Safer web browsing in four steps

Technology to help you reduce risk

by Chris McCormack, Product Manager, and John Metzger, Senior Product Marketing Manager

The web is now the cybercriminals favored means of attack, with a newly infected
website discovered every few seconds. Hijacked trusted sites, poisoned search
results, fake anti-virus software and phishing websites are a sample of the exploits
that hit users browsers every day. That leaves your business in a bind: Accessing
the web poses enormous risks, yet you cant afford to be isolated from the
internet and its resources. This white paper examines the latest web threats, and
recommends four best practices and a layered approach that enables your users
while also protecting your organizations endpoints, network and data.

To crush the threats without squeezing user productivity, your organization must
Safer web browsing
take generally accepted preventive steps that include rigorous software patching, in four steps:
strong passwords and user education about the hazards of browsing. As essential
1. Limit exposure on the web
as these actions are, you need more. Traditional URL filtering solutions cannot
keep up with todays risks because they are slow to update and cant catch 2. Block threats at the source
emerging threats in real time. It takes a comprehensive best practices approach
3. Reduce your vulnerabilities
to web protection to keep your users and your organization safer.
4. Prevent data theft and loss

Safer web browsing in four steps-Technology to help you reduce risk

Safer web browsing in four steps
Technology to help you reduce risk
Understanding internet threats
Organized criminals generate a steady onslaught of web-
borne threats to exploit newly discovered vulnerabilities
and to evade detection by security software. Much of their
dirty work is automated so they can perpetrate misdeeds
widely with little effort and cost. Although specific attacks
can come and go rapidly, the following four dimensions will
help you understand the problems and the harm they inflict.
Limited exposure: Where web threats lurk
Known malicious or risky websites arent the only places
where cybercriminals host their wares and scams.
Compromising legitimate sites is an increasingly common
tactic because visitors believe what they find on trusted
sites. News, technology, ecommerce, government,
military, sports, entertainment and social networking sites
all have been subverted. (Visit Sophos at www.sophos.
com/security/topic/recently-infected-sites.html for a
sampling of recent incidents.)
Files downloaded from websites present another peril
because they can be vehicles for malware. Some file
types, including .exe and .dll files, carry extra risk; they
are often disguised as something legitimate but may
harbor a virus or other malicious code.
Block them at the source and reduce your
vulnerabilities: How infections occur
For a threat to successfully infect a website visitor, that
threat needs to exploit some weakness in the users
Safer web browsing in four steps-Technology to help you reduce risk
browser, browser plug-in, application or operating
systemthat is, an unpatched vulnerability. Other threats
depend on deceiving the user, and may or may not also
exploit a technical vulnerability.
Criminals have no shortage of techniques for exploiting the
weaknesses in technology and human behavior. Whats
more, hackers often combine multiple techniques. The
drive-by download is one example common to hijacked
trusted sites and known malicious sites. Users simply have
to visit a site to download malicious code that exploits a
vulnerable browser or plug-in, without the users knowledge.
Other attacks rely on trickery. Social engineering attacks
use links on blogs, forums and social network sites to
entice users to view or download content, only to infect
them with malware or mislead them into providing
private information. Phishing is a specific kind of social
engineering where criminals sites pose as legitimate sites
to acquire sensitive data such as visitors passwords and
account numbers.
In SEO poisoning, hackers exploit search engine
optimization strategies to get their malware-laden sites
ranked highly on common search terms. To lure visitors,
blackhat SEO campaigns abuse breaking news and other
trending topics. Past examples include celebrity deaths
such as Michael Jacksons, and natural disasters such as
the Haiti earthquake in 2010.
2
Safer web browsing in four steps
Technology to help you reduce risk

Prevent data theft and loss: What Layers of web protection

happens when your computer is infected
A chain of events must occur for hackers to succeed. You
Some exploits involve browser hijacking, in which increase your opportunities to break that chain when you
malware takes over the browser and/or changes settings use layers of security, such as those listed below, in a
such as the home page to redirect users to more malware defense-in-depth strategy:
or phony sites.
Productivity filtering
Other malware scares users into thinking their computers Live URL filtering
have a virus and leads them to buy fake anti-virus Proxy filtering
software. In one notable attack, a poisoned ad stream on File type control
The New York Times website led visitors to download fake Anti-malware
anti-virus software that compromised their Windows PCs. HTTPS filtering
Application control
Data theft and financial loss occur when malware Data loss prevention (DLP)
or spyware silently steals personal information, login
credentials or account passwords. Some of these attacks
go on for years before being uncovered. Consider a An additional consideration is that todays threats are
string of incidents reported in 2008, in which drive-by complex and designed to escape detection. That means
downloads and the Sinowal Trojan compromised more only one or two layers of a security solution may have the
than 500,000 bank, credit and debit card accounts. opportunity to stop any given threat.

