How To Protect Your Business From Malicious People And Places On The Web

Transcription

1 As dynamic rich media and user-generated content enhance the user experience on the Internet, the dangerous threats facing the enterprise network are becoming equally robust. The Web is the new threat vector of choice for hackers and cybercriminals to distribute malware and perpetrate identity theft, financial fraud and corporate espionage. This problem can be organized into three categories: Malicious People, Places and Things on the Web. Dangerous people running scams and stealing identities; dangerous places appearing at the rate of one new domain each second; and dangerous things like malicious links embedded in otherwise safe, well-known Web sites. Ultimately, the gaps in today s enterprise security leave organizations vulnerable to compromise, which can be costly to fix. The constantly evolving threats demand a new approach to security, including comprehensive protection for every Web connection into or out of the enterprise. Figure 1: Over time, the complexities of enterprise security have increased. Additionally, attacks have moved from the infrastructure to the end-user, and for those end-users, from to the more dynamic Web browsers. The first signs of widespread malicious intent on the Internet arrived in the form of virus-infected files attached to messages. Several years of advances in security products and user education have generally closed this distribution channel for malware distributors, but predictably, they have moved on to new techniques. Now, malware distributors have set their sights on exploiting vulnerabilities in software found on virtually every Internet-connected PC in the world: the Web browser. The emergence of Web 2.0 has created a fertile threat environment for malware writers and distributors to spread their wares. Unfortunately, nearly all enterprises are relying solely on decade-old technologies that are ill-equipped to deal with this new breed of threat. Additionally, social networks, blogs, wikis and other collaborative sites pose an ongoing risk of employees discussing proprietary corporate information or posting inappropriate information. 1

2 Malicious People, Places and Things on the Web The Web threats facing enterprises can be classified into three distinct categories: Malicious Places: At any given time, more than 100,000 Web sites exist with the sole purpose of distributing malware. In addition, well-known and trusted sites are regularly hacked and turned into drive-by download distributors, infecting all computers that land on them. These exploits can be devastating to businesses, resulting in compromised PCs, lost productivity, breached confidential data or even damage to the organization s reputation, which can have costly long-term effects. Malicious Things: Malware continues to increase at a rapid pace. Anti-virus vendors can t keep up, particularly with 17,000 new malware threats per day and some 5.5 million pieces of malware identified last year alone. The stealth of malware in the age of Web 2.0 is precisely what makes it so dangerous; while users remain blissfully unaware of its presence, the malware can install key loggers, steal passwords, and send critical information directly from the end-user PC to a remote host. This leaves a wide gap in the network and the organization vulnerable. Malicious People: Who is really on the other side of a Web interaction? Every day, fraud is perpetrated on Web sites such as CraigsList.org, children are targeted by predators on social networking Web sites, and job applicants submit phony resumes and personal information to thwart background checks. A person s online identity and reputation play a critical role in the overall security of today s Web 2.0 world. Malicious Places Prior to the introduction of Web 2.0 technologies, enterprise IT security was concerned primarily with protecting servers from malware distributed through spam. Web security was focused largely on preventing productivity losses due to employees wasting time on unauthorized Web sites. Now, however, the Web browser has replaced as the most dangerous attack vector for malware distributors. In the early days of the Internet, organizations scrambled to create policies guiding employee use of the Web. Because Web pages were static, risks to enterprise network security were minimal. Of course, Acceptable Use Policies (AUP) were designed to serve as reminders for employees to avoid unnecessary Web surfing, but were difficult to enforce until URL filtering and monitoring tools became widely available. Once URL filtering became considered the best option for enforcing AUPs, enterprises scrambled to implement solutions that could monitor traffic and screen out domains that were known to be inappropriate for the workplace. However, even the best-of-breed URL filtering options are restricted only to Web sites they have identified and categorized since the technology became commonplace. While URL filtering certainly is an important feature, particularly in increasing employee productivity and compliance, it cannot be considered a comprehensive security solution on its own. With a new domain registered every second, creating a truly comprehensive list is impossible. 2

