Watering Holes: Chief Marketing Officers, CISOs Need to Talk


Not many organizations are using their often substantial marketing budgets to protect their brands. Brand protection must include the protection of corporate web sites, because the incidence of watering hole attacks continues to climb: attackers compromise web sites and turn the brand against the very customers, partners and employees the enterprise serves.

Last year we saw a 148 percent increase in watering hole attacks, according to a Trend Micro report. They have become more common as the cyber world is inundated with the Big Five exploit kits, including Sweet Orange, Angler, Magnitude, Rig and Nuclear. Here is how ISACA defines watering hole attacks:

The term “watering hole” denotes a technique whereby end users visiting a certain web site are covertly redirected to another web site that will deliver malware to the user IT environment. First identified in 2012 by RSA, a watering hole attack typically requires considerable effort in intelligence gathering and preparation.

Given the amount of preparation required to deploy a successful attack, watering holes are often directed against larger organizations and their end users, with the intent of luring as many users as possible to the watering hole. Their comparatively expensive preparation phase means that watering holes are not normally directed against individuals or the general public.
From ISACA’s Threats and Controls Tool

When a web site is compromised it hurts the brand. The issue is no longer simply about security; it is about brand protection. To protect the brand, work must be done to insulate it from watering hole attacks. That means investing the time and money required before a web site goes live to ensure the brand is protected. This can be an expensive proposition, though it pales in comparison to many marketing department budgets, and it is substantially lower than the bill to repair a damaged brand and corporate reputation.

Unfortunately, not many companies are allocating marketing dollars toward cybersecurity with the goal of protecting their brands and web sites. What has to happen—at every enterprise—is the chief marketing officer (CMO) needs to have a conversation with the chief information security officer (CISO) about what they both will do to maintain and secure their web site to keep it from becoming a watering hole.

Both need to understand critical details around protecting the web site and the brand. Who owns the web pages? Who owns any WordPress pages? Is a contractor involved in creating or maintaining the pages? Are patches being installed? Are we instituting regular updates? Have we tested for the top OWASP vulnerabilities before the site has gone live? Do we have an incident response plan for when it turns into a watering hole? Will we need to take down part or all of our web site after an attack?

These are important questions that will require contributions from CMOs and CISOs working together to address this potentially catastrophic issue. The CMO brings substantial financial resources, along with in-depth knowledge of brand management, the company’s brand and its web pages. The CISO, of course, brings IT and cybersecurity knowledge.

Timely software updates, web application testing, network traffic detection and the use of big data analytics to correlate well-known advanced persistent threat (APT) activities can all help prevent or limit watering hole attacks. Ultimately, though, what needs to happen in organizations around the world is that CMOs wake up to reality and collaborate with their CISOs.
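The covert redirect described in the ISACA definition above leaves traces in the compromised site's own HTML: an injected script or iframe pointing at a host the site does not use, a hidden iframe, or a meta refresh to a third party. The following added example (not code from the ISACA post or the CSX tool) is a defender's content-integrity check a site owner can run against their own pages; the allowlisted host and the sample page are constructed for illustration.

```python
"""Flag injected third-party loads in a page's HTML, the hallmark of a
watering hole: off-allowlist script/iframe sources, hidden iframes and
meta-refresh redirects to hosts the site does not own."""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hosts this site is expected to load content from (constructed example).
ALLOWED_HOSTS = {"www.example-brand.test"}

# Constructed sample page: a legitimate script plus two injected elements.
SAMPLE_PAGE = """<html><head><title>Example Brand</title>
<script src="https://www.example-brand.test/js/app.js"></script>
<meta http-equiv="refresh" content="0; url=https://cdn-update.invalid/land">
</head><body><h1>Welcome</h1>
<iframe src="https://cdn-update.invalid/kit" style="display:none;width:0;height:0"></iframe>
</body></html>"""


class InjectionScanner(HTMLParser):
    """Collects (tag, reason, target) findings while parsing the page."""

    def __init__(self, allowed_hosts):
        super().__init__()
        self.allowed = set(allowed_hosts)
        self.findings = []

    def _foreign(self, url):
        # Relative URLs have no hostname and are treated as same-origin.
        host = urlparse(url).hostname
        return host is not None and host not in self.allowed

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag in ("script", "iframe") and a.get("src") and self._foreign(a["src"]):
            self.findings.append((tag, "off-allowlist source", a["src"]))
        if tag == "iframe":
            style = a.get("style", "").replace(" ", "").lower()
            if any(s in style for s in ("display:none", "width:0", "height:0")) \
                    or a.get("width") == "0" or a.get("height") == "0":
                self.findings.append((tag, "hidden iframe", a.get("src", "")))
        if tag == "meta" and a.get("http-equiv", "").lower() == "refresh":
            content = a.get("content", "")
            if "url=" in content.lower():
                target = content.split("=", 1)[1].strip()
                if self._foreign(target):
                    self.findings.append((tag, "refresh redirect", target))


def scan_html(html, allowed_hosts):
    """Return the list of suspicious findings for one page of HTML."""
    scanner = InjectionScanner(allowed_hosts)
    scanner.feed(html)
    return scanner.findings


if __name__ == "__main__":
    for finding in scan_html(SAMPLE_PAGE, ALLOWED_HOSTS):
        print(finding)
```

Run it periodically against a crawl of the live site and alert on any new finding; a sudden off-allowlist host appearing site-wide is exactly the signal the incident response plan in the questions above should be built around.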

Note: ISACA Now is running a series of blogs on the 10 threats covered in ISACA’s Cybersecurity Nexus (CSX) Threats & Controls tool. The threats include APT, cybercrime, DDoS, insider threats, malware, mobile malware, ransomware, social engineering, unpatched systems and watering hole. To learn more about the controls for cybercrime, as well as recent examples and references, typical patterns of cybercrime and more, visit the tool here.

Tom Kellermann, CISM, CEO, Strategic Cyber Ventures

[ISACA Now Blog]
