I understand why companies want to use URL shorteners such as Bitly, but can't these links redirect users to flawed...
or even malicious URLs? What ways can these shortened URLs be exposed to ensure users don't click on malicious links?
An enterprise could help minimize the risks from URL shorteners as attack vectors by using an internal URL shortener that allows branding (such as including the enterprise's website in the URL), or by using SSL in the URL shortener.
Enterprises should also ensure their custom or branded URL shortener isn't being used to create malicious short URLs by requiring authentication and performing a malware check on the URL prior to shortening.
Web applications have been abused in the past by shortened URLs due to insecure Web application security practices. The Open Web Application Security Project added unvalidated redirects and forwards to its OWASP Top Ten list in 2013 and included guidance on how to prevent a Web application from being vulnerable.
Given the large number of ways for an endpoint to get compromised, it may be more effective to first secure the endpoint itself before trying to educate users to not click on shortened links. If an enterprise wishes, it could implement an additional control that allows users to preview shortened URLs before clicking on them.
However, it's also worthwhile to include instructions for employees to not click untrusted malicious links, or to be wary of untrusted URLs as part of security awareness training. In addition, teach employees how to identify if their computer has been compromised, since even trusted URLs can be used for malicious purposes via DNS hijacking, malicious banner ads and so on.
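Two of the controls in the answer above, validating the destination before the shortener issues a short link and letting users preview where a short link really leads, are illustrated in the following added example. It is not code from the original Q&A or from any vendor's shortener; the allow-list of hosts, the `sho.rt` / `t.co` sample links and the in-memory response table are all constructed for the demonstration, and the redirect chain is walked with HEAD requests that are never auto-followed, so the preview shows every hop instead of silently landing on the final page.

```python
"""
Added example (not from the original Q&A): destination validation for an
internal URL shortener plus a short-link preview that walks the redirect
chain one hop at a time.
"""
import urllib.request
import urllib.error
from urllib.parse import urlparse, urljoin

REDIRECT_CODES = {301, 302, 303, 307, 308}

# Hypothetical allow-list: hosts the enterprise shortener may point at.
ALLOWED_HOSTS = {"example.com", "www.example.com", "intranet.example.com"}


def is_safe_target(url, allowed_hosts=ALLOWED_HOSTS):
    """The check a branded shortener should run before minting a short link:
    absolute https URL, no embedded credentials, host on the allow-list."""
    p = urlparse(url)
    if p.scheme != "https" or not p.hostname:
        return False
    if p.username or p.password:          # https://bank.com@evil.example/ style tricks
        return False
    return p.hostname.lower() in allowed_hosts


# Constructed stand-in for HEAD responses so the example runs offline:
# url -> (status code, headers). A loop is included to show the guard.
FAKE_RESPONSES = {
    "https://sho.rt/abc": (301, {"Location": "https://t.co/xyz"}),
    "https://t.co/xyz": (302, {"Location": "https://www.example.com/page"}),
    "https://www.example.com/page": (200, {}),
    "https://sho.rt/loop": (302, {"Location": "/loop"}),
}


def fake_head(url):
    """Offline HEAD: look the URL up in the constructed table."""
    return FAKE_RESPONSES.get(url, (404, {}))


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """Tell urllib not to follow 3xx responses; they surface as HTTPError."""
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def live_head(url, timeout=5):
    """Real HEAD request with redirects disabled (not exercised by the test).
    Returns (status, headers) just like fake_head."""
    opener = urllib.request.build_opener(_NoRedirect)
    req = urllib.request.Request(url, method="HEAD")
    try:
        with opener.open(req, timeout=timeout) as resp:
            return resp.status, dict(resp.headers)
    except urllib.error.HTTPError as e:
        return e.code, dict(e.headers)


def preview_redirect_chain(url, head=fake_head, max_hops=10):
    """Return every URL on the path from the short link to its final target.
    Stops at the first non-redirect, at a missing Location header, at a
    loop, or after max_hops so a malicious chain cannot run forever."""
    chain = [url]
    seen = {url}
    for _ in range(max_hops):
        status, headers = head(chain[-1])
        if status not in REDIRECT_CODES:
            break
        location = headers.get("Location")
        if not location:
            break                          # redirect without a target: stop
        nxt = urljoin(chain[-1], location) # Location may be relative
        if nxt in seen:
            break                          # redirect loop detected
        seen.add(nxt)
        chain.append(nxt)
    return chain


def final_target_allowed(url, head=fake_head):
    """Preview the chain and apply the allow-list to where it actually ends."""
    return is_safe_target(preview_redirect_chain(url, head)[-1])


if __name__ == "__main__":
    for link in ("https://sho.rt/abc", "https://sho.rt/loop"):
        print(link, "->", " -> ".join(preview_redirect_chain(link)[1:]) or "(no hops)",
              "| allowed:", final_target_allowed(link))
```

Pointing `preview_redirect_chain` at `live_head` turns the offline demo into a real preview service; keep that service on a host that is itself isolated, since it still makes outbound requests to attacker-chosen URLs.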
Ask the Expert!
Want to ask Nick Lewis a question about enterprise threats? Submit your questions now via email! (All questions are anonymous.)