Some things change with the passage of the New Year, and some do not.
When it comes to the problem of Web-based malware, it would seem that more organizations than ever before are aware of the issue and focused on addressing it, but clearly many people still have no idea what they should do, specifically in the face of rapidly growing worker mobility and unfettered Web access.
According to a new piece of research conducted by Ostermann, and sponsored by hosted security management vendor Purewire, most IT shops are well versed in the problem of Web-driven malware by now, but whether or not that concern is translating into successful defense against the threats certainly remains to be seen.
One of the biggest issues influencing the problem remains the growing rate of telecommuters who can avoid many corporate security policies when working remotely, and thereby greatly increase the scope of online risks, the report said.
Based on Ostermann's Nov. 2008 survey of 139 IT pros responsible for securing their company's Web sites and online applications:
• Some 46 percent said that Web-based attacks accounted for the majority of their malware infections last year, compared to 25 percent who said that e-mail remains their leading source of malware.
• Roughly 76 percent of respondents said that they remain "very concerned" about the threat of Web-driven attacks.
• In a nod to botnet threats, 55 percent indicated that they are "very concerned" about the impact that online malware has on networking bandwidth.
• Some 49 percent are "concerned" or "very concerned" about enforcing Web usage and Web security policies for employees that work remotely, such as ensuring that they do not visit banned URLs.
• Roughly 48 percent are "concerned" or "very concerned" about supporting remote workers with various Web applications.
• Of all organizations that had remote workers' computers infected with malware, spyware or related problems during the previous year, 46 percent estimate that these infections came from users visiting infected Web sites.
Of course, vendors like Purewire want to become in-the-cloud security filtering providers for the types of companies answering the survey. By blocking suspicious URLs and other online attacks before end users can access the source of the threats - whether they are in the office or not - the risk of Web-borne malware can be significantly mitigated, the thinking goes.
However, most companies have not yet gone down that road, and in the meantime:
• Some 79 percent have established corporate policies against downloading certain types of Web files.
• About 76 percent have deployed systems that will actively block downloads of certain file types.
• Nearly 40 percent of those surveyed had no URL filtering solutions in place.
• Some 69 percent have implemented tools to control the use of Web applications.
• Roughly 46 percent lock down employee desktops so that users cannot install certain Web applications.
• Some 39 percent do so for employee laptops.
"Organizations have generally been fairly responsive in terms of establishing policies that are designed to protect their organizations from Web-related threats, but have generally not been as quick to implement effective tools to protect their infrastructure," Ostermann researchers said in the report. "Many of the solutions that have been implemented are simply not adequate to meet the growing number or dynamic nature of current threats."
So there you have it: people know about the problem, and most organizations have even gone to great lengths to create policies that aim to help address it... but many are still not doing whatever they can to actively enforce those policies and stop the problem.
As a result it would seem that until companies are more willing to take greater control of their assets, both those within their own networks and those they hand out to remote workers in the field, the issue of Web-driven malware isn't going to diminish anytime soon.
One only has to wonder what the tipping point will be.
Matt Hines has been following the IT industry for over a decade as a reporter and blogger, and has been specifically focused on the security space since 2003, including a previous stint writing for eWeek and contributing to the Security Watch blog. Hines is currently employed as marketing communications manager at Core Security Technologies, a Boston-based maker of security testing software. The views expressed herein do not necessarily represent the views of Core Security, and neither the company, nor its products and services will be actively discussed in the blog. Please send news, research or tips to SecurityWatchBlog@gmail.com.