Don't Filter Out Reputation-Based URL Filters Yet

The growth in the number of legitimate sites hosting malware doesn't mean reputation-based URL filters have lost their important role in security, analysts and others say.

While the number of legitimate Web sites hosting malware continues to rise, reputation-based URL filters still can serve an important role in network security, analysts and vendors claim.

Such filters have become a familiar part of a layered defense against security threats. But as a study released Jan. 22 by Websense shows, hackers are increasingly using legitimate sites to infect unwitting users.

According to Websense, some 51 percent of the Web sites the company classified as malicious were compromised - meaning they were legitimate sites infected by hackers. Because compromised sites have a good reputation, such methods can pose a serious threat to enterprises relying too heavily on reputation filters, the study notes.

Websense, a prominent player in the URL filtering market, is by no means down on reputation-based filtering. And as Gartner analyst John Pescatore noted, if 51 percent of the malicious Web sites found by Websense were legitimate, that still means 49 percent were rogue sites.

"Plus, even legitimate sites can get on the bad reputation list if they are found to be hosting malware," Pescatore told eWEEK. "This means that if the Miami Dolphins' site is hacked and the Web Security Gateway folks ... detect it, the Dolphins Web site will be on the blocked list - so reputation services are still effective."

What's ineffective, he said, is a lot of the anti-phishing mechanisms in place.

"What this all means is that Web site security is still weak. ... The servers are becoming the weakest link in the chain again," he said. "Enterprises need to focus again on making sure their sites aren't vulnerable. When worms were hitting IIS left and right, Web server security went way up, but there haven't been those high-visibility attacks, and the discipline has been going down and lots of new technology - such as Web 2.0, blogs and the like - are being used on business Web sites that open up many new vulnerabilities."