
IT security strategies for mitigating web-based risks

Dominic Vogel offers some tips on mitigating web-based threats. What works and what doesn't in the fight against malware?

There was a time when basic web content and URL filtering of "nasty" sites was an effective defense against web-borne threats. However, cybercriminals realized that by using only known malicious sites to propagate their malware, they were reaching only a tiny portion of the online community. They realized that it would be far more profitable (and in many cases just as easy) to compromise popular legitimate sites (or advertising networks) in order to spread their money-making malware. According to recent research, nearly 20,000 malicious websites are identified every day, and nearly four in five of those are compromised legitimate sites. Over 70% of the malware encountered on the web today is served through legitimate websites that the typical corporate employee visits regularly throughout the workday. The increasingly polymorphic and stealthy nature of web-borne attacks (particularly drive-by downloads) is rendering traditional web defenses useless. What steps should corporate IT security teams take to better mitigate the web-based risks facing their corporate data and networks?

Stop relying on outdated URL filtering and IP blacklisting technologies

URL filtering and IP blacklisting are reactive by nature and are no longer scalable or practical in the age of automated malware. In fact, with the upcoming migration to IPv6, technologies like IP blacklisting (which are based solely on IPv4 addresses) will no longer function. Protection against modern web-based threats requires a layered and integrated approach that combines multiple technologies to quickly and accurately assess web traffic. This can include technologies such as web security gateways, endpoint protection suites, network behavioral analysis, or data leakage prevention.

Install a web security gateway (or web-filtering product)

Many newer web security gateway products aim to provide real-time security intelligence by leveraging cloud technologies. Continual sharing of threat data across a community of users allows new threats to be recognized and responded to more quickly. In an effort to guard against drive-by downloads, some web gateways look for known exploits and known indicators of drive-by downloads through behavioral analysis or heuristics.

Gateway malware scanning alone will not save you

Recent analysis indicates that nearly 70% of new malware appears only once in the wild. In light of these findings, it is striking that the security industry still relies on signature-based scanning. We are seeing effective next-generation web solutions that are capable of analyzing every element of a webpage (as opposed to only the URL). Analyzing each element on a webpage and its origin individually (such as JavaScript, ads and widgets) will go a long way toward identifying and stopping malicious web components.
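The per-element analysis described above can be sketched in a few dozen lines. The following script is an added example, not code from the article or from any gateway product: it parses a page, resolves the origin of every element that can pull in remote content (scripts, frames, images, stylesheets, embedded objects), and classifies each one as first-party, a known third party from an allowlist, an inline script that has no origin to check, or an unknown origin that deserves review. The page URL, the HTML and the allowlist are constructed for the demonstration.

```python
"""Per-element origin analysis of a web page.

Added example (not from the article): instead of judging a page by its URL,
walk every element that can load remote or active content and report where
each one comes from. The sample page, page URL and allowlist below are
constructed for illustration only.
"""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Elements that can trigger a remote fetch, mapped to the attribute holding the URL.
REMOTE_ATTRS = {
    "script": "src",
    "iframe": "src",
    "img": "src",
    "embed": "src",
    "object": "data",
    "link": "href",
}


class ElementCollector(HTMLParser):
    """Collect (tag, url-or-None) for every element listed in REMOTE_ATTRS."""

    def __init__(self):
        super().__init__()
        self.elements = []

    def handle_starttag(self, tag, attrs):
        if tag in REMOTE_ATTRS:
            # A <script> without src is an inline script: url is None.
            self.elements.append((tag, dict(attrs).get(REMOTE_ATTRS[tag])))


def origin_of(url):
    """Return 'scheme://host[:port]' for an http(s) URL, or None for anything else."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return None
    return f"{parts.scheme}://{parts.netloc.lower()}"


def analyze_page(page_url, page_html, allowed_third_parties):
    """Classify each remote-loading element of page_html (as served at page_url).

    Verdicts:
      first-party  same origin as the page itself
      allowed      origin is in the allowlist of known third parties
      inline       a <script> with no src: nothing to resolve, review the code
      review       any other origin, or a non-http(s) scheme
    """
    collector = ElementCollector()
    collector.feed(page_html)
    page_origin = origin_of(page_url)
    findings = []
    for tag, ref in collector.elements:
        if ref is None:
            if tag == "script":
                findings.append({"tag": tag, "url": None, "origin": None, "verdict": "inline"})
            continue  # an <img> or <link> with no URL loads nothing
        absolute = urljoin(page_url, ref)  # resolves relative and protocol-relative refs
        origin = origin_of(absolute)
        if origin is None:
            verdict = "review"
        elif origin == page_origin:
            verdict = "first-party"
        elif origin in allowed_third_parties:
            verdict = "allowed"
        else:
            verdict = "review"
        findings.append({"tag": tag, "url": absolute, "origin": origin, "verdict": verdict})
    return findings


def summarize(findings):
    """Count verdicts so a reviewer sees at a glance how much of the page is foreign."""
    counts = {}
    for f in findings:
        counts[f["verdict"]] = counts.get(f["verdict"], 0) + 1
    return counts


# Constructed sample input: a corporate news page pulling in a trusted CDN,
# an unknown widget vendor and an ad network slot.
SAMPLE_PAGE_URL = "https://www.example-corp.test/news/index.html"
SAMPLE_ALLOWLIST = {"https://cdn.trusted-cdn.test"}
SAMPLE_HTML = """
<html><head>
  <link rel="stylesheet" href="/static/site.css">
  <script src="/static/app.js"></script>
  <script src="//cdn.trusted-cdn.test/lib.js"></script>
  <script src="https://widgets.unknown-vendor.test/w.js"></script>
</head><body>
  <img src="https://www.example-corp.test/logo.png">
  <iframe src="https://ads.some-adnetwork.test/slot?id=1"></iframe>
  <script>var pageId = 7;</script>
</body></html>
"""

if __name__ == "__main__":
    results = analyze_page(SAMPLE_PAGE_URL, SAMPLE_HTML, SAMPLE_ALLOWLIST)
    for f in results:
        print(f"{f['verdict']:12} {f['tag']:7} {f['url'] or '(inline script)'}")
    print(summarize(results))
```

On the constructed page this reports three first-party elements, one allowed CDN script, one inline script and two elements for review (the unknown widget script and the ad-network frame). The point is the granularity: the page URL itself is clean, and only an element-by-element view exposes which foreign origins are actually being executed in the employee's browser.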

Ensure browser plug-ins/add-ons are regularly updated

Many web-based threats attempt to exploit known browser plug-in vulnerabilities. These unpatched plug-ins increase the success rate of any drive-by download. Instead of relying on employees to regularly update their browser plug-ins, it might be worth investing in a centrally managed update mechanism for applications and browser plug-ins. On a side note, one of my personal favourite plug-ins is NoScript for Firefox. It prevents scripts, including cross-site scripts, from running unless the user explicitly allows them.

Follow secure coding practices for company websites

Countless websites are poorly coded and are susceptible to SQL injection attacks, cross-site scripting (XSS), cross-site request forgery (CSRF) and a slew of other security maladies. Collectively, we need to make it more difficult for cybercriminals to compromise our websites. Until "hacking" into websites stops being a low-cost/high-reward equation, the problem will only worsen. Do not be part of the problem; do not allow your corporate website to be a propagator of malware. Ensure your web team is following secure coding best practices.
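To make the three named weaknesses concrete, here is an added example (not the article's code, and not taken from any real site) that shows each one in its vulnerable form next to the hardened form a secure coding standard would require: a string-built SQL query beside a parameterized one, unescaped HTML output beside escaped output, and a state-changing handler that trusts the session cookie alone beside one that also demands a per-session CSRF token. It uses only the Python standard library; the in-memory user table, the session dictionary and the request values are constructed for the demonstration.

```python
"""SQL injection, XSS and CSRF: vulnerable and hardened forms side by side.

Added example, not from the article. The database, users and request data
below are constructed for illustration.
"""
import hmac
import html
import secrets
import sqlite3


def make_db():
    """Constructed in-memory user table used by the lookups below."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, display_name TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "Alice"), ("bob", "Bob")])
    return conn


# --- SQL injection -----------------------------------------------------------

def lookup_user_vulnerable(conn, username):
    """Concatenates untrusted input into the SQL text, so input can alter the query."""
    query = f"SELECT display_name FROM users WHERE username = '{username}'"
    return [row[0] for row in conn.execute(query)]


def lookup_user_safe(conn, username):
    """Parameterized query: the value travels separately from the SQL and is never parsed as SQL."""
    query = "SELECT display_name FROM users WHERE username = ?"
    return [row[0] for row in conn.execute(query, (username,))]


# --- Cross-site scripting (XSS) ----------------------------------------------

def render_greeting_vulnerable(display_name):
    """Interpolates untrusted text straight into HTML; markup in the text is interpreted."""
    return f"<p>Hello, {display_name}!</p>"


def render_greeting_safe(display_name):
    """Escapes &, <, > and quotes so the browser shows the text instead of executing it."""
    return f"<p>Hello, {html.escape(display_name)}!</p>"


# --- Cross-site request forgery (CSRF) ---------------------------------------

def issue_csrf_token(session):
    """Generate a random per-session token, store it server-side, and embed it in forms."""
    token = secrets.token_urlsafe(32)
    session["csrf_token"] = token
    return token


def handle_transfer_vulnerable(session, form):
    """Acts on any POST that arrives with a valid session cookie (session is not consulted)."""
    return {"ok": True, "amount": form["amount"]}


def handle_transfer_safe(session, form):
    """Rejects the request unless the form carries the token bound to this session."""
    expected = session.get("csrf_token", "")
    supplied = form.get("csrf_token", "")
    # Constant-time comparison; encode so non-ASCII input cannot raise instead of failing.
    if not expected or not hmac.compare_digest(expected.encode(), supplied.encode()):
        return {"ok": False, "error": "missing or invalid CSRF token"}
    return {"ok": True, "amount": form["amount"]}


if __name__ == "__main__":
    conn = make_db()
    crafted = "' OR '1'='1"  # constructed input that closes the quoted literal
    print("SQLi vulnerable:", lookup_user_vulnerable(conn, crafted))  # every user
    print("SQLi safe      :", lookup_user_safe(conn, crafted))        # nothing matches
    markup = "<script>alert(1)</script>"
    print("XSS  vulnerable:", render_greeting_vulnerable(markup))
    print("XSS  safe      :", render_greeting_safe(markup))
    session = {}
    token = issue_csrf_token(session)
    print("CSRF no token  :", handle_transfer_safe(session, {"amount": "10"}))
    print("CSRF with token:", handle_transfer_safe(session, {"amount": "10", "csrf_token": token}))
```

The pattern in all three cases is the same: keep untrusted data out of the place where it would be interpreted as code or as proof of intent. Parameters keep data out of the SQL grammar, escaping keeps it out of the HTML grammar, and a secret the browser will not attach automatically keeps a forged request from passing as the user's own.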

The ever-increasing business reliance on the web coupled with the trend of legitimate sites being compromised unabashedly means the task of battling malware will remain difficult. The goal should not be to prevent all malware from entering the enterprise but rather to mitigate the risk that web-based malware poses to your company.

About

Dominic Vogel is currently a security analyst for a financial institution in beautiful Vancouver, British Columbia.

1 comment

JCitizen

I also suggest we start using utilities that can foil the mission of the criminals by working well in an infected environment, and be resistant to manipulation; usually by working at close to the operating system kernel level. Your HIPS suggestion is good, and I also recommend a good password encryption manager, and a keyboard/video scrambler to thwart the spies you will inevitably contract from normal web existence. I have no affiliation with Keyscrambler but it is the only one I've tested that blocks every spy engine scheme that is known. Rapport is gaining a good reputation for providing a good browser "bubble" that is resistant to same, but also blocks several types of attempted browser manipulation; up to and including SSL session riding. For merchant sites that wish to reduce the kinds of problems that can happen in today's threat environment, it can't hurt to provide a rock solid multi-factor authentication scheme also. One of the simplest and most creative of these I've seen in a while is Passwindow, which seems to have a lot going for it - even for mobile devices - and I quite frankly think it has "chip-and-pin" beat, in this arena. Once again I will state that I have no affiliation with any of these companies, and my opinion is simply one of experience and observation.
