Security in the cloud – the first line of defence
Dan Nadir, Vice President of Product Strategy for web security
company ScanSafe, says security professionals need to take a closer
look at web security.
For most companies, the days when the network had a defined perimeter,
viruses existed only in email attachments, and desktops could be
secured within the network perimeter are long gone. The majority
of networks today do not have a defined perimeter: they are being
accessed remotely by employees and contractors using PDAs, laptops
and smartphones from remote offices, homes, train stations and cafes.
Further, threats are more widespread, more stealthy and increasingly
focused on access by employees to the Internet as a key vulnerability.
Because of this, security at the desktop or server-level, while
essential, is no longer sufficient. It’s the last line of
defence. Companies need to install a first line of defence. This
article will explore why.
Web communications and applications proliferate in most organisations.
Nine out of ten UK companies use the Internet to conduct business
(source: Information Security Breaches Survey, Department for Trade
and Industry) and most staff use the Internet for both business
and personal reasons. With greater web connectivity comes greater
risk, and many companies are not fully aware of the potential security
threats, continuing to rely on firewalls, intrusion detection and
anti-virus software to protect their organisations’ critical
data.
Web security risks are relatively unknown
Most money spent on web security is used to protect web servers
or to enforce corporate policy through URL filtering. Most companies
do not scan HTTP and FTP traffic in real time for malicious code.
Yet, this is where the growing majority of threats exist. Viruses,
Trojan horses, hacker tools, auto diallers, spyware and adware all
exist in ‘the cloud’. Businesses have responded by putting
virus scanning at the Internet Gateway. But only 35 per cent of all
UK businesses, and 50 per cent of large organisations, have done
this, compared to more than half of all companies that have email
anti-virus software at the Internet Gateway and desktop. Around
15 per cent of UK businesses deal with the problem by blocking access
to inappropriate sites [1].
Despite an increased adoption of anti-virus software, incidents
of web virus infection are still on the rise: there was a 165 per cent
increase in new viruses in 2005 (1,423) compared to 2004’s
534, according to ScanSafe’s latest Web Security Threat Report
for 2005.
Web threats are typically blended threats that combine the characteristics
of Trojans, viruses, worms and hacking techniques. They can bypass
anti-virus software and attack weaker areas of network security,
such as Web applications – including Web browsers, RSS, Instant
Messaging and so on. Web threats also include spyware, which was
ranked by IDC’s Enterprise Security Survey 2005 as the second
greatest threat to network security, adware and diallers. ScanSafe
has seen the average number of spyware and adware blocks per company
doubling every month during the second half of 2005 – from
2,280 blocks per month in August to 8,320 in November, representing
an increase of 265 percent over four months.
Further, the continuing emergence of Web vulnerabilities –
such as the Windows Metafile Web Browser vulnerability – is giving
attackers the opportunity to develop exploits that can infect a system
simply by visiting a malicious web site. Even VoIP will not be immune
to attacks, given the number of vulnerabilities that have been discovered
to date in some VoIP software products. It is just a matter of time
before attackers set their sights on this increasingly popular protocol.
This poses a serious threat to organisations, since a single critical
vulnerability can result in the immediate exposure of systems that
were previously considered secure. The race to release patches that
fix vulnerabilities is not being won, as the Windows Metafile (WMF)
flaw recently highlighted. But even if the gap between vulnerability
and patch were closed, it is doubtful that most organisations would
be able to test and implement the patch in time across all devices (desktops
and laptops) anyway. And herein lies the real issue with relying
solely on desktop and server-level protection – companies
simply cannot keep the thousands of vulnerable user devices up to
date with the latest definitions (essential to detect the threat
in the first place)!
Blocking threats before they get near the network
As a result, some organisations, including Condé Nast Publications,
a publisher of some of the world’s most glamorous magazine
titles, are recognising the need to implement security at the Internet
level to scan all web traffic going in and out of the network and
its connected devices.
The increased security threats posed a huge problem for Condé
Nast’s business, with staff constantly researching a variety
of subjects as well as receiving and downloading files such as images
from online picture galleries. It’s easy for spyware and malware
to find its way onto machines.
Filtering threats at the Internet level is an efficient way to
stop them before they get anywhere near the network level. It’s
another layer of protection that Condé Nast felt was essential.
Lauraine Turner, IT Director at Condé Nast, had tried a solution
recommended by a supplier but found it was extremely slow when implemented.
So she decided to outsource the security to ScanSafe. She said,
“The Internet is so crucial to our business that we couldn’t
afford to delay in finding a solution. With 650 machines connected
to the network, ScanSafe’s managed Web Scanning service was
a cost-effective and easily deployable choice.”
Keeping up to date with the latest threats and protecting the network
against them is time-consuming and not something many companies
can do easily or effectively by themselves.
Another example is National Express, the largest scheduled coach
provider in Europe. It wanted to safeguard its web-based applications,
which are a crucial part of its day-to-day operations, as well as
enable staff to bank online, shop and use other Web resources while
they were at work. But since many of these sites are vulnerable
to adware and spyware attacks, and web-borne viruses were increasingly
getting through National Express’ existing layered security,
it recognised the need for an additional layer of protection at
the Internet level.
The company’s Head of IT, David Jones, said, “We adopt
a policy that it is better to prevent email, web page borne viruses
and spam from entering our systems at all rather than letting them
in and dealing with them through our existing internal security
systems.” The company concluded that an internal solution
to provide an additional layer of security was too expensive and
difficult to deploy and selected ScanSafe to provide that.
Automated, real-time analysis of a huge volume of web traffic “in
the cloud” is a better indicator of threats than simply relying
on desktop or server security devices (although these should continue
to be used as part of a layered approach – it’s not a case of one
versus the other, but of using them simultaneously), because unlike
e-mail attacks, which flood mailboxes and are relatively easy to
detect and analyse, web threats lie dormant, waiting for unsuspecting
users to click and infect themselves. Worse still is a company’s
reliance on URL filters to protect it from malicious or
annoying content like spyware or adware. While many perceive that
their URL filtering products are providing active protection, the
truth is that they are being protected only from known URLs –
contained in static databases that can only block a site once malicious
content has been discovered. This is in sharp contrast to a service
that scans all content in real-time, as it is being accessed.
And, because this approach doesn’t require software or hardware
installation, but is based on a managed services model, it provides
virtually unlimited scale, eliminates risk, and reduces the resource
drain that managing multiple security products causes today for
many under-resourced corporate IT departments.
Extra layer of protection
Adding an extra layer of protection is critical, particularly when
hackers and attackers will focus on the weakest areas of security.
Given that use of the Internet and new technologies like IM, RSS
and blogs is rising, browser vulnerabilities are continually popping
up and protection for the Web is weaker relative to email, companies
need to start thinking about implementing procedures to scan and
filter their web traffic. Web traffic is the new threat target and
desktop and server security can no longer be the only lines of defence.