Using Cloud Services to Improve Web Security

The Essentials Series

Web Security Services: Delegating Security Responsibility to the Cloud

sponsored by

Mike Danseglio

TheEssentialsSeries:UsingCloudServicestoImproveWebSecurity

MikeDanseglio

IntroductiontoRealtimePublishers
by Don Jones, Series Editor

Forseveralyearsnow,Realtimehasproduceddozensanddozensofhighqualitybooks thatjusthappentobedeliveredinelectronicformatatnocosttoyou,thereader.Weve madethisuniquepublishingmodelworkthroughthegeneroussupportandcooperationof oursponsors,whoagreetobeareachbooksproductionexpensesforthebenefitofour readers. Althoughwevealwaysofferedourpublicationstoyouforfree,dontthinkforamoment thatqualityisanythinglessthanourtoppriority.Myjobistomakesurethatourbooksare asgoodasandinmostcasesbetterthananyprintedbookthatwouldcostyou$40or more.Ourelectronicpublishingmodeloffersseveraladvantagesoverprintedbooks:You receivechaptersliterallyasfastasourauthorsproducethem(hencetherealtimeaspect ofourmodel),andwecanupdatechapterstoreflectthelatestchangesintechnology. Iwanttopointoutthatourbooksarebynomeanspaidadvertisementsorwhitepapers. Wereanindependentpublishingcompany,andanimportantaspectofmyjobistomake surethatourauthorsarefreetovoicetheirexpertiseandopinionswithoutreservationor restriction.Wemaintaincompleteeditorialcontrolofourpublications,andImproudthat weveproducedsomanyqualitybooksoverthepastyears. Iwanttoextendaninvitationtovisitusathttp://nexus.realtimepublishers.com,especially ifyouvereceivedthispublicationfromafriendorcolleague.Wehaveawidevarietyof additionalbooksonarangeoftopics,andyouresuretofindsomethingthatsofinterestto youanditwontcostyouathing.WehopeyoullcontinuetocometoRealtimeforyour educationalneedsfarintothefuture. Untilthen,enjoy. DonJones

TheEssentialsSeries:UsingCloudServicestoImproveWebSecurity

MikeDanseglio

IntroductiontoRealtimePublishers.................................................................................................................i WebSecurityServices:DelegatingSecurityResponsibilitytotheCloud........................................1 EvolvingWebThreats.......................................................................................................................................1 TodaysWebThreats.........................................................................................................................................2 EvolvingSecurityMeasures............................................................................................................................4 CloudBasedSecuritySolutions...............................................................................................................4 . Summary.................................................................................................................................................................5

ii

TheEssentialsSeries:UsingCloudServicestoImproveWebSecurity

MikeDanseglio

Copyright Statement
2010 Realtime Publishers. All rights reserved. This site contains materials that have been created, developed, or commissioned by, and published with the permission of, Realtime Publishers (the Materials) and this site and any such Materials are protected by international copyright and trademark laws. THE MATERIALS ARE PROVIDED AS IS WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, TITLE AND NON-INFRINGEMENT. The Materials are subject to change without notice and do not represent a commitment on the part of Realtime Publishers its web site sponsors. In no event shall Realtime Publishers or its web site sponsors be held liable for technical or editorial errors or omissions contained in the Materials, including without limitation, for any direct, indirect, incidental, special, exemplary or consequential damages whatsoever resulting from the use of any information contained in the Materials. The Materials (including but not limited to the text, images, audio, and/or video) may not be copied, reproduced, republished, uploaded, posted, transmitted, or distributed in any way, in whole or in part, except that one copy may be downloaded for your personal, noncommercial use on a single computer. In connection with such use, you may not modify or obscure any copyright or other proprietary notice. The Materials may contain trademarks, services marks and logos that are the property of third parties. You are not permitted to use these trademarks, services marks or logos without prior written consent of such third parties. Realtime Publishers and the Realtime Publishers logo are registered in the US Patent & Trademark Office. All other product or service names are the property of their respective owners. If you have any questions about these terms, or if you would like information about licensing materials from Realtime Publishers, please contact us via e-mail at info@realtimepublishers.com.

