Web protection: A flu mask for the internet
You never know what you might catch
The internet is no longer optional for organisations. It is where business lives. Unfortunately, it is also probably the worst neighbourhood on the planet, filled with cybercriminals, hacktivists, and corporate and state spies.
And the internet is both the largest and the smallest neighbourhood. All of these people live just around the corner from you. So you’d better be well protected when you go out there.
At its simplest, web protection is a technology that watches where computers go online and checks those destinations against policies set by company administrators. Those policies can protect the organisation against various kinds of risk.
The most obvious is sites that can infect computers with malware. These may simply be malicious, designed specifically to infect computers that visit, or they may have been compromised by attackers to serve malicious files in a drive-by download.
Web protection can also filter out attacks that arrive via other channels. The classic example is email. If a phishing email contains a link to a compromised site, then the tiny minority of employees who insist on clicking the link, even after all that awareness training you did, could ruin it for everyone.
A robust web protection mechanism will go beyond simply blocking visits to malicious sites, though. Policy options should be granular enough to set different access levels for different devices, perhaps by technical configuration, location on a subnet, or department.
For example, while computers in the marketing department might need access to a broad variety of sites – including Facebook – machines in accounting may be restricted to a narrower range of sites.
PCs used for point-of-sale terminals may have the highest level of protection and be denied access to anything other than a narrow range of IP addresses.
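The following is an added illustration of that kind of per-segment policy, not code from the article or from any vendor's product. It assumes a constructed category lookup (a real service would supply this from its own classification feed), three constructed subnets for marketing, accounting and point-of-sale, and documentation-range IP addresses. The point it shows is the evaluation order: the client is mapped to a segment first, point-of-sale segments are matched on destination IP alone (the hostname is irrelevant), and anything not explicitly permitted, including an uncategorised host or a client outside every managed segment, is denied.

```python
"""Per-segment web access policy (added example; subnets, hosts and categories are constructed)."""
import ipaddress

# Constructed category lookup standing in for a web protection service's feed.
CATEGORY = {
    "www.facebook.com": "social",
    "www.salesforce.com": "business",
    "www.bbc.co.uk": "news",
    "bank.example": "finance",
}

# Constructed policy: one entry per network segment, evaluated top to bottom.
# "category" segments may reach a set of site categories; "ip_allowlist"
# segments (point-of-sale) may only reach listed IP addresses, whatever the host.
SEGMENTS = [
    {"name": "marketing", "subnet": ipaddress.ip_network("10.1.0.0/24"),
     "mode": "category", "allow": {"business", "news", "social"}},
    {"name": "accounting", "subnet": ipaddress.ip_network("10.2.0.0/24"),
     "mode": "category", "allow": {"business", "finance"}},
    {"name": "pos", "subnet": ipaddress.ip_network("10.9.0.0/24"),
     "mode": "ip_allowlist", "allow_ips": {ipaddress.ip_address("203.0.113.10")}},
]


def segment_for(client_ip):
    """Return the first segment whose subnet contains client_ip, or None."""
    ip = ipaddress.ip_address(client_ip)
    for seg in SEGMENTS:
        if ip in seg["subnet"]:
            return seg
    return None


def decide(client_ip, host, dest_ip):
    """Return ("allow"|"deny", reason). Anything not explicitly permitted is denied."""
    seg = segment_for(client_ip)
    if seg is None:
        return "deny", "client is not in any managed segment"

    if seg["mode"] == "ip_allowlist":
        # Point-of-sale: destination IP is the only thing that matters.
        if ipaddress.ip_address(dest_ip) in seg["allow_ips"]:
            return "allow", f"{seg['name']}: destination IP on allowlist"
        return "deny", f"{seg['name']}: destination IP not on allowlist"

    cat = CATEGORY.get(host.lower())
    if cat is None:
        # Unknown sites are denied rather than waved through.
        return "deny", f"{seg['name']}: uncategorised host {host}"
    if cat in seg["allow"]:
        return "allow", f"{seg['name']}: category '{cat}' permitted"
    return "deny", f"{seg['name']}: category '{cat}' not permitted"


if __name__ == "__main__":
    for req in [("10.1.0.5", "www.facebook.com", "203.0.113.50"),
                ("10.2.0.5", "www.facebook.com", "203.0.113.50"),
                ("10.9.0.5", "www.salesforce.com", "203.0.113.50"),
                ("10.9.0.5", "payments.example", "203.0.113.10"),
                ("192.168.50.1", "www.bbc.co.uk", "203.0.113.52")]:
        print(req, "->", decide(*req))
```

The deliberate design choice is default deny at every branch: a machine that falls outside the segment list, or a host the service has not categorised, gets no access rather than the most permissive rule.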
These features provide benefits that will be valued by other parts of the business. Setting access controls on machines can eliminate the temptation for employees to visit inappropriate sites at work that lower productivity.
While the IT department may not want to develop those rules itself, the availability of such tools does make IT a useful ally for other business departments, such as human resources, which may have its own requirements for website permissions.
For IT departments trying to recast themselves as strategic partners for other parts of the organisation, this can be a big win.
Web protection tools enable IT administrators to carve up web access permissions without buying and configuring the managed switches needed to segment the network into VLANs; the policies are set in the web protection service instead. Bear in mind that this governs where clients may go on the web, not what they can reach on the internal network, so it complements network segmentation rather than replacing it.
Even after it has put several defensive layers in place, a company's machines may still be infected. The employee who opens an email attachment carrying a zero-day exploit, or the person who plugs an infected USB key into a system, could compromise their own machine and perhaps others'.
Web protection can still help in these situations. More often than not, malware calls home. Remote access Trojans siphon precious data off to hard-coded addresses (which is what happened in the recent Sony attacks), and bots poll command-and-control servers for their instructions.
A well-designed web protection agent can be populated with a list of such IP addresses, blacklisting them so that infected machines fail in their attempts to phone home. Each blocked attempt is also a log entry that tells you which machine is infected.
This won’t completely clear up your network, but it will be an invaluable tool in containing an infection, minimising the commercial damage and giving you time to remedy the problem with other tools.
Web protection providers can use intelligence gathered about cyber-criminal operations to hone these techniques. Some malware, such as Conficker and Cryptolocker, uses a domain generation algorithm (DGA) to produce large numbers of gibberish-looking domain names, with a fresh batch every time the algorithm's seed (typically the date) changes.
Attackers need register only a tiny subset of these domains for their command and control servers. An infected client works through the day's list until one of the names resolves, so the attacker can keep moving the servers around while the client still finds them every time the domains are refreshed.
Experts can reverse-engineer these algorithms to predict the upcoming domains and block or sinkhole them ahead of time. Web protection services may also throw up other signals that can help administrators to detect an attack.
Machines infected with DGA-enabled code send out thousands of requests for gibberish domains, the vast majority of which fail to resolve. This may happen at unusual times, when employees have no reason to be in the office at their computers.
A web protection tool may identify such traffic and take it as a sign that the originating machine has been owned by an attacker, shutting down its access.
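Here is an added example of the detection logic described above, run over a handful of constructed DNS query log lines; it is not the article's code and not any vendor's product. It assumes a constructed log format ("timestamp client qname rcode answer"), a constructed blocklist of command-and-control addresses (documentation-range IPs, not real C2 servers), a constructed office-hours window and constructed thresholds. It flags a client on either of two signals: a burst of failed lookups for names that look machine-generated (long labels with high entropy and few vowels), or any answer that lands on the C2 blocklist; it also records whether the burst fell outside office hours. The lexical heuristic is a stand-in for the per-family reverse-engineered DGAs a real service would use, and the TLD handling assumes single-label TLDs.

```python
"""Spot DGA-style lookups and known C2 contacts in a DNS query log.

Added example, not from the article. Log format, thresholds, blocklist and
sample lines are all constructed for illustration.
"""
import math
from collections import Counter, defaultdict

# Constructed blocklist of known command-and-control addresses.
C2_BLOCKLIST = {"198.51.100.7", "203.0.113.99"}

# Constructed query log: "<timestamp> <client> <qname> <rcode> <answer-or-dash>".
SAMPLE_LOG = """\
2015-02-14T03:12:01 10.1.0.23 xkq7pzmfuwi.com NXDOMAIN -
2015-02-14T03:12:01 10.1.0.23 bqwzrtlpkmnd.net NXDOMAIN -
2015-02-14T03:12:02 10.1.0.23 hjvtqxsdfgk.org NXDOMAIN -
2015-02-14T03:12:02 10.1.0.23 zpqlmwvkxbt.com NOERROR 198.51.100.7
2015-02-14T09:15:40 10.1.0.41 www.stackoverflow.com NOERROR 203.0.113.5
2015-02-14T09:15:42 10.1.0.41 www.salesforce.com NOERROR 203.0.113.6
2015-02-14T09:16:00 10.1.0.41 intranet.example.local NXDOMAIN -
"""

OFFICE_HOURS = range(7, 20)   # 07:00-19:59 local; constructed assumption
MIN_SUSPECT_NXDOMAIN = 3      # constructed per-client threshold


def shannon_entropy(s):
    """Bits of entropy per character of s (0.0 for the empty string)."""
    n = len(s)
    if n == 0:
        return 0.0
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def registrable_label(qname):
    """Label left of the TLD: 'stackoverflow' for 'www.stackoverflow.com'.
    Assumes single-label TLDs; a deployment would use the public suffix list."""
    parts = qname.lower().rstrip(".").split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def looks_generated(qname):
    """Lexical heuristic: a long, high-entropy label with few vowels.
    Thresholds are constructed; they separate the sample names, not every real one."""
    label = registrable_label(qname)
    if len(label) < 10:
        return False
    vowel_ratio = sum(ch in "aeiou" for ch in label) / len(label)
    return shannon_entropy(label) >= 3.0 and vowel_ratio < 0.25


def parse_line(line):
    ts, client, qname, rcode, answer = line.split()
    return ts, client, qname, rcode, answer, int(ts[11:13])


def analyse(log_text):
    """Return {client: {"nxdomain_generated", "c2_contacts", "out_of_hours"}}
    for every client that tripped the NXDOMAIN burst rule or the C2 rule."""
    stats = defaultdict(lambda: {"nxdomain_generated": 0,
                                 "c2_contacts": [], "out_of_hours": False})
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, client, qname, rcode, answer, hour = parse_line(line)
        if rcode == "NXDOMAIN" and looks_generated(qname):
            stats[client]["nxdomain_generated"] += 1
            if hour not in OFFICE_HOURS:
                stats[client]["out_of_hours"] = True
        if answer in C2_BLOCKLIST:
            # The lookup succeeded and pointed at a known C2 server.
            stats[client]["c2_contacts"].append((qname, answer))
    return {c: s for c, s in stats.items()
            if s["nxdomain_generated"] >= MIN_SUSPECT_NXDOMAIN or s["c2_contacts"]}


if __name__ == "__main__":
    for client, s in analyse(SAMPLE_LOG).items():
        print(f"{client}: {s['nxdomain_generated']} generated-looking NXDOMAINs "
              f"(out of hours: {s['out_of_hours']}), C2 contacts: {s['c2_contacts']}")
```

On the sample log only 10.1.0.23 is reported: three failed lookups for generated-looking names at three in the morning plus one successful resolution to a blocklisted address, which is exactly the machine a web protection tool would cut off. The second client's single NXDOMAIN for a short internal name is not counted, which is why the burst threshold and the lexical test are combined rather than used alone.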
An enabling factor in smarter web protection of this kind is cloud-based services. These offer several benefits.
Firstly, the algorithms and signatures underpinning the protection service can be constantly updated and more computing power can be devoted to the complex analysis needed to stay on top of shifting attack vectors.
Secondly, laptops configured to connect to a cloud-based service for their web protection are protected even when travelling outside an organisation’s network.
Finally, a cloud-based service can be purchased as an operational expenditure rather than a capital one, moving it off the balance sheet and letting IT departments pay only for what they use.
Not having web protection online is like working in a flu lab without a vaccination or a mask. For a while, you might get away with it. But sooner or later, you will start sneezing and wish you had taken some simple precautions. ®