Surfing Through Muck, Safely
Surfing the 'Net may foster images of cool people on surfboards riding the crest of a wave on a beautiful day. In reality, the Web is full of muck. There's no free ride, and anything that is free needs careful consideration, evaluation, and validation.
In a previous No Jitter post, "Security Fixes -- Duct Tape Doesn't Cut It," I shared several strategies on how end users can avoid security nightmares from the book "Online Danger" by Dr. Eric Cole, longtime security executive. Every IT department knows that users remain vulnerable through their own devices and click-happy habits. Instant gratification of wanting information, a file, an image, a movie or best price tends to outweigh everything else at the time. Security becomes an afterthought of, "Oh, I wish I'd...."
Privacy gives way to marketing and metrics, including how many miles and how much drive time to my next predicted destination when I'm in the car with my smartphone. Ads bombard users and cookies litter desktops. Junk mail appears on the Web in many forms besides unsolicited email.
In a recent deployment of just 30 days, I observed traffic from a customer site and reviewed traffic statistics using a security appliance from Barracuda Networks (as shown below). Prior to deployment of this appliance, the ratio of blocked traffic over allowed was approximately 30%. Three areas of vulnerability stood out:
- No SSL traffic inspection
- File downloads allowed with no inspection
- Expired firmware and aged product meant lack of updated features and an inability to adequately filter and block malicious traffic
The screen capture below reveals almost 56% of blocked traffic over allowed traffic. Of course this includes ads and popups, but it shows that employees make themselves vulnerable as well as corporate data assets.
In examining the logs after deployment couple of weeks with the appliance in place, we noted "unauthenticated" traffic from several IP addresses. Setting a new rule, we began blocking all unauthenticated traffic by any device attempting Internet access so we could see legitimate and illegitimate traffic. In this case, employees attempted to circumvent the security appliance.
In front of this solution is a mail filtering system that detects malicious and spoofed email, as well as spam. An exception report is generated and emailed directly to each user. In one instance a user allowed delivery of a quarantined email from a known sender. The file contained malicious code, but the Barracuda solution blocked the file through its onboard advanced threat protection feature. What I'm still pondering is why the outside mail filtering system that detected the malicious file would allow the user to override the containment? Luck was on the side of this enterprise on this one instance thanks to its use of the Barracuda appliance.
Take these suggestions into account when planning your own security strategies:
- Over-buy on your security solution. Example: SSL packet inspection and other deep packet inspection features take processing power and the more bandwidth, well, the more processing
- If in doubt, block it. Let the business make a case why the blocking is unnecessary
- Review the logs. Otherwise you'll miss out on what's going on in your network
- Remember: Don't rely on technology to solve everything and keep Dr. Cole's advice in mind: "Nothing is completely secure."
- Read this warning about SSL inspection
You can believe in luck, fate, karma, or anything else, but numbers speak for themselves. And if the numbers are true as shown above, then no amount of luck is going to keep an enterprise safe from the perils of the Web -- it's laden with muck.
Follow Matt Brunk on Twitter!