Keeping Web malware out of enterprise systems
This Security School is a free multimedia learning guide designed to help you understand and address the strategic and tactical implications of this topic.
These days, many people use the Web as a natural extension of their day-to-day lives. Whether it is socializing...
with friends, keeping up with current events, conducting ad hoc research or watching movies, they can't get enough of the Web. We are well aware that the bad guys know this, too.
IT risk managers often preach the standard Web security advice for end users -- don't click haphazardly, uninstall plug-ins, change passwords frequently, use antivirus and so on -- but it never seems to stick. So, it's no surprise that the Web has become the No. 1 source of malware infections. This realization, along with other advancements in technology, has given rise to a flurry of new Web-borne attacks. Fortunately, there are also a number of new opportunities for mitigating risks associated with Web browsing, especially the risk of getting infected by malware.
Web-borne malware: Separation and isolation
Here's the thing to remember about malware: It has to be running to be destructive. This means there must be a process in memory using the resident system's CPU to perform its nefarious deeds. With this in mind, it is not hard to realize that the notion of which system the malware resides on becomes crucial to determining the extent of the damage from any infection. Separating that process from other production services can reduce that damage.
Separation -- and its stricter form, isolation -- are long-standing techniques to reduce risk in the realm of technology risk management. The military separates classified from unclassified systems using the "air gap" of separate physical systems or sometimes separate virtual machines. Enterprises have long separated networks using firewalls and other network devices. To achieve Payment Card Industry Data Security Standard, or PCI-DSS, compliance, companies often separate out-of-scope systems at the data level using tokenization.
One means of so-called situational separation is the sandbox. A sandbox is an isolated (usually virtual) environment that confines a computing program or process, limiting or preventing it from interacting with other programs or processes. Sometimes a sandbox is used as a fishbowl of sorts to watch and assess the activity of suspicious software. Other times, it is used in production to run either important functions like online banking apps or, alternatively, the less important, often risky operations that users enjoy. In either or both cases, separating the browser from the operating environment minimizes the impact that any malware infection might have.
Web-borne malware: Hosted browsers
Given this history, it should be no surprise to find that separation is useful for browsing the Web securely. An increasingly popular form of separation on the Web is the hosted browser, which typically runs on a completely separate physical system that interacts with the Web on the front end and completes the connection to the user by mirroring the activity to the user's device on the back end. In contrast with secure Web gateways that terminate connections, run some analysis and then forward approved packets in their original form to the end user, hosted browsers transform the content and pass it to the end user via proprietary protocols similar to the remote desktop protocol, or RDP, used for desktop virtualization. Hosted browsers provide benefits similar to those of a sandbox mentioned, though in Web-only form. Right now, they are more of a complement to analytical sandboxes that typically bring more threat research and response capabilities to bear. The benefits are clear: If a malware process only has access to resources on the browser's resident system, separating that system from high-value resources significantly restricts its ability to do harm.
In addition, hosted browsers provide anonymization capabilities by providing a clean browsing environment for every session.
Products that accomplish this include Check Point's WebCheck, Authentic8's SILO, Light Point Security's Light Point Web and Spikes Security's AirGap.
Web-borne malware: The tipping point
We are at a tipping point with information security where we must recognize that traditional techniques can only go so far in protecting users from Web-borne malware infections. It is time to employ other options for mitigating risk that reduce or eliminate user involvement while still protecting them. Separation models are well understood and the technology is advanced enough to provide this opportunity.
About the author:
Pete Lindstrom is principal of Spire Security, an industry analyst firm addressing challenges in technology risk management and cybersecurity economics. In his 20+ year career, Lindstrom has held other industry analyst positions at Burton Group and Hurwitz Group, as well as enterprise positions as a security architect for Wyeth Pharmaceuticals and an IT auditor for PwC and GMAC Mortgage. Lindstrom honed his finance and technology (and rifleman!) skills in the United States Marine Corps. He is a frequent speaker and writer on information security topics and is a director of the International Systems Security Association (ISSA). He has a finance degree from the University of Notre Dame.