PROTECT YOURSELF: The breach of LinkedIn and its being served with a subsequent class-action lawsuit has thrust the issue of safe web browsing into the limelight. - Reuters
WITH the news of LinkedIn being served with a potential US$5mil (RM15mil) class-action lawsuit for allegedly failing to use "basic industry standard" security practices, the issue of safe web browsing has been thrust squarely to the fore of the public consciousness.
Here are the top five myths of safe web browsing, and what your organisation can do to address them:
1. Myth: Scanning downloaded files for viruses keeps us secure
Fact: While controlling and scanning downloads on the Web is a good start, it's not going to keep your users from getting infected, because of "drive-by" infections. These are a very common type of silent attack that can infect visitors to websites who do nothing else but visit a page - and they won't even know it's happened.
LinkedIn was allegedly breached via SQL injection - one of the lowest-hanging fruits on the vulnerability tree. Hackers have become expert at exploiting websites using techniques like SQL injection to embed malicious code into even the most trusted legitimate websites.
This code can be heavily masked, making it extremely difficult for traditional web security solutions to detect, and impossible for desktop antivirus to even see.
Once it is downloaded automatically by the browser, it will secretly download an exploit pack that will seek out dozens of known vulnerabilities in browsers, plugins, applications, or the OS (operating system) to install its payload.
What you can do: Make sure you have advanced multi-layered web protection to provide a co-ordinated defence. It must include essential URL filtering, but also scan all downloaded website content as it's accessed. It must be able to unmask and emulate JavaScript in real time to detect suspicious behaviour. Don't rely on signature-based malware detection - it's completely ineffective at protecting your organisation from modern web threats.
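The gap between signature matching and unmasking described under Myth 1 can be seen in a few lines. This is an added illustration, not code from the article or from any vendor product: the sample page, the rule and the function names are constructed here, and the static decoder handles only two common encodings as a stand-in for real-time JavaScript emulation.

```javascript
// Constructed sample: a legitimate-looking page carrying an injected script that
// hides a zero-size iframe behind percent-encoding. example.invalid never resolves.
const hidden = '<iframe src="http://example.invalid/x" width="0" height="0"></iframe>';
const encoded = Array.from(hidden, c => '%' + c.charCodeAt(0).toString(16).padStart(2, '0')).join('');
const samplePage =
  `<html><body><p>News</p><script>document.write(unescape("${encoded}"));</script></body></html>`;

// Illustrative rule (an assumption, not a real product signature): an invisible iframe.
const SIGNATURE = /<iframe[^>]+(width|height)\s*=\s*["']?0/i;

function signatureScan(html) {
  return SIGNATURE.test(html);
}

// Statically peel encoding layers without executing any page script.
// Handles unescape()/decodeURIComponent() of %XX literals and String.fromCharCode(...).
function unmask(source, maxLayers = 5) {
  let current = source;
  for (let i = 0; i < maxLayers; i++) {
    const next = current
      .replace(/(?:unescape|decodeURIComponent)\(\s*(["'])((?:%[0-9a-f]{2})+)\1\s*\)/gi,
        (_, quote, body) => body.replace(/%([0-9a-f]{2})/gi,
          (_m, hex) => String.fromCharCode(parseInt(hex, 16))))
      .replace(/String\.fromCharCode\(\s*([\d\s,]+)\)/g,
        (_, nums) => String.fromCharCode(...nums.split(',').map(Number)));
    if (next === current) break; // nothing left to decode
    current = next;
  }
  return current;
}

// Report what a raw signature scan sees versus a scan of the unmasked content.
function scanPage(html) {
  return { raw: signatureScan(html), unmasked: signatureScan(unmask(html)) };
}

console.log(scanPage(samplePage));
```

The raw scan misses the injected iframe because the literal text never appears in the page; the same rule fires once the encoding layers are removed.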
2. Myth: A strict browsing policy that only lets users visit trusted sites keeps us safe
Fact: There's no such thing as a trusted site anymore. 80% of infected websites are legitimate trusted sites. Hackers target mainstream, popular, trusted sites to distribute malware and infect victims.
What you can do: You need to make sure you have advanced web malware detection to scan all website content as it's accessed. This will catch the latest threats, on any site, before they can become a problem. You also need to have anonymising proxy protection in your web security solution. Ideally, the kind that can detect abuse in real time and stop rogue users dead in their tracks.
3. Myth: Using a secure browser like Google Chrome offers better protection
Fact: Even though Chrome is considered among the most secure, every browser has new vulnerabilities all the time, and as a browser like Chrome becomes more popular with users, it also becomes more of a target for hackers.
What you can do: Use application control to limit the number of browsers supported in your organisation. Keep supported browsers fully patched at all times with a vulnerability management solution to keep your risk surface area to a minimum. Make sure you have advanced web malware detection working to stop threats in real time.
4. Myth: Macs are more secure than PCs
Fact: Mac OS X is a completely different operating system from Windows, and has many built-in security features. But hackers have found creative ways to infect Mac users with malware. As Macs become more popular at home and in the workplace, they will be targeted more. At Sophos we're actively tracking dozens of OS X threats daily, many of them new.
What you can do: Deploy a Mac antivirus solution. Ideally, your solution should be lightweight and easy to manage alongside your other platforms. And it should be backed by global threat analysis that actively monitors Mac threats. Make sure your Mac applications and add-ons are fully patched and up to date at all times to reduce the number of potential vulnerabilities.
5. Myth: The only way to protect offsite users is with a VPN or cloud service
Fact: That used to be true, but not anymore. In the past, you had to redirect your users' web surfing through a cloud service or back through your secure web gateway with a VPN connection to keep them secure. This can be very complex, expensive, and full of problems like latency, loss of localisation, and bandwidth consumption.
What you can do: Adopt a web protection solution that integrates web security directly into the endpoint on all your laptops - keeping your road warriors, remote workers, and other offsite users safe wherever they happen to be. You'll keep users secure while still having complete visibility and policy control over users everywhere they go.
Conclusion
A successful web protection solution combines the best elements of endpoint, cloud and gateway solutions to provide a better, more secure web experience. Look for a solution that integrates web protection into the endpoint to provide complete web protection everywhere users go.
(Stuart Fisher is managing director for Asia Pacific at Sophos, a developer and vendor of security software and hardware.)