3 Malicious People, Places and Things on the Web The Web threats facing enterprises can be classified into three distinct categories: Figure 2: The full range of domains present on the Internet can be broken down into two segments: the big head and the long tail. URL filtering solutions are capable of monitoring and tracking the big head which includes roughly 20 million known URLs. The long tail is comprised of the other 450 million URLs (and counting) that never have been categorized. These domains are the most dangerous, making real-time Web reputation critical to securing users on the Web. Further, these simple URL filtering solutions are based on lists of URLs that have been classified according to the type of content they contain. Chat rooms, online gambling, shopping, Webmail, and other productivity-sapping sites are blocked or restricted, but literally hundreds of millions of other sites remain unclassified. Additionally, this does not take into account the real-time activity on those sites, leaving the enterprise network perpetually at risk. In order to reach the long tail, a system must correlate Web reputation using sophisticated analysis, speed and accuracy. Traditionally, URL filtering products are software- or appliance-based solutions, requiring a capital expenditure for software licenses or server platform, and dedicated IT staff for maintenance and monitoring. Because these solutions run on in-house hardware, they are not scalable to allow for an organization to expand without purchasing additional hardware. Both of the factors make SaaS solutions attractive to a business. Malicious Things It s no secret that as applications acquire more functionality, they become more susceptible to security threats. Today, organizations have security solutions in place to protect them against traditional viruses and malware, but a gap still exists in protection against browser-based attacks. An alarming new trend in malware distribution is the infection of Web sites with massive user bases that are generally considered to be safe destinations. When a known, trusted Web site is hacked, the deficiencies of a Web security solution based solely on URL filtering are exposed. These types of attacks transform thousands of credible business pages into malware-peddling portals every single day. In fact, recent reports show that more than 70% of Web sites serving malware are actually legitimate sites that have been compromised. 3

4 Dating all the way back to November 2006, Wikipedia, one of the most widely used user-submitted information sites on the Web, was compromised. The attackers created a Wikipedia page that promised a Windows security update for a supposedly new version of the Lovesan/W32.Blaster worm, and pointed to an external site with the seemingly authentic domain. Corporations were left vulnerable when employees went to the site and clicked the link. Additionally, a new worm took advantage of a security hole in Yahoo! Mail. Using XSS and Ajax, the Yamanner worm spread itself to every person in the infected user s contact list, and sent the entire list to a remote server. Just prior to the 2007 Super Bowl in Miami, Florida, hackers compromised the Web site of the Miami Dolphins. The hackers were able to install a keystroke logger on the computer of every visitor, enabling them to steal passwords off the victims machines. This attack cost the Dolphins in both time associated with correcting the problem as well as credibility. The complex network of ad providers and ad affiliates has made it easy for attackers to surreptitiously insert malware in online ads. Webmasters frequently supplement their income with pay-per-click ads provided by third parties. Malware distributors will create banner ads directing users to Web sites supposedly offering animated emoticons, screensavers, desktop widgets or other popular downloads, and submit them to the advertising networks with links pointing to perfectly safe pages. Once the advertising network begins distributing the banner ad, the malware writers will replace the originally linked site with a new site hosting malicious content. For example, Trojan-laced banner ads displayed on high-profile Web 2.0 sites such as MySpace and PhotoBucket in 2007 required no user interaction to activate infection. In May 2008, the popular ClassMates.com networking site was infected with spyware called XPOnlineScanner. Hosted by one of ClassMates.com s advertising network servers, this particular malware self-installs on users PCs as soon as they land on the site. Once installed, XPOnlineScanner masquerades as Windows XP anti-virus software, evading end-user detection. Businesses were impacted when corporate resources were used to attack other users, and attackers potentially gained access to personal and corporate information. In other attacks, malware distributors will post a comment on a blog with a seemingly innocuous link to an external site. When readers follow the link, they are immediately infected with whichever malware that page happens to be hosting. In each of these cases, businesses were left vulnerable and in most cases, compromised. Malicious People Web 2.0 is centered on user-generated content and user-based commerce. There are unknown people posting and sending the content and unknown people behind the transactions. That said, the more you know about a user, the better decisions you can make around interacting in this environment. In the early days of Internet commerce, companies such as VeriSign and TRUSTe acted as intermediaries between end users and sellers. Early Web transactions consisted mainly of a one-to-one interaction: a single buyer and the e-commerce site offering items for sale. Web site operators went through confirmation processes with the verification services to gain a seal of approval that would give customers peace of mind in knowing that they were dealing with a legitimate entity. Today, users are flocking toward one-to-many transactions, often purchasing items directly from other individuals through sites such as CraigsList.org and other localized classified advertising sites. This creates a need for establishing an online identity or online reputation, to prevent users from being victims of fraud or other malicious activity on the Internet. Beyond traditional commerce fraud, collaboration and communication are the other two applications vulnerable to social engineering attacks. Hackers often play on the emotions of end users to gain their trust, and eventually access to their private information. This information is then used to steal identities, access bank accounts, or worse. User communities have sprung up around today's interactive sites. These communities bond based on common interests without geographical limitations, paving the way for trust between virtual strangers. This makes it easy to trick captive end-users who are more trusting, especially if an invite comes from a friend of a friend on a site. For example, Second Life (which according to an October 2007 Reuters report, logged 24 Million usage hours in Sept 2007) and other avatar-driven virtual worlds have emerged as targets for pranksters or malware authors. 4