iii

TheEssentialsSeries:UsingCloudServicestoImproveWebSecurity

MikeDanseglio

WebSecurityServices:DelegatingSecurity ResponsibilitytotheCloud
FewreadersneedtobetoldthattheInternetisadangerousplace.AnyoneintheITfieldis awarethatviruses,spam,andmaliciousWebsitesexist.Knowledgeoftheseattacksand vulnerabilitieswasthedomainofspecializedsecuritygurusjustafewyearsago.Butthe needtounderstandcomputersecurityhasspreadbeyondthedomainofspecialists.Today, evenITendusersneedtobeawareofthreatsandcountermeasurestosomedegree. Whydoeseveryoneinthecompanyneedtounderstandcomputersecurity?Simplyput,the attackershavegottenmuchbetter,andtheygetbettereveryday.Thisisespeciallytrueof thoseconductingWebbasedsecuritythreats.

EvolvingWebThreats
Therewasatime,notlongago,whenbrowsingtheWebwasarelativelypainlessandsafe experience.AusersimplyfiredupInternetExplorer,NetscapeNavigator,NCSAMosaic,or anyotherWebbrowser,andwenttothesiteoftheirchoicewithlittleconcernthattheir computerwouldbeattacked,letalonecompromised,bythevisitedsite. ThisperceptionofasafeWebchangedrapidlyasInternetuseexplodedinthelate1990s. Webpatronsbegantoexperiencethepopupwindowadvertisementexplosion.Whatever sitetheyvisited,itseemedlikeatleastonenewwindowwouldopenwithadedicated advertisement.Butbecausetheadsalescampaignsonlyprofitedwhenthosewindows wereclicked,theadsbecamemorelucrativeanddeceptivetousers.Thepopupwindows begantotaketheappearanceofimportantoperatingsystem(OS)messages,compelling lessexperienceduserstoclick;thewindowswouldthenquickreplacetheprevious messagewithanadvertisement. Accompanyingthispopupwindowexplosionwastherapiddevelopmentofinstallable toolbarsandActiveXcontrols.Attackersandadvertisersrealizedthatinstallingthese componentsonauserscomputerallowedtheattackersandadvertiserstocontrolmoreof thesystemthanjusttheWebbrowser.Infact,theycouldmakethecomputerdojustabout anythingspawnpopupwindowswithoutaWebsiteopen,useaspecifichomepageand searchengine,evenforceWebtraffictogothroughaspecificchannel.

TheEssentialsSeries:UsingCloudServicestoImproveWebSecurity

MikeDanseglio

TheWebbrowsersandOSsatthetimeattemptedtowarnusersandgetpermissionfrom theuserbeforeanysuchinstallations.Thesewarningswentlargelyignoredbyusersand administrators.Theresultwascomputersandnetworkssodeeplyinfectedwithmalware thattheyfrequentlyrequiredreinstallationfromscratcherasingtheharddriveand startingalloveragain,onlytohavethenowevenmoreclevermalwareauthorsreinfect thesystems.Inextremecases,theentirenetworkhadtobebroughtdownjusttocontrol thespreadofmalware. Thefinancialimpactoftheseofteninnocentseemingmalwareoutbreaksgrewyearafter year.The2008CSIComputerCrimeandSecuritySurveyreportsthatthehighestaverage lossperrespondentfigurewasreportedin2001at$3,149,000(Source:2008CSIComputer CrimeandSecuritySurvey,page16).Thisscaleoffinanciallosshasaverymeasurable,and veryreal,businessimpact,farbeyondthehomecomputerthatdisplaysanoccasional errantpopupad.Businessescannotaffordtolosesevenfiguresperyearonpreventable issueslikemalware.Andthisimpactisfeltthroughouttheworldandacrossallindustries, notjustwithinthescopeofthisreport. Theresponsewas,beginningin2002,anexplosionofthecomputersecurityindustry.The systemdefendersquicklyoutpacedtheattackersandbroughtthesituationrapidlyintoa moremanageablespace.Thereductioninmalwareoutbreaksgreatlyshrunkthefinancial opportunitiesforattackers.Malwareauthors,eventhosewithsemirespectablebusiness models,changedtheirtactics(forexample,obtainingexplicitconsent,providingtoolsfor removal)orwentoutofbusiness.Somewereslappedwithcivillawsuitsandevenarrested. Unfortunatelyfortherestoftheworld,malwareauthorsdidnotcompletelygoaway. Althoughtheirtacticschanged,theiroverallgoalofmakingmoneydidnot.Theoutbreakof emailscams,phishing,pharming,andcountlesssubtleployswasunleashedontheIT world.Theattackersreplacedwidespreadmalwareinfestationsbyscalinguptheirmore subtleattacks.Theyrealized,correctly,thatsendingmillionsofemailscostsexactlyas muchmoneyassendinghundredsofemails.Unfortunately,attackersalsorealizedthatthe Webisagreatplacefortheirattacks.

