitor your every move

Tracking services offer no real value to business, but they exist on networks large and small, and administrators are often unaware of them

Last month, CSO presented findings from Skyhigh Networks, which outlined the types of risky applications that exist on a given network. The study noted that many popular applications were monitored and controlled, but lesser-known applications were given free rein for the most part.

[Research shows IT blocking applications based on popularity, not risk]

Answering a request from CSO, Skyhigh Networks examined data from some three million users across 100 organizations, to outline the types of risks that aren't really considered when it comes to application blocking or content filtering -- this week, we're looking at tracking services.

According to Skyhigh, these services offer little value to the network, but they can create a serious vulnerability thanks to users who unknowingly provide behavioral information simply by surfing the Web. Businesses can't really block all Internet traffic, and employees will surf occasionally, perhaps more so, while on the job. Content filtering helps IT lower the amount of unproductive bandwidth usage, but it isn't foolproof.

So as users surf, the behavioral data collected (or unknowingly leaked) seems harmless, but it offers detailed mapping of the entire organization, including the sites those employees frequent. Many tracking services sell their data to third parties, where it can then be easily acquired by those with less than honest intent.

"In other words, it tells an attacker which watering holes you let your users visit," Skyhigh wrote in a research note to CSO.

"This gives the adversary a map of the sites to target for infiltration. They target the most vulnerable sites, smaller companies or blogs that don't have strict security. They plant malicious code on the watering hole site. Once the trap is laid, they simply wait for users to visit the sites they have frequented in the past."

The probability of success is higher, because the data from the tracking service confirms that the site is both allowed and frequently visited. This is the key behind any watering hole attack, and why they are widely popular with criminals using crime kits such as Black Hole, Sweet Orange, or Phoenix.

"The user's computer is assessed for the right set of vulnerabilities, and if they exist, an exploit, or a larger piece of code is delivered that will carry out the real attack. Depending on the user's access rights, the attacker can now access sensitive information in the target enterprise, such as IP, customer information, and financial data. Attackers also often use the access they've gained to plant more malware into software source code the user is developing, making the attack exponentially more threatening," the research note added.

When it comes to the types of tracking services Skyhigh has observed, Google Analytics is by far and away the most common. Rounding out the top ten, you have AddThis, ChartBeat, Gigya, Mixpanel, Clicky, KISSmetrics, Feedjit, Woopra, and GoSquared.

Of those, Skyhigh says that the riskiest services are Feedjit, AddThis, and KISSmetrics.


However, when it comes to blocking (either directly, or as part of a content filtering category), KISSmetrics is only blocked 27 percent of the time. That's interesting, because late last year, KISSmetrics settled a class-action lawsuit over complaints that they were "hacking users' computer software and browser tools to track their Internet activity without their knowledge."

AddThis, which isn't even in the top five of the most blocked tracking services, shares non-personally identifiable aggregated information with third parties without restriction, Skyhigh said. Yet organizations seem to ignore this service in favor of blocking services such as Kampyle and Flag Counter.

This gap in filtering circles back to the original report, which pointed out that most IT departments are blocking applications based on brand popularity rather than risk. However, it could (and should) be argued that the risk in this case is larger for smaller organizations that cannot afford robust Web filtering. Also worth mentioning is the fact that some Web content filtering categories don't necessarily block everything, but only those services known to the vendor, which alone can create problems.
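The blocking gap described above can be measured from an organization's own proxy logs. The following is an added example, not code from CSO or Skyhigh: it computes a per-service block rate and flags the services the article calls riskiest when any request to them was allowed. The log format, the sample lines and the service-to-domain mapping are assumptions made for illustration.

```python
from collections import defaultdict

# Assumed service-to-domain mapping for services the article names (verify locally).
TRACKER_DOMAINS = {
    "google-analytics.com": "Google Analytics", "addthis.com": "AddThis",
    "kissmetrics.com": "KISSmetrics", "feedjit.com": "Feedjit", "mixpanel.com": "Mixpanel",
}
HIGH_RISK = {"Feedjit", "AddThis", "KISSmetrics"}  # riskiest per the article

# Constructed sample log: "<timestamp> <user> <ALLOWED|BLOCKED> <host>"
SAMPLE_LOG = """\
2024-01-15T09:00:01 alice ALLOWED www.google-analytics.com
2024-01-15T09:00:02 alice ALLOWED cdn.addthis.com
2024-01-15T09:00:05 bob ALLOWED cdn.addthis.com
2024-01-15T09:01:10 bob BLOCKED api.mixpanel.com
2024-01-15T09:02:00 carol BLOCKED static.feedjit.com
2024-01-15T09:02:30 carol ALLOWED notaddthis.com
2024-01-15T09:03:00 alice BLOCKED t.kissmetrics.com
2024-01-15T09:03:05 bob ALLOWED t.kissmetrics.com
2024-01-15T09:03:09 malformed line
"""

def service_for(host):
    """Match the host or any parent domain, only on a label boundary."""
    labels = host.lower().rstrip(".").split(".")
    for i in range(len(labels) - 1):
        svc = TRACKER_DOMAINS.get(".".join(labels[i:]))
        if svc:
            return svc
    return None

def audit(log_text):
    """Per service: block rate, users whose requests got through, high-risk gap."""
    stats = defaultdict(lambda: {"ALLOWED": 0, "BLOCKED": 0, "users": set()})
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4 or parts[2] not in ("ALLOWED", "BLOCKED"):
            continue  # skip malformed lines
        _, user, action, host = parts
        svc = service_for(host)
        if svc is None:
            continue  # not a listed tracking service
        stats[svc][action] += 1
        if action == "ALLOWED":
            stats[svc]["users"].add(user)
    return {svc: {"block_rate": s["BLOCKED"] / (s["ALLOWED"] + s["BLOCKED"]),
                  "exposed_users": len(s["users"]),
                  "gap": svc in HIGH_RISK and s["ALLOWED"] > 0}
            for svc, s in stats.items()}
```

A service with `gap` set is one the article rates as high risk that the filter still lets through for at least one user, which is the popularity-versus-risk mismatch the report describes.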


Stories by Steve Ragan
