by Ian Kilpatrick
The time we spend using the web at work has increased hugely and is now part of the daily routine of most companies. Yet many people are still unaware that simply browsing the web can expose them to malware, a term which covers a multitude of threats such as Trojans, spyware, key loggers, worms and viruses, and which is often stretched to cover phishing, hacking and other forms of malicious activity. Simply opening a web page can result in acquiring these undesirable additions to your network.
Many people also believe that they are protected against infection from web browsing because they use URL filtering, anti-virus or anti-spyware software, or because they have a firewall. Unfortunately, this is not necessarily the case.
The danger on the web comes from something called active content. While active content can be non-malevolent and is used by companies on a daily basis, malicious active content can cause real damage and is growing at an extremely rapid rate. Companies need to take proactive steps to protect against this type of dangerous active content, whilst ensuring these measures do not hamper the efficient running of the business.
Active content refers to components that are embedded in an electronic document and which can carry out or trigger actions automatically (and dynamically), often without the user's consent or even knowledge. This content is delivered to the user's computer while browsing the web, enabling web sites to provide increased functionality, such as interacting dynamically with visitors, delivering animation and interactive applications, and much more.
Non-malevolent active content technologies (e.g., Java applets, ActiveX controls, macros, JavaScript and downloaded executables) are commonly used for regular business practices such as CRM, ERP, web conferencing, e-commerce, webmail, etc. JavaScript and other forms of active content are not always dangerous, but they are commonly used as tools by attackers.
Most web pages contain one or more types of active content, which is sometimes referred to as mobile code. It can also be delivered via email, instant messaging and other means of communication.
Attacks using malicious active content are growing rapidly and account for a large share of today's malware. These attacks can affect a company's profitability, because of the time and resources spent dealing with them, as well as through reduced productivity and lost revenue. Malicious active content can also mean that confidential company information is exposed or stolen.
Why aren't traditional security systems effective against active content attacks? The reason is that systems such as anti-virus and signature-based intrusion detection/prevention are designed to protect against known threats, and are ineffective against unknown threats and complex blended attacks, which may use multiple technologies to infiltrate your network.
Traditional security solutions were first designed to scan files and email attachments for threats which were much less sophisticated than those delivered by active content. Today's generation of malware attacks exploits vulnerabilities in web browsers and their plug-ins, which offer far more opportunities for malicious or inappropriate behaviour.
Spyware and phishing attacks also pass straight through firewalls, because they travel over ports the firewall has to leave open. The foremost of today's complex threats enter the network via port 80 (HTTP) and port 443 (HTTPS), and in most organisations opening port 80 is vital to the productivity of users. Port 443 traffic is encrypted end to end, so a firewall cannot see its content at all unless it terminates the TLS session itself.
Email transport also opens the door to many threats, and the combination of web and email transport is heavily exploited by threats such as phishing. The ineffectiveness of firewalls against such threats is evidenced by the rapid increase in worm penetration despite the extremely wide deployment of firewalls.
Company networks are at risk from the time a new vulnerability is published or an attack is launched until the time a signature update or patch for that threat is delivered and installed. And even with the latest anti-virus update, enterprises are still vulnerable, since malware can be repacked with compressors and packers, and mutated variants released, so that a signature written for one sample does not match the next.
Even once a patch is issued, it may be some time before it is installed. So, it is hardly surprising that companies without proactive protection against new, unknown attacks are in danger of compromising their network security and valuable business assets.
Anti-virus engines often use heuristics to identify variations of known viruses. However, since these schemes don't actually observe the full execution of the scanned software, they often fail to detect new infections: there are simply too many ways to obfuscate malicious code, and often the only way to know that content is malicious is to watch it run. The same blindness cuts the other way as well. Benign code that happens to share surface features with malware (packed strings, character-code loops, scripts that build other scripts) gets flagged too, which accounts for the high rate of false positives in heuristic-based systems.
To protect themselves against malicious active content, companies need solutions that can deal with threats the first time they attempt to strike, not some time after a signature or patch has been issued. An approach is necessary which analyses the actual behaviour of the active content to decide if it is malicious or inappropriate and needs to be blocked; or to decide that it is appropriate and can be allowed in uninterrupted.
One company offering a solution to these issues is Finjan, which has developed its own patented behaviour-based technology. Finjan's solution inspects the application-level traffic (i.e., the active content objects) that might carry the malicious mobile code which can infect the network, and analyses the behaviour of the code before it arrives and begins to run on the target computer.
This technology is able to identify the combinations of operations, parameters, script manipulations and other exploitation techniques, and can determine that a piece of mobile code is trying to exploit one or more types of vulnerabilities. Then, in line with each organisation's specific security policy, the system decides whether to pass, block or neutralise the content.
This behaviour-based technology can prevent new and previously unknown viruses, spyware, malicious code and complex attacks from entering the network. It can also reduce the false positives that heuristics-based techniques are prone to. As companies become more aware of the risks they are facing, using this type of system can result in a more educated, better-defined security policy. Another useful benefit is that it can expose the type of malware that tries to extract private information and send it out to the internet.
It is in the very nature of computer security that new threats continue to emerge and challenge our defences. Malicious active content picked up while browsing the web is a growing problem which is not adequately dealt with by traditional security solutions such as firewalls, anti-virus, intrusion detection/prevention, anti-spyware, etc. Signature-based solutions and patches leave company networks exposed when new malware first emerges.
The effective way to tackle these issues is to install a solution which uses behaviour-based technology and can actually analyse the behaviour of all types of active content coming into the network. That solution should be able to decide, without affecting the efficient running of the business, whether the active content is malicious and should be banned, or benign and allowed in so business can continue as normal and employees can use the Internet safely.
About the Author:
Ian Kilpatrick is chairman of security specialist Wick Hill Group. The company is exhibiting at Infosecurity Europe 2008, Europe's number one dedicated information security event. Now in its 13th year, the show continues to provide an unrivalled education programme, new products and services, over 300 exhibitors and 11,700 visitors from every segment of the industry. Held on 22nd - 24th April 2008 in the Grand Hall, Olympia, this is a must-attend event for all professionals involved in information security. www.infosec.co.uk.