Rethinking Web Browser Security

New and ever-changing Web-borne threats necessitate a change in practices and technology.

With Web-borne threats and drive-by downloads becoming the most troublesome form of malware today, enterprise IT administrators and users alike need to reconsider the tools and practices they prescribe and employ to protect computers and data-particularly as otherwise legitimate Web sites become the primary vector for malware transmission.

We've seen a two-fold approach to malware as evil doers attempt to monetize their evil doings.

The first form stems from the phishing business, where malware authors create new domains and Web sites so fast that URL filtering and signature databases cannot keep up. The goal here is to score a few victims before the security companies can generate new signatures.

The second form consists of hijacked Web sites-sites that are otherwise legitimate but have been corrupted in a way that leads its visitors to malicious content.

An example of the interplay between these two types of Web threats is the Asprox botnet. The botnet originally derived from phishing attempts to draw unwitting users to malware via short-lived Web sites, but, in the last few months, Asprox has morphed into SQL injection attacks against legitimate sites. In automated fashion, the botnet leverages Google to find and exploit Web sites with vulnerable Active Server Pages injecting an IFrame into the assailable site that redirects site visitors to exploit code elsewhere on the Web.

According to some sources, legitimate Web sites now comprise the majority of pages currently hosting malware. In its July 2008 Security Threat Report Update, Sophos Labs declared that 90 percent of the infected Web pages it detected in the first half of 2008 originated from legitimate Web sites that were hacked in some form. The report also stated that Sophos Labs found, on average, more than 16,000 new infected pages each day during that time.

The changes in the way malware is propagated necessitate changes in the way IT managers secure corporate assets and give advice to users on keeping safe.

If the legitimate Web sites a user visits regularly, such as banks, merchants or social networks, can no longer be trusted to be clean, the old "spam-oriented" rule-not clicking on links in e-mail-becomes less relevant.

Indeed, when legitimate Web sites are the major source of malware, and users cannot readily tell whether a site is trustworthy by looking at it, there needs to be a technological solution to fill the breach and provide some assurance to users that the sites they visit are safe at this very moment-not five months ago, not an hour ago, but now.

Security providers have been trying out many new technologies to combat the problem of Web threats, as older, signature-based detections of the file system performed by anti-virus platforms have proven ineffective against new types of threats. (I've been trying out some of these systems; see how they've fared here.)

Newer technologies layer on Web reputation validation, in-line Web traffic scanning and script-blocking technologies to a browser's extended capability set, while anti-virus vendors augment their own platforms with more heuristic and behavioral analysis features.

Most of these browser add-on technologies have been targeted squarely on the Wild West that is the consumer's Microsoft Windows-based PC. Corporate customers, to date, have not suffered as much from Web threats, as enterprise administrators have deployed a tiered phalanx of both network- and host-based security solutions to combat all types of threats.

For example, intrusion prevention appliances or an in-line Web gateway appliance can detect and block both outbound traffic that looks like botnet activity, and inbound, malware-laden Web traffic. However, network-based solutions will not protect users as they go mobile, outside the corporate network perimeter.

Makers of security solutions geared toward enterprise customers have made strides to improve their built-in detection and analysis of Web network traffic-blocking code from touching a protected system by examining the way it behaves or identifying its similarities to known threats before it touches the file system.

There are different approaches that administrators will need to evaluate before making any kind of deployment decision. Some products plug into the browser to specifically examine how things such as ActiveX or JavaScript behave, while others perform a more holistic HTTP scan that determines whether a Web request was made from a browser, e-mail application or other source. Other solutions, meanwhile, are baked into enterprise security platforms.

Some security companies are also changing the model by which malware is identified. Trend Micro, for example, is moving from a signature push model-where signatures need to be updated frequently all over the network-to a request-time pull for threat information from the cloud.

With the latter method, when a Web request is made, Trend Micro's detection software (be it in a network appliance or an OfficeScan endpoint) polls a real-time database in the company's threat assessment network to compare the request and detected traffic to an up-to-date database of threats. With this approach, Trend Micro claims a 15-minute response time to new threats in its service-level agreement.