Messaging News Magazine

Securing WEB 2.0

By Stephanie Jordan

Like email, the Web has become a mission-critical application for many businesses. The Internet has offered so much, and has such potential, that more and better applications are constantly being invented. This rapid pace of innovation and implementation has changed the Web to such a degree that the term Web 2.0 is used to mark the difference between just a short time ago and now. Unfortunately, also like email, the medium is being used in ways it was not actually built to support. These new Web 2.0 applications are exposing businesses to new and ever-evolving security threats. "The Web and now Web 2.0 has become so critical that businesses cannot and will not turn it off," says Mike Lange, director of marketing for Aladdin Knowledge Systems, Inc. "So what's left is to deal with the threat environment and that's where it becomes problematic. For various reasons, traditional security solutions, such as firewalls, intrusion detection/prevention, gateway anti-virus, and URL filters simply are not equipped to deal with Web-based content security threats."

According to Paul Henry, vice president of technology evangelism for Secure Computing, organizations used to be concerned with virus outbreaks as the primary vehicle for delivering malware. "Today, malware is being delivered via the Internet across many Web 2.0 vectors," explains Henry. "A perfect example is the recent e-greeting card malware problem that has been part of Storm Worm." Henry goes on to describe how users received an email that itself contained no malicious attachment or payload. The email simply contained a URL that would allow the user to view a greeting card. Yet, when the user clicked on the URL, over a dozen different ActiveX exploits were launched against the user's browser in an effort to find an open hole. Once a hole was found, malware was downloaded in multiple stages from multiple servers to infect the user's PC. The most common result was that a spam bot rootkit was loaded on the user's PC, making it part of the attacker's botnet for the purpose of sending spam. "It just as easily could have downloaded a keylogger to steal the user's banking credentials in order to perpetrate identity theft," says Henry.

Generally, all experts agree that the threat vector has changed with Web 2.0. "Because external threats to networks have changed in nature from email-based worms to Web-based threats, traditional security measures like anti-virus and firewalls can't protect against these emerging Web-based threats," states Mike Wood, senior product manager for Websense, Inc. Today, organizations need proactive, intelligent protection. Another area of concern is the internal threat. "Interestingly, the 2007 Global State of Information Security Survey from CIO and PricewaterhouseCoopers found that this year marks the first time 'employees' beat out 'hackers' as the most likely source of a security incident," continues Wood. "Most often employees are not intentionally leaking information or trying to introduce malware into the company, but with the pervasiveness of Web usage, and the sophistication of threats including social engineering techniques, it's becoming apparent to organizations around the world that they need to implement protection against internal threats too."

What Is Different?

Why the change in security risks? Henry notes that hackers have shifted their attacks up to the application layer because most security devices today still lack the ability to properly inspect that traffic. "There is an implicit trust of websites on the Internet. The vast majority of organizations simply do not inspect any of the traffic returned to an enterprise user when that person is surfing the public Internet. Back in the days when the site administrator was responsible for all of the content of a particular website, you could apply that kind of implicit trust; but today, with each of the tens of thousands of users themselves able to add content to sites (blogs, wiki sites, social networks), it is unrealistic to continue to apply implicit trust." Henry warns that malicious user-contributed content on Web 2.0 websites, such as URLs pointing to malware-hosting Web servers and scripts that download keyloggers or rootkits, is increasing dramatically and will continue to do so for the foreseeable future.

Lange believes that because email security has evolved to the point where threats are identified and blocked effectively, malware writers have moved to a land of greater opportunity: the Web. "Today, all malware has a Web component," says Lange. "The goal of email attacks is to get people to click on a link that leads to an infected website." Lange offers a recent example from the Aladdin Content Security Response Team, which uncovered a sophisticated, multi-stage attack against eBay users that successfully obtained eBay logins. According to Lange, the attackers used a botnet consisting of infected computers to launch a brute force attack on eBay accounts. "The botnet was built using a sophisticated, multistage campaign that begins with compromised legitimate websites—at least 300 by our count, spread worldwide and in several languages," explains Lange. "The sites are compromised by SQL injection vulnerabilities, and then IFrame attack code is inserted. The IFrame code redirects visitors to other sites, which host a Trojan that then hijacks the PC and turns it into a zombie, or bot." Lange goes on to say that the tactics used to disguise the attack include multipart malware downloads (the malware is downloaded in pieces so that it doesn't register with conventional security measures), as well as encryption, since most security tools cannot inspect encrypted (SSL) traffic. The resulting botnet is being used to call an eBay application programming interface (API) with pairs of possible usernames and passwords. The API allows the Trojan horse-infected PC—the bot—to communicate directly with the eBay database using XML-formatted code. If the database contains the username-password pair, it responds—which the Trojan horse notes for later transmission to a hacker-controlled server. "With enough username-password combinations, the criminals can uncover a limited number of real credentials," says Lange. "Each bot may be using as few as six pairs of usernames and passwords in an attempt to come in under the security radar of eBay. The distributed nature of the attack made it look like a merchant sending confirmations to buyers."
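The distributed, low-volume credential attack Lange describes (a handful of username/password pairs per bot, so that no single source trips a per-IP lockout) is only visible to a defender who aggregates across sources rather than per source. The following Python is an added example, not code from the article or from any vendor it mentions; it parses constructed login-log lines in an assumed format and contrasts the classic per-IP view, which sees nothing, with a per-account view across source addresses.

```python
import re
from collections import defaultdict

# Constructed sample of API login log lines (made up for this example; the
# format "<ts> src=<ip> user=<name> result=<ok|fail>" is an assumption).
SAMPLE_LOG = """\
2007-10-01T10:00:01 src=10.1.1.5 user=alice result=fail
2007-10-01T10:00:02 src=10.1.1.5 user=bob result=fail
2007-10-01T10:00:03 src=10.1.1.5 user=carol result=fail
2007-10-01T10:00:04 src=10.2.2.9 user=alice result=fail
2007-10-01T10:00:05 src=10.2.2.9 user=dave result=fail
2007-10-01T10:00:06 src=10.3.3.7 user=alice result=fail
2007-10-01T10:00:07 src=10.3.3.7 user=bob result=fail
2007-10-01T10:00:08 src=10.6.6.6 user=alice result=fail
2007-10-01T10:00:09 src=10.5.5.1 user=erin result=fail
2007-10-01T10:00:10 src=10.5.5.1 user=erin result=ok
"""

LINE_RE = re.compile(r"^(\S+) src=(\S+) user=(\S+) result=(ok|fail)$")

def parse_log(text):
    """Parse log lines into (timestamp, src, user, result) tuples; skip malformed lines."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            events.append(m.groups())
    return events

def per_source_offenders(events, cap=6):
    """Classic per-IP view: sources with more than `cap` failed logins.
    A bot that stays at or below `cap` pairs never appears here."""
    failures = defaultdict(int)
    for _, src, _, result in events:
        if result == "fail":
            failures[src] += 1
    return sorted(src for src, n in failures.items() if n > cap)

def distributed_targets(events, min_sources=3):
    """Per-account view: usernames with failed logins from >= min_sources distinct IPs.
    Many sources guessing the same account is the signature of a distributed attack."""
    sources = defaultdict(set)
    for _, src, user, result in events:
        if result == "fail":
            sources[user].add(src)
    return {u: len(s) for u, s in sources.items() if len(s) >= min_sources}

def assess(events, cap=6, min_sources=3):
    """Combine both views plus the count of distinct failing sources, which a
    real deployment would compare against a learned baseline."""
    return {
        "per_source": per_source_offenders(events, cap),
        "targeted_accounts": distributed_targets(events, min_sources),
        "distinct_failing_sources": len({e[1] for e in events if e[3] == "fail"}),
    }
```

On the sample data the per-IP view returns no offenders, while the per-account view flags `alice` as guessed from four distinct sources.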

Organization Readiness

With these sophisticated tactics being used against corporate networks, just how prepared are organizations to combat them? "Most businesses are not prepared for Web 2.0 technology," states Wood. "The usefulness and popularity of this technology has grown quickly, with security often being an afterthought. Unfortunately we are already seeing hackers take advantage of the interactive and dynamic nature of Web 2.0—we've observed hackers use popular social networking sites, like MySpace, to launch malcode."

Henry agrees. "Businesses today, large and small, are critically unprepared for the threats of Web 2.0," he says. "Secure Computing's study with Forrester Research showed that while the vast majority of organizations see the benefit of using Web 2.0-related services, only a small minority were actually already prepared for the associated risks. Further, these findings are consistent with other research, such as the CSI Crime Report, as well as the eCrime Report from CSO, CERT and the Secret Service. The defenses reported as most popular and currently deployed across organizations that participated in the study simply lack the ability to properly defend against Web 2.0 threats. In many respects, the current blind adoption of Web 2.0 resembles the earlier Internet bubble; as organizations race to create the next hugely successful Web 2.0 portal without any regard to the inherent risks to the organization or the site's visitors, the losses will continue to mount. We might very well see a collapse of our current Web 2.0 inspired bubble." Recently, Secure Computing unveiled its new SWAT Initiative for protecting organizations from Web 2.0-related threats carried in Web and messaging protocols. The Secure Web 2.0 Anti-Threat initiative is an intensive effort to provide corporations with informative research, tools, solutions and best practices vital for companies evaluating—or re-evaluating—their approach to Web and messaging security. At its core, the initiative is aimed at identifying and highlighting the essential components required to provide the best possible protection for businesses operating in a Web 2.0 environment and beyond.

"Woefully unprepared," is how Lange responds to the Web 2.0 security preparedness question. "Gartner notes that less than 15 percent of enterprises currently have the proper perimeter security (what they define as a 'Secure Web Gateway') in place to adequately address Web 2.0 risks," says Lange. "Note, too, that it's not just Web 2.0, but the 'old-fashioned' Web as well that presents risks. It's just that Web 2.0 applications offer easier entry points to infect websites through more potential browser vulnerabilities and by opening up websites to untrusted sources." According to Lange, eSafe inspects all Web traffic, including thorough and deep inspection of HTML code, scripts inside HTML, images (GIF, JPG, WMF, etc.), ActiveX objects, Java applets, downloaded executables and more. "What's more, eSafe inspects all HTML traffic, regardless of port. For example, eSafe can detect malware on ANY port—not only port 80," adds Lange. "If there is a phishing website that for obfuscation reasons uses port 53 (which is normally reserved for DNS queries and is open on most firewalls) to tunnel HTTP traffic, it will be detected and inspected by eSafe." This summer Aladdin announced that Aladdin eSafe 6, its comprehensive platform for spyware control, Web browsing security, application filtering, and anti-virus, offers a new option that allows organizations to inspect Secure Sockets Layer (SSL) encrypted HTTP traffic (HTTPS). The new SSL content inspection technology inside Aladdin eSafe 6 answers organizations' SSL security concerns, providing constant, granular inspection of this once invisible traffic. It allows all security policies that apply to HTTP traffic to apply equally to HTTPS encrypted traffic, halting malware from infiltrating networks through encrypted channels and closing the door to rogue applications.

Websense is also strengthening its offerings. Recently, Websense closed its acquisition of SurfControl. "Websense's acquisition of SurfControl helps accelerate Websense's strategy to lead in the Content Security Market, which includes Web security, messaging security, and information leak prevention—all core strengths of our combined solution," says Wood. "SurfControl adds email filtering and on-demand capabilities to the Websense solution set. Websense is the only company that has Intelligent Content Protection—empowering customers to access and exchange information safely within the organization, between organizations and over the Internet." With the acquisition of SurfControl, Websense has doubled its customer base to more than 50,000 organizations worldwide and now protects content for more than 42 million employees.

Key Considerations

Because the Web is so vastly different from just five years ago, organizations of all sizes need to take steps to ensure that their security addresses today's challenges. "In some ways IT administrators are being lulled into a false sense of security, because their networks are not being openly attacked and going down as once happened," says Lange. "The reason is that malware writers want the network to stay up so that infected desktops can communicate their secrets back to unauthorized servers. In short, they want to maximize their control over a network without giving away clues that they are there. Virtually every network today will have some type of malware that is 'calling home' through any available port."

Another threat is data leakage. According to Forrester Research, more than 70 percent of all leaks are accidental. "With email autofill for the intended recipient on nearly every computer, it is easy to see how accidental emails get sent out of the corporation," concedes Wood. "Organizations should engage in a two-pronged approach combining training and education with information leak prevention technology. Employees need to know and understand their companies' corporate policies. Organizations should also deploy information leak prevention technology, such as our Websense Content Protection Suite, which helps discover and fingerprint sensitive information, monitor it as it is in use and then prevent it from leaving the organization through common communication vectors including instant messaging, email, and Web mail."

Organizations of all sizes must remain diligent in their security efforts for the Web and Web 2.0. "Business use of the Web and Web 2.0 applications exposes organizations to both inbound and outbound security threats," states Henry. "The new generation of emerging security threats transcends the legacy security measures for Web 1.0. Today, the threat is dramatically more complex and uses multiple threat vectors."

Recommendations for the Enterprise

A commissioned study, conducted by Forrester Consulting on behalf of Secure Computing, which surveyed 153 IT professionals and security decision-makers in companies with at least 1,000 employees, found that while Web 2.0 usage is already prevalent in enterprises, organizations are not prepared to deal with the potential threats associated with the technology. The study further notes a lack of risk awareness, user training and consistent policies. The study suggests that about half of the organizations surveyed spent more than US$25,000 in the last fiscal year on malware remediation. It was therefore not surprising to learn that businesses are wary of Web 2.0 usage and associated threats. While 97 percent of all enterprise IT staff consider themselves "prepared," 79 percent have reported frequent attacks from malware. In addition, 79 percent of those surveyed are concerned about viruses, and 77 percent about Trojans, but only 12 percent were concerned about botnets, even though bot networks have been growing rapidly, as demonstrated by the recent estimate that over one million computers in a single botnet propagated the Storm threat. These findings confirm that the majority of today's enterprises are still concerned—to a considerable degree—about Web 2.0 threats in their organizations. Given the complexity of the current threat and technology environments, Forrester and Secure Computing recommend that organizations look beyond a simple filtering solution, and:

Source: Secure Computing

Recommendations for Small- to Mid-Sized Businesses

SMBs and mid-sized companies are often short-staffed when it comes to IT and security—though they face similar security threats and in many ways are more vulnerable than the enterprise. A recent study commissioned by Websense found that small and medium sized businesses fail to take adequate steps to reduce the risk of data loss from Web-based security threats. The 2007 SMB State of Security (SOS) survey of 450 IT managers and employees within the United States shows that while 46 percent of SMB IT managers say they have software to protect company confidential data, 81 percent do not use software to block the use of peer-to-peer applications, block USB devices (80 percent), control the use of instant messaging (76 percent), or stop spyware from sending out information to external sources (47 percent)—all growing vectors of confidential data loss. "We think that SMBs need to protect themselves," says Mike Wood, senior product manager for Websense, Inc. "But the security solutions have to be within their budget and easy to deploy, yet effective. We recently launched a new product for the SMB market called Websense Express to meet what we believe is a vastly underserved market. The goal with Websense Express was to provide a powerful Web filtering and Web security solution that anyone could use and manage."

Additional Survey Findings

Despite the risk of data loss, 20 percent of SMBs do not use Internet security software other than firewall and anti-virus products, as they mistakenly feel these are sufficient. Additionally, 12 percent of IT managers admit that, while they have an Internet usage policy, they have no way of enforcing it. The study also found that business-owned computers are left vulnerable to security threats for more than 21 days on average, despite the daily updates promoted and offered by operating system and anti-virus vendors. In fact, only 4 percent of SMB employees have daily security updates on their work PC, while 11 percent of employees say the security software on their work PC has never been updated. On the bright side, 94 percent of SMBs claim to have an Internet use policy in place, and 67 percent say that all companies should have equal levels of protection from Internet security threats, irrespective of their size.

Source: Websense