Web Security Still Matters

“I think the reason you continue to see that sign in front of your face is because the behavior of the user has changed over the past 10 years,” observes Samantha Madrid, Cisco IronPort product manager. “When I started in Web security eleven years ago, the whole message was ‘don’t give access to the users, you need to be cognizant of productivity loss, of potential legal liabilities, etc.’ Today that behavior has changed dramatically. We are now encouraging our users to communicate online, to collaborate, and to introduce a global voice. By sharing that data online and making it accessible to a mobile workforce it’s important that we make sure the content they’re accessing is safe and clean.”

Dr. Paul Judge, co-founder and chief technology officer of Purewire, Inc., details five fundamental shifts taking place on the Web that leave corporate networks and users vulnerable and make Web security an increasingly vital issue. The most important shift is the growth of the Web, which, Judge notes, is expanding at approximately one domain per second. Secondly, he points to the increase in AJAX-based applications that essentially turn the browser into the new operating system as another key issue. In this instance, Judge explains, “Applications simply run in the browser and users can become infected without having to click on a link to download a file or an executable. Traditional anti-virus (AV) solutions can’t help because there’s no file for them to download and nothing to scan.”

The dramatic increase in user-generated content is the third of the shifts that Judge believes lead to increased vulnerability. “In the past there were a handful of content providers,” says Judge. “Today there are millions of consumers posting comments, feedback, links, etc. online—it becomes a question of what and whose information you can trust.” The increased mobility of the workforce ranks fourth in contributing to a vulnerable environment, while an overall increase in the creativity and intelligence of criminals rounds out his list. “Rogue applications and botnets are more frequently disguising themselves as HTTP traffic in order to bypass traditional security defenses such as firewalls, which renders those traditional security approaches useless.”

Blended Threats

Shawn Eldridge, chief marketing officer at BorderWare Technologies, feels that the big change over the past few years in regard to the Web and Web security isn’t related to the threats themselves, as they have long existed. Rather, organizations need to look at how people are arriving at compromised sites that expose them to threats in the first place. “With email threats decreasing, [notwithstanding spam], and Web security getting better, a paradigm has occurred where email has become the invitation to the threat.” Eldridge cites the Web as the actual infection point. “People are sending out spam whether it’s through botnets or phishing attacks—or whatever label you want to place on it—in order to get people to visit Web sites that they have purposely infected or that have areas within them with exploited vulnerabilities. The blended threat of email as the invitation and the Web as the delivery device and infection point is the kind of world that we live in today.”

Eldridge also believes that the same mechanisms that make Web 2.0 so powerful—collaboration, ease of use, 24/7 anywhere access—have led to increased exposure to threats. “The reality is that when it comes to Web security the issues today still reside around protecting users against malware, worms, Trojans, and spyware.” The other side of the coin that’s not being addressed, he says, is Web content. “This is the part that isn’t being discussed as much. The reason being that it’s a much harder problem to solve and it’s the new threat area. Fortunate enough for BorderWare we have the answers along these lines because we’ve been looking at [Web security] for quite some time.”

We’re Only Human

Regardless of how savvy criminals are and how sophisticated their attack methods may be, how many viruses, Trojans, and malware end up on the network because of the users themselves? “Quite a bit!” Eldridge responds. “Users will always make certain mistakes and this is where an organization has to provide security tools that protect them because at the end of the day people aren’t going to be security experts. At a certain level, people are always going to be naturally prone to the risk and threats that are out there because they’re not experts in that particular aspect.”

Madrid finds that social engineering is still a favorite for criminals as they successfully prey on the proclivities and inquisitive nature of human beings. “When we step back and look over 2008, we see a dramatic change in the kind of options that were being presented to users. You have bot orchestrated attacks that are leveraging what’s happening in the world. We had Obama malware in which you had malware writers mimicking the America.gov Web site. When users visited the [mimicked] site to view his acceptance speech, they didn’t see anything abnormal but they were presented with a malicious, ‘By the way, you need to update your Flash player’ in order to see the speech. When Adobe starts to update their Flash player, we start to see a rise in the number of tricking tactics used by malware writers in leveraging that kind of social norm. I think a lot of times users need to take extra care not to be so trusting. When you see something, really think twice because it’s happening more and more. Malware writers are creating these bot sites and they’re mimicking legitimate sites and they’re using everyday tactics to fool the user into downloading malware.”

