In today's Web 2.0 environment, proactive security is paramount. Are you protected?
The Internet today is a different mechanism than it once was. Widely referred to as "Web 2.0," today's Internet is a place where the boundaries of the enterprise are no longer clear and this has had a ripple effect on network security.
Applications are now enabled over the Internet, and the use of corporate intranets and extranets is now a critical component of business. Indeed, organizations now build their businesses on Web infrastructures, and we've even seen the proliferation of completely "virtual" companies that have no physical headquarters at all. Today's business model includes inbound access for remote employees, partners, and customers. Internal employees also reach beyond the edge of the internal network to communicate and gather information across the Internet. This bi-directional aspect of IP-based application access, however, creates significant security challenges for enterprises. Communication is both inbound and outbound, and so threats have also become both inbound and outbound in nature.
The enterprise must be protected from malware (malicious software), regulatory compliance must be ensured, data leakage prevented, and employee productivity must be managed. These security issues exist for all IP-based traffic, whether email, VoIP, instant messaging, Web access, file transfers, or other enterprise applications communicating over IP.
In short, business use of the Web and Web 2.0 applications exposes organizations to both inbound and outbound security threats that transcend the legacy security measures designed for Web 1.0. The new generation of emerging security threats consists of malicious attacks led by cyber criminals and targeted at specific organizations for personal or financial gain. This paper outlines these new threats and discusses the limited effectiveness of legacy Web security solutions against them. It then outlines the new proactive security paradigm that is necessary for securing Web 2.0 applications and protecting the enterprises that use them on a daily basis.
Inbound Security Threats
Gone are the days when the primary cause for concern was a broad-based Internet virus attack. Those attacks were launched to gain notoriety with the hacker's peers. Web sites were defaced much like graffiti is posted on a public wall or highway overpass, and political or personal messages were sometimes embedded in Web pages or disseminated to desktops. These attacks were a nuisance, required clean-up, and were often designed to embarrass the recipient. These broad-based attacks often caused a drain on productivity, sapped bandwidth, and created potential liability problems. The attackers, however, were often unsophisticated, wielding the virtual equivalent of a spray can. Today's attackers, on the other hand, are sophisticated, organized, and financially motivated. They are cyber-criminals who use technology to commit targeted attacks against specific persons or organizations for profit. The security risk, and the potential for substantial loss, is much greater.
One tactic used by these cyber-criminals is to leverage their sophisticated knowledge to plant worms on host machines. These compromised machines, known as zombies, are rented out to carry out phishing, spam or other attacks (1).
In addition to for-hire zombie networks ("botnets"), cyber-criminals also use sophisticated tools to deploy seemingly innocent content which actually contains Trojan horses with malicious functions. These targeted Trojan horses present a threat to the organization in that, on the surface, they appear harmless and innocuous, and may even take the form of a useful application or an entertaining game. Often these attacks utilize commonly used productivity tools like MS Office files, transmitted via work email or via personal email that employees access through encrypted Web mail. Once opened by the recipient, the Trojan is released, opening the door for corporate data espionage, data theft, and the release of additional malware. Traditional anti-virus (A/V) solutions are ineffective in stopping the attack because there is no known signature. Targeted attacks are increasingly brief in duration and small in the number of samples sent out. Often the attack consists of malware designed to bypass the targeted company's signature-based anti-virus protection. Since the attack can end in just a few hours, your data may already have been stolen before anyone knows it has happened (2,3).
And it is not just files coming into an organization hidden in Trojans that can introduce malware. Seemingly innocent Web pages that employees may access for legitimate purposes can introduce malware or spyware into a network. This is potentially much more dangerous. Users can be educated not to click on suspicious email attachments, but malicious Web sites may contain active code that launches automatically as soon as the Web page is viewed. This is a common drawback of Web 2.0 applications, like blogs, Wikipedia, and social networking sites like MySpace, that allow users to post code as part of the permissible content. For example, in November 2006, the popular Wikipedia reference site was compromised and used to distribute malware to unsuspecting users who thought they were getting information on a security patch (4).
One example of how signature-based anti-virus protection and category-based URL filtering have become obsolete due to the dynamic nature of Web 2.0 threats is a program now available called "eVade o'Matic Module," or VOMM for short, which automates the creation and modification of code so that it constantly changes its signature to avoid anti-virus detection while exploiting the same browser vulnerability. VOMM enables malicious code to have literally millions of possible signatures, so that the malware can always stay a step ahead of the anti-virus software. In short, its purpose is to make an intrusion attempt undetectable by signature-based anti-virus protection (5).
Malicious attacks are also now utilizing the very technologies that were created to provide security. For example, to secure financial transactions, encrypted HTTP (HTTPS) was created to ensure that financial data was not "in the clear" on the Internet. It is now widely used for financial and healthcare information transactions. However, attackers can also use this secure connection to transmit malware and carry out a malicious attack that is undetectable by legacy security solutions like anti-virus (6). Because most legacy security solutions cannot be applied to encrypted traffic, we refer to this portion of network traffic as the "SSL blind spot."
In addition to inbound threats, there are also outbound data leakage threats that an organization must be aware of. Attackers aren't always outsiders in faraway countries; more often they are right inside your own organization. Data thieves, industrial spies, and cyber-vandals can operate within a company's own boundaries. But outbound threats aren't always the result of an intentional attack by an insider; sometimes they occur when an employee unintentionally opens a back door by downloading a rogue application that has not been approved by IT.
Outbound data leakage is a concern for two reasons: 1) the risk of intellectual property loss and 2) compliance with regulatory requirements (e.g. SOX, HIPAA, GLBA). Many organizations think that filtering their email is sufficient to provide protection. While doing so is a key part of a leakage prevention strategy, a multi-protocol approach to data leakage security is best, in which network security administrators also pay attention to the Web protocols: encrypted Web mail traffic (HTTPS), instant messaging (HTTP), and file transfers (FTP) (7). All of these protocols can be used to convey proprietary information out of the enterprise.
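The multi-protocol point above can be made concrete with a small outbound content check. The following Python is an added illustration, not Secure Computing's or Webwasher's code: one content policy (a Luhn-validated payment card number, or a hypothetical "CONFIDENTIAL" classification marker) is applied to every outbound payload regardless of whether it left over HTTPS Web mail, HTTP instant messaging, FTP or SMTP. The protocol labels, the marker convention and the sample payloads are all constructed for the example.

```python
"""Multi-protocol outbound data leakage check (added illustration, not Secure
Computing's code).  The same content policy is applied to every channel, so a
card number pasted into Web mail, IM or an FTP upload is treated alike.
"""
import re
from dataclasses import dataclass
from typing import List

# Candidate payment-card numbers: 13-19 digits, optionally separated by spaces or dashes.
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")
# Hypothetical document classification marker an organization might stamp on files.
MARKER_RE = re.compile(r"\bCONFIDENTIAL\b", re.IGNORECASE)


def luhn_ok(digits: str) -> bool:
    """Luhn checksum; weeds out digit runs (order ids, timestamps) that are not card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


@dataclass
class Finding:
    protocol: str
    user: str
    reason: str


def inspect_payload(protocol: str, user: str, payload: str) -> List[Finding]:
    """Apply the content policy to one outbound payload; the protocol is only recorded, never used to skip checks."""
    findings: List[Finding] = []
    for match in CARD_RE.finditer(payload):
        digits = re.sub(r"[ -]", "", match.group())
        if luhn_ok(digits):
            findings.append(Finding(protocol, user, "payment card number"))
            break                # one finding per payload is enough for a block decision
    if MARKER_RE.search(payload):
        findings.append(Finding(protocol, user, "classification marker"))
    return findings


# Constructed outbound traffic samples covering the protocols the paper lists.
SAMPLES = [
    ("HTTPS-webmail", "alice", "POST /compose card 4111 1111 1111 1111 please charge"),
    ("HTTP-IM", "bob", "here is the q3 roadmap, marked CONFIDENTIAL, dont forward"),
    ("FTP", "carol", "STOR report.txt\nquarterly numbers look fine 1234567890123"),
    ("SMTP", "dave", "lunch at noon?"),
]


def run(samples=SAMPLES) -> List[Finding]:
    """Inspect every sample and return the findings a gateway would act on."""
    out: List[Finding] = []
    for proto, user, payload in samples:
        out.extend(inspect_payload(proto, user, payload))
    return out


if __name__ == "__main__":
    for f in run():
        print(f"{f.protocol:14} {f.user:6} -> {f.reason}")
```

Carol's FTP upload contains a 13-digit run that fails the Luhn check, so it is not reported; without that check every invoice number would become a false positive. In a real gateway the payload for the HTTPS case is only visible after the SSL traffic has been decrypted at the gateway, which is the point the "SSL blind spot" discussion makes.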
Legacy Security Solutions Are an Incomplete Solution to Web 2.0 Security Threats
As security threats appeared along with the development and adoption of the Internet, point solutions were developed to address those threats. "Viruses" appeared in the late 1980s and anti-virus vendors began to appear in the early 1990s. The first anti-virus solution became available in 1991, when a medical doctor (Peter Tippett) applied the approach used against human viruses to the viruses that were attacking computers: identify the virus by its behavior and then 'inoculate' against it. The first viruses were identified by what they would do (e.g. attack the boot sector), and this was called their signature.
The first anti-virus engine worked by using a list of virus signatures (8). These programs were designed as client solutions to protect the desktop from virus infection, which was commonly spread via the exchange of portable media (like 5.25 and 3.25 inch diskettes). Initially, this worked well, because the total number of viruses was not as large as it is today. These anti-virus solutions are still used today to protect the desktop even though computers are networked. Gateway versions of these anti-virus (A/V) solutions are now available from the same vendors in both software and appliance form factors. Their primary approach to providing security remains the same reactive, signature-based model first invented by Dr. Tippett. Unfortunately, with new viruses (and mutations of old ones) appearing by the thousands, this reactive model can no longer keep up, and a more proactive solution is required.
One threat not detected by signature-based A/V solutions is spyware. Spyware, software that collects user information without consent and sends it to the spyware creator, usually for marketing purposes, is a term that was coined in 1995 but not widely used until 2000. One version of spyware, called adware, displays advertising, typically as a pop-up window, and installs itself to send information back to the advertiser on the infected machine's Web usage and the user's Web surfing habits. The first anti-spyware solution became available in early 2001 and an entire segment of the security industry was born, all providing point solutions to stop the spyware threat. Anti-spyware vendor software is typically a desktop installation and works on the same paradigm as anti-virus software: once spyware is identified, a signature is created and those signatures are downloaded to the desktop installation of that vendor's software. The desktop anti-spyware software is then run to remove the spyware.
The widespread adoption of instant messaging (IM) applications (AOL, Yahoo, MSN, etc.) has created another set of problems for organizations that legacy security solutions cannot address. IM applications open organizations up to infections from malware and to data leakage through message and attachment content transfer. Since files can be easily transferred via IM, it has largely replaced FTP as the preferred method of file sharing amongst individuals. The downside is the increased chance of data leakage and a wide open door for malware to transmit any file on a user's hard drive without their knowledge or consent. Distributors of viruses, Trojans, and other malicious applications no longer have to rely on email as a means of dissemination; they can instead push malware through HTTP-based instant messaging. To address these new threats, a slew of vendors with new point solutions to this problem emerged in late 2004 (9).
It is clear from the events of the last 15 years that as threats emerge, vendors with new solutions appear and find success in the marketplace selling point solutions to those threats. Often these solutions started as desktop applications and, as the cost of networking hardware has dropped over time, they have been ported first to gateway server software and now to dedicated gateway appliances. The result in 2007 is organizations with many point solutions from many vendors, each with its own user interface. These point solutions lack inter-application integration, and policy has to be implemented by IT in multiple places. Yet in spite of all this complex infrastructure, the threat from malware is still not fully addressed, since the signature-less targeted attack and the "SSL blind spot" are not adequately covered by this cornucopia of point solutions.
Meeting Web 2.0 Security Threats Head on with Comprehensive Web Gateway Security
In order to address the security threats posed by targeted malware, spyware, adware, and outbound data leakage, a new paradigm of proactive, reputation-based security needs to be applied to Internet traffic entering and leaving the enterprise. This new approach needs to reduce the number of point solutions deployed, which in turn lowers support, subscription, and employee training costs. It needs to overcome the limitations of point solutions with a proactive approach that can detect both known (signature-based) and unknown attacks before they can penetrate the network.
These Web 2.0 security threats are addressed with an appliance-based platform that offers protection in the following areas: next-generation reputation-based Web filtering, gateway anti-virus, proactive anti-malware, data leakage protection, and scanning of SSL traffic. This solution must include a unified administrative interface with common policy management and enterprise class reporting on all functionality along with an executive dashboard providing "at a glance" status on network security and system health. This appliance-based solution is referred to as Web Gateway Security.
The Major Components of Web Gateway Security: What Is Required?
Each of the following protective measures is required to ensure complete, comprehensive Web Gateway Security.
Reputation-Based Web Filtering
Just as legacy anti-virus solutions that utilize signatures are not adequate to stop malware, legacy URL filtering solutions that rely only on categorized databases of URL entries, updated a few times a day, are also not adequate to protect organizations from Internet threats that arise from employee Web use. What is needed is a "reputation system" that assigns global reputations to URLs and works alongside the categorized databases for the ultimate protection.
This Reputation System provides a mechanism for determining the risk associated with receiving data from a particular Web site. The reputation can be used in conjunction with categories in an organization's security policy, allowing the organization to make the appropriate decision based on both category and reputation information. This reputation-based URL filtering solution needs to be global in scope and internationalized to handle Web sites in any language. This is especially true considering the global nature of the Internet security threat (10). In addition to reputation-based filtering, real-time classification of uncategorized Web sites is required, as well as the ability to enforce the "safe search" feature of the leading search engines. Lastly, it is important to block access to Web sites based on the content of the URLs themselves. This is called expression filtering and is vital in preventing access to sites that serve as anonymizers and proxies. These sites present security risks to the organization because they circumvent the filtering of access to sites known to host malware, spyware, and other security threats.
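The paragraphs above name four inputs to a filtering decision: category, reputation, real-time classification of uncategorized sites, and expression filtering on the URL text. The following Python is an added illustration of how one policy can combine them, not Secure Computing's or Webwasher's code. Everything that gives it numbers is an assumption: the reputation scale (0 trusted to 100 malicious), the block and warn thresholds, the category and reputation tables, and the real-time classifier, which is a stub.

```python
"""One URL-filtering decision combining category, reputation and expression
filtering (added illustration; not Secure Computing's or Webwasher's code).
Reputation scale, thresholds, lookup tables and the classifier stub are all
constructed for the example.
"""
import re
from typing import Tuple
from urllib.parse import urlparse

# Constructed category database (host -> category).
CATEGORY_DB = {
    "intranet.example": "business",
    "news.example": "news",
    "games.example": "games",
    "updates.example": "software",
}
# Constructed reputation feed (host -> risk score, higher is riskier).
REPUTATION_DB = {
    "intranet.example": 0,
    "news.example": 10,
    "games.example": 35,
    "updates.example": 85,   # a legitimate-looking patch site lately seen serving malware
}
# Expression filters run over the URL text itself, so anonymizers and proxies are
# caught even when the host has no category yet or a benign one.
EXPRESSION_FILTERS = [re.compile(p, re.IGNORECASE)
                      for p in (r"anonymi[sz]er", r"web-?proxy", r"cgiproxy")]

HIGH_RISK = 80        # block outright, whatever the category says
MEDIUM_RISK = 50      # allow with a warning; also the default for hosts with no reputation
BLOCKED_CATEGORIES = {"games", "malware", "proxy"}


def classify_realtime(host: str) -> str:
    """Stand-in for real-time classification of an uncategorized site (constructed)."""
    return "games" if "game" in host else "uncategorized"


def evaluate(url: str) -> Tuple[str, str]:
    """Return (action, reason); action is one of allow / warn / block."""
    host = urlparse(url).hostname or ""
    # 1. Expression filtering on the whole URL, path and query included.
    for pattern in EXPRESSION_FILTERS:
        if pattern.search(url):
            return "block", f"expression filter {pattern.pattern!r}"
    # 2. Reputation ceiling, independent of category: a known-good category does
    #    not rescue a host that is currently serving malware.
    reputation = REPUTATION_DB.get(host, MEDIUM_RISK)
    if reputation >= HIGH_RISK:
        return "block", f"reputation {reputation} >= {HIGH_RISK}"
    # 3. Category from the database, falling back to real-time classification.
    category = CATEGORY_DB.get(host) or classify_realtime(host)
    if category in BLOCKED_CATEGORIES:
        return "block", f"category {category}"
    # 4. Uncategorized or medium-risk sites are allowed but the user is warned.
    if category == "uncategorized" or reputation >= MEDIUM_RISK:
        return "warn", f"category {category}, reputation {reputation}"
    return "allow", f"category {category}, reputation {reputation}"


if __name__ == "__main__":
    for u in ("http://news.example/story", "http://updates.example/patch.exe",
              "http://games.example/play", "http://free-webproxy.example/?u=x",
              "http://newgamesite.example/", "http://unknown.example/"):
        print(u, "->", evaluate(u))
```

The ordering matters: the reputation check runs before the category check so that updates.example, whose category ("software") would normally be allowed, is blocked while its reputation is high, which is exactly the case a category-only database misses between updates. The expression patterns are deliberately narrow; a bare "proxy" would also match an intranet page about proxy settings, so any deployed expression list needs an allow-list or a review of false positives.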
Proactive Behavioral-Based Anti-Malware Protection
Organizations should not rely solely on either a pure client or pure gateway solution. The typical boot sector virus that used to reside on a floppy is extinct because there are no more floppy drives. The risk of a virus being present on USB memory devices (or on CDs/DVDs) still remains, and therefore there is still a need for anti-virus protection at the client. In addition, client-based protection is recommended as a second layer of protection, in the rare event that a known virus should break through the gateway anti-virus protection layer. However, the need to address the gateway itself is becoming more important, as it is the primary entry point for malware. It is widely agreed that enterprises should deploy a client-side anti-virus solution and deploy gateway anti-virus as well. But these solutions are reactive (signature-based) and don't scale to meet the multi-protocol malware threats posed by the deployment and use of Web 2.0 applications.
When adding anti-malware protection at the gateway, it is important to ensure that a wide range of protocols is covered. All application protocols entering a network need to be under close scrutiny. Most enterprises today have some form of anti-spam and anti-virus combination for email, but what about protecting the Web gateway? It is as valuable as a mail gateway. In addition to standard HTTP traffic, encrypted HTTPS traffic, instant messaging, peer-to-peer applications, and Web mail, all of which are increasing in traffic volume, are also vulnerable and must be protected and controlled. For more information on Webwasher's Anti-Malware solution, please see our Stopping the Targeted Attack white paper (http://www.securecomputing.com/Webform.cfm?id=81&sourcecode=wgswp).
SSL Traffic Scanning
A Web Gateway security solution should offer the following features to ensure security and prevent data leakage via SSL tunnels:
Effectively securing and managing enterprise networks requires an understanding of the status, trends, and events relating to all network activity, and the ability to generate reports to meet both internal and external requirements. A Web Security Gateway requires reporting that provides a full breakdown of cache, streaming media, and Web usage in your company, and it must scale to the largest of enterprises: 20 GB of daily log files and more. Web Gateway reporting should support the customer's choice of enterprise-class RDBMS, and require virtually no maintenance from IT staff by offering robust automated log file collection, report generation, and distribution. Furthermore, reports should be easily customizable and conform with data privacy legislation throughout the world. Lastly, but most importantly, it must provide "at a glance" information on network security and Web gateway performance through a dashboard interface that immediately informs administrators of any problems.
Today's Internet is vastly different than it was 10 years ago, or even 2 or 3 years ago. Web protocols like HTTP and HTTPS are being used today by Web 2.0 applications in ways never envisioned when these protocols were developed. These new Web 2.0 applications expose the enterprise to new and fast-evolving security threats. Traditional reactive, signature-based approaches to URL filtering and malware detection are inadequate to meet this new challenge. Reputation-based security, including malware detection and URL filtering, is needed to meet it.
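As an added illustration of the reporting requirements in the section above (cache, streaming and usage breakdown, a dashboard alert, and respect for privacy legislation), the following Python reduces a handful of gateway access log lines to those figures. It is not Secure Computing's reporting code; the log format (timestamp, user, action, category, URL, bytes, cache status), the sample lines, the block-ratio alert threshold and the pseudonymization approach are all constructed for the example.

```python
"""Gateway access log to usage breakdown and dashboard alert (added
illustration, not Secure Computing's code).  Log format and sample lines are
constructed:  timestamp user action category url bytes cache-status
"""
import hashlib
from collections import Counter
from typing import Dict, List

SAMPLE_LOG = """\
2007-09-01T10:00:01 alice ALLOW news http://news.example/a 5120 HIT
2007-09-01T10:00:02 bob BLOCK games http://games.example/play 0 MISS
2007-09-01T10:00:03 carol ALLOW streaming http://video.example/clip 204800 MISS
2007-09-01T10:00:04 alice ALLOW news http://news.example/b 4096 HIT
2007-09-01T10:00:05 dave BLOCK malware http://updates.example/patch.exe 0 MISS
2007-09-01T10:00:06 bob ALLOW business http://intranet.example/ 2048 HIT
"""


def pseudonym(user: str, salt: str) -> str:
    """Keyed one-way pseudonym so per-user figures can be reported without names (a privacy measure)."""
    return hashlib.sha256((salt + user).encode()).hexdigest()[:12]


def parse_line(line: str, salt: str = "") -> Dict:
    """Split one constructed log line into typed fields; pseudonymize the user when a salt is given."""
    ts, user, action, category, url, nbytes, cache = line.split()
    return {"ts": ts, "user": pseudonym(user, salt) if salt else user,
            "action": action, "category": category, "url": url,
            "bytes": int(nbytes), "cache": cache}


def summarize(log_text: str, block_alert_ratio: float = 0.3, salt: str = "") -> Dict:
    """Aggregate the log into the breakdown a dashboard would show, plus alerts."""
    records = [parse_line(l, salt) for l in log_text.splitlines() if l.strip()]
    actions = Counter(r["action"] for r in records)
    bytes_by_category: Counter = Counter()
    for r in records:
        bytes_by_category[r["category"]] += r["bytes"]
    served = [r for r in records if r["action"] == "ALLOW"]
    cache_hits = sum(1 for r in served if r["cache"] == "HIT")
    total_bytes = sum(bytes_by_category.values())
    block_ratio = actions["BLOCK"] / len(records) if records else 0.0
    alerts: List[str] = []
    # Constructed alert rule: an unusual share of blocked requests is the kind of
    # "at a glance" problem indicator the dashboard should surface immediately.
    if records and block_ratio >= block_alert_ratio:
        alerts.append(f"block ratio {block_ratio:.0%} at or above {block_alert_ratio:.0%}")
    return {
        "requests": len(records),
        "actions": dict(actions),
        "bytes_by_category": dict(bytes_by_category),
        "total_bytes": total_bytes,
        "cache_hit_ratio": cache_hits / len(served) if served else 0.0,
        "streaming_share": bytes_by_category["streaming"] / total_bytes if total_bytes else 0.0,
        "blocked_by_user": dict(Counter(r["user"] for r in records if r["action"] == "BLOCK")),
        "alerts": alerts,
    }


if __name__ == "__main__":
    for key, value in summarize(SAMPLE_LOG, salt="rotate-me-daily").items():
        print(f"{key:18} {value}")
```

Passing a salt replaces user names with keyed pseudonyms in the per-user block counts, so a report can be shared with people who are entitled to the trend but not to the identities; the salt itself then needs the same protection as the raw logs. At the 20 GB per day scale the paper mentions, the same aggregation would run incrementally against the RDBMS rather than over an in-memory list, but the figures computed are the same.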
Web Gateway Security
Title Annotation: White Paper
Date: Sep 1, 2007