
Web Security

As email and web technologies converge, the number of security threats has grown, both in terms of creativity and effectiveness. Web-based threats are proving to be a nightmare for IT administrators and computer users. Although technology helps to counter these threats, a more holistic approach is needed, one that includes strict and enforceable policies as well as a proper awareness program.

Malware infections cause a number of problems. Machines become unresponsive or sluggish, so users become frustrated and administrators spend precious time trying to find the problem. When a machine is infected, some administrators simply want to re-install the operating system; however, a responsible system administrator or security analyst would want to investigate and assess the situation before doing anything else. All of these tasks take time and resources. People have to stop working, the hardware has to be replaced and so on. Additionally, some malware creates a denial of service by design, increasing the possibility of an attack on the organization’s infrastructure.

While most organizations understand denial of service very well – since it impacts productivity – many ignore the impact on confidentiality and integrity. Attackers are known to harvest sensitive information from compromised computers to carry out further and deeper attacks within the network. If they access the organization’s data, they can sell it to third parties and make a profit. Modern malware can create an automated process to harvest information from a network that has been breached.

Once an attacker is on the inside, his or her work is significantly easier since on most networks, systems on the inside are trusted. This is what makes attacking web visitors through infected websites so attractive to the bad guys. End-users and their web browsers are already on the internal network. Unlike traditional network-based attacks, the victim connects to the attacker instead of the other way round. Even today, most defenses are still focused on preventing attackers from trying to connect to the victim, i.e. protecting the perimeter.

Prevention is certainly better than having to clean up after a security breach or web-based attack. Attacks often depend on the end-user making a mistake and clicking on attachments or links. That is why security awareness and education play an important part in the overall security of an organization’s network. If end-users are aware of the threats, understand how their actions could be a contributing factor and have clear steps to follow if they see something suspicious, then the chances are that security will improve.

Education alone is not enough. Organizations need security and user policies that can be enforced. These policies need to be reasonable and allow employees to do their job while limiting actions that could be a security risk. This is easier said than done because many security policies and solutions impact usability. Therefore, a good security analyst has a tough job finding a balance between security and helping employees to deliver and be productive. When policies are too strong, employees will find ways around the policies or become less productive – a situation that is untenable and unacceptable for a business.

Security policies are important but only effective when they are enforced and users are aware of them. It is highly recommended that businesses create acceptable user policies that every employee has to sign. Enforcement, however, is another story and requires more than just an employee’s signature on a piece of paper that they will probably never see again. Technology is key here because it allows administrators to enforce policies across the network with minimal effort.


Copyright ©2011 PBCL. All Rights Reserved.