Another sort of exploit hijacks PCs into a botnet to serve

up malware and spam campaigns on command, while
users remain unaware.

Safer web browsing in four steps-Technology to help you reduce risk 3

 Safer web browsing in four steps
Technology to help you reduce risk
1. Limit your exposure on the web
The first defense is limiting your exposure, while giving
end users access to the tools and information they need to
do their jobs.
Productivity filtering: Prohibiting access to illegal,
inappropriate or non-business-critical web content is a
standard practice for businesses that should continue.
Many organizations blacklist site categories such as
adult, gambling, sports and finance. Productivity filtering
is important for optimizing your staff productivity and
network performance, but is not enough to combat threats
now that web malware isnt confined to questionable sites.
Learn more about productivity filtering.
Live URL filtering: URL filtering historically has been
associated with productivity filtering, which blocks
categories of questionable sites. Security vendors are
now combining reputation-based data with URL filtering
to stop users from accessing sites known to be infected,
or sites that repeatedly host malware or other unwanted
content. Reputation-based URL filtering that performs
real-time lookups against the security vendors database
is especially effective at blocking the thousands of new
malware sites, SEO poisoning attacks and hijacked
trusted sites that pop up daily. Learn more about Live
URL filtering.
Proxy filtering: Anonymizing proxies are portals that
let users anonymously browse any site. When they do,
users bypass your organizations web security and control
mechanisms. That exposes your organization and your
users to unlimited security risks, liability issues and
productivity losses. Vast numbers of anonymizing proxies
Safer web browsing in four steps-Technology to help you reduce risk
appear all the time and many are quite obscure, which
makes it impossible for IT administrators to identify all
of them.
You can shut down anonymizing proxy use by pairing two
techniques: a reputation-based service that actively seeks
out new proxies, and a real-time proxy detection engine
that inspects traffic for signs of being routed through a
proxy. Learn more about proxy filtering.
File type control: This form of content filtering analyzes
file downloads to identify the nature of traffic coming
back from a website. You can permit the content or not,
depending on your organizations policy. You are able to
disallow content types that tend to carry malware, which
significantly reduces exposure to infection. In addition,
blocking resource-hungry content, such as streaming
video and audio, will help you prevent unwanted files and
media from depleting network bandwidth.
The ability to scan actual file content to determine
its true nature is an advantage. Otherwise, malware,
unauthorized information and illegal content can slip
through by masquerading as a permitted file type. Learn
more about file type control.
2. Block threats at the source
Limiting exposure is fundamental. But modern threats
try to dodge detection by morphing themselves, hiding or
both. That calls for an additional set of safeguards.
Anti-malware: A real-time malware scanning engine is
perhaps the single most essential component in a web
4
Safer web browsing in four steps
Technology to help you reduce risk
security solution. Anti-malware scans all web traffic,
including trusted content, to identify known threats as
well as new zero-day exploits. Every time a user accesses
a site, the scanning engine inspects the traffic using a
combination of anti-malware signatures and behavior-
based techniques. Online, real-time lookups against
the security vendors database provide the most timely
defense against emerging threats.
Malware authors increasingly use obfuscation to morph
and hide their malicious code. An effective anti-malware
solution helps you fight back by detecting hidden suspect
code; for example, by deobfuscating and emulating
JavaScript before it is executed. Learn more about
anti-malware filtering.
HTTPS filtering: Web applications and protected websites
use Secure Sockets Layer (SSL) protocol to encrypt the
communication of sensitive content including payment
transactions. That creates an unintended blind spot for
traditional web security solutions. Proxy sites, phishing
exploits, fake anti-virus sites and other malware threats
abuse this point of entry. Its also a hole for data leakage,
unwanted downloads and bandwidth-hogging traffic.
HTTPS filtering lets you balance user privacy and your
organizations security needs. You can have certificate
validation performed for sites such as financial institutions,
while traffic in other HTTPS sessions can be scanned and
proxied. Learn more about HTTPS filtering.
Safer web browsing in four steps-Technology to help you reduce risk
3. Reduce your vulnerabilities
Criminal hackers look for easy prey. For that reason,
modern malware uses exploit packs to probe for
weaknesses with a variety of vulnerability testers, site
redirectors and malware code.
Application control: Although your business depends
on a variety of end-user applications, unnecessary and
unauthorized applications expand the attack surface area
by exposing more potential targets. Applications such
as web browsers, PDF readers, media players, tool bars,
instant messaging (IM) clients and peer-to-peer (P2P)
clients have been exploited. These applications introduce
possible productivity, legal and data loss issues, besides
increasing the number of applications that IT must
manage and patch.
Application control cuts your security risk and
management overhead by stopping users from installing
non-business-related software on their machines. But
your organization may find a blanket application control
policy to be overly restrictive. Users will resort to
workarounds when they dont have the applications they
need and want.
Granular application control offers the flexibility to enable
different policies that are appropriate for different groups
of users. That way, you can ensure applications are
managed to keep everyone productive and protected.
Learn more about application control.
5
Safer web browsing in four steps
Technology to help you reduce risk

