If you regularly use the computer, chances are you spend at least part of your time reading the news. And with the rise of the paywall, there's a high chance you've entered your payment information on one of these news sites. But just how secure are they?
We've taken a look at seven large news publications to see how their cybersecurity stacks up. Many big names have low scores and a few did well.
1. Fox News
Fox News scored the highest security rating at 866/950.
That said, it still has some key website risks, namely an insecure SSL/TLS version, an HSTS header that doesn't contain includeSubDomains and an HSTS header not prepared for preload list inclusion.
These attack vectors leave Fox News and its readers vulnerable to man-in-the-middle attacks, which could result in sensitive data like personally identifiable information (PII) or credit card details being stolen.
2. The Guardian
The Guardian scores a respectable 835/950.
However, The Guardian has some key website risks, network security risks and brand protection risks that should be addressed.
Like Fox News, The Guardian uses an insecure SSL/TLS version, leaving itself and its readers open to man-in-the-middle attacks. It also does not use HttpOnly cookies, meaning cookies can be accessed on the client, which enables certain types of client-side attacks.
Its key network security risk is its lack of DNSSEC, which can lead to DNS cache poisoning.
As for brand protection, domain registry update, transfer and deletion protection are not enabled, and domain renewal is prohibited by their registrar.
3. Yahoo News
That said, Yahoo News has a number of website-related risks.
It too is using an insecure SSL/TLS version, its HSTS header does not contain includeSubDomains, its HSTS header is not prepared for preload list inclusion and secure cookies are not used, leaving it open to man-in-the-middle attacks.
Like The Guardian, it does not use HttpOnly cookies, meaning cookies can be accessed on the client, enabling certain types of client-side attacks.
4. The Washington Post
The Washington Post has a number of website, network security and brand protection risks despite its score of 752/950.
Like Fox News, The Guardian and Yahoo News, The Washington Post is using an insecure SSL/TLS version.
Its HSTS header is not prepared for preload list inclusion, and it does not use secure cookies, leaving itself open to man-in-the-middle attacks.
Like The Guardian and Yahoo News, HttpOnly cookies are not used, leaving it open to some client-side attacks.
As with The Guardian, The Washington Post could be the victim of DNS cache poisoning due to its lack of DNSSEC.
5. The New York Times
The New York Times has a number of website, email and network security risks.
They do not enforce HTTP Strict Transport Security (HSTS) and secure cookies are not used, which opens them up to man-in-the-middle attacks.
Like The Washington Post, The Guardian and Yahoo News, they don't employ HttpOnly cookies, leaving them open to certain types of client-side attacks.
As with The Guardian and The Washington Post, The New York Times could be the victim of DNS cache poisoning due to its lack of DNSSEC.
6. CNN
CNN has a number of website, email, network and brand protection risks.
Its website risks include an insecure SSL/TLS version, a lack of HSTS enforcement and cookies that are neither secure nor HttpOnly.
As with The Guardian, The Washington Post and The New York Times, CNN could be the victim of DNS cache poisoning due to its lack of DNSSEC.
Finally, its domain is at risk because domain registrar deletion and update protection has not been enabled.
7. MSNBC
MSNBC fared the worst out of all the news sites we checked due to its myriad website risks and a network security issue (lack of DNSSEC).
MSNBC, like many others on this list, uses an insecure SSL/TLS version, HSTS is not enforced and secure cookies are not used, leaving it open to man-in-the-middle attacks.
It also doesn't use HttpOnly cookies, leaving its readers open to some forms of client-side attacks.
Its last issue is an exposed X-Powered-By header, which reveals information about the specific technology used on its server. This information can be used to exploit known vulnerabilities like those listed on CVE.
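The header and cookie findings listed for these sites can be checked mechanically from a single HTTPS response. The following is an added example, not code from this article or from UpGuard: the function names and the sample headers are constructed for illustration, and the preload test assumes the HSTS preload list's requirements of a max-age of at least one year plus the includeSubDomains and preload directives.

```python
PRELOAD_MIN_AGE = 31536000  # one year: minimum max-age the HSTS preload list requires

def parse_hsts(value):
    """Return (max_age, lowercase flag directives) from an HSTS header value."""
    max_age, flags = None, set()
    for part in value.split(";"):
        name, _, arg = part.strip().partition("=")
        arg = arg.strip().strip('"')
        if name.strip().lower() == "max-age":
            max_age = int(arg) if arg.isdigit() else None
        elif name.strip():
            flags.add(name.strip().lower())
    return max_age, flags

def audit_headers(headers):
    """headers: list of (name, value) pairs, so repeated Set-Cookie lines survive."""
    findings = []
    hsts = [v for n, v in headers if n.lower() == "strict-transport-security"]
    if not hsts:
        findings.append("HSTS not enforced")
    else:
        max_age, flags = parse_hsts(hsts[0])  # only the first HSTS header is processed
        if not max_age:
            findings.append("HSTS not enforced")  # max-age missing or 0 disables HSTS
        else:
            if "includesubdomains" not in flags:
                findings.append("HSTS header does not contain includeSubDomains")
            if not (max_age >= PRELOAD_MIN_AGE and {"includesubdomains", "preload"} <= flags):
                findings.append("HSTS header not prepared for preload list inclusion")
    for name, value in headers:
        if name.lower() == "set-cookie":
            cookie = value.split("=", 1)[0].strip()
            attrs = {a.strip().split("=", 1)[0].lower() for a in value.split(";")[1:]}
            for attr, label in (("secure", "Secure"), ("httponly", "HttpOnly")):
                if attr not in attrs:
                    findings.append(f"cookie {cookie} missing {label}")
        elif name.lower() == "x-powered-by":
            findings.append(f"X-Powered-By exposed: {value}")
    return findings

SAMPLE_HEADERS = [  # constructed sample, not captured from any site
    ("Strict-Transport-Security", "max-age=15552000"),
    ("Set-Cookie", "session=abc123; Path=/; Secure"),
    ("Set-Cookie", "prefs=dark; Path=/"),
    ("X-Powered-By", "ExampleFramework/1.0"),
]

if __name__ == "__main__":
    print("\n".join(audit_headers(SAMPLE_HEADERS)))
```

The TLS version, DNSSEC and registrar-lock findings are not visible in response headers and need separate checks.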
There are many other facets to online media user experience: design, content, ad load and more.
These are obvious because they're part of what we see on the webpage.
Cybersecurity isn't so obvious. It happens behind the scenes, but just because you can't see it doesn't mean it isn't important. Cybersecurity has never been more important.
This is why more organizations are investing in vendor risk management and cyber security ratings tools that can help them automatically monitor and assess first, third and fourth-party security postures.
These tools reduce the risk of third-party data breaches by exponentially increasing the number of third-party vendors one person can monitor and continuously scanning for leaked credentials and data exposures.
How UpGuard can improve your organization's cybersecurity
Companies like Intercontinental Exchange, Taylor Fry, The New York Stock Exchange, IAG, First State Super, Akamai, Morningstar and NASA use UpGuard to protect their data, prevent data breaches, monitor for vulnerabilities and avoid malware.
UpGuard Vendor Risk can minimize the amount of time your organization spends managing third-party relationships by automating vendor questionnaires and continuously monitoring your vendors' security posture over time while benchmarking them against their industry.
Each day, our platform scores your vendors with a Cyber Security Rating out of 950. We'll alert you if their score drops.
UpGuard BreachSight can help monitor for DMARC, combat typosquatting, prevent data breaches and data leaks, avoid regulatory fines and protect your customers' trust through cyber security ratings and continuous exposure detection.
If you'd like to see how your organization stacks up, get your free Cyber Security Rating.