TodaysWebThreats
ManyusersandITprofessionalsstillsurfWebsiteswithimpunity.Thelistofprotective measuresisstaggeringhardwareandsoftwarefirewalls,virusscanners,browser protection,morevigilantWebsiteadministration,andUserAccessControl,justtonamea fewsohowcouldanymalwarepossiblygettothecomputer,muchlessinfectit?The realityisthatattackersareonlyconcernedwithonegoal:makingmoney.Foraslongas thereismoneytobemadebyattackingcomputers,attackerswillfindawaytodoso.

TheEssentialsSeries:UsingCloudServicestoImproveWebSecurity

MikeDanseglio

Interestingly,thereisevenmoremoneyavailablethanbackintheearlydaysofInternet attacks.Ourworldwideeconomyknowsnoboundaries.Thatmeansanattackercanmake justasmuchprofitfromasuccessfulattackinNorthAmericaasshecanwithsuccessin Asia,Europe,oranywhereelse.AndthepervasivereachoftheInternetenablesherto attackanyoftheseplacesfromanywhereintheworld.AfreeInternetconnectionata coffeeshopinOmahaisjustasprofitableasadedicatedhighspeedlinkdirectlyintothe backbone. Thetargetsforattackhavealsoevolved.Today,anysuccessfulcompromisecanbe profitable.Ofcourse,therearecertainlymoreopportunetargets.Attackerstendto gravitatetowardcompaniesthatmayyieldinformationthatcanbesold(forexample, creditcardrecords,competitivedata)orusedforblackmail(forexample,unfiledpatents). Buttheabilityofattackerstoprofitoneventhemostunexpectedorleastinterestingdata shouldnotbeunderestimated. TopTwoProfitableDataElementsASurprisingStatistic Listsofvalidcreditcardsareoftensoldbetweenattackers.Theirvalueis fairlyobviousanddoesntrequireexplanation.Butyoumightnotknowthat thesecondmostvaluablepieceofdatathatanattackercansellisaWorldof Warcraft(WoW)account.Forthepastseveralyears,attackershavetargeted homeusersandtheirWoWaccountinformation.Peraccount,theyareworth morethan100timesacreditcard.Thishasledtoextensivesecurity measuresbyBlizzard(thepublisherofWoW),includingtwofactor authentication,centralizedaccountauditing,andWoWspecificmalware scanners. Luckily,thistypeofdataisrarelykeptonbusinesscomputers.Butyou shouldconsiderthatifdatafromanonlinegameaboutOrcsandElvescanbe highlyprofitable,yourbusinessdatacanaswell. Akeybehavioralchangeforattackersisthewaytheyexploitcomputers.Ingeneral, attackersseektheweakestsecuritylinkinachaintoperformtheirattacks.Forexample,a useratacorporatedesktopreceivesanemailfromFacebookthatafriendhasanewphoto, sotheuserclicksthelinkandtakesalook.Therearemanyactionsthathappenduringthat onesimplecheck: Thelinkwithintheemailcanbeafake(phishingorspearphishing) TheemailcancontainawormdisguisedasaFacebooklink ThespecificFacebookservercouldbesubjecttoaDNSredirectionattack, sendingtheusertoafalseserver TheFacebookpagecouldbecompromisedandhostingabrowserbasedattack TheadvertisementsonFacebookcouldbecompromisedandhostingFlash basedattacks

