We’re facing a Web security gap.
The Web has become the primary source of infections in enterprises, surpassing e-mail. Although most enterprises do some form of URL filtering on their Web traffic, it’s proven to not be an adequate security solution alone. Only 15 percent of organizations are performing the deeper inspection and blocking on Web traffic necessary to protect their employees, according to Gartner.
And the problem is growing, with over 9,000 Web sites hosting malicious code being added each day. With everything moving to the Web — our enterprise applications, our desktop software, our communications — this means that our most sensitive data is flowing through our least protected channel.
Why the Web and Why Now?
The increased prevalence of Web-borne malware and the corresponding increased risk level is driven by several converging factors.
First, enterprises’ security focus has resulted in more secure corporate e-mail gateways and firewalls, forcing hackers and the criminal community to look for alternative attack vectors. has also been transformed from a static information delivery mechanism to a much more dynamic application environment, requiring numerous browser extensions and client software. This trend provides attackers with more surface area to take advantage of and more potential software vulnerabilities to exploit.
With Web 2.0, there has been a fundamental shift of content creation from trusted sources to anonymous collaborations such as wikis, blogs and social networking sites. This mashup of content sources makes it very difficult to make definitive decisions about the trust level of a particular site.
Finally, the rise in adware and the tricks used to spread these programs illustrates the inherent weaknesses of the Web’s security environment, and has served to educate the more malicious hackers on covert methods for distributing malware.
The result is that HTTP has become the new IP — the path through which threats enter and hide.
Anatomy of Web Threats
The sophistication of Web exploits increases exponentially in relation to the value of financial reward they can generate. In other words, the more money an attacker can make, the more clever he gets.
Today’s most serious threats include:
- Targeted/limited distribution malware that is unlikely to be detected by file signature systems or URL filters.
- Malware that does not require an operating system or application vulnerability to succeed, and thus can evade many intrusion prevention filters that stop vulnerability-seeking attacks.
- Rapidly morphing malware and adware that use malware randomizers to evade signatures.
- Zero-day threats that exploit vulnerabilities for which there is not yet a patch.
- Tenacious threats that are good at hiding in a system (e.g. rootkits), and very difficult to remove (e.g. self-protecting).
- Malware that is co-mingled with legitimate content (e.g. MySpace, Flickr, wikis, blogs).
One example of a modern threat is a botnet — a collection of software “robots” running on compromised computers that can be controlled remotely via a C&C (command and control) mechanism. Botnets have grown in sophistication, leveraging techniques from both malicious and non-malicious programs to become one of the most difficult threats to detect and stop today.
First-generation bots were trivial to detect and shut down once identified — they communicated to a single C&C server over IRC (Internet relay chat) and therefore could be blocked with simple port control and IP blacklisting. Second-generation bots became harder to stop as they hopped between different ports and protocols to communicate back to the C&C. Today’s bots are harder still to stop, adding peer-to-peer capabilities to build a more resilient C&C structure.
One of the most famous botnets — Storm — was first detected in January 2007 and has still not been shut down nearly two years later. Storm started like most bots, with recruitment spam, typically very topical and personal. A user clicks a URL in the spam e-mail and gets infected through any number of exploits. The infected PC then joins the Storm network as a node and begins IP scans of the network to see what other machines it can reach and exploit. A little while later, the node gets its first job, typically spam scams like pump-and-dump stocks or Canadian pharmacy spam (the No. 1 spam money maker).
If the node has access to enough machines, port and protocol egress points or bandwidth, it becomes a “SuperNode” and takes a more active role in the botnet hierarchy. However, it remains careful to avoid detection, since a noticed bot is a failed bot.
What You Can Do About It
Like most security challenges enterprises have faced, there is no silver bullet to stop Web threats. A combination of heterogeneous, multilayer defenses, real-time user education, and regular desktop and server systems patches is the best approach.
For your first line of defense, the gateway, you should complement or replace your URL filter with what research firm Gartner calls a “Secure Web Gateway” (SWG). These devices combine URL filtering, Web malware protection and application control on a single, scalable platform without compromising browser performance for end-users. Make sure the malware protection at the gateway comes from a different vendor than what you use on the desktop to maximize your chances of catching and stopping threats. Also, your SWG vendor should allow you to choose and pay for only what you need today so you can make an investment in the platform and the capabilities you require right now, but not be forced into buying more than you need.
Instead of adding a second (or third or fourth) desktop client, consider upgrading to the latest desktop protection suite that includes anti-spyware and, in some cases, anti-botnet technologies. Also consider SWG solutions that can pinpoint infected PCs and dispatch different cleanup agents, allowing you to deliver targeted remediation on-demand without adding to the IT department’s workload.
Regular user education on security policies is important, but the most effective education is real-time reinforcement, when employees are performing unsafe actions. By telling a user in real-time that their activity goes against corporate policy, you can change behavior. Users suddenly become aware that their activities are being monitored and most will change behavior immediately, resulting in an immediate improvement in your organization’s overall security posture.
Finally, security is a journey, not a destination. In order to get as protected as possible and stay there, you need to audit your network, put policies in place to block threats and unacceptable use, repair infected systems and, as the shampoo bottle says — “rinse and repeat.”
Doug Camplejohn is the founder and CEO of Mi5 Networks, a vendor of Web security gateways.