There was a time when basic web content and URL filtering of "nasty" sites was an effective defense against web-borne threats. However, cybercriminals realized that by using only known malicious sites to propagate their malware, they were only reaching a tiny portion of the online community. They realized that it would be far more profitable (and in many cases just as easy) to compromise popular legitimate sites (or advertising networks) in order to spread their money-making malware. According to recent research, there are nearly 20,000 malicious websites identified on a daily basis. Nearly 4/5 of those are compromised legitimate sites. Over 70% of malware encountered on the web today is via legitimate websites that the typical corporate employee visits on a regular basis throughout the workday. The increasingly polymorphic and stealthy nature of web-borne attacks (particularly drive-by downloads) is rendering traditional web defenses useless. What steps should corporate IT security teams take to better mitigate the web-based risks facing their corporate data and networks?
Stop relying on outdated URL filtering and IP blacklisting technologies
URL filtering and IP blacklisting are reactive by nature and are no longer scalable or practical in the age of automated malware. In fact with the upcoming migration to IPV6, technologies like IP blacklisting (which is solely based on IPV4) will no longer function. Protection against modern web-based threats requires a layered and integrated approach leveraging multiple technologies to quickly and accurately assess web-based traffic. This can include technologies such as web security gateways, endpoint protection suites, network behavioral analysis, or data leakage prevention.
Install web security gateway (or web-filtering products)
Many newer web-security gateway product offerings aim to provide real-time security intelligence by leveraging cloud technologies. The continual sharing of security information from a community of real-time threat data allows for quicker recognition and response to new threats. In an effort to guard against drive-by downloads, some web gateways look for known exploits and known indicators of drive-by downloads through behavioral analysis or heuristics.
Gateway malware scanning alone will not save you
Ensure browser plug-ins/add-ons are regularly updated
Many web based threats attempt to exploit known browser plug-in vulnerabilities. These un-patched plug-ins increase the success rate of any drive-by download. Instead of relying on employees to regularly update their browser plug-ins, it might be worth investing in a centrally managed update mechanism for applications and browser plug-ins. On a side-note, one of my personal favourite plug-ins is No-Script for Firefox. It prevents any cross-site scripts from running unless explicitly allowed by the user.
Follow secure coding practices for company websites
Countless websites are poorly coded and are susceptible to SQL injections attacks, cross-site scripting (XSS), cross-site request forgeries (CSRF) and a slew of other security maladies. Collectively, we need to make it more difficult for cybercriminals to compromise our websites. Until "hacking" into websites stops being a low-cost/high reward equation the problem will only worsen. Do not be part of the problem; do not allow your corporate website to be a propagator of malware. Ensure your web team is following secure coding best practices.
The ever-increasing business reliance on the web coupled with the trend of legitimate sites being compromised unabashedly means the task of battling malware will remain difficult. The goal should not be to prevent all malware from entering the enterprise but rather to mitigate the risk that web-based malware poses to your company.
Dominic Vogel is currently a security analyst for a financial institution in beautiful Vancouver, British Columbia.