
The Problem of Web-borne Threats Is Not Theoretical:

Millions of users have been impacted and the threat is getting worse.

After email, the World Wide Web is among the most important tools available to people who use a computer as they perform their job. It offers a ready source of current information, an infrastructure for developing various types of content, and a platform for communications and collaboration.

However, the Web is also fraught with risks, such as malware that can be downloaded to a network or an individual’s computer by doing nothing more than simply visiting a Web site. Furthermore, even Web sites that are legitimate for use in a business context can serve as a source of these threats – there are thousands of examples of otherwise valid Web pages and entire sites that have become a source of malware ranging from simple keystroke loggers to much more malicious content.

Today, Web threats are more numerous and more virulent than those that are delivered in email, and it is easier to be infected by them. Furthermore, blended threats that link to malicious Web sites are delivered in email, instant messages, or through social networking sites. As a result, the simple act of Web surfing has become a potentially devastating threat to corporate networks and security.

The Problem Is Going To Get Worse For Two Reasons:

  • Most Web pages and sites are not adequately protected against attacks such as SQL injection or cross-site scripting, leaving them vulnerable to exploitation by malware authors.
  • Defenses against Web-borne threats are not as extensive as those protecting organizations from threats delivered through email. When presented with a threat delivered through email or instant messaging, users generally have to do something, such as clicking on a link in a message. With Web-based threats, nothing more than visiting a Web page is required to become infected.

What Should You Do?

Clearly, every organization must do something to protect itself against these threats. Among the many things that can be done, it is important to implement any of the growing number of Web security capabilities that are available. While on-premise solutions are available that will provide robust protection against Web threats, hosted solutions offer some unique advantages, including lower costs, more proactive threat protection, lower impacts on bandwidth and storage, and the ability to free IT staff for activities that might provide more value to an organization.

The Web Represents a Growing Threat Platform

For the past several years, email has represented the most serious threat platform for organizations of all sizes – viruses, worms, and other forms of malware have all been delivered via email for many years. However, Web-borne malware is now more common than malware that enters an organization through email, as demonstrated by the following statistics from MessageLabs Intelligence Reports:

  • Email-borne malware dropped from 0.85% of all email in 2007 to 0.70% in 2008.
  • The number of Web sites that carry malware increased from 1,068 new sites discovered per day in January 2008 to 5,424 per day in October 2008, an increase of more than 400% in just nine months.
  • In July 2008, 83.4% of all the Web-based malware intercepted was newly discovered as a result of an increased number of SQL injection attacks.

One of the fundamental problems with Web-based attacks is that literally hundreds of thousands of Web sites can serve as infection points – even legitimate Web sites can infect a network. For example, the Web sites of Business Week, the Miami Dolphins, Audi Taiwan and the United Nations have all been infected during the past few years, infecting visitors who do nothing more than view the content on these sites.

Furthermore, new Web sites are created every day and search engines can make virtually countless numbers of Web sites available in real time that will not be pre-screened by many conventional Web-filtering solutions. For example, on March 9th 2009, more than 125,000 new domains came online, representing the potential for well over one million new Web pages, any of which could have been harboring an infection that could impact corporate networks and individual computers.

There Are a Variety of Negative Impacts

What can happen as a result of an infection that originates from simply visiting an infected Web page? The quite serious consequences include:

  • Malware can be downloaded automatically that can intercept keystrokes or other sensitive content. The result can be loss of login credentials and their consequent use by hackers, loss of financial information or trade secrets, and otherwise compromised network security.
  • Bandwidth and network performance can become strained as malware, bots and other malicious programs use bandwidth in the corporate network. The result can be poor network performance, slow email delivery, and slow Web access.
  • Storage costs increase because of spyware downloads and other malicious programs occupying space on the corporate network.

Furthermore, mobile and remote users are making the problem worse. Many of the endpoints that access corporate networks, such as mobile devices or home computers, are not adequately protected against Web-borne threats and so represent an ingress point for all sorts of malicious content.

What Can You Do About the Problem?

There are a variety of things that organizations can do to address the growing problem of Web-based threats, although some of the practices and procedures that organizations can implement will be more effective than others.

ESTABLISH POLICIES FOR EMPLOYEE USE OF THE WEB

One of the first and most important things that organizations should do to address the Web threat problem is establish formal and detailed policies for their employees' use of the Web. Many organizations do not have adequate Web-use policies, if they have them at all. Any employee-focused policy on use of the Web should address the types of Web sites that employees are allowed to visit and those that are not permissible. Obviously, gambling and pornographic sites will be banned in most organizations, although some organizations may also want to ban non-business sites as well. Various studies over the years have found that employees spend inordinate amounts of time visiting non-business Web sites, particularly around the time of significant events like the Super Bowl, World Cup, and the like.

ESTABLISH WEB ANTI-VIRUS AND ANTI-SPYWARE PROTECTION

However, policies for appropriate use of the Web – no matter how specific they are, how well they are followed or how well they are enforced – cannot prevent most malware from entering a corporate network. As noted earlier, even legitimate, business-oriented Web sites have been subject to SQL injection attacks and other forms of infection, and so antivirus and anti-spyware tools must be deployed throughout the network. Preferably, these capabilities will be deployed both at the server or gateway level and also at the end user level. Deploying these capabilities on individual desktop machines, laptops and mobile devices will provide the added benefit of protecting against threats that might enter via a USB storage device or from a CD-ROM that a user brings from home.

BLOCK NON-BUSINESS-RELATED WEB SITES

Another option that should be considered is the deployment of URL filtering tools that will block access to non-approved Web sites. Many organizations have deployed these filters, albeit with varying levels of success. While URL filters can be useful, they can rarely keep up with the new threats that enter the Web on an hourly basis and for which no signature has been created in the tool. Furthermore, URL filters can generate significant levels of false positives – blocking Web sites that appear to be suspicious but might have a legitimate business purpose.

FILTER CONTENT FOR UNWANTED FILE TYPES

Another capability that can be implemented in an effort to block Web-based threats is content filtering designed to block unwanted file types. Blocking file types based on their content can be useful in preventing some types of Web threats from entering a network, particularly files that are traditionally known to be associated with malware, such as .scr or .pif. These systems can also block file types that are generally not used in a legitimate business context, such as .mp3, .jpg or .mov files. In addition to preventing some Web threats from entering a network, content filtering tools provide the added benefit of storage and bandwidth savings by blocking audio, video and other files that can consume large quantities of both.
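
The following added example (not part of the original page) sketches a content filter of the kind described above: it decides by a download's leading bytes first and by its extension second, so a renamed executable is still caught. The policy sets, function names and sample bytes are hypothetical and constructed for illustration.

```python
import os

# (offset, magic bytes, label) for the file types named in the text.
SIGNATURES = [
    (0, b"MZ", "executable"),        # DOS/PE header used by .exe and .scr files
    (0, b"\xff\xd8\xff", "jpeg"),
    (0, b"ID3", "mp3"),              # ID3v2-tagged MP3 only
    (4, b"ftypqt", "quicktime"),     # .mov container brand
    (0, b"%PDF-", "pdf"),
]

# Assumed policy: block malware-associated and non-business content types.
BLOCKED_TYPES = {"executable", "mp3", "jpeg", "quicktime"}
BLOCKED_EXTENSIONS = {".scr", ".pif"}


def sniff(data):
    """Identify the content type from leading bytes, ignoring the file name."""
    for offset, magic, label in SIGNATURES:
        if data[offset:offset + len(magic)] == magic:
            return label
    return "unknown"


def decide(filename, data):
    """Return (action, reason) for one download."""
    ext = os.path.splitext(filename.lower())[1]
    kind = sniff(data)
    if kind in BLOCKED_TYPES:        # content wins over whatever the name claims
        return ("block", "content is " + kind)
    if ext in BLOCKED_EXTENSIONS:    # fall back to the extension list
        return ("block", "extension " + ext)
    return ("allow", "content is " + kind)


# Constructed sample downloads: (file name, first bytes of the body).
SAMPLES = [
    ("screensaver.scr", b"MZ\x90\x00" + b"\x00" * 60),
    ("report.pdf", b"MZ\x90\x00" + b"\x00" * 60),   # executable renamed to .pdf
    ("report.pdf", b"%PDF-1.4\n"),
    ("clip.mov", b"\x00\x00\x00\x14ftypqt  "),
    ("notes.pif", b"plain text body"),
]

if __name__ == "__main__":
    for name, body in SAMPLES:
        print(name, decide(name, body))
```
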

USE A COMBINATION OF APPROACHES

No one solution will be the “best” approach to the problem of addressing Web threats. For example, a policy-only approach will simply not protect an organization from employees who forget the policy or choose to ignore it. Similarly, a systems-only approach without a clear, well-understood and well-enforced policy to support it could create confusion and anger among employees. Instead, organizations should use several different methods in a layered approach to ensure the highest level of protection.

Summary

Web threats, such as keystroke loggers and other malware downloaded from infected Web sites, have surpassed email as the primary threat platform with which most security-oriented decision makers must contend. The problem is worse than with email and will continue to become more critical over time. To protect against threats that are delivered via the Web, organizations should do a number of things. Developing policies focused on acceptable use of the Web, deploying capabilities that will block the URLs of malicious Web sites, and filtering content for various threats are a few preventative methods. Organizations can deploy on-site systems that offer the advantages of fast control and good threat protection, or they can opt for a hosted Web security model that can be more proactive in blocking real-time threats.