5 Additionally, millions of users flock to sites such as Facebook or LinkedIn every day, creating opportunities to meet people, collaborate and at the same time, be exposed to an increasing number of threats. For businesses, this means big problems when employees are accessing these sites from the corporate network and adequate security solutions are not in place. The bottom line is that online reputations matter, particularly as these threats are amplified with more and more people relying on the rapid spread of information between users for commerce, collaboration and communication. Pieces of the Enterprise Web Security Puzzle Given the shortcomings of URL filtering as a stand-alone security solution, what can be done to protect enterprise networks from the onslaught of Web 2.0 threats? While URL filtering is certainly an important piece of a comprehensive Web security puzzle, organizations must take an integrated layered approach to ensure their security: 1. Reputation Scoring: By monitoring Web traffic patterns around the world, a host reputation can be ascertained based on previous behavior, embedded content characteristics, geographic location and domain registration information. Unlike static URL filtering lists, reputation scoring is a fluid technology that allows Web sites to move within a continuum of dangerous to safe based on changes in behavior. Thus, a site that has been compromised and assigned a dangerous rating can be redeemed after all traces of malware have been removed. 2. URL Filtering: As previously discussed, URL filtering has its place in the big picture of Web security, although organizations also need to deploy something more proactive. While manually compiled lists are no longer an efficient option, they do provide valuable intelligence into the historic behavior of Web sites. Additionally, this is particularly useful in outbound policy and compliance control, increasing employee productivity and improving the safety of company resources. 3. Signature-Based Anti-Virus: Signature-based anti-virus provides security against previously identified viruses. While signature-based solutions are by nature less responsive than dynamic solutions, a signature-based anti-virus element with hourly updates and rapid response to new threats can prove to be an effective tool in a complete Web security suite. 4. Dynamic Anti-Malware: Because Web 2.0 threats are novel and largely unseen by signature-based tools such as URL filters and anti-virus, an effective Web security solution must contain a proactive anti-malware element. String scanning and advanced heuristic technology plays an important role in detecting and stopping unknown Web-based viruses and spyware before they can gain access to your enterprise network. 5. Browser Attack Protection: Traditional anti-virus and object-scanning malware solutions have helped keep the threats posed by viruses and worms at bay, while browser-based attacks continue to increase at an alarming pace. Today s attacks take advantage of the increased server-to-browser interaction that is central to the Web 2.0 applications that are now part of everyday life. 6. Web Acceleration: A security system that disrupts users ability to navigate the Internet due to latency becomes a detriment to productivity and encourages users to seek ways around security safeguards. The best Web security solutions offer multiple layers of caching technology to enable high performance and speed. 7. Application Control: Real-time communications tools, including instant messaging applications such as Yahoo! Instant Messenger and peer-to-peer solutions such as Skype, can leave organizations vulnerable to inbound viruses and malware as well as risks of confidential data leaks. Organizations must be able to control, block and monitor their use. 8. Mobile Device Protection: With an increasingly mobile workforce, protecting users only while in the office is insufficient. Innovative solutions offer protection for remote and mobile users, including those using devices such as an iphone, BlackBerry or Windows Mobile smartphone. 9. Remote Access Protection: The ever-increasing number of laptops in the workplace becomes a bigger threat as employees work from hotels, airports or other remote locations. Comprehensive Web security solutions offer the same level of protection regardless of physical location. 5

