The Proxy Update

Welcome to the Proxy Update, your source of news and information on Proxies and their role in network security.

Tuesday, October 11, 2016

A view of Symantec's acquisition of Blue Coat

I didn't notice this blog posting until today, but I have to give it a thumbs up for its brashness and willingness to tell it like it is.

Check out:  https://blog.anitian.com/analysis-symantec-acquisition-blue-coat/

Thursday, October 11, 2012

Protecting yourself when an antivirus update fails

In case you hadn't heard, McAfee had two bad updates recently (one in April 2010 and one in August 2012), and so did Sophos in September 2012.  You'd think that after the first botched update McAfee would have put procedures in place to prevent it from happening again, and that Sophos, having seen what an embarrassment it was for McAfee, would have added checks to its own update process to make sure it didn't happen to them.

So how does a botched update happen?  Most likely it's complacency.  It happens to all of us: we get so comfortable with our daily routine that we don't notice when something does go wrong.  With the real possibility that a desktop antivirus update will fail again in the future, what can you do to protect yourself?

The best defense against a failure in the desktop antivirus solution is to have protection at the gateway from a different vendor.  So if you're using McAfee on the desktop, make sure your web security gateway is scanning with Sophos, Symantec, or another antivirus vendor, as it's unlikely two vendors will ship broken updates at the same time.  A bad update can hurt you in two ways: it can stop detecting real malware, or it can flag legitimate files as malicious, which can cripple the endpoint and leave it unprotected while you recover.  Either way, a gateway from a different vendor keeps scanning web traffic before it reaches the end user.  One check worth making: confirm the gateway actually runs a different scanning engine, since some products license their engine from another vendor, in which case a single bad signature set could hit both layers.

I often get asked why you would need redundant anti-malware scanning at both the gateway and the desktop.  If you're using the same vendor, then yes, it does seem a bit redundant, which is why you really need different anti-malware vendors at the gateway and the desktop.

In a conversation with one security product manager, he mentioned to me that in his analysis of their customer data, for any new malware outbreak, there was only an 80% overlap between vendors.  That means if you went with only one vendor, you'd catch only about 80% of the known malware out in the wild.  You really need a second vendor to close that 20% gap.

So make sure you've got an added layer of defense.  It may save you a lot of headaches the next time there's a problematic anti-virus pattern update.

Thursday, August 2, 2012

SSL Inspection, is it time yet?

I was at Black Hat in Las Vegas last week, and once again, one of the top questions I heard around web security was when and how does an organization start doing SSL inspection on web traffic.  It's a tough issue for most organizations and many until now have chosen just to ignore it by bypassing SSL traffic and leaving it uninspected.

But it's getting harder for organizations to ignore SSL traffic now that many common websites let users stay encrypted for the whole session.  This is true for Twitter, Facebook, Gmail, and other popular websites.  Traffic the gateway can't see is traffic it can't scan: malware downloads reach the organization uninspected, and users can unintentionally (or intentionally) send company confidential information out to the internet without the gateway ever getting a look at it.

The reason organizations don't already have a higher rate of SSL inspection is that it's not an easy task to roll out throughout the organization.  First, SSL inspection means breaking the SSL connection at an SSL proxy, essentially a man in the middle: the proxy terminates the client's connection, opens its own connection to the site, and presents the client a certificate for that site that the proxy signed itself.  The difficulty is that this certificate isn't the one from the site the user is trying to reach, so the browser warns about an untrusted issuer.  You can either train users that the certificate presented by the proxy is valid and to click through the browser warnings, or push the proxy's signing certificate out to all systems in the organization (for example through Group Policy or device management) so it's accepted automatically.  Only the second option is really sound: teaching users to click through certificate warnings also teaches them to accept a real man in the middle, and devices that never received the certificate, such as personal BYOD devices, will keep warning.  The proxy also has to do the validation the browser can no longer do, checking the real site's certificate on its upstream connection and failing or flagging the session when that check fails; otherwise inspection quietly removes a protection users had before.

Then there's the fine line of determining what can be intercepted and what can't within the organization's privacy policies.  A decent web security gateway will let you set policy so that all SSL is intercepted except for, say, financial sites, where privacy may dictate that those sites be bypassed.  Policy may also differ by user or group, with lighter inspection, or no inspection at all, for certain users.

No matter what policy is actually implemented, it's not hard to see the writing on the wall: SSL inspection is coming to a web security gateway near you.
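To make the two halves of this concrete (the bypass-versus-intercept policy decision, and why the proxy's CA has to be pushed to every client), here is an added example in Go. It is not part of the original post and not Blue Coat's code. It mints a proxy CA, forges a substitute certificate for a site the policy says to intercept, and then runs the same chain and hostname validation a browser would, once with the CA installed and once without. The category table, the hostnames, and the exempt "executives" group are assumptions invented for the example; the proxy's own check of the real site's upstream certificate is not shown.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Constructed stand-in for the gateway's URL category database (invented hosts).
var categories = map[string]string{"www.facebook.com": "social", "www.bank.example": "financial"}

// Decide applies the post's policy: intercept everything except financial
// sites, and exempt one hypothetical group ("executives") from inspection.
func Decide(host, group string) bool {
	return group != "executives" && categories[host] != "financial"
}

// ProxyCA is the interception CA; its certificate is what gets pushed to clients.
type ProxyCA struct {
	Cert *x509.Certificate
	Key  *ecdsa.PrivateKey
}

func NewProxyCA() (*ProxyCA, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "Corp SSL Inspection CA"},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(365 * 24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return &ProxyCA{Cert: cert, Key: key}, err
}

// MintLeaf issues the substitute certificate the proxy presents in place of the
// real site's certificate; the proxy, not the site, holds its private key.
func (ca *ProxyCA) MintLeaf(host string) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	serial, err := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 128))
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: serial,
		Subject:      pkix.Name{CommonName: host},
		DNSNames:     []string{host},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, ca.Cert, &key.PublicKey, ca.Key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// ClientAccepts is the browser-side check (chain building plus hostname match).
// pushed=true models a managed machine that received the proxy CA; pushed=false
// models an unmanaged device, such as a personal BYOD laptop, that did not.
func ClientAccepts(ca *ProxyCA, leaf *x509.Certificate, host string, pushed bool) error {
	roots := x509.NewCertPool()
	if pushed {
		roots.AddCert(ca.Cert)
	}
	_, err := leaf.Verify(x509.VerifyOptions{DNSName: host, Roots: roots})
	return err
}

func main() {
	ca, err := NewProxyCA()
	if err != nil {
		panic(err)
	}
	leaf, err := ca.MintLeaf("www.facebook.com")
	if err != nil {
		panic(err)
	}
	fmt.Println("intercept facebook:", Decide("www.facebook.com", "staff"), "bank:", Decide("www.bank.example", "staff"))
	fmt.Println("managed client:", ClientAccepts(ca, leaf, "www.facebook.com", true))
	fmt.Println("unmanaged client:", ClientAccepts(ca, leaf, "www.facebook.com", false))
}
```

Run it with go run. The managed client reports no error; the unmanaged client gets an unknown-authority error, which is the browser warning the post describes. Verifying the same leaf against a different hostname fails even with the CA trusted, so a certificate the proxy minted for one site cannot be reused for another.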

Monday, June 25, 2012

Zero Day, Negative Day Defenses

The buzz in anti-malware technology is all about getting your organization protected before something bad happens, especially now that malware attacks are short-lived and there isn't much time for a "signature" to be written to protect your users.

That's why anti-malware vendors are trying to get ahead of the game with so-called "zero-day" defenses, using heuristics, fuzzy logic, and other techniques to detect new malware when it arrives on your doorstep, before a signature exists.

There's a newer term out there now, "negative-day" defense, which refers to blocking websites that host malware before those websites are used in an attack.  It turns out there are lots of websites in existence at any time that host malware but aren't actively being used in an attack.  These are referred to as malware delivery networks, or malnets for short.  Cyber-criminals keep these malnets around as standing infrastructure for their attacks.  So when they do launch an attack, say by compromising a popular website and embedding malware links in it, those links point back to the existing servers in the malnet.  The page carrying the attack is new, but the infrastructure behind it isn't, and that is what makes it blockable ahead of time.

Blue Coat Systems is tracking malnets using their Webpulse cloud technology, and users of this technology get to block malnets before they get used in a live attack.  Based on their statistics Blue Coat determined that approximately two thirds of all attacks in 2011 used malnets that Blue Coat was already aware of to deliver their malware.  Blue Coat describes malnets and specific cases in their 2012 Web Security Report, including the case of the Urchin attack which lasted only 10 days, and in which only 4 out of 44 anti-malware vendors were able to produce a signature by the time the attack ended.  Blue Coat customers were protected prior to the attack and during the attack, because Blue Coat was already blocking the malnet used to host the attack.

In its predictions for 2012, Blue Coat expects malnets to continue to be used in cyber attacks, and blocking known malnets looks like an easy way to protect yourself from at least a good portion of attacks on the web.
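The added example below (mine, not Blue Coat's, and not part of the original post) shows the negative-day idea in working code: a gateway filter that blocks any request whose destination belongs to known malnet infrastructure, matching by parent domain or by address range, and then counts which referring site keeps sending clients into the malnet, which is the compromised "launch" site the gateway has never seen before. The feed entries, the log line format and the log lines are all constructed for the example.

```go
package main

import (
	"fmt"
	"net"
	"net/url"
	"strings"
)

// Constructed malnet feed standing in for the gateway's threat intelligence:
// parent domains and address ranges already known to host payloads (all invented).
var malnetDomains = []string{"cdn-stat.example", "updt-img.example"}
var malnetNets = []*net.IPNet{mustCIDR("203.0.113.0/24")}

func mustCIDR(s string) *net.IPNet {
	_, n, err := net.ParseCIDR(s)
	if err != nil {
		panic(err)
	}
	return n
}

// Verdict is the gateway's decision for one logged request.
type Verdict struct {
	Client, Referrer, URL, Reason string
	Blocked                       bool
}

// InMalnet matches a listed domain, any subdomain of one (operators rotate
// hostnames under a stable parent domain), or an address inside a listed range.
func InMalnet(host string) bool {
	host = strings.ToLower(strings.TrimSuffix(host, "."))
	for _, d := range malnetDomains {
		if host == d || strings.HasSuffix(host, "."+d) {
			return true
		}
	}
	if ip := net.ParseIP(host); ip != nil {
		for _, n := range malnetNets {
			if n.Contains(ip) {
				return true
			}
		}
	}
	return false
}

// Check evaluates one constructed proxy log line: "<client> <referrer|-> <url>".
func Check(line string) (Verdict, error) {
	fields := strings.Fields(line)
	if len(fields) != 3 {
		return Verdict{}, fmt.Errorf("malformed log line: %q", line)
	}
	v := Verdict{Client: fields[0], Referrer: fields[1], URL: fields[2]}
	u, err := url.Parse(v.URL)
	if err != nil {
		return Verdict{}, err
	}
	if InMalnet(u.Hostname()) {
		v.Blocked, v.Reason = true, "destination is known malnet infrastructure"
	}
	return v, nil
}

// LaunchSites counts blocked requests per referrer: the legitimate site that keeps
// sending clients into the malnet is the one seeded with the attack's links.
func LaunchSites(verdicts []Verdict) map[string]int {
	counts := map[string]int{}
	for _, v := range verdicts {
		if v.Blocked && v.Referrer != "-" {
			counts[v.Referrer]++
		}
	}
	return counts
}

// Constructed sample traffic: a news page seeded with malnet links, a benign
// request from the same page, and a direct fetch with no referrer.
var sampleLog = []string{
	"10.0.0.5 https://news.example/story https://news.example/css/site.css",
	"10.0.0.5 https://news.example/story http://a7.cdn-stat.example/ad.js",
	"10.0.0.9 https://news.example/story http://203.0.113.7/ld.exe",
	"10.0.0.9 - http://203.0.113.9/",
}

func main() {
	var verdicts []Verdict
	for _, line := range sampleLog {
		v, err := Check(line)
		if err != nil {
			panic(err)
		}
		verdicts = append(verdicts, v)
		fmt.Printf("blocked=%-5v %s\n", v.Blocked, v.URL)
	}
	fmt.Println("launch sites:", LaunchSites(verdicts))
}
```

The suffix match is deliberate: a feed entry for a parent domain keeps blocking when the operator moves to a new hostname under it, while a lookalike such as notcdn-stat.example does not match. The CIDR match covers payloads served straight from an address, and the referrer tally points at the page that needs cleaning up.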

Monday, June 18, 2012

Is BYOD worrying you yet?

Among the latest buzzwords in the IT industry is the phrase BYOD.  It stands for Bring Your Own Device and refers to the burgeoning number of devices that employees are bringing into the office from home and attaching to the organization's network.  It includes tablets, smart phones and home laptops.  One analyst group estimates that the average employee will own seven internet-connected devices by 2015.

If the security risk of putting non-corporate-owned devices on the network hasn't got you worried, think about the increased traffic trying to reach the internet.  If each employee had one device and by 2015 will have seven, that's a significant increase in bandwidth requirements for your infrastructure.

And of course we shouldn't toss security aside so quickly.  Since these devices aren't under any corporate IT mandate and have been connected to networks other than the corporate one, they're likely to carry malware, not to mention leak data.

The other fun statistic I saw recently was that the average smartphone is estimated to have 65 applications installed on it.  That's an incredible number.  Who has time to use 65 different applications?  And what controls, if any, does the corporate IT department have over what those applications can do and access?

So if you haven't started a BYOD initiative in your IT department, it's really time you started.  It's more than just the web gateway security issues, but that's not a bad place to start.

Wednesday, May 30, 2012

Almost 20 percent of US PCs have no A/V protection

A new study from McAfee is claiming that 17 percent of PCs around the world have no antivirus protection and in the U.S. that number is even higher at 19 percent.  The study counted as unprotected machines those that had no antivirus protection installed, or whose antivirus subscription had expired. In the U.S., 12 percent of PCs did not contain any antivirus program, and 7 percent had software that was expired.  

Along with BYOD (Bring Your Own Device), organizations that allow employees to connect their own devices to the corporate network should make sure all users on the network, regardless of whether the device is personal or corporate owned, are protected by a secure web gateway / proxy.  With a real chance that the device itself has no working antivirus, there needs to be some line of defense, and the secure web gateway is it.  In addition, many proxies can also stop an already-infected device from uploading personal or corporate information to attacker-controlled servers on the internet that are collecting that data.

Monday, May 21, 2012

Why is SEP the number one vector for malware?

SEP (Search Engine Poisoning) is the number one vector for malware according to Blue Coat's 2012 Web Security Report.  More people attempted to access malware through SEP than through any other method in 2011.  Blue Coat also writes a lot about SEP in their security blog.  Some of the reasons SEP remains a popular choice among attackers include its breadth of reach (everyone uses search engines), how easy it is to poison search engine results, and the likelihood that the end user will trust the result and get infected as a by-product of clicking a poisoned search result.

One of the interesting things about Blue Coat's research is that celebrity searches and "big event" searches aren't nearly as dangerous as common search terms.  The reason is that for celebrity and "big event" searches there's an overwhelmingly large pool of "good results" to choose from, so it's unlikely a cyber criminal's page will land on the first page of results, whereas an everyday search may have fewer results, making it easier for an attacker to get a poisoned result onto the primary results page.

So what's the solution to SEP?  Obviously an up-to-date web security gateway with real-time rating helps.  But user training is important too.  Users need to understand what a bad URL looks like and what a shady site looks like, and they need to learn not to ignore warnings generated by the secure web gateway or their browser.   It may even help to use a safe search tool like k9safesearch.com in place of regular search engines.