
Enabling a safer internet: The positive approach to web security

With one new infected webpage discovered every 4.5 seconds, there is no longer any such thing as a trusted website. As the internet becomes an increasingly mission-critical tool, new media such as blogs and social networking sites are a necessary part of business. This paper describes today's new web threats, highlights the need for a positive security model to replace yesterday's access-blocking approach, and describes the three pillars of protection organizations need to safeguard their systems and resources.

A Sophos white paper

April 2009


Web-based malware: the new weapon
With one new web page infected every 4.5 seconds,1 the web is now the number one vector of attack for cybercriminals. Taking advantage of web infrastructure vulnerabilities, particularly the ever-increasing capability for user-submitted content, hackers are able to covertly inject malicious code into more and more legitimate sites. This web-based malware then exploits social engineering tactics or browser vulnerabilities to infect visitors, the intention being to surreptitiously steal confidential information directly, install further malicious code or, worse, silently recruit the host system into a botnet: a network of hijacked computers used to distribute further malware, spyware or spam. Thousands of systems are infected in this way every day, and the activity is particularly lucrative for the criminals: a single compromised computer can give access to thousands of confidential records. This significant security risk can be extremely costly to businesses, with some estimates putting the cost of a data breach at millions, and even billions, of dollars.2

In addition to significant security and financial risks, organizations have to deal with the legal implications of security breaches. Organizations can be legally liable if their computers are used to view pornography or hate material or to incite illegal behavior. There are also ramifications if users violate third-party licenses through illegal MP3, film and software downloads. At the same time, uncontrolled web browsing can have serious productivity implications, with unauthorized surfing potentially causing network slowdown, staff inefficiency and further security (and legal) risk if sensitive company or personal data is posted online.

Exploiting legitimate, trusted brands


Hackers don't tend to discriminate between websites. Large, more established brands with high traffic volumes are very attractive to cybercriminals, but smaller organizations are equally likely to fall victim. The only criterion is that the website has vulnerabilities that the hacker can exploit. The techniques used continue to evolve rapidly, and the following sections look at what hackers are doing today.

One newly infected webpage is discovered every 4.5 seconds.
Sophos security threat report 2009.1


Infecting trusted sites with SQL injection attacks


One of the main threats comes from SQL injection attacks. Such attacks exploit security vulnerabilities to insert malicious code (in this case script tags) into the database behind a site. When user input, for instance via a web form, is not correctly filtered or checked, the attacker's input is executed as part of the site's own database queries and peppers the database with malicious content. Websites that have been attacked in this way include:

BusinessWeek magazine, one of the 1000 busiest websites, which attempted to download malware from a Russian-based server.3

An area of the Adobe website designed to offer support to video bloggers, which tried to download spyware.4

Sony's US PlayStation website, putting visitors at risk from a scareware attack.5

Recovery from a SQL injection attack can be difficult, and there are numerous cases of website owners cleaning up their database only to be hit again a few hours later.

New gateways for cybercrime

The new freedoms opened up by the web, blurring the lines between work and social interaction and offering easy ways to share information, have opened up new loopholes for cybercriminals to exploit.

Social networking sites

A favorite target for today's hackers are social networking websites. People who have learned to be suspicious of email links are on the whole less savvy about links posted on Facebook and the like. Hackers have found value in compromising Facebook accounts, stealing usernames and passwords, and then using the profiles as a launching pad for mass-distributing malware attacks and spam.6 In August 2008, Facebook admitted that up to 1800 users had had their profiles defaced by an attack that secretly installed a Trojan while displaying an animated graphic of a court jester blowing a raspberry.7 One particularly active threat is Koobface, a family of worms, and its rapid evolution demonstrates the wide range of social networks that are vulnerable.8 Initially targeting Facebook and MySpace, Koobface now targets a more diverse set of social networks, including MySpace, Bebo, hi5, GeoCities, Friendster and Tagged.9 The malware works by directing your friends on your social-networking site to click on a link to another site purporting to contain a video clip. If they are tricked into downloading an executable to watch the video at the third-party website, a message is displayed: "Error installing Codec. Please Contact Support." The malware then accesses Facebook, MySpace and the other networks to spread itself further.10 The websites to which victims are directed use a script to check which of these social networking sites has sent them there. The aim is to serve up malware specifically tailored to the networks of which you're known to be a member (though in fact to date these links all result in the same executable).

Blogs, micro-blogs and hackers

Hackers are also targeting other social media such as blogs. In much the same way that they set up malicious pages on fake websites and then use social engineering techniques to lure visitors to them, they are using free blogging services to create infected blogs. Unsuspecting victims then receive emails with links to the blog, from which malicious software is downloaded.

At the same time, vulnerabilities in common legitimate blogging platforms, just like any other platform, can be, and are, exploited by criminals. Of note is the micro-blogging site Twitter, which has begun to be targeted. In January 2009, Twitter's internal systems were hacked and the accounts of Britney Spears, Fox News and Barack Obama, among others, were broken into.11 Two months later hundreds of Twitter users were hit when messages were sent from compromised accounts trying to drive traffic to a pornographic website.12
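Returning to the SQL injection attacks described above: the following Python example is added here as an illustration and is not code from the paper or from Sophos. It uses an in-memory SQLite table to stand in for the database behind a site that stores user-submitted comments, and places the unfiltered string-building that lets a crafted form field change the shape of the INSERT statement beside the parameterized form that stores the same text as plain data. The comment text, the table layout and the `malware.invalid` host are constructed for the example.

```python
import html
import sqlite3

def new_db():
    """Constructed stand-in for the database behind a site with user comments."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE comments (id INTEGER PRIMARY KEY, author TEXT, body TEXT)")
    return conn

# Constructed form input. The single quote closes the SQL string literal in the
# vulnerable version, so the rest of the text is parsed as SQL, not stored as text.
TAINTED_BODY = "great article'), ('injected', '<script src=\"http://malware.invalid/x.js\"></script>"

def add_comment_vulnerable(conn, author, body):
    """Vulnerable: user input is spliced straight into the SQL statement."""
    sql = f"INSERT INTO comments (author, body) VALUES ('{author}', '{body}')"
    conn.execute(sql)

def add_comment_safe(conn, author, body):
    """Hardened: placeholders keep user input as data; it cannot alter the statement."""
    conn.execute("INSERT INTO comments (author, body) VALUES (?, ?)", (author, body))

def stored_bodies(conn):
    return [row[0] for row in conn.execute("SELECT body FROM comments ORDER BY id")]

def render(conn):
    """Second control: escape on output, so a script tag that does reach the
    database is shown to visitors as text rather than executed by their browser."""
    rows = conn.execute("SELECT author, body FROM comments ORDER BY id").fetchall()
    return "\n".join(f"<p><b>{html.escape(a)}</b>: {html.escape(b)}</p>" for a, b in rows)

def demo_vulnerable():
    conn = new_db()
    add_comment_vulnerable(conn, "alice", TAINTED_BODY)
    return stored_bodies(conn)   # two rows: the second one chosen by the attacker

def demo_safe():
    conn = new_db()
    add_comment_safe(conn, "alice", TAINTED_BODY)
    return stored_bodies(conn)   # one row holding exactly the submitted text

if __name__ == "__main__":
    print("vulnerable:", demo_vulnerable())
    print("safe:      ", demo_safe())
    conn = new_db()
    add_comment_safe(conn, "alice", TAINTED_BODY)
    print(render(conn))
```

Running the file shows the vulnerable path storing two rows, one of them attacker-chosen and carrying a script tag, while the safe path stores the submitted text as a single row. The `render` function is the complementary control for the scenario the paper describes: parameterized queries stop the injection, and output escaping means that even content which does reach the database is displayed as text rather than run in the visitor's browser.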

The spread of the phishing net

Phishing attacks, whereby unsuspecting users are directed to a bogus login page which requests their username and password, continue to be a significant threat. A common misconception is that phishing is just a banking problem. It remains, of course, a banking problem, but it is now also a problem for social networking sites, such as MySpace, Facebook and Bebo, and a wide range of other networks and enterprises. A handful of examples from February and March 2009 alone demonstrate the scale of the problem.

Google: A phishing campaign spread via the Google Talk chat system.13

iStockphoto: A phishing attack was perpetrated across iStockphoto's online forums and via the site's mail system.14

Gaming community: The Valve Steam network was targeted by a phish offering add-ons for the new zombie shooter Left 4 Dead.15

PayPal: An unusual type of phishing attack spammed out malware within a RAR attachment.16

HMRC: The passing of the deadline for submitting tax returns to HM Revenue & Customs in the UK prompted a phish.17

The risks posed by anonymizing proxies

Many organizations have responded to the growing web threat by using URL filtering to curtail internet browsing. This has motivated many users to respond by using anonymizing proxies, which disguise the true nature of a website in order to trick an organization's web filter into allowing access. Anonymizing proxies are big business in the underground economy, driven by advertising revenues and subscription fees. Hundreds of new anonymizing proxies are created daily and distributed via blogs, forums and dedicated websites. There is also a growing number of unknown private anonymizing proxies set up and maintained by individuals or small groups for their own use. This makes it extremely easy for users to access any site they want through an anonymizing proxy, but a difficult, tedious and time-consuming task for administrators to track and block them. Anonymizing proxies hold significant risks for organizations:

Security: If users are browsing via anonymizing proxies, then in addition to bypassing URL filtering they might also be circumventing content scanning at the perimeter, which dramatically increases the chance of infection. There are even anonymizing proxies that are themselves, either accidentally or deliberately, infected with malware.

Liability: Unrestricted access to inappropriate material or illegal downloads could have serious legal ramifications for an organization, as could the sharing of confidential information over the internet.

Productivity: The ability for users to bypass their organization's web filter means they could spend all day on, for example, social networking sites rather than working, and consume valuable network bandwidth.

Anonymizing proxies bypass URL filtering and create enormous security vulnerabilities.

The three pillars of modern web protection

Internet access creates a dilemma for network administrators: on the one hand, the risks presented by allowing unfettered access to the web are enormous, yet the internet is undeniably becoming a mission-critical business tool. Social networking sites, blogs, forums and media portals have all become important instruments for employee recruitment, viral marketing, public relations, customer interaction and research; they cannot be blocked without seriously impacting business productivity and effectiveness. A new approach to web security and control is required that fully supports the needs of business, equipping users with the tools they need to be more effective while eliminating the associated risks of potential infection from trusted, legitimate sites. In addition to good preventive practices, such as rigorous patching and educating users about the risks of browsing, it is vital that organizations implement a comprehensive web security solution, comprising three key pillars of protection:

Reputation-based filtering
Real-time predictive malware filtering
Content-based filtering.

pillar one

Reputation-based filtering

Reputation-based filters are the first critical component in the fight against web-based threats. They prevent access to a catalog of sites that are known to have hosted malware or other unwanted content, by filtering URLs based on their reputation as good or bad, and are an established and proven tool for protecting against web-based threats that are already known and located. As well as providing this basic form of preventive protection, they help optimize network performance and staff productivity by blocking access to illegal, inappropriate or non-business-critical web content.

Although traditional URL filters often connect to vast, regularly updated databases of sites known to host malware or suspicious content, they have several significant shortcomings. In particular, they offer no protection against malware hosted on legitimate, previously safe sites that have been hijacked. Neither do they protect against malware on newly created websites. Cybercriminals are well aware of, and readily exploit, the fact that traffic from these sites is not blocked and that malware, whether new or old, will be allowed into an organization.

Another significant shortcoming of traditional URL filters is that they often lack an effective solution to the enormous issue of anonymizing proxies. To prevent users from bypassing filtering controls, the following two components are critical in forming a defense against anonymizing proxy use:

A reputation-based service that actively seeks out new anonymizing proxies as they are published and updates the filtering database at frequent, regular intervals.

A real-time proxy detection engine that automatically inspects traffic for signs that it's being routed through a proxy, effectively closing the door on private proxies or other proxies not identified through the reputation service.
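As an added illustration of the first pillar (this is example code, not the paper's or the Sophos appliance's), the Python below implements the core of a reputation-based URL filter: it normalizes a requested URL to a hostname, walks up through the parent domains so that subdomains inherit a catalogued reputation, and applies a category policy that covers known malware hosts and catalogued anonymizing proxies, with a catalog update standing in for the feed a reputation service pushes. The catalog entries (hostnames under the reserved `.invalid` domain), the category names and the policy are all constructed for the example. It also makes the gap the text describes visible: a site the catalog has never seen is allowed whatever it is currently serving, which is exactly the case of a legitimate site hijacked after the catalog was built.

```python
from urllib.parse import urlsplit

# Constructed reputation catalog (hostnames under the reserved .invalid TLD,
# not real sites): hostname -> reputation category.
REPUTATION_CATALOG = {
    "malware-host.invalid": "malware",
    "free-proxy.invalid": "anonymizing-proxy",
    "bets.invalid": "inappropriate",
    "news-site.invalid": "news",
}

# Constructed policy: categories the gateway refuses. Everything else,
# including hosts the catalog has never seen, is allowed.
BLOCKED_CATEGORIES = {"malware", "anonymizing-proxy", "inappropriate"}

def host_of(url):
    """Reduce a URL to a comparable hostname: lower-case, no port, no trailing dot."""
    return (urlsplit(url).hostname or "").lower().rstrip(".")

def lookup(host):
    """Check the host, then each parent domain, so that cdn.malware-host.invalid
    inherits the reputation of malware-host.invalid. The bare TLD is never checked."""
    labels = host.split(".")
    for i in range(len(labels) - 1):
        category = REPUTATION_CATALOG.get(".".join(labels[i:]))
        if category is not None:
            return category
    return "unknown"

def reputation_decision(url):
    """Allow or block a request purely on the catalogued reputation of its host."""
    host = host_of(url)
    category = lookup(host)
    action = "block" if category in BLOCKED_CATEGORIES else "allow"
    return {"host": host, "category": category, "action": action}

def add_to_catalog(host, category):
    """Model the update a reputation service pushes, e.g. a newly published
    anonymizing proxy; it takes effect for the next lookup."""
    REPUTATION_CATALOG[host.lower().rstrip(".")] = category

if __name__ == "__main__":
    for url in ("http://CDN.Malware-Host.invalid:8080/update.exe",
                "http://free-proxy.invalid/browse.php",
                "https://news-site.invalid/story.html",
                "https://www.never-seen-before.invalid/"):
        print(reputation_decision(url))
    # A legitimate site compromised after the catalog was built looks exactly
    # like the last line printed: category unknown, therefore allowed.
```

The last two decisions are the ones worth noticing: the catalogued news site and the never-seen host are both allowed, and nothing in this pillar looks at what they return. That is why the paper pairs reputation filtering with real-time scanning and content-based filtering of the response itself.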


pillar two

Real-time predictive malware filtering

Real-time predictive malware filtering goes a long way to closing the gap left by reputation-based filters. All web traffic passes through a scanner designed to identify both known and newly emerging zero-day malware. The malware engine is optimized for low-latency scanning, and whenever a user accesses a website, irrespective of its reputation or category, the traffic is scanned using a combination of signatures and behavior-based technologies.

It is worth noting that this type of real-time scanning has a further advantage over traditional URL filters, in that the filtering is, almost by definition, bi-directional: both the user request to, and information returning from, the web server are scanned. In addition to detecting known malware as it moves across legitimate sites, this bi-directional filtering can also provide protection against new threats regardless of where they are hosted.

The use of real-time predictive threat filtering remains uncommon amongst many of the leading web filtering security solutions in the market today. Many security vendors are currently relying on signatures alone. Others who are fairly recent entrants to the market claim comprehensive solutions but lack the evidence to prove they are delivering fully proactive protection.

Key questions to ask a prospective vendor

Does the URL database used for your reputation-based filtering have global coverage?
How frequently is your product updated to cover new threats?
How many new threat-hosting sites are identified daily?
Do you scan all incoming traffic for malware in real time?
Do you use your own technology for malware scanning or rely on third parties?
Is your malware scanning engine signature-based or does it use behavioral analysis?
Is there an additional cost for real-time malware filtering?
Is there a performance impact for real-time malware filtering?
How many anonymizing proxies do you catalog daily?
Does your solution identify anonymizing proxy use in real time?
Do you analyze the true content of files, or rely on the extension or the MIME type?
Do you scan HTTPS-encrypted traffic?
Can you demonstrate real research expertise in web threats?
Do you have independent statistics of your proactive web threat detection rates?
Can I see a demo of the admin console to see how easy it is to use?
Are there on-board monitors to track software, hardware and traffic health?
How are issues reported to the administrator? Via email? Via phone call?
Do you provide real-time uptime monitoring to assure the system is available 24/7?

pillar three

Content-based filtering

Content-based filtering analyzes all web traffic on the network to determine the true file type of content coming back from a website and can allow or disallow this traffic, based on corporate policy.

Content filters scan the actual content of a file, rather than simply looking at the file extension or the MIME type reported by the web server, and so can identify and block files that are masquerading as innocent or allowed file types but really contain unauthorized content. A file might, for example, have a .TXT extension but in fact be an executable file. By enabling enforcement of business-type content only, this pillar of protection enables organizations to create policies around a variety of content types that can be used to send malware, thereby reducing the risks of infection. For example, Windows executables or screensavers might be disallowed. Content-based filtering also improves bandwidth optimization by blocking large or resource-hungry content, such as streaming video.
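To show what determining the "true file type" means in practice, here is an added Python example (not the paper's or Sophos's code) of a content-based check that classifies a response body by its leading bytes instead of trusting the file extension or the Content-Type header, then applies a constructed policy that blocks Windows executables, which covers .SCR screensavers as well since they share the same format. The signature list uses standard, publicly documented magic numbers; the URLs, headers, response bodies and the policy itself are constructed for the example.

```python
# Well-known leading byte sequences ("magic numbers") for file types a web
# gateway policy typically cares about. These are standard public values.
SIGNATURES = [
    (b"MZ", "application/x-dosexec"),          # Windows EXE/DLL/SCR (screensavers)
    (b"\x7fELF", "application/x-elf"),
    (b"%PDF-", "application/pdf"),
    (b"\x89PNG\r\n\x1a\n", "image/png"),
    (b"GIF87a", "image/gif"),
    (b"GIF89a", "image/gif"),
    (b"PK\x03\x04", "application/zip"),
]

# Constructed policy: content types that must not reach the desktop.
BLOCKED_TYPES = {"application/x-dosexec", "application/x-elf"}

def sniff_type(body):
    """Classify a response body by its own bytes, not by filename or header."""
    for magic, mime in SIGNATURES:
        if body.startswith(magic):
            return mime
    try:
        body.decode("utf-8")
        return "text/plain"
    except UnicodeDecodeError:
        return "application/octet-stream"

def declared_type(content_type_header):
    """Strip parameters such as '; charset=utf-8' and normalize case."""
    return content_type_header.split(";")[0].strip().lower()

def inspect_response(url, content_type_header, body):
    """Compare what the server claims with what the bytes say, and apply policy
    to the real type: a renamed executable is blocked however it is labelled."""
    actual = sniff_type(body)
    declared = declared_type(content_type_header)
    return {
        "url": url,
        "declared": declared,
        "actual": actual,
        "mismatch": actual != declared,
        "action": "block" if actual in BLOCKED_TYPES else "allow",
    }

if __name__ == "__main__":
    # Constructed responses: a file served as readme.txt with text/plain whose
    # bytes begin with the Windows executable header, a genuine text file, and a PNG.
    samples = [
        ("http://example.invalid/readme.txt", "text/plain", b"MZ\x90\x00\x03\x00\x00\x00\x04\x00"),
        ("http://example.invalid/notes.txt", "text/plain; charset=utf-8", b"meeting notes\n"),
        ("http://example.invalid/logo.png", "image/png", b"\x89PNG\r\n\x1a\n" + bytes(8)),
    ]
    for url, header, body in samples:
        print(inspect_response(url, header, body))
```

The first sample is the case the text describes: a .TXT name and a text/plain header wrapped around an executable, blocked because the policy is applied to the sniffed type rather than the declared one. The `mismatch` field is reported separately from the decision on purpose: a gateway engine classifies far more formats than this short list, and a disagreement between header and bytes (an HTML page labelled text/plain, say) is worth logging but is not by itself grounds to block.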

User education as a tool for defense

Many businesses have successfully educated users about how to spot email-borne threats, and while the fight against web-based threats relies much more heavily on sophisticated technology, users can and should be engaged in the fight. Many firms already have procedures in place that define which websites are considered appropriate, but few have updated these to include guidance on how to avoid infection whilst surfing the net. A good policy will dictate that:

Employees must never open spam emails
Employees must never click on links included in emails sent from unknown senders
IT must ensure that the organization's web browsers are patched at all times
Employees should minimize their non-work-related browsing for both security and productivity reasons.

Users can also be encouraged or required to report unusual behavior, such as their computer suddenly becoming slow, their browser's homepage changing without any input from them, or a file they open that appears to do nothing.

Conclusion

Every minute of every day, cybercriminals are looking to exploit web traffic for commercial gain, and since web browsing is integral to most businesses' day-to-day activities, the web gateway must be equipped with a security solution that enables business and users to be productive while providing the security essential to ensure a risk-free experience. Organizations looking to protect against the growing threat of web-based malware need a solution that above all demonstrates its security attributes and combines powerful site and content controls with low-impact, effective administration. At the same time, end-user expectations and requirements for speed, efficiency and open access to the tools and sites they need must be met. Solutions which fail to meet these demands for security, control, performance and accessibility will ultimately fail the organization.


Sources
1 Sophos security threat report, 2009. secure.sophos.com/sophos/docs/eng/marketing_material/sophos-security-threat-report-jan-2009-na.pdf
2 www.infowatch.com/threats?chapter=162971949&id=207784708
3 www.sophos.com/blogs/gc/g/2008/09/15/hackers-infect-businessweek-website-via-sql-injection-attack
4 www.sophos.com/pressoffice/news/articles/2008/10/adobe-infection.html
5 www.sophos.com/pressoffice/news/articles/2008/07/playstation.html
6 www.sophos.com/blogs/gc/g/2008/09/17/facebook-malware-is-a-real-threat
7 www.sophos.com/blogs/gc/g/2008/08/07/more-malicious-links-seen-on-facebook
8 www.sophos.com/security/analyses/viruses-and-spyware/w32koobfagen.html
9 www.sophos.com/security/blog/2009/02/3215.html
10 www.sophos.com/blogs/gc/g/2008/08/04/facebook-and-myspace-malware
11 www.sophos.com/blogs/gc/g/2009/01/07/celebrity-twitter-accounts-hacked
12 www.sophos.com/blogs/gc/g/2009/03/06/chatwebcamfree-attack-hits-twitter-users
13 www.sophos.com/blogs/gc/g/2009/02/25/gmail-users-hit-viddyho-phishing-chat-attack
14 www.sophos.com/blogs/gc/g/2009/03/04/istockphoto-struck-phishing-attack
15 www.sophos.com/security/blog/2009/02/3426.html
16 www.sophos.com/security/blog/2009/02/3287.html
17 www.sophos.com/security/blog/2009/02/3071.html

Sophos solution
The Sophos Web Appliance, part of Web Security and Control, blocks spyware, viruses, phishing, malware and unwanted applications at the gateway, searching for and blocking anonymizing proxies, and enabling comprehensive web access control for safe, productive web browsing. It features an innovative, full-spectrum scanning engine that detects all threats through a unique combination of reputation-based filtering, real-time predictive threat filtering, and content-based filtering. Its easy-to-use management console and powerful reporting tools, which deliver rapid insight into web traffic, threats and user behavior, enable secure browsing without the complexity of traditional web filters. As a managed appliance, the Sophos Web Appliance features remote heartbeat monitoring and on-demand remote assistance, ensuring it delivers the most dependable web security in the industry.

Visit www.sophos.com/products/enterprise/free-trials for a free 30-day trial.

Boston, USA | Oxford, UK


Copyright 2009. Sophos Plc. All rights reserved. All trademarks are the property of their respective owners.
tr/090320
