The web is the most formidable malware delivery mechanism we’ve seen to date, outpacing even the most prolific worm or virus in its ability to reach — and infect — a mass audience silently and effectively.

That’s from the 2013 Cisco Annual Security Report. A bit further in the paper I ran across something that is equally troubling:

Many security professionals — and certainly a large community of online users — hold preconceived ideas about where people are most likely to stumble across dangerous web malware.

That comment was of interest to me on several levels. Although I do not consider myself a security professional, I report what they say. And, I am an online user, so the comment had me wondering. Finally, the company I work for recently rolled out an enterprise-wide website blacklist. And if the people creating and selling blacklists are basing their choices on bad assumptions, the blacklist is nothing more than an annoyance.

Preconceived ideas?

Let’s see whether you hold any preconceived ideas of your own. Which websites would you pick as the ones most likely to serve malware? It seems logical to choose the shady sites, you know, the ones selling illegal pharmaceuticals, fake Rolex watches, or p0rn.

If those were your choices as well, then we are both wrong. Cisco reports:

Our data reveals the truth of this outdated notion, as web malware encounters are typically not the by-product of “bad” sites in today’s threat landscape. Web malware encounters occur everywhere people visit on the Internet — including the most legitimate of websites they visit frequently, even for business purposes.

The following slide from the report shows the different kinds of websites, and their likelihood of serving malware to unsuspecting visitors.

[Slide from the report: website categories and their likelihood of serving malware. Source: Cisco]

Dynamic Content websites and Content Delivery Networks top the list at more than 18 percent each. I wasn’t sure what Dynamic Content or Content Delivery Network meant, so I checked with Wikipedia:

  • Dynamic webpage: A dynamic web page is a kind of web page that has been prepared with fresh information (content and/or layout), for each individual.
  • Content Delivery Network: A large distributed system of servers deployed in multiple data centers on the Internet. The goal of a Content Delivery Network is to serve content to end-users with high availability and high performance.

To drive home the point, Cisco then looks at the most popular online applications (social networks and online video, for example), and the percentage of malware exposure encountered by each type.

I noticed search engines have made both slides. Hmmm.

Who’s at fault?

Cisco was quick to point out that none of the websites it researched were intentionally serving malware. But I am not willing to let the developers and website owners off entirely. The report points out:

Exploits remain a significant cause of infection via the web, and their continued presence underscores the need for vendors to adopt security best practices in their product life cycles. Organizations should focus on security as part of the product design and development process, with timely vulnerability disclosures, and prompt/regular patch cycles.

It sounds like there’s blame enough to go around. System administrators responsible for web servers and system administrators responsible for client workstations are both battling vulnerabilities, and both face the never-ending struggle to keep everything as up-to-date as possible.

Next target of opportunity

Cisco offered an opinion as to what most likely will be the bad guys’ next target of opportunity:

The challenge of securing a wide range of applications, devices, and users — whether in an “any-to-any” or Internet of Everything context — is made tougher by the popularity of the cloud as a means of managing enterprise systems.

The report continues, explaining why:

Addressing security challenges presented by virtualization and the cloud requires rethinking security postures to reflect this new paradigm — perimeter-based controls and old models of access and containment need to be changed to secure the new business model.

Final thoughts

What Cisco found is important. Unbeknownst to you, me, our favorite website’s developer, and the website’s owner, the website could be serving malware. And if your system happens to be vulnerable to one of the exploits the malware’s exploit kit carries, you’re going to get infected.

My first run-in with website-based malware was during my research for Malvertising: Adverts that bite (June 2011). It seems the bad guys have spent the last 18 months fine-tuning their craft.

I’d like to extend my thanks to Cisco for their report, and use of slides in the report.