Here are some scary statistics from Gartner: 60 percent of the top 100 US Web sites contain malware, and 75 percent of the Web sites that serve malware are legitimate sites which deliver it unknowingly. That means that you can’t rely on blacklists to protect your network from “drive by” infections, because users can pick something nasty up from almost anywhere on the Web.
The majority of organizations are highly susceptible to attack via the Web, because few have put adequate Web gateway security measures in place. That’s the view of Peter Firstbrook, a research director at Gartner. Speaking at the Gartner Information Security Summit 2009 in London, he said that although most organizations have implemented effective e-mail gateway security systems to sanitize messages before they are allowed onto the corporate network, Web gateways have been neglected. Because of this, the Web is now the primary attack vector used by malicious hackers.
Google’s safebrowsing tool illustrates this rather well. In case you haven’t come across this useful tool before, it can be used to view the malware history of Web sites: you can check any site by visiting http://google.com/safebrowsing/diagnostic?site=<sitename>
Look at the results we get when we check the highly reputable New York Times’ nytimes.com Web site:
What happened when Google visited this site?
Of the 10696 pages we tested on the site over the past 90 days, 1 page(s) resulted in malicious software being downloaded and installed without user consent. The last time Google visited this site was on 2009-10-05, and the last time suspicious content was found on this site was on 2009-09-12.
Malicious software is hosted on 1 domain(s), including protection-check07.com/.
3 domain(s) appear to be functioning as intermediaries for distributing malware to visitors of this site, including tradenton.com/, sex-and-the-city.cn/, harlingens.com/.
MySpace’s myspace.com, a community site, yields even scarier results:
What happened when Google visited this site?
Of the 26531 pages we tested on the site over the past 90 days, 58 page(s) resulted in malicious software being downloaded and installed without user consent. The last time Google visited this site was on 2009-10-06, and the last time suspicious content was found on this site was on 2009-10-05.
Malicious software includes 70 scripting exploit(s), 5 trojan(s), 2 worm(s).
Malicious software is hosted on 38 domain(s), including mspwiz.com/, ake.kz/, sockslab.net/.
27 domain(s) appear to be functioning as intermediaries for distributing malware to visitors of this site, including imandd.com/, mspwiz.com/, bidresponse.com/.
Despite this manifest prevalence of Web-borne malware – and Gartner believes the volume of malware on the Web is doubling every year – less than a third of organizations are protecting their users with secure Web gateways. The result is that between 3 percent and 5 percent of all enterprise PCs are infected, Firstbrook believes, and that number is likely to rise. Taking steps to secure the Web gateway is therefore an essential priority for any organization that hasn’t done so, he says. “By doing this you will get a huge bang for your (security) buck compared to updating your anti-virus systems and so on,” says Firstbrook.
So what can be done to secure the Web gateway? Before answering that, it’s important to understand why the steps many organizations are currently taking – namely URL filtering, desktop anti-malware software, and network intrusion prevention – are helpful, but by themselves inadequate.
URL filtering can’t protect mobile users outside the corporate network, and blacklists can never be comprehensive – not least because malware makers are smart: many can recognize anti-malware vendors’ Web spiders, and don’t serve malware to them so the spiders can’t detect that a site is malicious. These spiders also can’t get past authentication pages.
Anti-virus and anti-spyware software can only protect against known threats and is therefore reactive rather than proactive, while network intrusion prevention systems can’t protect against social engineering tricks that con users into installing malware.
So Firstbrook believes a “next generation” secure Web gateway needs to have three components:
- URL filtering (and reporting)
- Malicious code filtering
- Web application control (for at least the more popular applications)
While URL filtering is a reasonable starting point, the emphasis needs to be on malicious code filtering, and in particular organizations need to start filtering their outbound Web traffic in earnest. Only by doing that will companies be able to detect the signatures of key logging software sending information out of the organization, or of other types of malware “phoning home” to command and control centers to pick up instructions. Firstbrook also believes effective Web gateway security systems will need to focus on dynamic, non-signature based techniques to recognize bad code coming in from Web sites that users visit.
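One concrete form the outbound check can take is spotting "phoning home" by its timing: an infected host that polls the same external site at a near-constant interval stands out against ordinary browsing. The script below is an added illustration, not code from the article or from any Gartner or vendor product; the proxy log lines and the 20% jitter threshold are constructed for the example.

```python
# Added example, not from the article. The proxy log lines are constructed and
# the 20% jitter threshold is illustrative, not a tuned value.
import re
import statistics
from collections import defaultdict
from datetime import datetime

SAMPLE_LOG = """\
2009-10-05T09:00:00 10.1.2.3 GET http://www.example.com/news.html 200
2009-10-05T09:00:05 10.1.2.3 GET http://beacon.example.test/check 200
2009-10-05T09:00:30 10.1.2.7 GET http://www.example.com/sports.html 200
2009-10-05T09:05:05 10.1.2.3 GET http://beacon.example.test/check 200
2009-10-05T09:07:12 10.1.2.7 GET http://mail.example.com/inbox 200
2009-10-05T09:10:05 10.1.2.3 GET http://beacon.example.test/check 200
2009-10-05T09:15:06 10.1.2.3 GET http://beacon.example.test/check 200
2009-10-05T09:20:04 10.1.2.3 GET http://beacon.example.test/check 200
"""

LINE_RE = re.compile(r"^(\S+) (\S+) \S+ (\S+) \d+$")  # time client method url status

def parse_log(text):
    """Yield (timestamp, client_ip, host) from the constructed log format."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            host = m.group(3).split("/")[2]  # scheme://host/path -> host
            yield datetime.fromisoformat(m.group(1)), m.group(2), host

def find_beacons(text, min_requests=4, max_jitter=0.2):
    """Return {(client_ip, host): mean gap in seconds} for pairs with at least
    min_requests requests whose gap std-dev is <= max_jitter * mean gap."""
    times = defaultdict(list)
    for ts, client, host in parse_log(text):
        times[(client, host)].append(ts)
    beacons = {}
    for pair, stamps in times.items():
        if len(stamps) < min_requests:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        mean = statistics.mean(gaps)
        if mean > 0 and statistics.pstdev(gaps) <= max_jitter * mean:
            beacons[pair] = mean
    return beacons

if __name__ == "__main__":
    for (client, host), gap in find_beacons(SAMPLE_LOG).items():
        print(f"{client} -> {host}: every {gap:.0f}s")
```

On the sample log only 10.1.2.3 talking to beacon.example.test every five minutes is flagged; the normal browsing from both hosts is left alone.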
What will these dynamic techniques look like? Essentially, they’ll involve the ability to decompose each incoming Web page into its basic elements, and then to analyze those elements. For example, they’ll check and block URLs contained in the page based on some sort of reputation score: a URL pointing to a site which is only a few days old and contains only a couple of pages shows classic signs of being malicious, as does a site which contains content purporting to be from a well known bank if the site is not registered to that bank. They’ll also check for the signatures of malicious toolkits such as Neosploit, and for code that has been obfuscated. Finally, they’ll also need to carry out dynamic analysis of scripts in real time.
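To make the page-decomposition idea concrete, here is an added example (not code from the article or from any gateway vendor) that splits one page into the URLs it references and its inline scripts, scores each URL against a domain age and page-count table, and flags a script that decodes text and hands it to eval. The sample page, the reputation table and the thresholds are all constructed; a real gateway would draw the reputation data from WHOIS and crawl history.

```python
# Added example, not from the article: the HTML, the reputation table and the
# thresholds below are constructed for illustration only.
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed stand-in for a reputation feed: hostname -> (age_days, pages_seen)
REPUTATION = {"www.example.com": (3650, 120000), "fresh-site.example.test": (3, 2)}

SAMPLE_HTML = """<html><body>
<a href="http://www.example.com/news">News</a>
<iframe src="http://fresh-site.example.test/ad.html"></iframe>
<script>eval(unescape("%76%61%72%20%78%3d%31"));</script>
</body></html>"""

class PageDecomposer(HTMLParser):
    """Break one page into its external URLs and its inline script bodies."""
    def __init__(self):
        super().__init__()
        self.urls, self.scripts, self._in_script = [], [], False
    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag in ("script", "iframe") and a.get("src"):
            self.urls.append(a["src"])
        elif tag == "a" and a.get("href"):
            self.urls.append(a["href"])
        self._in_script = tag == "script" and not a.get("src")
    def handle_endtag(self, tag):
        if tag == "script": self._in_script = False
    def handle_data(self, data):
        if self._in_script and data.strip():
            self.scripts.append(data)

# A script that decodes text and hands it straight to eval is a classic obfuscation tell.
OBFUSCATION_RE = re.compile(r"\b(eval|unescape|String\.fromCharCode)\s*\(")

def url_findings(url, min_age_days=30, min_pages=10):
    host = urlparse(url).hostname or ""
    age, pages = REPUTATION.get(host, (0, 0))  # unknown host: treat as brand new
    out = []
    if age < min_age_days: out.append(f"{host}: domain only {age} days old")
    if pages < min_pages: out.append(f"{host}: only {pages} pages seen")
    return out

def analyze_page(html):
    """Return findings for one page; an empty list means nothing was flagged."""
    p = PageDecomposer()
    p.feed(html)
    findings = [f for u in p.urls for f in url_findings(u)]
    findings += ["inline script decodes and evaluates its own content"
                 for s in p.scripts if OBFUSCATION_RE.search(s)]
    return findings
```

The sample page yields three findings: two for the three-day-old iframe domain and one for the self-decoding script, while the link to the long-established site passes.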
“Generally, vendors that provide a cocktail approach will be the most adaptable to changing attack techniques. Vendors that have an extensive malware research capability, the ability to crawl the Web looking for threats, and the infrastructure and scale to support real time updates to end nodes will generally offer better protection,” Firstbrook says.
Companies including FaceTime www.facetime.com and BlueCoat Systems www.bluecoat.com offer Web gateway security devices, but companies that have multiple branch offices and site-to-site VPNs, as well as companies with a high population of remote and mobile workers, should look at a secure Web gateway delivered as a SaaS (software as a service) solution, Firstbrook believes.
The benefits of a SaaS solution include lower administration costs, faster deployments, zero capital costs, zero data center footprint, and protection for off-LAN endpoints. But against this has to be balanced the possibilities of higher latency, higher overall costs, the usual reduced customization possibilities of a service, and the fact that logs may only be preserved for a limited period of time.
Today only about 4 per cent of US-based organizations are using SaaS-based secure Web gateway solutions, but Firstbrook believes that this will increase dramatically: Gartner forecasts that SaaS-based solutions will account for about 25 per cent of secure Web gateway revenue by 2013. “It’s a very exciting area: these services are good for mobile users, and they can respond to new threats very quickly. A SaaS-based secure Web gateway should be a consideration for any larger company,” he concludes.