4. Prevent data theft and loss Layered protection in action

Intellectual property and other business data are the
crown jewels of every organization. Its hardly surprising
that criminals scheme to acquire this sensitive data, as
they did in the Operation Aurora attack that targeted
Google and other prominent companies in late 2009.
And with data privacy and confidentiality laws getting
tougher in jurisdictions around the globe, your business
must also safeguard customer data and enforce data
protection rules that extend to mobile computers, USB
devices, removable media, email and Web 2.0 applications.
The penalties are unforgiving: steep fines, damaging press
coverage, loss of businesseven prosecution.
Data loss prevention: Protect against data theft and
leaks with data loss prevention (DLP) software that
scans for sensitive content, such as credit card numbers,
personally identifiable information (PII), bank account
information, national identification numbers and more.
The idea is to help authorized users do their work without
being tripped up by data loss or exposure.
Layered web protection is the best defense against
complex web threats. Consider a scenario of a blended
attack that employs multiple methods to spread, roughly
similar to Operation Aurora:
When a user clicks on a link to a compromised website,
live URL filtering would stop the user from reaching the site.
Then proxy filtering would block the user from trying to get
around the website block if he or she attempted to access
the compromised website through an anonymizing proxy.
Should the user manage to reach a compromised site,
anti-malware would detect malicious code and block the
malware from executing in the users browser. HTTPS
filtering would catch the presence of encrypted malware.
Application control would limit potential entry points for
threats by preventing the installation of applications with
known vulnerabilities.

You can use DLP software to warn the user, or block the
file transfer, before privileged information moves from the
users PC into removable media, a USB device, an email
or an internet-enabled application. When sensitive content
must be sent outside your organization, ensure the files
are encrypted first so data isnt exposed or misused. Learn
more about DLP.

Safer web browsing in four steps-Technology to help you reduce risk 6

Safer web browsing in four steps
Technology to help you reduce risk

Users often find VPN connections to be slow, which

frustrates them and stifles their productivity.
Gateway, endpoint or both?
Just as important, endpoint protection blocks attacks and
Today you need web protection that enables both local data losses that target desktops and laptops, or are able
and remote users, while safeguarding your organizations to sidestep the security on your organizations network, by
endpoints, your network and your data. That is why providing an added layer of protection. For instance, an
pairing gateway and endpoint web security has become infected USB drive plugged into an unprotected PC will
the most effective approach. drop malware on that endpoint.

Gateway protection alone was once the standard, and
its no less important today. Using a web appliance
for security at the network gateway is highly efficient
for protecting users and data inside your organization.
Its also the way to mitigate threats introduced by any
vulnerable, unmanaged or unmanageable endpoints on
your network (e.g., unpatched computers and guests
laptops).
Endpoint protection delivers a line of defense beyond the
gateway. First of all, endpoint security keeps mobile and
remote users protected without forcing them to go back
through your organizations virtual private network (VPN)
every time they need internet access outside the office.
As internet threats have grown more widespread and
destructive, they have outpaced the capabilities of
traditional web protection solutions. An updated approach
is required in order to keep your organization connected
while your endpoints, your network and your data stay
safer. You need a strong set of best practices supported by
gateway and endpoint security technologies that provide
multiple layers of defense. Then you will have effective,
affordable and sustainable web protection that enables
your business.

Sources
http://www.sophos.com/security/topic/security-report-2010.html
http://www.sophos.com/pressoffice/news/articles/2010/03/seo-attacks.html
http://www.sophos.com/blogs/gc/g/2009/09/14/fake-antivirus-attack-hits-york-times-website-readers
http://voices.washingtonpost.com/securityfix/2008/10/virtual_bank_heist_nets_500000.html
http://www.nytimes.com/2010/04/20/technology/20google.html?sudsredirect=true

Boston, USA| Oxford, UK

Safer web browsing in four steps-Technology to help you reduce risk 7
Copyright 2009. Sophos Plc. All rights reserved.
All trademarks are the property of their respective owners.