In today's Web 2.0 environment, proactive security is paramount. Are you protected?


Overview: Boundaries No Longer Physical, but Virtual

The Internet today is a different mechanism than it once was. Widely referred to as "Web 2.0," today's Internet is a place where the boundaries of the enterprise are no longer clear, and this has had a ripple effect on network security.

Applications are now enabled over the Internet, and corporate intranets and extranets are now critical components of business. Indeed, organizations now build their businesses on Web infrastructures, and we've even seen the proliferation of completely "virtual" companies that have no physical headquarters at all. Today's business model includes inbound access for remote employees, partners, and customers. Internal employees also reach beyond the edge of the internal network to communicate and gather information across the Internet. This bi-directional aspect of IP-based application access creates significant security challenges for enterprises, however. Communication methods are both inbound and outbound, and so too, threats have become both inbound and outbound in nature.

The enterprise must be protected from malware (malicious software), regulatory compliance must be ensured, data leakage prevented, and employee productivity must be managed. These security issues exist for all IP-based traffic, whether email, VoIP, instant messaging, Web access, file transfers, or other enterprise applications communicating over IP.

In short, business use of the Web and Web 2.0 applications exposes organizations to both inbound and outbound security threats which transcend the legacy security measures for Web 1.0. The new generation of emerging security threats now consists of malicious attacks led by cyber-criminals targeted at specific organizations for personal or financial gain. This paper outlines these new threats and discusses the limited effectiveness of legacy Web security solutions against those threats. It then outlines the new proactive security paradigm that is necessary for securing Web 2.0 applications and protecting the enterprises that use them on a daily basis.

Inbound Security Threats

Gone are the days when the primary cause for concern was a broad-based Internet virus attack. Those attacks were launched to gain notoriety with the hacker's peers. Web sites were defaced much like graffiti is posted on a public wall or highway overpass, and political or personal messages were sometimes embedded in Web pages or disseminated to desktops. These attacks were a nuisance, required clean-up, and were often designed to embarrass the recipient. These broad-based attacks often caused a drain on productivity, sapped bandwidth, and created potential liability problems. The attackers, however, were often unsophisticated, with the virtual equivalent of a spray can. Today's attackers, on the other hand, are sophisticated, organized, and financially motivated. They are cyber-criminals who use technology to commit targeted attacks against specific persons or organizations for profit. The security risk, and potential for substantial loss, is much greater.

One tactic used by these cyber-criminals is to leverage their sophisticated knowledge to plant worms on host machines. These compromised machines, known as zombies, are rented out to carry out phishing, spam or other attacks (1).

In addition to for-hire zombie networks ("botnets"), cyber-criminals also use sophisticated tools to deploy seemingly innocent content which actually contains Trojan horses with malicious functions. These targeted Trojan horses present a threat to the organization in that on the surface, they appear harmless and innocuous, and may even take the form of a useful application or an entertaining game. Often these attacks utilize commonly used productivity tools like MS Office files transmitted via work email or via personal email that employees access via encrypted Web mail. Once opened by the recipient, the Trojan is released, opening the door for corporate data espionage, data theft, and the release of additional malware. Traditional anti-virus (A/V) solutions are ineffective in stopping the attack because there is no known signature. Targeted attacks are increasingly brief in duration and small in the number of samples sent out. Often the attack consists of malware that is designed to bypass the targeted company's signature-based anti-virus protection. Since the attack can end in just a few hours, your data may have already been stolen before anyone knows it has happened (2,3).

And it is not just files coming into an organization hidden in Trojans that can introduce malware. Seemingly innocent Web pages that employees may access for legitimate purposes can introduce malware or spyware into a network. This is potentially much more dangerous. Users can be educated not to click on suspicious email attachments, but malicious Web sites may contain active code that launches automatically as soon as the Web page is viewed. This is a common drawback of the Web 2.0 applications, like blogs, Wikipedia, and social networking sites like MySpace, that allow users to post code as part of the permissible content posting. For example, in November 2006, the popular Wikipedia reference site was compromised and used to distribute malware to unsuspecting users who thought they were getting information on a security patch (4).

One example of how signature-based anti-virus protection and category-based URL filtering have become obsolete due to the dynamic nature of Web 2.0 threats is a program now available called "eVade o'Matic Module," or VOMM for short, that automates the creation and modification of code so that it constantly changes its signature to avoid anti-virus detection while taking advantage of the same browser vulnerability. VOMM enables malicious code to literally have millions of possible signatures, so that the malware can always stay a step ahead of the anti-virus software. In short, its purpose is to make an intrusion attempt undetectable by signature-based anti-virus protection (5).

Malicious attacks are also now utilizing the very technologies that were created to provide security. For example, to secure financial transactions, encrypted HTTP was created (HTTPS) to ensure that financial data was not "in the clear" on the Internet. This is now widely used for financial and healthcare information transactions. However, attackers can also use this secure connection to transmit malware, and carry out a malicious attack that is undetectable by legacy security solutions like anti-virus (6). Because most legacy security solutions cannot be applied to encrypted traffic, we refer to this portion of network traffic as the "SSL blind spot."

Outbound Threats

In addition to inbound threats, there are also outbound data leakage threats that an organization must be aware of. Attackers aren't always outsiders in faraway countries; more often they are right inside your own organization. Data thieves, industrial spies, and cyber-vandals can operate within a company's own boundaries. But outbound threats aren't always the result of an intentional attack by an insider; sometimes they occur when an employee unintentionally opens or allows a "back door to be open" by downloading a rogue application that has not been approved by IT.

Outbound data leakage is a concern for two reasons: 1) risk of intellectual property loss and 2) compliance with regulatory requirements (e.g. SOX, HIPAA, GLBA, etc.). Many organizations think that filtering their email is sufficient to provide protection. While doing so is a key factor in a leakage prevention strategy, a multi-protocol approach to data leakage security is best, where network security administrators also pay attention to Web protocols: encrypted email traffic (HTTPS), instant messaging use (HTTP), and file transfers (FTP) (7). All of these protocols can be used to convey proprietary information out of the enterprise.

Legacy Security Solutions Are an Incomplete Solution to Web 2.0 Security Threats

As security threats appeared along with development and adoption of the Internet, point solutions were developed to address those threats. "Viruses" appeared in the late 1980s and anti-virus vendors began to appear in the early 1990s. The first anti-virus solution became available in 1991, when a medical doctor (Peter Tippett) applied the same approach to attacking human viruses to viruses that were attacking computers: identify the virus by its behavior and then 'inoculate' against it. The first viruses were identified by what they would do (e.g. attack the boot sector) and this was called their signature.

The first anti-virus engine worked by using a list of virus signatures (8). These programs were designed as client solutions to protect the desktop from virus infection that was commonly passed via the exchange of portable media (like 5.25 and 3.25 inch diskettes). Initially, this worked well, because the total number of viruses was not as large as it is today. These anti-virus solutions are still used today to protect the desktop even though computers are networked. Gateway versions of these anti-virus (A/V) solutions are now available from these vendors in both software and appliance form factors. Their primary approach to providing security remains the same reactive, signature-based model first invented by Dr. Tippett. Unfortunately, with new viruses (and mutations of old ones) appearing by the thousands, this reactive model can no longer keep up, and a more proactive solution is required.

One threat not detected by signature-based A/V solutions is spyware. Spyware, software that collects user information without their consent and sends it to the spyware creator, usually for marketing purposes, is a term that was coined in 1995 but not widely used until 2000. One version of spyware, called adware, displays advertising, typically as a pop-up window, and installs itself to send information back to the advertiser on the infected machine's Web usage and the user's Web surfing habits. The first anti-spyware solution became available in early 2001 and an entire segment of the security industry was born, all providing point solutions to stop the spyware threat. Anti-spyware vendor software is typically a desktop installation and works on the same paradigm as anti-virus software: once spyware is identified, a signature is created and those signatures are downloaded to the desktop installation of that vendor's software. The desktop anti-spyware software is then run to remove the spyware.

The widespread adoption of instant messaging (IM) applications (AOL, Yahoo, MSN, etc.) has created another set of problems for organizations that legacy security solutions cannot address. IM applications open organizations up to infections from malware and to data leakage from message and attachment content transfer. Since files can be easily transferred via IM, it has largely replaced FTP as the preferred method of file sharing amongst individuals. The downside to this is the increased chance of data leakage and a wide open door for malware to transmit any file on a user's hard drive without their knowledge or consent. Now, distributors of viruses, Trojans, and other malicious applications do not have to rely on email as a means of dissemination; they can instead push malware through using HTTP-based instant messaging. To address these new threats, a slew of vendors with new point solutions to this problem emerged in late 2004 (9).

It is clear from the events of the last 15 years that as threats emerge, vendors with new solutions are created and they find success in the marketplace selling point solutions to these threats. Often these solutions started as desktop applications and, as the cost of networking hardware has dropped over time, they have been ported first as gateway server software and now as dedicated gateway-based appliances. The result in 2007 is organizations with lots of point solutions from lots of vendors with lots of user interfaces. These point solutions lack inter-application integration, and policy has to be implemented by IT in multiple places. Yet in spite of all this complex infrastructure, the threat from malware is still not addressed, since the signature-less targeted attack and the "SSL blind spot" are not adequately addressed by this cornucopia of point solutions.

Meeting Web 2.0 Security Threats Head on with Comprehensive Web Gateway Security

In order to address the security threats posed by targeted malware, spyware, adware, and outbound data leakage, a new paradigm of proactive, reputation-based security needs to be applied to Internet traffic entering and leaving the enterprise. This new approach needs to reduce the number of point solutions deployed, which in turn results in lower support, subscription, and employee training costs. It needs to overcome the limitations of other point solutions with a proactive approach that can detect both known, signature-based and unknown attacks before they can penetrate the network.

These Web 2.0 security threats are addressed with an appliance-based platform that offers protection in the following areas: next-generation reputation-based Web filtering, gateway anti-virus, proactive anti-malware, data leakage protection, and scanning of SSL traffic. This solution must include a unified administrative interface with common policy management and enterprise class reporting on all functionality, along with an executive dashboard providing "at a glance" status on network security and system health. This appliance-based solution is referred to as Web Gateway Security.

The Major Components of Web Gateway Security: What Is Required?

Each of the following protective measures is required to ensure complete, comprehensive Web Gateway Security.

Reputation-Based Web Filtering

Just as legacy anti-virus solutions that utilize signatures are not adequate to stop malware, legacy URL filtering solutions that rely only on categorized databases of URL entries that update a few times a day are also not adequate to protect organizations from Internet threats that occur as the result of employee Web use. What is needed is a "reputation system" that assigns global reputations to URLs, and works alongside the categorized databases for the ultimate protection.

This Reputation System provides a mechanism for determining the risk associated with receiving data from a particular Web site. This reputation can be used in conjunction with categories in an organization's security policy, allowing them the ability to make the appropriate decision based on both category and reputation information. This reputation-based URL filtering solution needs to be global in scope and internationalized to handle Web sites in any language. This is especially true considering the global nature of the Internet security threat (10). In addition to reputation-based filtering, real-time classification of uncategorized Web sites is required, as well as the ability to enforce the "safe search" feature of the leading search engines. Lastly, it is important to block access to Web sites based on the content of the URLs themselves. This is called expression filtering and is vital in preventing access to sites that serve as anonymizers and proxies. These sites present security risks to the organization as they circumvent filtering of access to sites known to host malware, spyware, and other security threats.
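The following is an added example, not code from the white paper or from Secure Computing's product, showing how the three checks described above (expression filtering on the URL itself, category lookup, and reputation lookup) combine into one policy decision, with safe-search enforcement applied to requests that are allowed through. The hostnames, categories, risk scores, the 0 to 100 risk scale and its block threshold, and the anonymizer patterns are all constructed for illustration; the only real identifier is Google's `safe=active` query parameter.

```python
import re
from dataclasses import dataclass
from urllib.parse import parse_qsl, urlencode, urlparse, urlunparse

# Constructed sample lookups. A real gateway would query the vendor's
# category database and a global reputation service; every hostname,
# category and score here is invented for this example.
CATEGORY_DB = {
    "example-bank.test": "finance",
    "news.example.test": "news",
    "downloads.example.test": "software",
    "casino.example.test": "gambling",
}
# Reputation expressed as a risk score from 0 to 100, higher meaning riskier.
# The scale and the threshold are assumptions of this example, not any
# vendor's scoring.
REPUTATION_DB = {
    "example-bank.test": 5,
    "news.example.test": 20,
    "downloads.example.test": 85,
    "casino.example.test": 40,
}
DEFAULT_RISK = 50            # hosts with no reputation entry yet
RISK_BLOCK_THRESHOLD = 70
BLOCKED_CATEGORIES = {"adult", "gambling"}

# Expression filter: patterns in the URL itself that indicate a web proxy or
# anonymizer being used to tunnel past the category and reputation checks.
# Illustrative patterns, not a vendor's rule set.
HOST_PATTERNS = [re.compile(r"\b(?:anonymizer|webproxy)\b", re.I)]
QUERY_PATTERNS = [re.compile(r"(?:^|&)(?:url|u|q)=https?(?::|%3a)", re.I)]

# Safe-search enforcement: the query parameter forced onto search requests.
# Google's documented parameter is safe=active; the host mapping is constructed.
SAFE_SEARCH_PARAMS = {"www.google.com": ("safe", "active")}


@dataclass
class Decision:
    action: str      # "allow" or "block"
    reason: str      # which check decided
    url: str         # the URL to fetch, possibly rewritten for safe search


def enforce_safe_search(url: str) -> str:
    """Replace any safe-search parameter the user set with the enforced value."""
    parts = urlparse(url)
    host = (parts.hostname or "").lower()
    if host not in SAFE_SEARCH_PARAMS:
        return url
    key, value = SAFE_SEARCH_PARAMS[host]
    query = [(k, v) for k, v in parse_qsl(parts.query, keep_blank_values=True) if k != key]
    query.append((key, value))
    return urlunparse(parts._replace(query=urlencode(query)))


def evaluate_url(url: str) -> Decision:
    """Apply expression, category and reputation checks, in that order."""
    parts = urlparse(url)
    host = (parts.hostname or "").lower()
    # 1. Expression filter runs first: a proxy URL would otherwise be judged
    #    by the proxy host's own (possibly clean) category and reputation.
    if any(p.search(host) for p in HOST_PATTERNS) or any(
        p.search(parts.query) for p in QUERY_PATTERNS
    ):
        return Decision("block", "expression-filter:anonymizer", url)
    # 2. Category and reputation are evaluated together; either can block.
    category = CATEGORY_DB.get(host, "uncategorized")
    risk = REPUTATION_DB.get(host, DEFAULT_RISK)
    if category in BLOCKED_CATEGORIES:
        return Decision("block", f"category:{category}", url)
    if risk >= RISK_BLOCK_THRESHOLD:
        return Decision("block", f"reputation:{risk}", url)
    # 3. Allowed requests to search engines are rewritten to force safe search.
    return Decision("allow", f"category:{category} reputation:{risk}", enforce_safe_search(url))


if __name__ == "__main__":
    for sample in (
        "https://news.example.test/story",
        "https://downloads.example.test/setup.exe",
        "http://webproxy.example.test/browse.php?u=http://news.example.test/",
        "https://www.google.com/search?q=cats&safe=off",
    ):
        d = evaluate_url(sample)
        print(f"{d.action:5} {d.reason:35} {d.url}")
```

The ordering matters: the expression filter has to run before the database lookups, because a proxy site's own category and reputation say nothing about the destination it is relaying. Uncategorized hosts fall through with a default risk so that a real-time classifier (not modelled here) can refine the decision rather than the gateway failing open or closed on every unknown site.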

Proactive Behavioral-Based Anti-Malware Protection

Organizations should not rely solely on either a pure client or pure gateway solution. The typical boot sector virus that used to reside on a floppy is extinct--because there are no more floppy drives. The risk of a virus being present on USB memory devices (or on CDs/DVDs) still remains and therefore there is still a need for anti-virus protection at the client. In addition, client-based protection is recommended as a second layer of protection, in the rare event that a known virus should break through the gateway anti-virus protection layer. However, the need to address the gateway itself is becoming more important as it is the primary entry point for malware. It is widely agreed that enterprises should deploy a client side anti-virus solution and deploy gateway anti-virus as well. But these solutions are reactive (signature-based) and don't scale to meet the multi-protocol malware threats posed by deployment and use of Web 2.0 applications.

When adding anti-malware protection at the gateway, it is important to ensure that a wide range of protocols is covered. All application protocols entering a network need to be under close scrutiny. Most enterprises today have some form of anti-spam and anti-virus combination for email--but what about protecting the Web gateway? It is as valuable as a mail gateway. In addition to standard HTTP traffic, encrypted HTTPS traffic, instant messaging, Peer-to-Peer applications, and Web mail, which are increasing in traffic volume, are also vulnerable and must be protected and controlled. For more information on Webwasher's Anti-Malware solution, please see our Stopping the Targeted Attack white paper (http://www.securecomputing.com/Webform.cfm?id=81&sourcecode=wgswp).

SSL Traffic Scanning

A Web Gateway security solution should offer the following features to ensure security and prevent data leakage via SSL tunnels:
  Gateway anti-virus, anti-malware, and anti-spyware scanning: Encrypted
  content has traditionally been impossible to scan at the gateway,
  making SSL a dangerous virus carrier. By decrypting HTTPS content at
  the gateway and scanning for viruses, companies can leverage the same
  anti-malware protection offered by the Web gateway for HTTP and FTP
  traffic, while still enjoying the benefits of HTTPS.

  Outbound content scanning to stop intellectual property loss and
  support regulatory compliance: By first decrypting HTTPS file
  transfers and applying filtering policy, enterprises can filter files
  and media types which previously passed freely in and out of their
  network.

  Media type and content filtering: Many organizations seek to enforce
  policies for media file (MP3) sharing, and downloading of executables,
  ActiveX, JavaScript, or other potentially malicious content--
  regardless of which network protocol these threats use. As the amount
  of content transmitted via SSL grows, bandwidth and content filters
  become as important for HTTPS as they are for HTTP.

  Certificate management: Centralizing certificate policy at the gateway
  removes the burden of this decision from employees (as well as the
  potential for costly mistakes), and allows administrators to enforce a
  consistent policy.

  Flexible policy enforcement: While in general all SSL encrypted
  traffic should be inspected, most businesses will want to deploy
  flexible policies on exactly what traffic is decrypted or for which
  user range. For example, executive level management might be
  completely exempt from SSL scanning, while for the general user, only
  SSL scanning to certain trusted banks or trusted categories of Web
  sites is deactivated.
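The following is an added example, not code from the white paper or from any Secure Computing product, of the two SSL-scanning features that involve a policy decision rather than a scanning engine: flexible decryption policy (executives exempt entirely, trusted banks exempt for everyone else) and gateway-side certificate management (once the gateway terminates TLS, it, not the employee, decides whether the server's certificate is acceptable). Group names, hostnames, categories and the trusted issuer are constructed; the `ServerCert` structure models only the certificate fields the check needs.

```python
from dataclasses import dataclass, field
from datetime import datetime, timezone


# Ordered inspection rules; the first rule whose conditions all match wins.
# Group names, hosts and categories are constructed for this example.
@dataclass
class Rule:
    name: str
    action: str                                   # "bypass" or "decrypt"
    groups: set = field(default_factory=set)      # empty set = any user
    categories: set = field(default_factory=set)  # empty set = any category
    hosts: set = field(default_factory=set)       # empty set = any host


SSL_POLICY = [
    Rule("exec-exempt", "bypass", groups={"executives"}),
    Rule("trusted-banks", "bypass", categories={"finance-trusted"}),
    Rule("trusted-hosts", "bypass", hosts={"payroll.example.test"}),
    Rule("default", "decrypt"),
]


def ssl_action(user_groups, host, category):
    """Return (action, rule name) for a CONNECT to host by a user in user_groups."""
    user_groups = set(user_groups)
    for rule in SSL_POLICY:
        if rule.groups and not (rule.groups & user_groups):
            continue
        if rule.categories and category not in rule.categories:
            continue
        if rule.hosts and host not in rule.hosts:
            continue
        return rule.action, rule.name
    return "decrypt", "implicit-default"


# Certificate management: when the gateway terminates TLS it must judge the
# server's certificate itself. Only the fields the check needs are modelled;
# a real gateway would take them from the parsed X.509 certificate.
@dataclass
class ServerCert:
    subject_cn: str
    sans: list               # subjectAltName DNS entries
    issuer: str
    not_after: datetime


TRUSTED_ISSUERS = {"Example Root CA"}   # constructed trust store


def utc(year, month, day):
    """Helper so sample timestamps are unambiguous (timezone-aware UTC)."""
    return datetime(year, month, day, tzinfo=timezone.utc)


def hostname_matches(pattern, host):
    """Wildcard only in the leftmost label, and it matches exactly one label."""
    if pattern.startswith("*."):
        return "." in host and host.split(".", 1)[1] == pattern[2:]
    return pattern == host


def certificate_verdict(cert, host, now):
    """Centralised certificate policy: untrusted, expired or mismatched = block."""
    if cert.issuer not in TRUSTED_ISSUERS:
        return "block", "untrusted-issuer"
    if cert.not_after <= now:
        return "block", "expired"
    names = cert.sans or [cert.subject_cn]
    if not any(hostname_matches(n, host) for n in names):
        return "block", "hostname-mismatch"
    return "allow", "certificate-ok"


def inspect_connection(user_groups, host, category, cert, now):
    """Combine the exemption policy with the gateway-side certificate check."""
    action, rule = ssl_action(user_groups, host, category)
    if action == "bypass":
        return "bypass", rule          # tunnelled untouched, per policy
    verdict, why = certificate_verdict(cert, host, now)
    if verdict == "block":
        return "block", why           # the gateway refuses, the user never sees a prompt
    return "decrypt", rule            # decrypt and hand content to the scanners


if __name__ == "__main__":
    now = utc(2025, 6, 1)
    good = ServerCert("news.example.test", ["*.example.test"], "Example Root CA", utc(2030, 1, 1))
    print(inspect_connection(["staff"], "news.example.test", "news", good, now))
    print(inspect_connection(["executives"], "news.example.test", "news", good, now))
    print(inspect_connection(["staff"], "bank.example.test", "finance-trusted", good, now))
```

Note the trade-off the example makes visible: a bypassed connection skips the certificate check as well as the content scan, so every exemption rule widens the blind spot for exactly the users or destinations it names. That is why the exemption list should be short and reviewed, and why the default rule decrypts.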


Enterprise Reporting

Effectively securing and managing enterprise networks requires an understanding of the status, trends, and events relating to all network activity, and the ability to generate reports to meet both internal and external requirements. A Web Security Gateway requires reporting that provides a full breakdown of cache, streaming media, and Web usage in your company, and it must scale to the largest of enterprises--20 GB of daily log files and more! Web Gateway reporting should support a customer's choice of enterprise class RDBMS in use, and require virtually no maintenance from IT staff by offering robust automated log file collection, report generation, and distribution. Furthermore, reports should be easily customizable and also conform with data privacy legislation throughout the world. Lastly, but most importantly, it must provide "at a glance" information on network security and Web gateway performance through a dashboard interface that immediately informs administrators of any problems.

Summary

Today's Internet is vastly different than it was 10 years ago, or even 2 or 3 years ago. Web protocols like HTTP and HTTPS are being used today by Web 2.0 applications in ways never envisioned when these protocols were developed. These new Web 2.0 applications expose the enterprise to new and fast evolving security threats. Traditional reactive, signature-based approaches to filtering and malware are inadequate to meet this new challenge. Reputation-based security, including malware detection and URL filtering, is needed to meet this challenge.

www.securecomputing.com

Web Gateway Security

1. http://news.com.com/2102-7349_3-5772238.html?tag=st.util.print

2. http://news.com.com/2102-7349_3-6125453.html?tag=st.util.print

3. http://www.itpro.co.uk/security/news/99467/2006-the-year-of-targeted-malware.html

4. http://www.toptechnews.com/story.xhtml?story_id=101003HCTOK6

5. http://www.itsecurity.com/features/news-feature-metasploit-vomm-102906/

6. http://www.windowsecurity.com/whitepaper/info/misc/tricks.html

7. http://itmanagement.earthWeb.com/secu/article.pho/3464021

8. http://en.wikipedia.org/wiki/Anti-virus

9. http://www.network.com/news/2005/060605-data-leaks.html

10. http://www.trustedsource.org/zloc.php
COPYRIGHT 2007 A.P. Publications Ltd.
No portion of this article can be reproduced without the express written permission from the copyright holder.
Copyright 2007, Gale Group. All rights reserved.

Title Annotation:White Paper
Publication:Software World
Date:Sep 1, 2007