24 May 2011

Web 2.0 – New threats need shared defences

By Nigel Hawthorn, VP EMEA Marketing, Blue Coat Systems

Blue Coat Systems | www.bluecoat.com


The boundary between home and work is blurring – workers take home corporate laptops or access work email and data through their mobile phones, while employers understand that allowing employees to perform some personal activities while at work keeps them motivated and in the office. There are now millions of people downloading music from the Web or visiting other recreational sites on their work desktops and, with the potential for content and their personal information to spread virally, they're a scammer's dream. This year we have seen threats distributed via Twitter, Facebook and other social networking sites. Faced with the growing severity of these Web-based threats, as well as new threats that are appearing every few seconds, organisations should undertake a number of important defensive measures to protect their users, networks and data.

It is clear that organisations must look at ways to protect themselves from malicious content that can be delivered via downloads. However, they must also protect themselves from unmanaged employee use of applications such as unauthorised peer-to-peer file-sharing systems, consumer-oriented instant-messaging clients, consumer voice-over-IP applications and the like, which can be the conduit for loss of sensitive corporate information.

Cybercrime is big business, and like any enterprising organisation, cybercriminals follow the money. As more people are drawn to the intensely collaborative and interactive nature of Web 2.0 for business and personal use, so too are the criminals. Web 2.0 technologies, such as Twitter, Facebook, LinkedIn and YouTube, create a rich experience and open environment where everyone can contribute. But this opens more doors to security risk, by creating additional surface areas for attack and punching holes in traditional security boundaries.

Focus on the final link, not the initial problem

However the threat is initially delivered, there's a common weakness. "With Web 2.0, threats can hide anywhere, but the malware is always behind a web link. There's always a final URL that downloads the executable", says Mikko Valimaki, Chief Scientist at Blue Coat Systems.

Some vendors have released reports on the number of legitimate sites that have been infected, sometimes even blocking these sites though the real threat is elsewhere. It is important to reduce the problems of site infections, but blindly blocking anything that may unfortunately have been compromised has led to businesses going offline without necessarily stopping the real source of the threat: the final web page that these infections point to.

What can organisations do?

Companies should deploy a variety of tools in a multi-layered architecture to monitor, manage and control the use of a growing variety of applications that are used in the workplace. As threats are constantly changing, the system must also be able to provide instant reviews of new web pages so that a new threat is identified even for the first potential victim. A layered defence should be deployed that gathers together reputation, web text inspection, malware scanning and the sharing of threats from organisations that understand spam and those that understand web content. The ultimate goal is to keep users safe and advise them of the threat that data leakage poses to the organisation, while ensuring compliance with corporate, legal and other policies.

Employ a community based Web infrastructure

Deploying a neighbourhood watch-based approach has distinct advantages over conventional centralised web-spider crawling for bad pages. As we know, web pages can be infected at a moment's notice, so a daily crawl from a single vendor leaves web sites unprotected except at the instant that the crawler inspects the page. Phishing sites may be active for no more than a few minutes – the criminals can set up a page that looks like a bank and send out a million emails; as soon as a few customers have been caught, they take down the site, empty the victims' accounts and repeat.

You can't defend against these threats alone. A large group of users can access tens or hundreds of millions of Web pages daily, providing a constant stream of fresh information about Web pages, and can therefore more readily detect new infections. As an example, Blue Coat's WebPulse cloud service gathers knowledge from more than 55 million users in large organisations, over 50 million users on ISP and mobile networks and around 1 million consumers – each user adds to the knowledge of the whole when surfing the web and WebPulse therefore receives over a billion requests and updates a week.

Shared defences are stronger defences

Organisations should ask their supplier how they gather further information and inspect pages for threats. Does the organisation cooperate with other vendors and use multiple technologies to inspect the web? As most email spam now contains a link to the real source of the threat on the web, email and web companies should be sharing their knowledge for the greater good. Online malware scanning and feeds from Google of known bad or questionable sites also strengthen defences beyond what single-vendor solutions provide. The key for such a defence is a significant volume of traffic analysed repeatedly by multiple anti-malware defences, machine analysis and human raters to provide reliable feedback on threats. Volume provides visibility and repetition provides timeliness across a large volume of web content which no one organisation can analyse.

Employ granular management and check the validity of old policies

It is clear that organisations need to enable certain Web 2.0 applications to realise the productivity gains they offer for their employees. For example, LinkedIn is good for finding business contacts. However, organisations need to continue to protect their users from the myriad threats. Granular policies can allow text and graphics content while blocking applications, deliver warnings and advice to users and allow the organisation to define policies in the grey areas of the web where malware may reside. As an example, IT can implement policies that deny all executable downloads from sites that are currently unrated, stopping malicious downloads from brand new threats dead in their tracks. Even if a PC is compromised, defensive policies can prevent the malware from communicating back to the home site.
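The granular policy described above, sketched as an added example (it is not from the article and not Blue Coat's product logic). The hosts, category names and rule order are constructed assumptions; the payload check shows why a gateway should not rely on the server-declared content type alone.

```python
# Added illustration: hosts, categories and rule order are constructed assumptions.
from urllib.parse import urlsplit

# Constructed rating table; a host missing from it counts as "unrated".
RATINGS = {
    "www.linkedin.com": "social-networking",
    "files.example.org": "software-downloads",
    "forum.example.net": "grey-area",
    "c2.example.invalid": "malware-source",
}

EXECUTABLE_TYPES = {"application/x-msdownload", "application/x-dosexec",
                    "application/vnd.microsoft.portable-executable"}
EXECUTABLE_MAGIC = (b"MZ", b"\x7fELF")  # leading bytes of PE and ELF files


def is_executable(content_type, first_bytes):
    """Check the payload's leading bytes as well as the declared type."""
    declared = content_type.split(";")[0].strip().lower()
    return declared in EXECUTABLE_TYPES or first_bytes.startswith(EXECUTABLE_MAGIC)


def decide(url, content_type, first_bytes=b""):
    """Return (action, reason) for one response passing through the gateway."""
    host = (urlsplit(url).hostname or "").lower()
    category = RATINGS.get(host)  # None means the site is unrated
    executable = is_executable(content_type, first_bytes)

    if category == "malware-source":
        # Also cuts off call-home traffic from an already compromised PC.
        return "block", "destination rated as malware source"
    if category is None and executable:
        return "block", "executable download from unrated site"
    if category == "social-networking":
        # Simplification: MIME family stands in for "text and graphics only".
        family = content_type.split("/")[0].strip().lower()
        if executable or family not in ("text", "image"):
            return "block", "only text and graphics allowed in this category"
        return "allow", "text/graphics on permitted Web 2.0 site"
    if category == "grey-area":
        return "warn", "grey-area site: show advice page before continuing"
    return "allow", "no rule matched"
```

The first rule applies to every request from inside the network, so a compromised machine's outbound traffic to a destination already rated as a malware source is stopped by the same policy that filters downloads.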

Keep users safe both inside and outside the organisation

A lot of emphasis over the last decade has been on keeping users safe while inside the organisation's own network, but today with laptops and mobile devices, data and Internet access are often not completely under the organisation's control. Happily, vendors are now delivering the same type of defences for remote users – keeping data and systems safe even when employees surf from home using corporate devices. Some vendors, such as Blue Coat, are even delivering remote device defence free of charge to customers who buy their office-based systems. As someone who works remotely most of the time, I feel safer in the knowledge that technology is constantly being updated to defend me from the latest attacks. The key is to be able to monitor and control access to critical technologies while protecting users and networks from malware, everywhere.