TheEssentialsSeries:UsingCloudServicestoImproveWebSecurity

MikeDanseglio

Thelistofpotentialattacksforthisscenariogoesonandon,asdothevariantsonthe scenario.Andmostoftheseattacks,includingtheonesthataremosteffectivetoday,are Webbased. ManyattackershavefollowedthetrendofusersWebsurfingatworktocompromisethese users.TheyknowthatsocialnetworkingsitesandserviceslikeFacebook,Twitter,and MySpacearefrequentedbyusersfromtheworkplace.Thesesitesarealsobecomingmore workrelatedovertime.ManycompaniesuseFacebookandTwittereffectivelyfor legitimatecorporatecommunicationsandbuildingproductcommunities.ButtheseWeb siteswerentbuiltaroundstrongsecurity.Theywerebuiltforsocialnetworking.Security flawsshouldbeexpectedinsiteslikethis.Attackersknowthisandknowthatsuchsitescan beaweaklink.

EvolvingSecurityMeasures
Therearemanywaystodefendagainsttheseattacks.Manyorganizationshavedeployed largeonsitesecurityinfrastructuresoverthepastseveralyears.Theseinfrastructures oftenincludemalwarescanningsoftwareoneachcomputer,centralizedfirewalls, dedicatedemailscanners,applicationspecificmalwarepreventiontools,andmore.Some areselfmanagingwhileothersrequirecentralizedoperationandmonitoringtoremain effective.Thevarietyoftoolsavailableisvirtuallylimitless,asistheoperationalcost, effectiveness,andimpactonuserandITstaffproductivity. Protectingagainstthedynamicchangingattacklandscapeinthemostcostefficientand seamlessmanneristhegoalofanysecuritysolution.Thisgoalisactuallyachievablewith thevarietyofflexibleapproachesinthemarket.Butyouneedtounderstandtheavailable approaches.Mostofthemarewellunderstoodandhavebeenaroundforyears.Buta newerapproach,cloudbasedsecurity,hasrecentlyemergedandshownthepotentialto addressanumberoftodaysevolvingWebbasedthreats.

CloudBasedSecuritySolutions
Theideaofcloudcomputingisnotnew.OffloadingaportionofITtaskstoaservice providerisaconceptthathasbeeninuseforyears.Thishasbeenespeciallytruefor processinglargevolumesofdataorcrunchingnumbers.Inrecentyears,technologyhas evolvedtoallowvirtuallyanytasktobeoffloadedinthisway.Taskssuchasword processingandemailcanbehandledascloudbasedservicestodaywheretheywere inflexiblejustashorttimeago.

TheEssentialsSeries:UsingCloudServicestoImproveWebSecurity

MikeDanseglio

Liketheseothertechnologyservices,securityisnowavailableasahostablecloudservice. Cloudsecurityapproachesarebeingquicklyrecognizedasahighlyeffectivedefense mechanism.Handlingsecurityviacloudbasedsolutionshasanumberofbenefits: Fewerattacksreachthecorporateresources,reducingtheriskofanysecurity gapsorflawsbeingexploited Reducedtimetoimplementsecuritymeasures Reducedstrainoncorporateresources(forexample,lessWebtrafficreduces networktraffic) Constantlyupdateddetectionmethodsthatcatcheventhemostcurrentattacks withoutonsiteITintervention Corporatepolicyenforcement(forexample,Websitefiltering)implementedby aneutralthirdparty,reducinganimositywhileenforcingpolicyandsecurity Implementationbywellknownsecurityfirmsthathavereputationsfor trustworthiness

Summary
Websecurityisacomplexproblemtoaddress.Theeverchangingdemandsofcorporate usersdontallowITprofessionalstosimplyturnoffWebaccess,eventositesthatareoften consideredunrelatedtowork.ButITmuststillenforcesecuritymeasurestoprotect corporateassets.Intodaysconstantlychangingsecuritylandscape,thisrequirementis moreofachallengethaneverbefore. CloudbasedWebsecurityoffersanumberofbenefitsinaddressingthesechallenges.Most ofthesebenefitsresultinareducedtotalcostofownership(TCO)whilemaintainingthe functionalityandflexibilitythatusersdemand.