Recently in the news, an article on how much Web 2.0 breaches are costing companies.
From: http://www.informationweek.com/news/storage/disaster_recovery/showArticle.jhtml?articleID=227500731&subSection=News
While conceding its value to corporate initiatives, many business professionals have voiced their concerns about security threats associated with Web 2.0. This concern is perhaps with good reason, since more than 60% of those surveyed reported losses associated with Web 2.0 averaging $2 million, a new McAfee-commissioned study found.
One main reason for these breaches, which collectively totaled $1.1 billion, was employee use of social media, according to the report, which was conducted by research firm Vanson Bourne and authored by faculty affiliated with the Center for Education and Research in Information Assurance and Security (CERIAS) at Purdue University. 
In their efforts to reduce Web 2.0-related risks, almost half the organizations surveyed block Facebook, and one-third restrict employee use of social media, the study said. One-quarter monitor use and 13% completely block all social media access, the McAfee study found.
Half of the 1,000 global decision makers polled said they were concerned about the security of Web 2.0 applications such as social media, microblogging, collaborative platforms, web mail, and content sharing tools. And 60% voiced concerns about the potential loss of reputation as a result of Web 2.0 misuse, found the report, "Web 2.0: A Complex Balancing Act -- The First Global Study on Web 2.0 Usage, Risks, and Best Practices." 
"Web 2.0 technologies are impacting all aspects of the way businesses work," said George Kurtz, chief technology officer for McAfee, which Intel recently acquired. "As Web 2.0 technologies gain popularity, organizations are faced with a choice -- they can allow them to propagate unchecked, they can block them, or they can embrace them and the benefits they provide while managing them in a secure way."
In fact, more than 75% of businesses are using Web 2.0: About half of those surveyed use Web 2.0 applications for IT functions; about one-third have adopted these technologies for sales, marketing, or customer service; and 20% are using Web 2.0 apps for human resource or public relations. Three-quarters of respondents who use Web 2.0 believe the technology could create new revenue streams for their organizations, 40% to 45% of businesses said Web 2.0 improves customer service, and 40% said it enhances effective marketing.
Despite security challenges and concerns, about 33% of companies surveyed do not have a social media policy and almost 50% lack a policy for Web 2.0 use on mobile devices, the study found.
Of those that have addressed security worries, 79% increased firewall protection, 58% added greater levels of web filtering, and 53% implemented more web gateway protection since introducing Web 2.0 applications to their companies, according to the report. Forty percent of respondents budget specifically for Web 2.0 security solutions, the study said.
"The best protections are those that don't get in the way of getting work finished, because users are not tempted to circumvent those controls. As not all information needs to be protected in the same way, and not all users are going to interact with Web 2.0 technologies in the same manner, defenses should be tailored to fit the circumstances of use," said Eugene Spafford, founder and executive director of the Center for Education and Research in Information Assurance and Security (CERIAS) at Purdue University.
Welcome to the Proxy Update, your source of news and information on Proxies and their role in network security.
Thursday, September 30, 2010
Wednesday, September 29, 2010
News Sites, Searches May Be Riskier Than Porn
A few news articles came out today on a new study showing that you're never more than two clicks away from malware, even on the most popular sites, and that news sites and searches are riskier than porn.
Good reason to make sure your Secure Web Gateway's malware protection is updated and that you're using proactive, layered defenses: URL categorization alone won't catch a malicious link sitting on a reputable page, so the gateway also needs to scan what comes back, not just judge where it came from. Here's one of the articles:
From: http://www.informationweek.com/blog/main/archives/2010/09/news_sites_sear.html;jsessionid=BRHLKA15WRWBVQE1GHOSKH4ATMY32JVN
Steer clear of gambling, porn and other known risky sites and related searches and you and your employees -- and your business -- are safer, right? Not according to a new Websense study which found that leading news and pop culture sites, and hot-trend search terms may be more dangerous than some of the ones you're steering clear of.
If you and your employees stick to the most popular news, game, social network sites and message boards, you're still never more than two clicks away from malware, the Websense study reports.
In other words, when it comes to protecting yourself by proscribing your company's surfing and searching habits, you're damned if you don't, but you may also be damned if you do.
The cause is a combination of increased automation and thus ubiquity on the part of the malware community, and the increased use of partner sites and links -- often not previewed, obviously -- by legit sites.
According to Websense, no more than two clicks away from malware or other dangerous content are:
"More than 70 percent of top news and media sites
More than 70 percent of the top message boards and forums
More than 50 percent of social networking sites"
Here's a startling one: more than 60% of sites linking to games also contain links to toxic sites, while less than 25% of sex-related sites contain malicious links.
(Not that this is any reason to alter your policies related to objectionable material, of course.)
Search-poisoning is just as bad. Celebrity and other hot topics have always been malware-attractors, but less newsworthy searches are becoming riskier as well. Do a search for baby bedding in London, Websense found, and a full 30% of the results returned will be poisonous.
It's not exactly breaking news that spammers and malware creators are following hot trends and popular topics, zapping the zeitgeist as it were, with toxic links. But the Websense study shows just how pervasively the bad guys are going after you and your employees via your supposedly safe surfing and searching habits.
Whatever your company's policies are regarding employee Web usage, these findings are a good reminder to remind your employees that just because a link is on a reputable site, there's no guarantee that the link isn't compromised.
Even when they're surfing and searching safely, they have more reason than ever to be careful. To be, in fact, wary, and take one or two very deep breaths before clicking anything.
And certainly before that second click.
Tuesday, September 28, 2010
DLP in a Proxy World
DLP (Data Loss Prevention, also called Data Leakage Protection) seems to be gaining more steam in the last year. While DLP used to be relegated to organizations that had to have it for regulatory compliance (HIPAA, Sarbanes-Oxley, Gramm-Leach-Bliley and others), today many organizations are looking at DLP to prevent data theft, accidental data loss, and simply to head off embarrassing incidents.
It's impossible to implement web DLP without bringing the proxy or Secure Web Gateway into the picture, because in a typical network architecture the proxy handles all the outbound web traffic. DLP relies on the proxy to decide which outbound requests (form posts, file uploads, webmail attachments) get relayed to the DLP device, which inspects the content and rules on whether it is sensitive or okay to leave the organization. This conversation between the DLP device and the proxy occurs over the ICAP protocol discussed here. Unlike anti-malware, which inspects inbound web traffic using ICAP response modification (RESPMOD), DLP is primarily interested in outbound traffic, which is ICAP request modification (REQMOD). One caveat: the proxy can only hand the DLP device what it can see, so if you aren't intercepting SSL, an upload over HTTPS leaves uninspected.
DLP of course isn't limited to the proxy and outbound web traffic. There's also outbound email traffic, IM traffic, other outbound network traffic and physical device security, typically implemented as a client on PCs and laptops. There's also Network Discovery to determine what and where sensitive information is stored on the network. Each organization is going to differ in which of these pieces of DLP is more important, but it's important to recognize that a complete DLP solution requires a bit of thought, and implementing and integrating with multiple existing services, including the web proxy.
Monday, September 27, 2010
Browse the Web Using Encryption
In case you missed it, in May 2010 Google rolled out the beta of SSL Search. At first they put it at https://www.google.com, but that quickly caused problems for schools and other organizations trying to enforce web browsing policies, so Google created a separate site, https://encrypted.google.com, and had https://www.google.com redirect to it. That allowed school admins and other sites that weren't running an SSL proxy to just block https://encrypted.google.com.
According to Google, SSL Search is only a beta for now, but it could move into the mainstream and even replace the basic search mechanism, if not for the fact that most IT admins probably aren't ready for it. Encrypted search would break their web browsing policies on the Secure Web Gateway or proxy, because without an SSL proxy on the gateway all the proxy sees is a CONNECT to encrypted.google.com on port 443, not the search terms or result URLs the policy is written against.
The very fact that Google has introduced SSL search should be a wake-up call to any IT admin running a Secure Web Gateway with browsing policies: it's time to implement an SSL proxy (and the associated malware protection that goes with it, as we discussed in a previous article). Otherwise the admin caught unaware is going to let users bypass policy, and let malware in through the SSL back door.
Friday, September 24, 2010
What You See Isn't Always What You Get
In any discussion about proxies or Secure Web Gateways, there's always a discussion about how effective and complete a vendor's URL categorization happens to be. This matters because an organization's policy enforcement, and its ability to keep malware out, depend on that categorization. It's not surprising, then, that vendors continually look for ways to show one another up in the URL filtering realm with missed or incorrectly classified URLs.
It's hard not to be taken in when you're shown a popular URL and then told that, by the way, a particular vendor doesn't classify it correctly. Recently I was told that Blue Coat mis-categorized the URL "http://www.facebook.com/playboy#!/playboy?ref=ts" as only Social Networking and missed the category Adult/Mature Content, while of course correctly identifying "http://www.facebook.com/playboy" as both.
It's true that if you plug "http://www.facebook.com/playboy#!/playboy?ref=ts" into a test of Blue Coat's URL categorization, you only get Social Networking, but you have to dig a little deeper to see what that statement is worth. Everything after the # is a fragment, and a browser never sends the fragment to the server, so that isn't the request the proxy sees when an end-user visits the URL. The browser requests "http://www.facebook.com/playboy", and Facebook's client-side script then reads the fragment and fetches the actual content (courtesy of AJAX) from "http://www.facebook.com/playboy?ref=search&__a=4&ajaxpipe=1&quickling[version]=293384%3B0", a URL that is categorized correctly (and blocked correctly if you have Adult/Mature Content blocked), even though the address bar continues to show "http://www.facebook.com/playboy#!/playboy?ref=ts". The test tool was being fed a string that never crosses the wire.
All this just goes to show, you need to take what one competitor says about another with a grain of salt and do your own testing to make sure the solution you pick fits your needs.
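To make the point concrete, here is an added example (not Blue Coat's categorization code) of normalizing a URL the way a proxy sees it before doing a category lookup. CATEGORY_TABLE is a made-up two-entry table standing in for a vendor database, and hashbang_target() follows the common "#!" convention without reproducing the extra query parameters Facebook's own script appends; naive_lookup() shows what a test tool that keys on the pasted string does with the fragment.

```python
"""URL normalization before a category lookup (added example; table and hashbang handling
are assumptions, not a vendor's implementation)."""
from urllib.parse import urlsplit, urlunsplit, urljoin

# Constructed stand-in for a vendor database: "host/path-prefix" -> categories.
CATEGORY_TABLE = {
    "www.facebook.com/": {"Social Networking"},
    "www.facebook.com/playboy": {"Social Networking", "Adult/Mature Content"},
}


def on_the_wire(url: str) -> str:
    """What the browser actually sends (and what a proxy sees): the fragment after '#'
    never leaves the client, so it is dropped before any policy lookup."""
    s = urlsplit(url)
    return urlunsplit((s.scheme, s.netloc, s.path, s.query, ""))


def hashbang_target(url: str) -> str:
    """For a '#!/path?query' fragment, the URL the page's own script fetches next,
    i.e. the request the proxy sees on the second round trip."""
    s = urlsplit(url)
    if not s.fragment.startswith("!"):
        return on_the_wire(url)
    return urljoin(on_the_wire(url), s.fragment[1:])


def _match(host: str, path: str, table: dict) -> set:
    """Most specific host+path-segment prefix in the table wins; query is ignored."""
    segments = [seg for seg in path.split("/") if seg]
    for depth in range(len(segments), -1, -1):
        key = host + "/" + "/".join(segments[:depth])
        if key in table:
            return set(table[key])
    return {"Uncategorized"}


def categorize(url: str, table: dict = CATEGORY_TABLE) -> set:
    """Categorize the request as it is sent: fragment stripped first."""
    s = urlsplit(on_the_wire(url))
    return _match(s.netloc.lower(), s.path, table)


def naive_lookup(url: str, table: dict = CATEGORY_TABLE) -> set:
    """Segment matching on the pasted string without dropping the fragment: the first
    segment becomes 'playboy#!', so only the host-level entry matches."""
    s = urlsplit(url)
    raw_path = s.path + ("#" + s.fragment if s.fragment else "")
    return _match(s.netloc.lower(), raw_path, table)
```

Running categorize() on the hashbang URL from the post returns both categories, because the lookup is done on "http://www.facebook.com/playboy", the request that is actually made; naive_lookup() on the same string returns Social Networking only, which is the result the competitor's demonstration relied on.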
Wednesday, September 22, 2010
Country-coded Malware
From: http://www.bluecoat.com/blog/country-coded-malware
Late last week, we were tracking a spike in exploit server activity. The majority of traffic was being driven by compromised OpenX ad servers (sound familiar?)... This is most likely due to a critical security flaw in current and older versions of this software. (For details on the flaw, see here.)
An examination of the malicious JavaScript code injected by the compromised server shows that:
1. Cookies must be enabled for the browser to be relayed to the attack site. [Not too exciting. --C.L.]
2. If the user's language has a two-letter region code that is on a "safe" list, then the malicious iFrame that points to the attack site is NOT created. [But this is cool! --C.L.]
As the Bad Guys are normally indiscriminate in the selection of their victims, their decision to give some users a break merits further examination.
Language is often a key feature in tailoring an attack to potential victims. No sense showing a fake AV site in Russian to an English-speaker, or vice-versa. However, as this particular exploit server invisibly attempts to compromise the user's browser while they are busy looking at a legitimate site, language-tailoring does not seem to be the motivation in this case.
One variant of the conficker malware famously checked for a Ukrainian-language keyboard on the victim's computer, and refrained from infecting that system if it was found. The general presumption at the time was that they did this to keep the local police off their case -- it's always harder to catch and prosecute a computer criminal in another country. Again, that doesn't seem to be the case here, since the list is so large.
So we're open to suggestions!
Here's the list of "do not attack" countries:
 
ae UNITED ARAB EMIRATES
al ALBANIA
az AZERBAIJAN
ba BOSNIA AND HERZEGOVINA
be BELGIUM
bg BULGARIA
bo BOLIVIA
br BRAZIL
by BELARUS
ci COTE D'IVOIRE
cn CHINA
cr COSTA RICA
cz CZECH REPUBLIC
dk DENMARK
do DOMINICAN REPUBLIC
dz ALGERIA
ec ECUADOR
ee ESTONIA
eg EGYPT
ge GEORGIA
gf FRENCH GUIANA
gp GUADELOUPE
gr GREECE
gt GUATEMALA
hk HONG KONG
hr CROATIA
hu HUNGARY
id INDONESIA
il ISRAEL
iq IRAQ
ir IRAN
jo JORDAN
kw KUWAIT
lk SRI LANKA
lt LITHUANIA
lv LATVIA
ma MOROCCO
md MOLDOVA
mk MACEDONIA
mt MALTA
my MALAYSIA
om OMAN
pa PANAMA
pk PAKISTAN
pl POLAND
pr PUERTO RICO
ps PALESTINIAN TERRITORY
pt PORTUGAL
qa QATAR
re REUNION
ro ROMANIA
rs SERBIA
ru RUSSIAN FEDERATION
sa SAUDI ARABIA
si SLOVENIA
sk SLOVAKIA
sv EL SALVADOR
th THAILAND
tn TUNISIA
tr TURKEY
tt TRINIDAD AND TOBAGO
tw TAIWAN
ua UKRAINE
uy URUGUAY
vn VIET NAM
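The two gating conditions above matter to anyone trying to reproduce this campaign in a sandbox. The following is an added analyst-side example, not the injected JavaScript itself: it reproduces only the decision described in the post (cookies on, and a region code not on the list, before the iframe is created), using the list quoted above, so you can check which analysis-VM locales would never receive the payload. How the real script parses the language tag is an assumption; the BCP 47 handling here is mine.

```python
"""Emulation of the locale gate described in the Blue Coat post (added example, not the
malware's code). SAFE_REGIONS is the "do not attack" list quoted on the page."""
from typing import Optional

SAFE_REGIONS = frozenset("""
ae al az ba be bg bo br by ci cn cr cz dk do dz ec ee eg ge gf gp gr gt hk hr hu id il iq ir
jo kw lk lt lv ma md mk mt my om pa pk pl pr ps pt qa re ro rs ru sa si sk sv th tn tr tt tw
ua uy vn
""".split())


def region_code(lang_tag: str) -> Optional[str]:
    """Two-letter region from a tag as a browser reports it in navigator.language:
    'pt-BR' -> 'br', 'en_US' -> 'us', plain 'en' -> None. Script subtags such as the
    'Hant' in 'zh-Hant-TW' are skipped so the region is still found (my assumption
    about tag parsing, not something the post states)."""
    for sub in lang_tag.replace("_", "-").split("-")[1:]:
        if len(sub) == 2 and sub.isalpha():
            return sub.lower()
    return None


def iframe_would_be_created(lang_tag: str, cookies_enabled: bool) -> bool:
    """The gate as described: no cookies -> never relayed; region on the list -> no iframe;
    a tag with no region at all (plain 'en') is attacked."""
    if not cookies_enabled:
        return False
    return region_code(lang_tag) not in SAFE_REGIONS


def sandbox_locales_to_use(candidates) -> list:
    """From candidate analysis-VM locales, keep the ones this campaign would actually
    attack, i.e. the ones worth detonating it under."""
    return [tag for tag in candidates if iframe_would_be_created(tag, cookies_enabled=True)]
```

The practical caveat: a sandbox configured with a ru-RU, pt-BR or zh-TW locale, or with cookies disabled, fetches the compromised ad and reports the page as clean, because the iframe is never written into the DOM.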
Tuesday, September 21, 2010
Do Acquisitions Help or Hurt the Proxy?
In the Secure Web Gateway space there seems to have been quite a bit of consolidation over the last few years.  Ironport got acquired by Cisco, Secure Computing was acquired by McAfee who in turn is being acquired by Intel, and Finjan was acquired by Marshal8e6, now M86 Security.  SaaS offerings of Secure Web Gateway offerings have also been moving in the same direction with the acquisition of ScanSafe by Cisco and MXLogic by McAfee.
It seems all the big players want to play in the Secure Web Gateway space. Only Websense and Blue Coat remain independent players in this market focusing specifically on Web security. The good news about an acquisition is that the offering becomes part of a larger company with more resources, so it's less likely the company or the product will fail. The bad news is that the product is now part of a larger portfolio, and oftentimes there's less focus on and less knowledge about that specific product as the employees become generalists who have to understand a broader range of products.
A great example of this is Ironport's acquisition by Cisco. For a while Cisco let Ironport continue on as a separate entity, which was the best of both worlds for Ironport's customers: a dedicated sales and support team with all the backing of a giant company. But in the last year Cisco moved sales to its general sales team, a group responsible for all of Cisco's products, and more recently the Ironport support team was swallowed whole into Cisco's support infrastructure. Can this be good for the customer that only has Ironport and uses some other networking vendor for their gear?
While Blue Coat and Websense may not have the giant size of Cisco, at least they still have the specialization and expertise to help out with their customers' specific issues around web gateways and proxies. Personally, I'll go for the specialization over the size of the company any day.
Monday, September 20, 2010
On Box or Off Box Anti-virus?
We've discussed the importance of anti-virus (anti-malware) scanning in other posts on this blog, so I won't go over that ground again; suffice it to say you don't have enough protection if you aren't doing anti-malware scanning on your Secure Web Gateway. Today I'm going to tackle a slightly different question: where the anti-virus scanner should go. There are two schools of thought. Some vendors recommend running the anti-malware engine directly on the Secure Web Gateway, while others recommend running a separate anti-malware box and using a protocol called ICAP to hand the web content from the Secure Web Gateway to the anti-malware device and get the verdict (or cleaned content) back.
Which one is right for your environment really comes down to size. For smaller organizations with limited bandwidth to the Internet and fewer users, having anti-malware on the Secure Web Gateway probably doesn't affect the performance of the box significantly, so running it on box is probably the right answer in terms of performance, cost, and rack space.
For larger organizations, with larger bandwidth requirements and large numbers of users taxing the Secure Web Gateway, you really want to keep the anti-malware separate. It has the added benefit of letting the Secure Web Gateway deliver web pages as quickly as possible to time-sensitive end-users. It may seem like there's an added cost from purchasing separate anti-malware systems, but in practice you're probably buying the same number of boxes or fewer than you would with anti-malware on box, because the performance drop from scanning on box could easily double your gateway count or worse.
So if you're a larger organization, and response time for web pages is key because of the mission-critical nature of your web applications, keeping the anti-malware off box is probably the right answer. If you're a smaller organization and aren't taxing your Secure Web Gateway, you can probably run your anti-malware on box.
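Whether the scanner is on box or off box, the hand-off is the same ICAP framing, and it is the same protocol the DLP post (September 28) describes for outbound inspection. The following is an added example (RFC 3507 framing written for this page, not any vendor's code) that builds both exchanges: a REQMOD request carrying a client upload to a DLP server, and a RESPMOD request carrying an origin server's response to an anti-malware server, plus the proxy's handling of the scanner's answer. The ICAP hostnames and the HTTP messages are constructed for illustration.

```python
"""ICAP (RFC 3507) framing for the two proxy hand-offs on this page: REQMOD for outbound
DLP inspection and RESPMOD for inbound anti-malware scanning. Added example; hosts and
sample traffic are made up."""
from typing import Optional
from urllib.parse import urlparse

CRLF = b"\r\n"


def _chunked(body: bytes) -> bytes:
    """Encapsulated bodies travel HTTP/1.1-chunked: one data chunk, then the zero chunk."""
    return b"%x" % len(body) + CRLF + body + CRLF + b"0" + CRLF + CRLF


def _icap_head(method: str, icap_uri: str, encapsulated: str) -> bytes:
    host = urlparse(icap_uri).netloc
    # Allow: 204 lets the server answer "unchanged" without echoing the payload back.
    return (f"{method} {icap_uri} ICAP/1.0\r\nHost: {host}\r\nAllow: 204\r\n"
            f"Encapsulated: {encapsulated}\r\n\r\n").encode()


def build_reqmod(icap_uri: str, req_hdr: bytes, req_body: bytes) -> bytes:
    """REQMOD: the client's outbound request (headers plus any POST/upload body) goes to
    the DLP engine before it leaves the organization. req_hdr must end with the blank line."""
    if req_body:
        encap = f"req-hdr=0, req-body={len(req_hdr)}"
        return _icap_head("REQMOD", icap_uri, encap) + req_hdr + _chunked(req_body)
    return _icap_head("REQMOD", icap_uri, f"req-hdr=0, null-body={len(req_hdr)}") + req_hdr


def build_respmod(icap_uri: str, req_hdr: bytes, res_hdr: bytes, res_body: bytes) -> bytes:
    """RESPMOD: the origin server's response (with the request headers for context) goes
    to the anti-malware engine before the client sees it. Offsets are byte positions in
    the encapsulated section, so the header blocks must be byte-exact."""
    encap = f"req-hdr=0, res-hdr={len(req_hdr)}, res-body={len(req_hdr) + len(res_hdr)}"
    return _icap_head("RESPMOD", icap_uri, encap) + req_hdr + res_hdr + _chunked(res_body)


def parse_encapsulated(message: bytes) -> dict:
    """Encapsulated offsets of an ICAP message, e.g. {'req-hdr': 0, 'res-hdr': 72, ...}."""
    head = message.split(CRLF + CRLF, 1)[0].decode()
    for line in head.split("\r\n")[1:]:
        name, _, value = line.partition(":")
        if name.strip().lower() == "encapsulated":
            return {k.strip(): int(v) for k, v in (p.split("=") for p in value.split(","))}
    raise ValueError("no Encapsulated header")


def icap_status(response: bytes) -> int:
    """Status code from an ICAP status line such as b'ICAP/1.0 204 No Content'."""
    return int(response.split(CRLF, 1)[0].split()[1])


def proxy_decision(response: Optional[bytes], fail_closed: bool = True) -> str:
    """What the proxy does with the client's transaction given the scanner's answer:
    204 = deliver unchanged, 200 = deliver the payload the ICAP server returned (cleaned
    content or a block page), None = scanner unreachable, settled by fail_closed."""
    if response is None:
        return "block" if fail_closed else "pass-through"
    code = icap_status(response)
    if code == 204:
        return "pass-through"
    if code == 200:
        return "use-icap-payload"
    return "block" if fail_closed else "pass-through"


# Constructed sample traffic: an outbound upload and an inbound binary download.
REQ_HDR = (b"POST /upload HTTP/1.1\r\nHost: share.example\r\n"
           b"Content-Type: text/plain\r\n\r\n")
REQ_BODY = b"customer export: card=4111111111111111"
RES_HDR = b"HTTP/1.1 200 OK\r\nContent-Type: application/octet-stream\r\n\r\n"
RES_BODY = b"MZ\x90\x00 constructed-binary-bytes"


def demo() -> dict:
    """Build both message types and return the facts worth checking."""
    reqmod = build_reqmod("icap://dlp.example:1344/reqmod", REQ_HDR, REQ_BODY)
    respmod = build_respmod("icap://av.example:1344/respmod", REQ_HDR, RES_HDR, RES_BODY)
    return {
        "reqmod_offsets": parse_encapsulated(reqmod),
        "respmod_offsets": parse_encapsulated(respmod),
        "reqmod_body_at_offset": reqmod.split(CRLF + CRLF, 1)[1][len(REQ_HDR):],
        "clean": proxy_decision(b"ICAP/1.0 204 No Content\r\nISTag: \"av-1\"\r\n\r\n"),
        "blocked": proxy_decision(b"ICAP/1.0 200 OK\r\nEncapsulated: res-hdr=0, res-body=45\r\n\r\n"),
        "scanner_down": proxy_decision(None, fail_closed=True),
    }
```

The part people get wrong is the Encapsulated header: every offset is a byte count into the section that follows the ICAP headers, so an off-by-two from a missing blank line makes the scanner read garbage. The other decision to make explicit, whichever placement you choose, is fail_closed: an off-box scanner that is down or overloaded means the proxy must either block or pass traffic unscanned, and that should be a policy choice rather than an accident.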
Friday, September 17, 2010
APT - Advanced Persistent Threat
One of the latest buzzwords in the security world is APT, also known as Advanced Persistent Threat. If you live in the Bay Area and have been listening to news reports, you've heard this buzzword quite a bit in the last couple of weeks, in response to Senator Dianne Feinstein's announcement that cyber threats are the number one issue for her. A number of commentators on Senator Feinstein's news, all industry veterans, have brought up the topic of APT. It makes you wonder if this is something new you should be worried about.
The truth is that APT doesn't refer to any new malware, trojan or virus. Instead it refers to the application of cybercrime and hacking against a specific target. So consider it a fancy new way to talk about cyber threats aimed at particular individuals or groups, where the attacker has some knowledge about that person or group and keeps at it.
In relation to the web and web security, this could be a group of people targeted because they are all friends of one person whose Facebook account has been hacked: they all receive notices that their friend is in trouble and needs help, or that the friend has shared a video they should watch, and so on, all leading to different types of cyber crime. Typically none of it is new; it's malware or phishing schemes that have been around for years, just aimed with more knowledge of the victim.
In relation to Senator Feinstein's comments, APT also refers to attacks involving governments, or specific groups within a government, whose aim is either to obtain information or to disrupt networks and infrastructure.
So what can any organization do about APT? The key is to remain diligent about web security, and of course that involves the Secure Web Gateway and the proxy, the prime subject of this blog. Keep your proxy's protections current: anti-malware, real-time ratings, SSL inspection, and other newer threat detection mechanisms. The other side of this is, of course, web application security for your existing web servers. That is the purpose of the reverse proxy or web application firewall, a topic for a future blog post.
Wednesday, September 15, 2010
Sizing and the Secure Web Gateway
Sizing always seems to be a touchy issue when talking to appliance vendors.  It seems to be no different with Secure Web Gateway vendors, who tend to exaggerate the number of users a platform supports.  Whether the vendor is Blue Coat, McAfee (Secure Computing), Websense or Cisco (IronPort), the number of users claimed always seems to surprise me, perhaps less for some vendors than others.
Let's start with an obvious culprit. Websense is the newest to the appliance game, having introduced their V10000 appliance a little more than a year ago. As the name seems to imply, and as some Websense documents suggest, the claim is support for 10,000 users. That is 10,000 users on a system running a hypervisor that hosts multiple virtual images. It sounds high to me, but I could be wrong, so I'd like to hear from any real users as to whether they're able to get 10,000 users on a system in proxy mode (not on a SPAN port, as we've discussed elsewhere in this blog).
Next we move to McAfee, who smartly decided to drop the user-count labels when they introduced their high-end WG5000 and WG5500 platforms. But if you look at their lower-end platforms, like the WW1100E, the old marketing materials claimed support for 8,000 users. Yes, 8,000 users on a low-end platform. Once again, it leaves an IT professional to wonder whether anyone gets that many users on a WW1100E, or even on a WG5000 or WG5500 (the new high-end platforms), and once again in a proxy deployment.
Cisco's IronPort offering isn't any less boastful. For their high-end S660 platform they claim over 10,000 users, leaving the sub-10,000 user count to their mid-range S360. Without too much effort it's easy to tell that the Cisco, McAfee and Websense offerings are all Dell-based platforms, so one wonders how much juice can really be put under the covers. So I ask once again: does anyone have a deployment of over 10,000 users in proxy mode on a Cisco IronPort S660?
Blue Coat is the one company that actually manufactures its own hardware rather than using something off the shelf, so maybe they can juice up their platforms a little more than the competition, but enough to claim unlimited users? Yes, that's right: for the high-end platforms the user count claim is unlimited. But if you actually ask, you'll find the more reasonable numbers. They're just not published on the website. And yes, their numbers are in the same range as the Websense, Cisco and McAfee high-end platforms.
So, I'm asking readers of this blog: which numbers do you believe? Which of you are supporting 10,000 users on a single platform deployed as a forward proxy? Help us out and let's see who's exaggerating and who's telling the truth. One caveat when you compare: a "user" is whatever the vendor's test harness says it is, so a count of requests per second and concurrent connections taken from your own proxy logs is worth more than any of these labels.
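A way to put numbers behind that question, as an added example rather than anything from this blog or from the vendors named above: instead of trusting a user-count label, measure what your existing proxy actually handles. The script below assumes a Squid-style native access log (finish timestamp, elapsed milliseconds, client address, result/status, bytes, method, URL, and so on), parses it, and reports unique clients, peak requests per second, peak concurrent transactions and bytes transferred; `project()` then scales the per-client peaks linearly to a larger user count, which is only as good as the assumption that the sampled clients are typical. The log lines inside it are constructed.

```python
"""Measure what a forward proxy is really handling, from its own access log.

Added example; not code from this blog or from any vendor. Assumes Squid's
native log layout: finish timestamp, elapsed ms, client address,
result/status, bytes, method, URL, ident, hierarchy/peer, MIME type.
"""
from collections import defaultdict

# Constructed sample: four clients over roughly thirty seconds, including one
# CONNECT tunnel that counts as a single request but stays open for 31 seconds.
SAMPLE_LOG = """\
1284552000.123    450 10.0.0.11 TCP_MISS/200 5321 GET http://example.com/index.html - DIRECT/93.184.216.34 text/html
1284552000.456    120 10.0.0.11 TCP_HIT/200 812 GET http://example.com/style.css - NONE/- text/css
1284552000.789   1800 10.0.0.12 TCP_MISS/200 93120 GET http://cdn.example.net/app.js - DIRECT/203.0.113.7 application/javascript
1284552001.010    300 10.0.0.13 TCP_MISS/200 4410 GET http://news.example.org/ - DIRECT/198.51.100.9 text/html
1284552001.220  31000 10.0.0.12 TCP_TUNNEL/200 250000 CONNECT mail.example.com:443 - DIRECT/203.0.113.8 -
1284552002.500    210 10.0.0.11 TCP_MISS/200 1200 GET http://example.com/logo.png - DIRECT/93.184.216.34 image/png
1284552002.700    500 10.0.0.13 TCP_MISS/200 7000 GET http://news.example.org/story/1 - DIRECT/198.51.100.9 text/html
1284552002.900    150 10.0.0.11 TCP_HIT/200 900 GET http://example.com/favicon.ico - NONE/- image/x-icon
1284552002.950    100 10.0.0.14 TCP_HIT/200 600 GET http://example.com/a.gif - NONE/- image/gif
"""


def parse_native_line(line):
    """Return (start_time, elapsed_s, client, bytes), or None for an unparsable line."""
    fields = line.split()
    if len(fields) < 7:
        return None
    try:
        finished = float(fields[0])      # Squid stamps the moment the request completed
        elapsed = int(fields[1]) / 1000.0
        size = int(fields[4])
    except ValueError:
        return None
    return finished - elapsed, elapsed, fields[2], size


def load_profile(log_text):
    """Unique clients, peak requests/s (by start second), peak concurrency, bytes."""
    records = [r for r in map(parse_native_line, log_text.splitlines()) if r]
    per_second = defaultdict(int)
    events = []                          # (time, delta) for a concurrency sweep
    total_bytes = 0
    for start, elapsed, _, size in records:
        per_second[int(start)] += 1
        total_bytes += size
        events.append((start, +1))
        events.append((start + elapsed, -1))
    # Tuple order means a request ending at t is released before one starting at t.
    events.sort()
    active = peak_concurrent = 0
    for _, delta in events:
        active += delta
        peak_concurrent = max(peak_concurrent, active)
    return {
        "unique_clients": len({r[2] for r in records}),
        "peak_rps": max(per_second.values(), default=0),
        "peak_concurrent": peak_concurrent,
        "total_bytes": total_bytes,
    }


def project(profile, users):
    """Linear scale-up of the measured per-client peaks to a target user count.
    Assumption: the sampled clients are representative of the whole population."""
    n = profile["unique_clients"] or 1
    return {
        "peak_rps": profile["peak_rps"] * users / n,
        "peak_concurrent": profile["peak_concurrent"] * users / n,
    }


if __name__ == "__main__":
    prof = load_profile(SAMPLE_LOG)
    print(prof)
    print("projected for 10,000 users:", project(prof, 10_000))
```

Run it against a real log covering your busiest hour; the two peak figures are what to ask a vendor to commit to, since a box that cannot sustain them will fall over regardless of how many "users" its datasheet claims.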
Malware quieter, more malicious
From: http://www.post-gazette.com/pg/10255/1086646-467.stm
Did you notice we haven't heard from Melissa lately? Or any of her evil friends -- trojan horses and viruses that we used to see all the time.
That, according to David Perry, global director of education at Trend Micro, is because the types of malware that we're seeing these days (or not seeing) are different and more sinister.
Mr. Perry, whose participation in the antivirus market dates back to 1990 with the Peter Norton Co. and McAfee, tells us the majority of the malware attacks on computer systems and networks in recent memory have been trying to run silently, unlike those of Melissa's ilk which tried to get your attention to prove their creators were macho megalomaniacs.
Mr. Perry quotes statistics showing there are more than 200,000 new malware threats every day; and on one date the number of new threats even reached 500,000. That compares with three to five per month that sprang up in the 1990s.
The real issue is not the number of threats but the stealthiness of the threats, the rapidness with which they attack each system then leave and the actual intention of the malware developers.
He suggests that organized crime has a major stake in these new threats, and that the sole purpose is to steal your vital information, including your credit card numbers, your passwords and any other information that can be used to steal your ID.
That's enough to scare me.
But I've always been a little bit more cautious about protecting my data than most people. Unfortunately, there are only so many things we can do to protect ourselves. Mr. Perry says there are so many places a hacker can get into your system that it is impossible to protect it in the traditional way.
Hackers use key loggers, session recorders and screen scrapers to find out and record what you're typing. They get to your data from inside your system, not from the outside, and they don't necessarily use it immediately -- if at all. He suggests that they're more likely to sell the data in massive doses than to use it themselves.
That's where organized crime comes in. According to Mr. Perry, it could be two years before they use that stolen credit card number they took from you; and the stolen data might've passed through several hands before somebody finally uses it. He says there's even a market on the Internet to buy and sell this type of data.
His company, Trend Micro, is so convinced traditional antivirus techniques will no longer put a dent into the threat, that on Sept. 8, the company was scheduled to release a consumer product to keep you from going to dangerous websites instead of just trying to fix a problem on your system.
Those websites might only be dangerous because a bad guy turned them against you -- not because the website operator is evil. That makes it hard to protect you against yourself.
Mr. Perry's new service puts up warnings that a silent threat might be awaiting you if you continue to the site. It lets you go there if you really want to. Just keep your fingers crossed.
Read more: http://www.post-gazette.com/pg/10255/1086646-467.stm#ixzz0zXgq6sTl
Tuesday, September 14, 2010
'Here You Have' Spam Outbreak Leaves Enterprises Reeling
From: http://www.esecurityplanet.com/news/article.php/3903241/Here-You-Have-Spam-Outbreak-Leaves-Enterprises-Reeling.htm
While the source of the "Here you have" virus that spread like wildfire throughout corporate email servers around the globe may have finally been shut down, enterprise IT departments are still dealing with the fallout from one of the most virulent and fast-moving viruses in recent history.
According to security researchers at Cisco's (NASDAQ: CSCO) IronPort division, the "Here you have" email worm peaked Thursday when the sneaky "download-and-run" malware accounted for a staggering 14.2 percent of all spam messages circulating the Internet -- or more than 42 billion individual spam messages.
Security software firm Sophos, which identified the malware as W32/Autorun-BHO, said the U.K.-based website responsible for spreading the Windows-based virus was shut down sometime Friday, bringing an end to the upheaval.
In the interim, however, the "Here you have" virus clogged corporate email servers around the world. Researchers at Cisco and Sophos reported that outbreak disrupted email systems at large companies, including Comcast, Wells Fargo, Coca-Cola and Google.
Despite its destructiveness, the "Here you have" virus is actually just a new take on an old socially engineered malware scam, according to Sophos security analyst Graham Cluley -- a scam that conjures up memories of the infamous Anna Kournikova spam that devastated email servers some eight years ago.
Similarly to the Kournikova virus, the new W32/Autorun-BHO works by duping users into clicking on an infected email with either the "Here you have" or "Just for you" subject titles. The email then provides a link to what it promises are important PDF documents or pornographic WMV videos.
Instead, those foolish enough to click on the link got an executable file that immediately tried to shut off any legitimate security software applications running on their computer or mobile device.
The virus then sends spam messages to all of the contacts in the victim's address book, helping it to spread geometrically and giving "Here you have" even more currency because the next crop of potential victims thought the infected email they received had been sent by a trusted contact.
"The intention of the attack appears to be to steal information," Sophos security analyst Graham Cluley wrote in a blog post. "The malware downloads components and other tools which extract passwords from browsers (Firefox, Chrome, Internet Explorer, Opera), various email clients, and other applications. [It's] clearly sensitive information, which you don't want falling into the wrong hands."
Blast From the Past
Considering that 90 percent of all email traffic -- 300 billion messages a day -- is spam, the fact that this one variant of spam managed to account for more than 14 percent of the total spam traffic attests to the surprising appeal of what are really old-school malware tactics, security researchers said.
In May, another particularly virulent worm weaseled its way into the Yahoo Messenger community, infecting an unknown number of users after tricking them into clicking on a link masquerading as "foto" or "fotos" from someone in their contact list.
Email viruses of this type figure to become more and more common as hackers continue to find opportunities in social networks, such as Twitter and Facebook where large pools of like-minded or similarly interested potential victims gather to share pictures, links and ideas.
"That doesn't surprise me, as this is something of a return to the malware attacks of yesteryear where hackers didn't care whose computers they hit," Cluley wrote. "They just wanted to infect as many as possible." "Worms like this don't discriminate, deciding their next victim purely by scooping up a list of its next targets from the user's email address book," he added.
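An added example, not from this article and not Cisco's or Sophos's code, of the kind of check a mail gateway can apply to lures like this one. It parses a raw message and flags two things the article describes: the known subject lines, and a link that promises a PDF or WMV while the URL actually ends in a Windows executable extension. The subject list comes from the article; the executable-extension list and the "document name hiding an executable" heuristic are assumptions, and the three messages are constructed.

```python
"""Flag 'Here you have'-style email lures at the mail gateway.

Added example; not from the original article or from Cisco/Sophos. Subject
lines come from the article; the extension lists are assumptions.
"""
import email
import re
from email import policy
from html.parser import HTMLParser
from urllib.parse import urlsplit

LURE_SUBJECTS = {"here you have", "just for you"}
DOCUMENT_EXT = {".pdf", ".wmv"}                                     # what the lure promises
EXECUTABLE_EXT = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd"}   # assumed list
URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)


class _Links(HTMLParser):
    """Collect (href, anchor text) pairs from an HTML body."""
    def __init__(self):
        super().__init__()
        self.pairs, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.pairs.append((self._href, "".join(self._text).strip()))
            self._href = None


def _extensions(name):
    """Dotted suffixes of the last path segment: 'a/Doc.pdf.scr' -> ['.pdf', '.scr']."""
    path = urlsplit(name).path if "://" in name else name
    parts = path.rsplit("/", 1)[-1].lower().split(".")
    return ["." + p for p in parts[1:] if p]


def classify_link(href, text=""):
    """Reason string if the link is an executable dressed up as a document, else None.
    A link whose path has no extension is not judged here (that needs a fetch)."""
    exts = _extensions(href)
    claims_document = set(exts) & DOCUMENT_EXT or set(_extensions(text)) & DOCUMENT_EXT
    if exts and exts[-1] in EXECUTABLE_EXT and claims_document:
        return "document-named executable: " + href
    return None


def scan_message(raw):
    """Parse one RFC 822 message; return a list of findings (empty means clean)."""
    msg = email.message_from_string(raw, policy=policy.default)
    findings = []
    if (msg["subject"] or "").strip().lower() in LURE_SUBJECTS:
        findings.append("known lure subject: " + msg["subject"].strip())
    for part in msg.walk():
        if part.get_content_maintype() != "text":
            continue
        body = part.get_content()
        pairs = [(u, "") for u in URL_RE.findall(body)]   # bare URLs in any text part
        if part.get_content_subtype() == "html":
            parser = _Links()
            parser.feed(body)
            pairs += parser.pairs                          # anchors with their visible text
        for href, text in pairs:
            reason = classify_link(href, text)
            if reason and reason not in findings:
                findings.append(reason)
    return findings


# Constructed samples.
LURE_MESSAGE = """\
From: colleague@example.com
Subject: Here you have
Content-Type: text/plain; charset="us-ascii"

Hello, this is the document I told you about. You can find it here:
http://members.example.net/PDF_Document.pdf.scr
"""

HTML_LURE = """\
From: friend@example.com
Subject: Weekend clips
Content-Type: text/html; charset="us-ascii"

<html><body><p>Have a look: <a href="http://cdn.example.net/get/clip.wmv.exe">holiday.wmv</a></p></body></html>
"""

CLEAN_MESSAGE = """\
From: hr@example.org
Subject: Q3 benefits summary
Content-Type: text/plain; charset="us-ascii"

The summary is at http://intranet.example.org/hr/benefits-q3.pdf
"""

if __name__ == "__main__":
    for name, raw in (("lure", LURE_MESSAGE), ("html lure", HTML_LURE), ("clean", CLEAN_MESSAGE)):
        print(name, "->", scan_message(raw) or "clean")
```

The check deliberately does not judge a link whose path has no extension, since a lure can just as easily sit behind a redirector; resolving that requires fetching the URL, which belongs in the web gateway rather than the mail filter.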
Tuesday, September 7, 2010
Overblocking in a Web 2.0 World
In today's Web 2.0 world, the concept of a web page is something of a misnomer.  Most are already aware that a single web page is actually assembled from many embedded links, in some cases hundreds, each supplying part of what is needed to display one unified page.  Any one of those links could serve malware, while the rest carry the content an organization's users need to complete the task or job at hand.
For most, the secure web gateway is the device in the network that protects the end user from the malware by blocking the specific embedded URL that serves it. But often it's not that simple. In today's sophisticated attacks, which take advantage of SEO (Search Engine Optimization) poisoning and link farms, where tens of thousands of links are created pointing to a few handfuls of malware sites, it's hard for security devices to determine which sites are good and which merely contain an embedded link to a malware site (often while hosting good content at the same time). The challenge is, of course, not to block the websites that only contain links to other links that eventually lead to malware. Blocking at too high a level will inadvertently cause end users to miss content they need, an effect known as over-blocking.
One of the problems with over-blocking is that it may make your secure web gateway solution look like it's doing a great job, but unless someone does the work to confirm that there really is malware behind a link, you don't know whether your solution has just prevented you from reaching important information. While over-blocking is a well-known problem, it's hard to tell that it's occurring until an end user complains about access to information. Part of testing whether your secure web gateway is over-blocking is finding out what the vendor does to prevent it: whether the verdict is applied to the individual embedded URL or to the whole page that references it, and whether a plain hyperlink to a bad site is treated differently from a script or image the browser fetches automatically. Understanding how the solution works, and what causes a site to be blocked, is the first step in preventing over-blocking in a Web 2.0 world.
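To make the distinction between blocking a page and blocking the one bad resource concrete, here is an added example (not code from this blog or from any gateway product). It parses a page, separates the resources a browser fetches automatically (scripts, images, stylesheets, iframes) from plain hyperlinks, rates each against a small reputation table, and then evaluates the same page under two policies: page-level, where one malicious embedded resource denies the whole page, and resource-level, where only that resource is denied. The difference between the two block lists is the over-blocking. The HTML and the reputation table are constructed; a real gateway rates far more than the hostname.

```python
"""Where does the block land: on one bad embedded resource, or on the page?

Added example; not code from this blog or from any gateway product. The page,
the reputation table and the two policies are constructed for illustration.
"""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Constructed reputation table keyed by host; anything not listed is "unrated".
REPUTATION = {
    "www.example.com": "benign",
    "cdn.example.net": "benign",
    "ads.example-syndication.net": "benign",
    "evil.example.org": "malicious",   # the poisoned ad host in this scenario
}

# Constructed page: a normal article that embeds one poisoned ad script and
# merely links to (does not embed) the same bad host further down.
PAGE_URL = "http://www.example.com/news/story"
PAGE_HTML = """\
<html><head>
<link rel="stylesheet" href="/static/site.css">
<script src="http://cdn.example.net/jquery.js"></script>
<script src="http://ads.example-syndication.net/loader.js"></script>
<script src="http://evil.example.org/ad/loader.js"></script>
</head><body>
<img src="/images/story.jpg">
<iframe src="http://cdn.example.net/video/embed?id=42"></iframe>
<p>Related: <a href="http://evil.example.org/search?q=story">another story</a></p>
</body></html>
"""

EMBED_ATTRS = {"script": "src", "img": "src", "iframe": "src", "link": "href"}


class _Resources(HTMLParser):
    """Separate resources the browser fetches automatically from plain links."""
    def __init__(self, base):
        super().__init__()
        self.base, self.embedded, self.links = base, [], []

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag in EMBED_ATTRS and attrs.get(EMBED_ATTRS[tag]):
            self.embedded.append(urljoin(self.base, attrs[EMBED_ATTRS[tag]]))
        elif tag == "a" and attrs.get("href"):
            self.links.append(urljoin(self.base, attrs["href"]))


def rate(url):
    """Host-level verdict from the constructed table."""
    return REPUTATION.get(urlsplit(url).hostname, "unrated")


def evaluate(page_url, html, mode):
    """Decide the page and each embedded resource under 'page' or 'resource' policy."""
    p = _Resources(page_url)
    p.feed(html)
    verdicts = {u: rate(u) for u in p.embedded}
    bad = [u for u, v in verdicts.items() if v == "malicious"]
    if mode == "page":                      # one bad embed denies the whole page
        page_allowed = not bad
        resources = {u: page_allowed for u in verdicts}
    elif mode == "resource":                # deny only what is actually malicious
        page_allowed = rate(page_url) != "malicious"
        resources = {u: v != "malicious" for u, v in verdicts.items()}
    else:
        raise ValueError("mode must be 'page' or 'resource'")
    # Over-blocking: resources the user loses that were not rated malicious.
    overblocked = [u for u, ok in resources.items() if not ok and verdicts[u] != "malicious"]
    return {
        "page_allowed": page_allowed,
        "blocked": sorted(u for u, ok in resources.items() if not ok),
        "overblocked": sorted(overblocked),
        # Hyperlinks are not fetched until clicked, so they are reported, not enforced.
        "links_to_malicious": sorted(u for u in p.links if rate(u) == "malicious"),
    }


if __name__ == "__main__":
    for mode in ("page", "resource"):
        print(mode, "->", evaluate(PAGE_URL, PAGE_HTML, mode))
```

Under the page policy the user loses the stylesheet, both legitimate scripts, the image and the video embed to stop one ad script; under the resource policy the article renders without the ad. When you evaluate a gateway, this is the behaviour to test for: feed it a page with one known-bad embed and see whether the block is one request or the whole page.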