The Essentials Series: Using Cloud Services to Improve Web Security
Mike Danseglio
Introduction to Realtime Publishers
by Don Jones, Series Editor
For several years now, Realtime has produced dozens and dozens of high-quality books that just happen to be delivered in electronic format at no cost to you, the reader. We've made this unique publishing model work through the generous support and cooperation of our sponsors, who agree to bear each book's production expenses for the benefit of our readers.

Although we've always offered our publications to you for free, don't think for a moment that quality is anything less than our top priority. My job is to make sure that our books are as good as, and in most cases better than, any printed book that would cost you $40 or more. Our electronic publishing model offers several advantages over printed books: You receive chapters literally as fast as our authors produce them (hence the "realtime" aspect of our model), and we can update chapters to reflect the latest changes in technology.

I want to point out that our books are by no means paid advertisements or white papers. We're an independent publishing company, and an important aspect of my job is to make sure that our authors are free to voice their expertise and opinions without reservation or restriction. We maintain complete editorial control of our publications, and I'm proud that we've produced so many quality books over the past years.

I want to extend an invitation to visit us at http://nexus.realtimepublishers.com, especially if you've received this publication from a friend or colleague. We have a wide variety of additional books on a range of topics, and you're sure to find something that's of interest to you, and it won't cost you a thing. We hope you'll continue to come to Realtime for your educational needs far into the future.

Until then, enjoy.

Don Jones
Copyright Statement
© 2010 Realtime Publishers. All rights reserved. This site contains materials that have been created, developed, or commissioned by, and published with the permission of, Realtime Publishers (the "Materials") and this site and any such Materials are protected by international copyright and trademark laws. THE MATERIALS ARE PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, TITLE AND NON-INFRINGEMENT. The Materials are subject to change without notice and do not represent a commitment on the part of Realtime Publishers or its web site sponsors. In no event shall Realtime Publishers or its web site sponsors be held liable for technical or editorial errors or omissions contained in the Materials, including without limitation, for any direct, indirect, incidental, special, exemplary or consequential damages whatsoever resulting from the use of any information contained in the Materials. The Materials (including but not limited to the text, images, audio, and/or video) may not be copied, reproduced, republished, uploaded, posted, transmitted, or distributed in any way, in whole or in part, except that one copy may be downloaded for your personal, noncommercial use on a single computer. In connection with such use, you may not modify or obscure any copyright or other proprietary notice. The Materials may contain trademarks, services marks and logos that are the property of third parties. You are not permitted to use these trademarks, services marks or logos without prior written consent of such third parties. Realtime Publishers and the Realtime Publishers logo are registered in the US Patent & Trademark Office. All other product or service names are the property of their respective owners.
If you have any questions about these terms, or if you would like information about licensing materials from Realtime Publishers, please contact us via e-mail at info@realtimepublishers.com.
Web Security Services: Delegating Security Responsibility to the Cloud
Few readers need to be told that the Internet is a dangerous place. Anyone in the IT field is aware that viruses, spam, and malicious Web sites exist. Knowledge of these attacks and vulnerabilities was the domain of specialized security gurus just a few years ago. But the need to understand computer security has spread beyond the domain of specialists. Today, even IT end users need to be aware of threats and countermeasures to some degree.

Why does everyone in the company need to understand computer security? Simply put, the attackers have gotten much better, and they get better every day. This is especially true of those conducting Web-based security threats.
Evolving Web Threats
There was a time, not long ago, when browsing the Web was a relatively painless and safe experience. A user simply fired up Internet Explorer, Netscape Navigator, NCSA Mosaic, or any other Web browser, and went to the site of their choice with little concern that their computer would be attacked, let alone compromised, by the visited site.

This perception of a safe Web changed rapidly as Internet use exploded in the late 1990s. Web patrons began to experience the pop-up window advertisement explosion. Whatever site they visited, it seemed like at least one new window would open with a dedicated advertisement. But because the ad sales campaigns only profited when those windows were clicked, the ads became more lucrative and deceptive to users. The pop-up windows began to take the appearance of important operating system (OS) messages, compelling less experienced users to click; the windows would then quickly replace the previous message with an advertisement.

Accompanying this pop-up window explosion was the rapid development of installable toolbars and ActiveX controls. Attackers and advertisers realized that installing these components on a user's computer allowed the attackers and advertisers to control more of the system than just the Web browser. In fact, they could make the computer do just about anything: spawn pop-up windows without a Web site open, use a specific home page and search engine, even force Web traffic to go through a specific channel.
The Web browsers and OSs at the time attempted to warn users and get permission from the user before any such installations. These warnings went largely ignored by users and administrators. The result was computers and networks so deeply infected with malware that they frequently required reinstallation from scratch, erasing the hard drive and starting all over again, only to have the now even more clever malware authors reinfect the systems. In extreme cases, the entire network had to be brought down just to control the spread of malware.

The financial impact of these often innocent-seeming malware outbreaks grew year after year. The 2008 CSI Computer Crime and Security Survey reports that the highest average loss per respondent figure was reported in 2001 at $3,149,000 (Source: 2008 CSI Computer Crime and Security Survey, page 16). This scale of financial loss has a very measurable, and very real, business impact, far beyond the home computer that displays an occasional errant pop-up ad. Businesses cannot afford to lose seven figures per year on preventable issues like malware. And this impact is felt throughout the world and across all industries, not just within the scope of this report.

The response was, beginning in 2002, an explosion of the computer security industry. The system defenders quickly outpaced the attackers and brought the situation rapidly into a more manageable space. The reduction in malware outbreaks greatly shrunk the financial opportunities for attackers. Malware authors, even those with semi-respectable business models, changed their tactics (for example, obtaining explicit consent, providing tools for removal) or went out of business. Some were slapped with civil lawsuits and even arrested.

Unfortunately for the rest of the world, malware authors did not completely go away. Although their tactics changed, their overall goal of making money did not. The outbreak of email scams, phishing, pharming, and countless subtle ploys was unleashed on the IT world. The attackers replaced widespread malware infestations by scaling up their more subtle attacks. They realized, correctly, that sending millions of emails costs exactly as much money as sending hundreds of emails. Unfortunately, attackers also realized that the Web is a great place for their attacks.
Today's Web Threats
Many users and IT professionals still surf Web sites with impunity. The list of protective measures is staggering (hardware and software firewalls, virus scanners, browser protection, more vigilant Web site administration, and User Access Control, just to name a few), so how could any malware possibly get to the computer, much less infect it? The reality is that attackers are only concerned with one goal: making money. For as long as there is money to be made by attacking computers, attackers will find a way to do so.
Interestingly, there is even more money available than back in the early days of Internet attacks. Our worldwide economy knows no boundaries. That means an attacker can make just as much profit from a successful attack in North America as she can with success in Asia, Europe, or anywhere else. And the pervasive reach of the Internet enables her to attack any of these places from anywhere in the world. A free Internet connection at a coffee shop in Omaha is just as profitable as a dedicated high-speed link directly into the backbone.

The targets for attack have also evolved. Today, any successful compromise can be profitable. Of course, there are certainly more opportune targets. Attackers tend to gravitate toward companies that may yield information that can be sold (for example, credit card records, competitive data) or used for blackmail (for example, unfiled patents). But the ability of attackers to profit on even the most unexpected or least interesting data should not be underestimated.

Top Two Profitable Data Elements: A Surprising Statistic

Lists of valid credit cards are often sold between attackers. Their value is fairly obvious and doesn't require explanation. But you might not know that the second most valuable piece of data that an attacker can sell is a World of Warcraft (WoW) account. For the past several years, attackers have targeted home users and their WoW account information. Per account, they are worth more than 100 times a credit card. This has led to extensive security measures by Blizzard (the publisher of WoW), including two-factor authentication, centralized account auditing, and WoW-specific malware scanners.

Luckily, this type of data is rarely kept on business computers. But you should consider that if data from an online game about Orcs and Elves can be highly profitable, your business data can as well.
A key behavioral change for attackers is the way they exploit computers. In general, attackers seek the weakest security link in a chain to perform their attacks. For example, a user at a corporate desktop receives an email from Facebook that a friend has a new photo, so the user clicks the link and takes a look. There are many actions that happen during that one simple check:

• The link within the email can be a fake (phishing or spear phishing)
• The email can contain a worm disguised as a Facebook link
• The specific Facebook server could be subject to a DNS redirection attack, sending the user to a false server
• The Facebook page could be compromised and hosting a browser-based attack
• The advertisements on Facebook could be compromised and hosting Flash-based attacks
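The scenario above lists several ways a single "new photo" link can be turned against the user. As an added example that is not part of the book, the following Python script shows a defender-side check that a mail gateway or help desk could run over an inbound HTML message: it flags anchors whose visible text names a different host than the href, hrefs that bury a trusted brand name under an unrelated registrable domain, and hrefs that point at a raw IP address. The trusted-domain list, the sample message body and the reason strings are constructed for the illustration, and the two-label rule for the registrable domain is a deliberate simplification (a production check would use a public-suffix list).

```python
"""Flag deceptive links in an HTML e-mail body (added example, not from the book).

Checks three of the link tricks the chapter's Facebook scenario alludes to:
  1. visible link text names one host, but the href goes somewhere else
  2. a trusted brand name appears inside the href host but is not its
     registrable domain (e.g. facebook.com.photo-alerts.example)
  3. the href points at a raw IP address instead of a hostname
Only the Python standard library is used.  The brand list, the sample
e-mail and the reason strings are constructed for this example.
"""
from dataclasses import dataclass, field
from html.parser import HTMLParser
from ipaddress import ip_address
from urllib.parse import urlparse

# Constructed list of brands the organisation expects mail from (assumption).
TRUSTED_DOMAINS = ("facebook.com", "twitter.com")


@dataclass
class LinkFinding:
    text: str
    href: str
    reasons: list = field(default_factory=list)


class _AnchorCollector(HTMLParser):
    """Collect (visible text, href) pairs from <a> tags."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None   # None while not inside an <a> element
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append(("".join(self._text).strip(), self._href))
            self._href = None


def _host(url_or_text):
    """Lower-cased host of a URL, or of bare text that looks like one."""
    candidate = url_or_text.strip()
    if "://" not in candidate:
        candidate = "http://" + candidate
    return (urlparse(candidate).hostname or "").lower()


def _registrable(host):
    """Naive registrable domain: the last two labels (simplification)."""
    labels = host.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host


def _is_ip(host):
    try:
        ip_address(host)
        return True
    except ValueError:
        return False


def analyse_links(html):
    """Return a LinkFinding per anchor; a non-empty reasons list means suspicious."""
    parser = _AnchorCollector()
    parser.feed(html)
    findings = []
    for text, href in parser.links:
        finding = LinkFinding(text=text, href=href)
        href_host = _host(href)
        # Only treat the anchor text as a host claim if it looks like a URL/domain.
        text_host = _host(text) if "." in text and " " not in text else ""
        if text_host and _registrable(text_host) != _registrable(href_host):
            finding.reasons.append("visible text host differs from href host")
        if _is_ip(href_host):
            finding.reasons.append("href is a raw IP address")
        for brand in TRUSTED_DOMAINS:
            if brand in href_host and _registrable(href_host) != brand:
                finding.reasons.append(f"host impersonates {brand}")
        findings.append(finding)
    return findings


def suspicious_links(html):
    """Only the anchors that tripped at least one check."""
    return [f for f in analyse_links(html) if f.reasons]


# Constructed sample e-mail body: one genuine link, two deceptive ones.
SAMPLE_EMAIL = """
<p>Your friend added a new photo.</p>
<a href="https://www.facebook.com/photos">See the photo</a>
<a href="http://facebook.com.photo-alerts.example/login">www.facebook.com</a>
<a href="http://203.0.113.7/fb/photo.exe">https://www.facebook.com/photo</a>
"""

if __name__ == "__main__":
    for finding in analyse_links(SAMPLE_EMAIL):
        status = "SUSPICIOUS" if finding.reasons else "ok"
        print(f"{status:10} {finding.href}  <- '{finding.text}'  {finding.reasons}")
```

Run stand-alone, the script prints one line per anchor: the first link passes, the second is flagged for both a text/href mismatch and brand impersonation, and the third for a mismatch and a raw-IP target. The check is deliberately conservative about anchor text: only text with no spaces and at least one dot is treated as a host claim, so ordinary wording such as "See the photo" never produces a false mismatch.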
The list of potential attacks for this scenario goes on and on, as do the variants on the scenario. And most of these attacks, including the ones that are most effective today, are Web-based.

Many attackers have followed the trend of users' Web surfing at work to compromise these users. They know that social networking sites and services like Facebook, Twitter, and MySpace are frequented by users from the workplace. These sites are also becoming more work-related over time. Many companies use Facebook and Twitter effectively for legitimate corporate communications and building product communities. But these Web sites weren't built around strong security. They were built for social networking. Security flaws should be expected in sites like this. Attackers know this and know that such sites can be a weak link.
Evolving Security Measures
There are many ways to defend against these attacks. Many organizations have deployed large on-site security infrastructures over the past several years. These infrastructures often include malware scanning software on each computer, centralized firewalls, dedicated email scanners, application-specific malware prevention tools, and more. Some are self-managing while others require centralized operation and monitoring to remain effective. The variety of tools available is virtually limitless, as is the operational cost, effectiveness, and impact on user and IT staff productivity.

Protecting against the dynamic, changing attack landscape in the most cost-efficient and seamless manner is the goal of any security solution. This goal is actually achievable with the variety of flexible approaches in the market. But you need to understand the available approaches. Most of them are well understood and have been around for years. But a newer approach, cloud-based security, has recently emerged and shown the potential to address a number of today's evolving Web-based threats.
Cloud-Based Security Solutions
The idea of cloud computing is not new. Offloading a portion of IT tasks to a service provider is a concept that has been in use for years. This has been especially true for processing large volumes of data or crunching numbers. In recent years, technology has evolved to allow virtually any task to be offloaded in this way. Tasks such as word processing and email can be handled as cloud-based services today where they were inflexible just a short time ago.
Like these other technology services, security is now available as a hostable cloud service. Cloud security approaches are being quickly recognized as a highly effective defense mechanism. Handling security via cloud-based solutions has a number of benefits:

• Fewer attacks reach the corporate resources, reducing the risk of any security gaps or flaws being exploited
• Reduced time to implement security measures
• Reduced strain on corporate resources (for example, less Web traffic reduces network traffic)
• Constantly updated detection methods that catch even the most current attacks without on-site IT intervention
• Corporate policy enforcement (for example, Web site filtering) implemented by a neutral third party, reducing animosity while enforcing policy and security
• Implementation by well-known security firms that have reputations for trustworthiness
Summary
Web security is a complex problem to address. The ever-changing demands of corporate users don't allow IT professionals to simply turn off Web access, even to sites that are often considered unrelated to work. But IT must still enforce security measures to protect corporate assets. In today's constantly changing security landscape, this requirement is more of a challenge than ever before.

Cloud-based Web security offers a number of benefits in addressing these challenges. Most of these benefits result in a reduced total cost of ownership (TCO) while maintaining the functionality and flexibility that users demand.