I understand why companies want to use URL shorteners such as Bitly, but can't these links redirect users to flawed... or even malicious URLs? What ways can these shortened URLs be exposed to ensure users don't click on malicious links?
URL shorteners have a checkered past in terms of security, but not much has changed in the last couple of years regarding defenses against their security pitfalls.
An enterprise can reduce the risk of URL shorteners being used as an attack vector by running a branded internal URL shortener (one whose short links live under the enterprise's own domain, so users can tell them apart from third-party links) and by serving that shortener over HTTPS, so neither the short link nor its redirect can be tampered with in transit.
Enterprises should also make sure their custom or branded URL shortener cannot be used to create malicious short URLs: require authentication before a link can be created, and check the destination URL against malware and reputation services before shortening it.
Web applications themselves have been abused through shortened URLs where their redirect handling was insecure: a shortener, or any site, that redirects to whatever URL it is handed in a request parameter is an open redirect. The Open Web Application Security Project has carried unvalidated redirects and forwards on its OWASP Top Ten list (A10 in both the 2010 and 2013 editions) and includes guidance on how to keep a Web application from being vulnerable.
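To make the open-redirect point concrete, here is an added example (not code from the original Q&A or from any named product) of a minimal URL shortener in two forms: a handler that takes its redirect target straight from the request, and a hardened one that only resolves opaque IDs to targets that were validated when an authenticated user created them. The class and function names, the scheme allowlist and the sample URLs are assumptions for illustration; the malware-check hook is left as a comment.

```python
# Added example, not code from the original Q&A: a minimal URL shortener whose
# redirect handling is shown in an open-redirect form and a hardened form.
# Names (Shortener, validate_target) and the sample URLs are assumptions.
import secrets
from typing import Dict, Optional, Tuple
from urllib.parse import parse_qs, urlparse

ALLOWED_SCHEMES = {"http", "https"}


def open_redirect_target(query_string: str) -> Optional[str]:
    """VULNERABLE: the redirect target is taken straight from the request.

    A handler that answers 302 with this value lets an attacker mint links
    under the enterprise's own domain that land anywhere (OWASP A10).
    """
    return parse_qs(query_string).get("url", [None])[0]


def validate_target(url: str) -> str:
    """Check a long URL before it is shortened; raise ValueError if rejected."""
    parsed = urlparse(url)
    if parsed.scheme.lower() not in ALLOWED_SCHEMES:
        # rejects javascript:, data:, file: and scheme-relative "//host" links
        raise ValueError(f"scheme not allowed: {parsed.scheme!r}")
    if not parsed.hostname:
        raise ValueError("missing host")
    if "@" in parsed.netloc:
        # "https://trusted.example@evil.example/" reads as trusted to a human
        raise ValueError("userinfo in URL is not allowed")
    return url


class Shortener:
    """Hardened: redirects only to stored targets, looked up by opaque ID."""

    def __init__(self) -> None:
        self._records: Dict[str, Tuple[str, str]] = {}  # id -> (owner, url)

    def shorten(self, long_url: str, owner: Optional[str]) -> str:
        # owner is the authenticated caller; anonymous creation is refused
        if owner is None:
            raise PermissionError("authentication required to create links")
        validate_target(long_url)
        # assumed hook: malware/reputation lookup of long_url would go here
        short_id = secrets.token_urlsafe(6)
        self._records[short_id] = (owner, long_url)
        return short_id

    def resolve(self, short_id: str) -> Optional[str]:
        """Only an ID is accepted; a URL passed here matches nothing."""
        record = self._records.get(short_id)
        return record[1] if record else None
```

The hardened handler never redirects to request-supplied data: the only thing a visitor controls is which stored record is looked up, and the record was validated (and, in a real deployment, reputation-checked) at creation time by an authenticated user whose identity is kept for abuse handling.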
Given the many ways an endpoint can be compromised, it may be more effective to harden the endpoint itself before trying to train users not to click on shortened links. As an additional control, an enterprise can give users a way to preview where a shortened URL leads (expanding the link to show its final destination) before clicking on it.
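As an added example of such a preview control (not code from the original Q&A or from any named shortener), the helper below expands a short link by walking its redirect chain one hop at a time with HEAD requests and redirects disabled, so the final page is never fetched or rendered, and then summarises what a user should see before clicking: the final host, the number of hops, and whether the chain downgraded from HTTPS to HTTP. The fetcher interface, the function names and the sample redirect chain are assumptions; the sample responses are constructed data standing in for the network.

```python
# Added example, not code from the original Q&A: a link-preview helper that
# expands a short URL through its redirect chain without loading the final page.
# Function names, the fetcher interface and the sample chain are assumptions.
import urllib.error
import urllib.request
from typing import Callable, Dict, List, Tuple
from urllib.parse import urljoin, urlparse

REDIRECT_CODES = {301, 302, 303, 307, 308}
# A fetcher performs one HEAD request without following redirects and
# returns (status, headers).
Fetcher = Callable[[str], Tuple[int, Dict[str, str]]]


def expand_url(url: str, fetch: Fetcher, max_hops: int = 10) -> List[str]:
    """Return every URL in the redirect chain, starting with the short link."""
    chain = [url]
    seen = {url}
    for _ in range(max_hops):
        status, headers = fetch(chain[-1])
        if status not in REDIRECT_CODES:
            return chain
        lower = {k.lower(): v for k, v in headers.items()}  # header names are case-insensitive
        location = lower.get("location")
        if not location:
            return chain  # 3xx without Location: treat as the end of the chain
        nxt = urljoin(chain[-1], location)  # Location may be relative
        if nxt in seen:
            raise ValueError(f"redirect loop at {nxt}")
        seen.add(nxt)
        chain.append(nxt)
    raise ValueError(f"more than {max_hops} redirects")


def preview(url: str, fetch: Fetcher) -> Dict[str, object]:
    """Summarise where a short link really goes, for display before clicking."""
    chain = expand_url(url, fetch)
    first, last = urlparse(chain[0]), urlparse(chain[-1])
    return {
        "final_url": chain[-1],
        "final_host": last.hostname,
        "hops": len(chain) - 1,
        "downgraded_to_http": first.scheme == "https" and last.scheme == "http",
    }


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None  # make urllib raise HTTPError for 3xx instead of following


def live_fetch(url: str) -> Tuple[int, Dict[str, str]]:
    """Real fetcher for use outside this demo (needs network access)."""
    opener = urllib.request.build_opener(_NoRedirect)
    req = urllib.request.Request(url, method="HEAD")
    try:
        with opener.open(req, timeout=5) as resp:
            return resp.status, dict(resp.headers)
    except urllib.error.HTTPError as err:
        return err.code, dict(err.headers)


# Constructed responses standing in for the network (sample data, not real sites).
SAMPLE_RESPONSES: Dict[str, Tuple[int, Dict[str, str]]] = {
    "https://sho.rt/x7Q": (301, {"Location": "https://track.example/c?id=42"}),
    "https://track.example/c?id=42": (302, {"location": "/go"}),
    "https://track.example/go": (307, {"Location": "http://account-verify.example/login"}),
    "http://account-verify.example/login": (200, {}),
    "https://sho.rt/loop": (302, {"Location": "https://sho.rt/loop2"}),
    "https://sho.rt/loop2": (302, {"Location": "https://sho.rt/loop"}),
}


def sample_fetch(url: str) -> Tuple[int, Dict[str, str]]:
    return SAMPLE_RESPONSES.get(url, (404, {}))


if __name__ == "__main__":
    print(preview("https://sho.rt/x7Q", sample_fetch))
```

Run against the sample data, the preview reports three hops ending at account-verify.example over plain HTTP, which is exactly the information a user lacks when all they can see is sho.rt/x7Q. Hop and loop limits matter because an attacker controls every server in the chain and can make an expander spin or recurse; the HEAD-only fetcher also keeps the preview itself from executing whatever the final page serves.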
However, it is also worthwhile to instruct employees not to click untrusted links, and to be wary of unfamiliar URLs in general, as part of security awareness training. In addition, teach employees how to recognize that their computer may have been compromised, since even trusted URLs can be turned to malicious ends through DNS hijacking, malicious banner ads and so on.
Ask the Expert!
Want to ask Nick Lewis a question about enterprise threats? Submit your questions now via email! (All questions are anonymous.)