Drive-by downloads 3: web anti-malware services

Read previous: Drive-by downloads 2: malware code implementation and preventive measures

Concluding their in-depth discussion of drive-by downloads, Neil Daswani and Lars Ewe provide some tips for avoiding the consequences of such infections. These recommendations are split into specific steps webmasters should take in terms of site assessment, anti-malware monitoring, infection containment and recovery, followed by a look at how sites with different risk tolerances can prioritize that work across a large portfolio of web assets.

Neil Daswani: In addition to making sure that you conduct an assessment of your site, which can include both a vulnerability and a malware risk assessment that tells you what the likelihood is that your website could get infected by malware, and taking the preventative steps that Lars talked about, it is also important to have detection, containment and recovery services and processes in place.

The reason is there might be a number of vulnerabilities on the site that are preventable. You know, if there is a cross-site scripting issue or an SQL injection issue, you can then put that on track to fixing the code and deploying it out on the site.

At the same time, if you have a third-party partner that, say, provides you with an audience measurement widget that you are using, or a video-playing widget, or you are dedicating part of your website space to advertising, then those widgets at any time could get infected and there may not be anything that you can directly do to prevent it.

But if you don’t take steps to detect this kind of activity, then you can end up with a scenario in which ads are being shown on your website, and basically when, say, a search engine crawler comes by, it may identify the fact that your site served a page, there happened to be an ad on it, and it ended up sending a malware drive-by download or a fake antivirus package to the user. And if that occurs, then your website can get blacklisted by the major search engines, it can get blacklisted by the browsers, so it is important.


If this is happening, even if the drive-by download wasn’t coming from any of the direct resources on your website, but was coming from one of your widgets, it’s important to have this kind of detection and containment in place.

So what you need in terms of detection is some kind of anti-malware monitoring. There are a number of organizations that can provide web anti-malware services. Basically, it typically encompasses providing your domain name and having all the URLs on your domain enumerated, crawled and scanned, ideally using a behaviorally oriented algorithm that fully renders all the content and ads and all the other aspects of your site to identify these kinds of issues.

One great thing about the detection is that when these kinds of issues occur, you get emailed, you get an alert sent to your cell phone, so that you can help lock down the issue and take appropriate steps. If you are interested in automated containment, there are also open source modules like ‘Mod Anti-Malware’ which can be downloaded and installed on your web server so that if any issue occurs, pages on your site can continue being served but the malicious code automatically gets stripped out.

And then finally, to address the issue completely, the malicious code that might have been injected into some file, or that might have been injected into some database, needs to be removed. So once you employ all five of these steps (assessment, prevention, detection, containment and recovery) using some of the kinds of mechanisms we’ve talked about, you can make sure that your website has a holistic process in place to address web security and security from malicious software.

Risk tolerance


So now that we’ve covered the existing threats and some of the things that you can do to address these issues, we’re gonna talk a little bit about the future – where do you go from here? Depending upon what kind of organization you are, this may have different implications for you. There is a pyramid here on this next slide on risk tolerance (see image) where we’ve seen that there are different kinds of websites and different kinds of ad networks, and they have different levels of sensitivity.

So some sites require mission-critical security. Military websites may, for instance, fall within that category. Then there are sites for which security is extremely important: you can think here about websites that might be providing an email service, so you can log in and check your email. So it is important that they have security at the appropriate level. And then there is a whole bunch of other websites out there. You know, my dentist, my gardener – they all have websites, and for them it is important to have some adequate level of security. And so there are these different levels of criticality, and there are different levels of protection that are required.

So, in the mission-critical section you might have military websites, you might have websites of financial institutions. For them, it may be important to have on-premise software[1], and both Cenzic and Dasient have provided on-premise software to address these kinds of issues.

Managed services for both mission-critical and important-security websites are provided by both such companies, and an example of that is monitoring, for instance. These two areas have been pretty well covered, but what we’ve been finding is that there may not be enough out there for adequate security for a large number of small and medium business websites. So Lars and I, together with our teams at Cenzic and Dasient, are now providing integrated vulnerability and web malware scanning from the cloud in a low-cost way for this large range of websites. We are working together with a number of large web hosting providers to basically provide that level of managed in-the-cloud security to their customers.

There are a whole bunch of good reasons to do this, because it is good for the web hosting providers themselves. They may have their reputation impacted if there are a lot of infected websites on their platform. And there are a lot of small and medium-size businesses that basically get hit significantly and cannot monetize their site anymore because of these kinds of issues. So together with the partnership of various web hosting providers, we are excited about helping further secure the world. So with that I am gonna turn it over to Lars, and he is gonna talk a little bit about transitioning the amount of risk over time for sites.

Lars Ewe: One of the challenges that we see with many organizations, which are our customers that we work with closely, is the sheer number of sites that they have. They often go through this process and they find out that the first challenge is that they don’t know how many sites they do have. So just taking their inventory turns out to be challenging for many. Once they have the inventory, there is a sort of negative surprise effect, which is how many they have. And as they start to digest that, they realize quickly that they really don’t have the resources to address more than a small fraction of those.

Website risk management


With the new offerings that we are talking about, there are better means now for these organizations to take a broader and an in-depth approach at the same time. We often refer to that as a sort of funnel (see image). And the idea of that is no different from a health check when you go to the doctor. You usually first get a quick health check: they take your blood pressure, maybe a blood sample, no more than that. And then, based on the findings of that, they will decide what further steps need to be taken. This isn’t any different. Think of a solution approach that scales broadly, so that we can actually scan thousands and thousands of sites for you on a very regular basis. And then, based on the risk metrics that come out of that process, we will determine which applications need to go through a deeper process and through more inspection, if you will.

So it is really a risk management environment at the end of the day that funnels your applications, based on various criteria, through the funnel all the way down to the most critical, most robust applications, which obviously receive a slightly different treatment than the ones at the top of the funnel. The idea here is to do that jointly: the idea is to do that both at the web application vulnerability level as well as at the malware level. You will see these offerings to be very scalable, you will see them to be very configurable, you will see them to be able to actually help you work across your entire portfolio of web assets.
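The two mechanical pieces of the detection and containment steps Neil Daswani describes above (scan a site's pages for content pulled in from third-party widgets and ad networks, then strip what is flagged so the page can keep being served) can be sketched in a few dozen lines. What follows is an added example written for this page; it is not code from the talk, from Cenzic or Dasient, or from the ‘Mod Anti-Malware’ module. It assumes a hypothetical allowlist of origins the site legitimately loads scripts and frames from, runs over a constructed sample page rather than a live crawl, and does not render or execute anything, so it checks only two cheap indicators: a script or iframe whose origin is not on the allowlist, and an iframe that is sized to zero or hidden, a common drive-by pattern. A real service would add the behavioral rendering the talk mentions on top of this.

```python
"""Added example (not from the talk): audit a page for third-party script/iframe
origins and strip the flagged elements. Uses only the standard library."""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hypothetical allowlist: origins this site legitimately loads resources from
# (its own hosts plus the audience-measurement widget it subscribes to).
ALLOWED_ORIGINS = {"www.example.com", "cdn.example.com", "widgets.measure-example.net"}

# Constructed sample page: two legitimate script includes plus two elements that
# a compromised ad/widget would typically add (.invalid is a reserved TLD).
SAMPLE_PAGE = """<html><head>
<script src="https://cdn.example.com/site.js"></script>
<script src="https://widgets.measure-example.net/tag.js"></script>
</head><body>
<h1>Welcome</h1>
<iframe src="http://unknown-ads.invalid/show.php" width="0" height="0" style="display:none"></iframe>
<script src="http://unknown-ads.invalid/loader.js"></script>
<p>Content</p>
</body></html>"""


class ResourceAuditor(HTMLParser):
    """Collects script/iframe elements that load from a non-allowlisted origin
    or are hidden, recording the character span of each so it can be cut out."""

    def __init__(self, text, allowed):
        super().__init__()
        self.text = text
        self.allowed = allowed
        self.findings = []      # {"tag", "reason", "span": (start, end)}
        self._open = []         # stack of (tag, start_offset, reason)
        # Absolute offset of every line start, so getpos() (line, col) -> index.
        self._line_starts = [0] + [i + 1 for i, ch in enumerate(text) if ch == "\n"]

    def _abs(self):
        line, col = self.getpos()
        return self._line_starts[line - 1] + col

    def _reason(self, tag, attrs):
        a = dict(attrs)
        src = a.get("src") or ""
        host = urlparse(src).hostname          # None for relative (same-origin) URLs
        if host and host not in self.allowed:
            return f"{tag} loaded from non-allowlisted origin {host}"
        if tag == "iframe":
            style = (a.get("style") or "").replace(" ", "").lower()
            if a.get("width") == "0" or a.get("height") == "0" or "display:none" in style:
                return "hidden iframe"
        return None

    def handle_starttag(self, tag, attrs):
        if tag in ("script", "iframe"):
            self._open.append((tag, self._abs(), self._reason(tag, attrs)))

    def handle_endtag(self, tag):
        if self._open and self._open[-1][0] == tag:
            t, start, reason = self._open.pop()
            end = self.text.index(">", self._abs()) + 1   # just past "</tag>"
            if reason:
                self.findings.append({"tag": t, "reason": reason, "span": (start, end)})


def audit(text, allowed=ALLOWED_ORIGINS):
    """Detection: return the list of flagged elements on one page."""
    p = ResourceAuditor(text, allowed)
    p.feed(text)
    p.close()
    return p.findings


def contain(text, allowed=ALLOWED_ORIGINS):
    """Containment: return (page with flagged elements removed, findings).
    Spans are cut from the end backwards so earlier offsets stay valid."""
    findings = audit(text, allowed)
    out = text
    for f in sorted(findings, key=lambda f: f["span"][0], reverse=True):
        s, e = f["span"]
        out = out[:s] + "<!-- removed by monitor -->" + out[e:]
    return out, findings


if __name__ == "__main__":
    cleaned, found = contain(SAMPLE_PAGE)
    for f in found:
        print(f"ALERT: {f['reason']}")
    print(cleaned)
```

The detection half (audit) is what a scheduled crawl would run over every enumerated URL and turn into the email or phone alert; the containment half (contain) is what a server-side filter would apply on the way out, leaving the rest of the page served intact until the injected file or database row has actually been cleaned up, which is the recovery step.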


[1] On-premise software (often abbreviated as on-prem software) is installed and run on computers on the premises (in the building) of the person or organization using the software, rather than at a remote facility, such as a server farm or cloud somewhere on the Internet.
