Increasingly, companies are looking to stop Web attacks before they get to the end user. Some companies filter the content employees can access online based on URL and domain reputation. That's a tricky corporate policy matter, but it does have a real security benefit. Of the more than 100 million Web requests that Symantec's hosted services blocked for clients in an average week of 2010, 99.96% were blocked for policy reasons, such as preventing access to gambling, entertainment, and porn sites. Only 0.04% of requests were blocked because they were malicious. That number may seem small, but a single infection can become the beachhead that lets an attacker get into your company's network.
Blocking malicious sites used to be easier: In many cases, the sites were in Russia, the Ukraine, and China. If you didn't do business in those countries, you could protect your systems by blocking traffic to those parts of the Internet. But that's all changed as the bad guys have moved their sites to the United States and Canada where they can't be easily blocked, says Websense's Runald.
It's also important to monitor traffic in both directions to catch threats coming into a company and infected machines trying to move data out. You must assume your company has been compromised and work from there.
Don't look at detection as an admission of failure; instead, make it a key part of your defenses. "The average company is far more infected than they realize," Sutton says.
The assumption that Web threats will get in suggests another defense: Use internal network segmentation to put a firewall between users and critical business assets. Otherwise, if employees have unrestricted access to important servers and data, a successful attack against one employee can easily turn into a company-wide data breach. Additional security around these assets can prevent that from happening.
"All user space is basically now exposed," says RedSeal's Lloyd. "You don't want that over in your fixed assets [such as servers] where you keep your data."
When dealing with Web threats, remember that the attackers are benefiting from many of the same advantages that you get from cloud services, particularly agility and economies of scale. For attackers, this means they can quickly gather information on targets to create more convincing lures, develop better malware, and tailor that malware to evade detection.
The best way to counter the trend toward more effective Web-based attacks is to be aware of attackers' technology and strategy, and to understand how these help them defeat security measures. Then, be ready to counter the attacks with the layers of responses discussed in this article, which make it harder for attackers to penetrate your corporate network. That way, if the crooks do get in, you might at least keep them away from your most valuable servers and data.
Sidebar: URL Shortening Services Get Malicious
In the past, malicious links in email and on the Web were relatively simple to identify: If the link didn't match the domain that you were expecting to go to, it could be malicious. But the popularity of URL shortening services has done away with that easy check.
Shortened URLs make it "a lot harder for the user to discern whether it's something they want to go to or not," says Anne Aarness, a McAfee product marketing manager.
In late 2010, both McAfee, an Intel subsidiary, and Symantec identified URL shortening services as a potential problem. By May of last year, Symantec detected the first spammer-run URL shortening services operating under Russian domains. These early services were basic, just redirecting links to malicious sites.
Since then, criminals have improved their URL shortening scams by redirecting victims to multiple services and often starting with a legitimate shortening service. This approach makes it difficult to track down the bad guys and easier for them to circumvent efforts to shut them down. When a victim clicks on a legitimate shortened link in a spam email, the link is translated by the legitimate service into another link. The second redirect leads to the spammer's own URL shortening service, and possibly several more services, until finally being redirected to the malicious download site.
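The multi-hop chain described above is what a web gateway has to unwind before it can judge a shortened link. The following is an added example, not code from the article or from any vendor it quotes: it walks a chain hop by hop, stops on loops or excessive length, and reports which redirecting hosts are not a known shortening service. All hostnames and the redirect table are constructed assumptions.

```python
# Added example, not from the article: walk a shortened link's redirect chain hop
# by hop, as a web gateway would before allowing the click. HTTP is simulated with
# a constructed table of Location headers so it runs offline; in production each
# lookup is a HEAD request with redirects disabled, reading the Location header.
from urllib.parse import urlparse

# Constructed sample chain: legitimate shortener, then spammer-run shorteners,
# then the download host; plus a two-node redirect loop.
FAKE_LOCATIONS = {
    "https://short.example/abc123": "https://red1.example/x9",
    "https://red1.example/x9": "https://red2.example/k2",
    "https://red2.example/k2": "https://red3.example/p7",
    "https://red3.example/p7": "https://payload.example/invoice.exe",
    "https://loop.example/a": "https://loop.example/b",
    "https://loop.example/b": "https://loop.example/a",
}

def lookup_location(url):
    """Simulated HEAD request: Location header, or None when the page is final."""
    return FAKE_LOCATIONS.get(url)

def expand_chain(url, resolver=lookup_location, max_hops=10):
    """Return (hops, status); status is 'final', 'loop' or 'too_long'."""
    hops, seen = [url], {url}
    while True:
        nxt = resolver(hops[-1])
        if nxt is None:
            return hops, "final"
        if nxt in seen:
            return hops + [nxt], "loop"
        if len(hops) > max_hops:
            return hops, "too_long"
        hops.append(nxt)
        seen.add(nxt)

def assess(url, known_shorteners, resolver=lookup_location):
    """Summarise the chain: redirecting hosts, unknown ones, and whether to distrust it."""
    hops, status = expand_chain(url, resolver)
    redirectors = sorted({urlparse(h).hostname for h in hops[:-1]})
    unknown = [h for h in redirectors if h not in known_shorteners]
    return {
        "status": status,
        "final": hops[-1] if status == "final" else None,
        "hops": len(hops) - 1,
        "redirectors": redirectors,
        "unknown_redirectors": unknown,
        # Heuristic: a broken chain, more than one redirector, or any redirector
        # that is not a known service means the short link should not be trusted.
        "suspicious": status != "final" or len(redirectors) > 1 or bool(unknown),
    }
```

The gateway can then apply its reputation check to the final landing URL rather than to the first, legitimate-looking shortener.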
In July, Symantec documented a banking Trojan attack that used links from five different services in spam emails to convince users to go to a malicious website.
Attackers also use the identifier included in the shortened URL to track what content caused victims to click. Tracking these click rates could lead to improved spam campaigns.
Two-thirds of links posted to social network sites, like Facebook and Twitter, are shortened URLs, Symantec says. But most Twitter links aren't a problem. Another security company, Zscaler, scanned more than a million links and found only 773 were malicious. Only 0.06% of all the URLs tested were a security risk, says Julien Sobrier, a senior security researcher at Zscaler. That's much lower than some searches on Google, where Zscaler has identified 15% to 20% of the top 100 results as malicious. --Robert Lemos