6 10. Centralized Management and Reporting: No security system is complete without a comprehensive set of reporting options to notify administrators and other interested parties of security breaches and system alerts. Multiple file formats and notification options should be available to ensure that all recipients receive the reports in a timely manner, and in a file type compatible with their client. 11. Flexible Rule Management: Administrative options should include the ability to create policies based on a per-user or per-group basis. Custom block pages should also be standard fare to ensure that individual organizations can tailor which messages, if any, that their users receive when security issues are identified. Barracuda Purewire Web Security Service As the Internet and its users have matured, opportunities to serve applications over the Web have presented themselves to businesses in every field. Contact management suites from GoldMine and ACT! have found strong competition from Web-based providers like SalesForce.com. Appliance-based security providers IronPort and Secure Computing continue to lose market share to security-as-a-service offerings. Microsoft Office applications now have comparable Web-based competition from Google Apps. Barracuda Purewire Web Security Service provides the most complete protection against Malicious People, Places and Things on the Web, regardless of device or physical location. The Barracuda Purewire Web Security Service, a cloud-based secure Web gateway, protects users from malware, phishing, identity theft, and other harmful activity online in effect, providing a pure wire to the Internet. The service sits between a company s network and the Internet to protect the company s users as they conduct business-critical activities on the Web. Specifically, it: Inspects outbound Web traffic for safety and compliance Analyzes Web site response traffic for malicious programs and untrustworthy users Provides global visibility through comprehensive and flexible reporting to the user level Protects users accessing the Web in the workplace, on laptops and via mobile devices All administrative functions are handled via a standard Web browser, reducing the load on your IT resources. In addition, the licensing structure allows you to purchase only the licenses you need, and is infinitely scalable in both directions to allow your business to grow without necessitating expensive hardware or software upgrades. Why Web Security SaaS? Several industry analysts and independent consultants have conducted research showing the trend and benefits of organizations moving to SaaS solutions. For example, IDC predicts that SMBs will leverage the same SaaS benefits they have gotten from over to Web, with Web security SaaS having the highest planned adoption rate of 14% for SMBs and it becoming a very interesting investment in large enterprises too. Additionally, Gartner predicts that the market for secure Web gateway SaaS is expected to grow by 2500% over the next three years. Finally, Brivo Systems conducted research recently showing that the SaaS model for security platforms is the clear operational and financial winner, with the SaaS solution having nearly a 76% advantage over the server-based solution. To summarize, businesses benefit from implementing their Web security as a service solution through: 6

7 To summarize, businesses benefit from implementing their Web security as a service solution through: Lower administrative overhead, no expensive equipment to maintain, update or replace No hardware requirement Protection of off-lan PCs Predictable pricing on per-user subscription basis Low barrier to switching Competitive SLAs Real-time updates and access to innovation for continuously improving the service on the fly Figure 3: Barracuda Purewire protects users no matter where they are or from what device they are accessing the Web. Best-of-Breed Management and Administration About Barracuda Networks Barracuda Networks Inc. combines premise-based gateways and software, cloud services, and sophisticated remote support to deliver comprehensive security, networking and storage solutions. The company s expansive product portfolio includes offerings for protection against , Web and IM threats as well as products that improve application delivery and network access, message archiving, backup and data protection. Coca- Cola, FedEx, Harvard University, IBM, L'Oreal, and Europcar are among the more than 100,000 organizations protecting their IT infrastructures with Barracuda Networks range of affordable, easy-to-deploy and manage solutions. Barracuda Networks is privately held with its International headquarters in Campbell, Calif. For more information, please visit All administrative functions are handled via a standard Web browser, reducing the load on your IT resources. All critical reports and policy settings are accessible with just a few mouse clicks. Policies can be set globally, applying to every user in the organization, or on a group or user basis, depending on the needs of individual practice groups. For organizations with LDAP or Active Directory servers already in place, Barracuda Purewire will use the groups previously identified as the basis for user- or group-based policy settings. Organizations that do not utilize either LDAP or Active Directory can save their group settings and reporting preferences online directly with the service, eliminating the need to install additional servers for managing groups. The Dashboard is at the heart of the service s administrative functionality. From here, administrators can view up-to-the-minute information on all Web traffic emanating from, or directed to, the enterprise network. Rule setting and reporting features are the best in the industry, with CSV file export capabilities and SMTP alerts. The Dashboard displays an overview of the interactions between the Web service and user Web traffic on a single page. Additional tabs provide one-click access to rule-setting and additional reports. 7 Barracuda Networks 3175 S. Winchester Boulevard Campbell, CA United States info@barracuda.com