Web-Borne Attacks -- The Real Cost to Corporate Networks
 TMCnet Web Security Columnist
The dramatic increase in Web-borne threats, such as spyware, has become a chief concern for network administrators. As technologies continue to develop at a rapid pace and hackers are motivated by business interests, attacks are becoming more clever and stealthier in order to avoid detection.
Moreover, as corporations increasingly depend on the web for business applications, information access, webmail and other everyday business activities, their networks are exposed to these threats on a daily basis.
Today’s sophisticated web-based threats propagate through silent installations and drive-by downloads, often without end-user awareness. These threats, such as spyware, trojans, botnets and rootkits, are among the tools being used by hackers to surreptitiously take control of victim computers. Socially-engineered phishing attacks, which trick innocent people into revealing sensitive information, rose 73 percent in 2005 (Anti-Phishing Working Group).
Targeted attacks, aimed at stealing identities or compromising confidential information from a specific system or computer, are on the rise. These are nearly impossible to detect using traditional security tools. What is common to all of these threats is that they are driven by active content (JavaScript, VBScript, ActiveX, Java Applets)--the very technologies that enable users to browse websites and run common business applications.
The following images show a professionally designed and seemingly legitimate search engine available on the Web. However, analysis of the page’s source code reveals a home-encoded script that hides a well-known exploit for a patched Internet Explorer vulnerability. This exploit tries to silently install spyware on the victim’s machine.
Figure 1: Search Engine – Helpful or Harmful?
Figure 2: Home Encoded -- Script in Live Search Engine Source Code
The Magnitude of Web-borne Threats
Most large organizations and corporations are not aware of the quantity and type of traffic entering through their corporate firewall, nor do they have specific security policies in place for handling active content and HTTPS-encrypted web traffic.
To fully understand the magnitude of web-borne threats, one must look at real-world data and statistical analysis of the web content entering corporate networks.
The information presented below is based on actual security audits that were performed in late 2005 and early 2006 by Finjan’s Malicious Code Research Center for a financial institution and a government site. Live web content information was gathered during a period of two weeks based on the browsing activities of about 5,000 users on each site.
Figure 3: Malicious Content Breakdown from Finjan Malicious Code Research Center Security Audits
These audits clearly show that, while Anti-Virus and URL-filtering block malicious content, these types of threats are only a small portion of the real problem. In today’s always-connected, web-centric environment, spyware and malicious behavior represent the vast majority of security incidents. More advanced security technologies are required to block them.
Even dedicated anti-spyware solutions are not able to detect new and unknown attacks. The FBI 2005 Computer Crime Survey indicated that while 75 percent of companies surveyed deploy anti-spyware solutions, more than 79 percent were still infected at least once by spyware.
According to the PWC-DTI Information Security Breaches Survey 2006, 62 percent of UK businesses had at least one security incident in 2005. For large businesses this figure reached 87 percent. The median number of incidents suffered by UK companies is eight. This is despite the fact that 98 percent of businesses surveyed deploy anti-virus software. The average cost of the worst security incident for large businesses is estimated to be 65,000 - 130,000 (mainly due to business disruption).
Outlook and Conclusions
Web attacks increased during 2005 and this trend will continue in 2006 and beyond. Most organizations and consumers have firewalls and anti-virus applications in place, and are well protected against spam and e-mail viruses. Hackers, seeking the path of least resistance and driven by financial gain, will inevitably focus more on web-based infection techniques.
As technology continues to evolve, new ways of spreading malicious attacks will be developed and new vulnerabilities will continue to be discovered.
In order to protect themselves from this growing threat, businesses and organizations are beginning to adopt intelligent, proactive security solutions such as behavior-based analysis, on top of their traditional security infrastructure. These solutions will allow organizations to take full advantage of the web as a business tool, while controlling the content that enters and leaves their network.
---
Yuval Ben-Itzhak is CTO of Finjan, a global provider of best-of-breed web security solutions for businesses and organizations. A security industry veteran, he has more than 15 years of high-level, technology-related management experience.