Which Online News Site Has the Best Cybersecurity?

Last updated by Abi Tyas Tunggal on January 15, 2020


If you regularly use a computer, chances are you spend at least part of your time reading the news. And with the rise of the paywall, there's a high chance you've entered your payment information on one of these news sites. But just how secure are they?

We've taken a look at seven large news publications to see how their cybersecurity stacks up. Many big names have low scores and a few did well.

1. Fox News

Fox News scored the highest security rating at 866/950. 

That said, it still has some key website risks, namely an insecure SSL/TLS version, an HSTS header that doesn't contain includeSubDomains and an HSTS header not prepared for preload list inclusion.

These attack vectors leave Fox News and its readers vulnerable to man-in-the-middle attacks, which could result in sensitive data like personally identifiable information (PII) or credit card details being stolen.

2. The Guardian

The Guardian scores a respectable 835/950. 

However, The Guardian has some key website risks, network security risks and brand protection risks that should be addressed.

Like Fox News, The Guardian uses an insecure SSL/TLS version, leaving itself and its readers open to man-in-the-middle attacks. It also does not use HttpOnly cookies, meaning cookies can be accessed on the client, which enables certain types of client-side attacks.

Its key network security risk is its lack of DNSSEC, which can lead to DNS cache poisoning.

As for brand protection, domain registry update, transfer and deletion protection are not enabled, and domain renewal is prohibited by their registrar. 

3. Yahoo News

Yahoo News scores a decent 798/950, which is not bad given Yahoo's history of data breaches. In fact, Yahoo tops our list of the biggest data breaches.

That said, Yahoo News has a number of website-related risks.

It too is using an insecure SSL/TLS version. Its HSTS header does not contain includeSubDomains and is not prepared for preload list inclusion, and secure cookies are not used, leaving it open to man-in-the-middle attacks.

Like The Guardian, it does not use HttpOnly cookies, meaning cookies can be accessed on the client, enabling certain types of client-side attacks.

4. The Washington Post

The Washington Post has a number of website, network security and brand protection risks despite its score of 752/950.

Like Fox News, The Guardian and Yahoo News, The Washington Post is using an insecure SSL/TLS version.

Its HSTS header is not prepared for preload list inclusion, and it does not use secure cookies, leaving itself open to man-in-the-middle attacks.

Like The Guardian and Yahoo News, HttpOnly cookies are not used, leaving it open to some client-side attacks.

As with The Guardian, The Washington Post could be the victim of DNS cache poisoning due to its lack of DNSSEC.

5. The New York Times

The New York Times has a number of website, email and network security risks.

They do not enforce HTTP Strict Transport Security (HSTS) and secure cookies are not used, which opens them up to man-in-the-middle attacks.

Like The Washington Post, The Guardian and Yahoo News, they don't employ HttpOnly cookies, leaving them open to certain types of client-side attacks.

As for email security, The New York Times has lenient SPF filtering, which could result in their domain being used in email spoofing-based phishing and spear phishing campaigns.

As with The Guardian and The Washington Post, The New York Times could be the victim of DNS cache poisoning due to its lack of DNSSEC.

6. CNN

CNN has a number of website, email, network and brand protection risks. 

Its website risks include an insecure SSL/TLS version, a lack of HSTS enforcement and cookies that are neither secure nor HttpOnly.

Like The New York Times, CNN has lenient SPF filtering, which could result in email spoofing or their domain being used as part of phishing and spear phishing campaigns.

As with The Guardian, The Washington Post and The New York Times, CNN could be the victim of DNS cache poisoning due to its lack of DNSSEC.

Finally, its domain is at risk because domain registrar deletion and update protection has not been enabled.

7. MSNBC

MSNBC fared the worst out of all the news sites we checked due to its myriad website risks and a network security issue (lack of DNSSEC).

MSNBC, like many others on this list, uses an insecure SSL/TLS version. HSTS is not enforced and secure cookies are not used, leaving it open to man-in-the-middle attacks.

It also doesn't use HttpOnly cookies, leaving its readers open to some forms of client-side attacks.

Its last issue is that its X-Powered-By header is exposed, which reveals information about the specific technology used on its server. This information can be used to exploit known vulnerabilities like those listed on CVE.
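The header-level findings repeated throughout this list (HSTS not enforced, missing includeSubDomains or not ready for preload, cookies without the Secure or HttpOnly flag, an exposed X-Powered-By header) can all be checked from a site's own HTTPS response. The following is an added example, not UpGuard's scoring code: the function names and sample headers are constructed for illustration, and the preload threshold (max-age of at least one year plus both directives) is assumed from the hstspreload.org submission requirements.

```python
# Added example: flag the header-level website risks this article names.
PRELOAD_MIN_AGE = 31536000  # one year; assumed from hstspreload.org requirements

def parse_hsts(value):
    """Return (max_age, flag directives in lowercase) for an HSTS header value."""
    max_age, flags = None, set()
    for part in value.split(";"):
        name, _, arg = part.strip().partition("=")
        name = name.strip().lower()
        if name == "max-age":
            digits = arg.strip().strip('"')
            max_age = int(digits) if digits.isdecimal() else None
        elif name:
            flags.add(name)
    return max_age, flags

def audit_headers(headers):
    """headers: (name, value) pairs from an HTTPS response. Returns findings."""
    findings, by_name = [], {}
    for name, value in headers:
        by_name.setdefault(name.lower(), []).append(value)
    # Browsers honour only the first HSTS header; max-age=0 switches HSTS off.
    max_age, flags = parse_hsts(by_name.get("strict-transport-security", [""])[0])
    if not max_age:
        findings.append("HSTS not enforced")
    else:
        if "includesubdomains" not in flags:
            findings.append("HSTS header does not contain includeSubDomains")
        if not ({"includesubdomains", "preload"} <= flags and max_age >= PRELOAD_MIN_AGE):
            findings.append("HSTS header not prepared for preload list inclusion")
    for cookie in by_name.get("set-cookie", []):
        cname = cookie.split("=", 1)[0].strip()
        attrs = {a.strip().split("=", 1)[0].lower() for a in cookie.split(";")[1:]}
        for flag, label in (("secure", "Secure"), ("httponly", "HttpOnly")):
            if flag not in attrs:
                findings.append(f"cookie {cname}: {label} flag not set")
    if "x-powered-by" in by_name:
        findings.append("X-Powered-By header exposed")
    return findings

# Constructed sample response headers (not captured from any site in this list).
SAMPLE_HEADERS = [
    ("Strict-Transport-Security", "max-age=15768000; preload"),
    ("Set-Cookie", "session=abc123; Path=/; Secure"),
    ("Set-Cookie", "prefs=dark; Path=/"),
    ("X-Powered-By", "ExampleFramework/1.0"),
]

if __name__ == "__main__":
    for finding in audit_headers(SAMPLE_HEADERS):
        print(finding)
```

A response that sends `max-age=63072000; includeSubDomains; preload`, sets Secure and HttpOnly on every cookie, and omits X-Powered-By returns an empty findings list.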

Conclusion

There are many other facets to online media user experience: design, content, ad load and more. 

These are obvious because they're part of what we see on the webpage. 

Cybersecurity isn't so obvious. It happens behind the scenes, but just because you can't see it doesn't mean it isn't important. Cybersecurity has never been more important.

And remember, these results only cover their primary domain and not their third-party vendors, who could introduce far more cybersecurity risk in the form of third-party risk and fourth-party risk.

This is why more organizations are investing in vendor risk management and cyber security ratings tools that can help them automatically monitor and assess first, third and fourth-party security postures.

These tools reduce the risk of third-party data breaches by exponentially increasing the number of third-party vendors one person can monitor and continuously scanning for leaked credentials and data exposures.

How UpGuard can improve your organization's cybersecurity

Companies like Intercontinental Exchange, Taylor Fry, The New York Stock Exchange, IAG, First State Super, Akamai, Morningstar and NASA use UpGuard to protect their data, prevent data breaches, monitor for vulnerabilities and avoid malware.

We're experts in data breaches and data leaks, and our research has been featured in the New York Times, Bloomberg, Washington Post, Forbes, Reuters and TechCrunch.

UpGuard Vendor Risk can minimize the amount of time your organization spends managing third-party relationships by automating vendor questionnaires and continuously monitoring your vendors' security posture over time while benchmarking them against their industry. 

Each vendor is rated against 50+ criteria such as presence of SSL and DNSSEC, as well as risk of domain hijacking, man-in-the-middle attacks and email spoofing for phishing.

Each day, our platform scores your vendors with a Cyber Security Rating out of 950. We'll alert you if their score drops.

UpGuard BreachSight can help monitor for DMARC, combat typosquatting, prevent data breaches and data leaks, avoid regulatory fines and protect your customers' trust through cyber security ratings and continuous exposure detection.

If you'd like to see how your organization stacks up, get your free Cyber Security Rating.

Book a demo today.