Criminals have been quick to take advantage of the current economic situation, masquerading as potential employers with job offers—luring desperate users into giving up their personal information or downloading malicious code. Under normal circumstances these scams would be fairly transparent, but times are hard and people are hurting; a job offer from anywhere sounds like a good thing right about now. Madrid says that attacks are very socially timed and leverage what’s going on in the world today. On the verge of tax time, the IronPort Cisco threat center is seeing scams relating to filling out tax forms. “The timeliness of the messages makes it very hard for users to differentiate between threats and reality.”

“There are many opportunities for users to become infected, especially as the Web becomes more dynamic and users are accessing the Web and the corporate network from beyond the corporate perimeter,” adds Judge. “There will always be some level of human ‘error,’ particularly as attackers, for example, become more sophisticated with using social engineering.” To illustrate, Judge offers the recent Waledac attack, which started out delivering specialized coupons. Recently the malware has begun using localization for more effective propagation. Similar to how Google localizes its search page depending on the geographic location you’re coming from, Waledac automatically calculates and changes the city in its social engineering campaign to make the attack more compelling. “For example, if a bomb blast went off in Tokyo, you might not be that concerned,” says Judge. “However, if it’s in your city, the story might be sufficiently compelling to get you to ‘download the video’ (which is, of course, Waledac malware). The distribution sites are the same, but instead of coupon books, the sites are now offering a ‘video’ of a bomb blast, which occurs in the city corresponding to your IP address. Waledac is using geolocation to enhance its social engineering attack. Attacks such as these make it infinitely easier for criminal hackers to be successful.”

URL Filtering Is Dead

Judge feels that Web users are more vulnerable today than ever before. “There’s a significant gap in what traditional Web security solutions offer. URL filtering is dead and businesses must take that seriously in order to adequately protect their users browsing the Web. As attackers become more sophisticated, so do the threats they propagate and it is a perpetual game of cat and mouse. The security industry as a whole needs to embrace the changes happening on the Web in order to effectively protect users and keep the Web a place where those users can be productive and safe.”

Although we may be bored of hearing it, awareness and vigilance are still our best defenses against corporate and personal Web-based attacks. Eldridge also believes that user and corporate reliance on Web filtering is a misplaced trust. Traditional URL filtering, once used to address productivity and compliance issues, doesn’t come close to handling the magnitude of the modern Web. “Today’s reality is that the largest URL filtering databases in the world only contain some 60-odd million URLs. 60 million Web sites have been categorized, but the problem is Google came out a couple months ago and said that it’s indexing over one trillion URLs,” explains Eldridge. “Obviously you don’t have to be a mathematician to figure out that there’s a massive gap there between the sheer magnitude and dynamic nature of the Web and what URL filtering and malware prevention can provide.”

“I definitely think it’s a partnership between the company and the user in protecting themselves from malware,” says Madrid. “The fundamental thing is that malware writers are looking for users’ personal information for financial gain. So the user definitely needs to remain concerned and diligent in their online behavior because the malware writer is installing Trojans onto the user’s desktop that are looking for credit card numbers, and using keyloggers to get passwords, and they’re doing it so that they can turn around and steal that data and sell it.”

Judge puts it succinctly when he says that it’s time to wake up. “Traditional security approaches obviously are not adequate in the face of today’s security challenges. Just ask the CIO who has a URL filtering solution in place—and then runs a test to find out that there are bots on the local network. Ask the security administrator who has desktop AV in place, only to find that users have been attacked by a browser or script-based attack and she will have to spend hours cleaning the machines. Or ask the young professional who believes they have received a friend request on Facebook from the most talented, intelligent or beautiful contact they’ve met, only to find it’s a fake profile designed to deliver malware. The threats are real. Organizations—and the community as a whole—need to understand the complete threat landscape and make strides to keep users safe as they are engaging and interacting online.”