There was a time when basic web content and URL filtering of “nasty” sites was an effective defense against web-borne threats. However, cybercriminals realized that by using only known malicious sites to propagate their malware, they were only reaching a tiny portion of the online community. They realized that it would be far more profitable (and in many cases just as easy) to compromise popular legitimate sites (or advertising networks) in order to spread their money-making malware. According to recent research, there are nearly 20,000 malicious websites identified on a daily basis. Nearly 4/5 of those are compromised legitimate sites. Over 70% of malware encountered on the web today is via legitimate websites that the typical corporate employee visits on a regular basis throughout the workday. The increasingly polymorphic and stealthy nature of web-borne attacks (particularly drive-by downloads) is rendering traditional web defenses useless. What steps should corporate IT security teams take to better mitigate the web-based risks facing their corporate data and networks?

Stop relying on outdated URL filtering and IP blacklisting technologies

URL filtering and IP blacklisting are reactive by nature and are no longer scalable or practical in the age of automated malware. In fact with the upcoming migration to IPV6, technologies like IP blacklisting (which is solely based on IPV4) will no longer function. Protection against modern web-based threats requires a layered and integrated approach leveraging multiple technologies to quickly and accurately assess web-based traffic. This can include technologies such as web security gateways, endpoint protection suites, network behavioral analysis, or data leakage prevention.

Install web security gateway (or web-filtering products)

Many newer web-security gateway product offerings aim to provide real-time security intelligence by leveraging cloud technologies. The continual sharing of security information from a community of real-time threat data allows for quicker recognition and response to new threats. In an effort to guard against drive-by downloads, some web gateways look for known exploits and known indicators of drive-by downloads through behavioral analysis or heuristics.

Gateway malware scanning alone will not save you

Recent analysis indicates that nearly 70% of new malware only appears once in the wild. In light of these revelations it seems rather trite that the security industry is still relying on signature-based scanning solutions. We are seeing effective next-gen web solutions that are capable of analyzing every element of a webpage (as opposed to only the URL). Analyzing each element on a webpage and its origins individually (such as JavaScript, ads and widgets) will go a long way in identifying and stopping malicious web components.

Ensure browser plug-ins/add-ons are regularly updated

Many web based threats attempt to exploit known browser plug-in vulnerabilities. These un-patched plug-ins increase the success rate of any drive-by download. Instead of relying on employees to regularly update their browser plug-ins, it might be worth investing in a centrally managed update mechanism for applications and browser plug-ins. On a side-note, one of my personal favourite plug-ins is No-Script for Firefox. It prevents any cross-site scripts from running unless explicitly allowed by the user.

Follow secure coding practices for company websites

Countless websites are poorly coded and are susceptible to SQL injections attacks, cross-site scripting (XSS), cross-site request forgeries (CSRF) and a slew of other security maladies. Collectively, we need to make it more difficult for cybercriminals to compromise our websites. Until “hacking” into websites stops being a low-cost/high  reward equation the problem will only worsen. Do not be part of the problem; do not allow your corporate website to be a propagator of malware. Ensure your web team is following secure coding best practices.

The ever-increasing business reliance on the web coupled with the trend of legitimate sites being compromised unabashedly means the task of battling malware will remain difficult. The goal should not be to prevent all malware from entering the enterprise but rather to mitigate the risk that web-based malware poses to your company.