Solved

Mitigations for tagging & aggregator sites to our site

Posted on 2016-08-04
4
113 Views
Last Modified: 2016-09-25
https://www.gobear.com.sg/
https://get.com/sg/credit-cards/
http://www.moneysmart.sg/credit-cards
https://www.singsaver.com.sg/credit-card/best-deals

Q1:
Any security risks comments on the above 'aggregator' sites will be much appreciated.

Q2:
Also, Credit Cards customers will be directed from above sites to our secure webpage:
what are the precautions to watch out for?  Any possibility of MITMA (but they are
using ssl ie https, so already mitigated against MITM?) or spoofed redirects to our page?

Q3:
We are getting external provider to do 'tagging': the external vendor will
 1.  implement tagging on above 4 sites to track the no. of leads directed : 1st tag
 2.  implement tagging at our secure site to track the no. of leads directed: 2nd tag
 3.  implement tagging at our secure site to track the no. of leads directed:  3rd tag
No passwords/credit card/PII info will be stored in above tags, what other precautions
or mitigations we have to watch out for/put in place in the above process or how
do we assess the tags & the tagging process?

Q4:
Is it crucial to have WAF at our secure site prior to implementing the above & tagging?
Is there any specific IPS signature/filter & secure coding to put in place (in case it is
prone to XSS & injections) ?

I heard in our case, the tags used are likely to be javascripts.


http://www.signal.co/resources/tag-management-101/

Above link lists some risks, so  I'll need to know if the tagging we are going to implement with
respect to the four aggregators sites will have the following issues & how to mitigate them:

•Control and Ownership: When a site owner puts third-party code on their site, control over the data collection process is ceded to the third-party provider. The more tags, the more third parties with control over the site owner’s data.

•Privacy: Multiple tags on a website put privacy at risk because third parties have access to the data collected on the site (see Control and Ownership above). Also, many brands must adapt their sites to comply with privacy regulation across markets and geographies which becomes increasingly difficult when data collection is in the hands of third parties.

•Data loss: Sometimes tags fail to fire. For every failed tag, data is not collected and revenue opportunities may be lost.

•Piggybacking: It is possible for tags to be chained together through a process called “piggybacking.” This enables tags to be appended to existing tags already in place on the website without making any changes to the page code. Piggybacking can add dozens of tags to a site and introduce services that the site owner may not be aware are on the site. Read more about the history of tags, tag containers and piggybacking on the “History of Tags” page of our website. Control and Ownership: When a site owner puts third-party code on their site, control over the data collection process is ceded to the third-party provider. The more tags, the more third parties with control over the site owner’s data.
0
Comment
Question by:sunhux
  • 2
4 Comments
 
LVL 12

Expert Comment

by:William Nettmann
Comment Utility
Wow, you certainly want a lot of free consulting! I would suggest a Gig, but you have indicated that wouldn't be acceptable.

Would you be prepared to do all the research and reporting to answer all of those questions for a small piece of a tee-shirt?
0
 

Author Comment

by:sunhux
Comment Utility
EE first started free, then it went to about US$10 per month & now more, so it's not exactly free
0
 
LVL 12

Accepted Solution

by:
William Nettmann earned 250 total points
Comment Utility
That may well be, but please understand that the people answering the questions do not get paid - we get the occasional free tee-shirt.

If you answer a few questions and earn 3000 points a month, you will have free access to ask as many questions as you need to - I guess that is where the idea of Experts EXCHANGE comes in, it is a platform for exchanging information.

I am seriously considering giving up being an "expert" on EE because so many people see me as a free resource, and when people don't pay for something, they consider it worthless - and I do not believe I am worthless, and I am sure worth more than a free tee-shirt now and again.

If you attach any value to the answers to your questions (and you have a whole lot of them in this post) - you should be prepared to pay a bit for them, either by answering other people's questions, or offering a few hundred dollars for someone to do the research and write a report as a Gig.

If the question meets any of the criteria below, recommend it be posted as a project in Gigs:

The asker does not have the skills to carry out the solution provided
The asker prefers that someone else carry out the work
The question can only be solved by remotely accessing a machine
The question requires several hours of work which you can’t do for free

This " requires several hours of work which you can’t do for free".
1
 
LVL 108

Assisted Solution

by:Ray Paseur
Ray Paseur earned 250 total points
Comment Utility
I recommend Gigs.  I see from the question that you have ruled that out, and I urge you to reconsider!
0

Featured Post

Network it in WD Red

There's an industry-leading WD Red drive for every compatible NAS system to help fulfill your data storage needs. With drives up to 8TB, WD Red offers a wide array of solutions for customers looking to build the biggest, best-performing NAS storage solution.  

Join & Write a Comment

Healthcare organizations in the United States must adhere to the guidance of both the HIPAA (Health Insurance Portability and Accountability Act) and HITECH (Health Information Technology for Economic and Clinical Health Act) for securing and protec…
This paper addresses the security of Sennheiser DECT Contact Center and Office (CC&O) headsets. It describes the DECT security chain comprised of “Pairing”, “Per Call Authentication” and “Encryption”, which are all part of the standard DECT protocol.
Explain concepts important to validation of email addresses with regular expressions. Applies to most languages/tools that uses regular expressions. Consider email address RFCs: Look at HTML5 form input element (with type=email) regex pattern: T…
Sending a Secure fax is easy with eFax Corporate (http://www.enterprise.efax.com). First, Just open a new email message.  In the To field, type your recipient's fax number @efaxsend.com. You can even send a secure international fax — just include t…

772 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

11 Experts available now in Live!

Get 1:1 Help Now