The network blindspot & web security protection

The evolution of cyber security and the growing number of threats in recent years have caused continual problems for everyone including systems administrators, business owners and home users.

As a Network Administrator for many small businesses, cleaning up the aftereffects of malware and virus infections and seeing first-hand the stress they place on business owners and on staff members who unfortunately open these fraudulent or malicious emails, I have made the protection of IT systems for business owners my passion.

Recently one of our clients was infected with a piece of malware – nothing strange here! The infection was downloaded from the web via a URL embedded and masked within a very well-crafted phishing email – again, this is hardly surprising.

What was new, and a first for me, was that the file was pulled from an HTTPS server rather than an HTTP one. For those not familiar with the difference, HTTPS encrypts the connection between the website and your computer so that the details of the exchange are not visible to anyone on the internet who may try to intercept the transaction. It is the same protocol that is used widely by banks, online payment systems, email systems and more.

In fact the use of HTTPS to try and make the internet safer is increasing rapidly – yet this customer was undone by a mechanism designed to make browsing the internet safer!

In 2016, I read several articles and blogs spruiking that HTTPS would soon become a very active attack vector, as analysis or inspection of the traffic is quite difficult and usually relies upon a hosted cloud service like Cyren or iBoss or an on-site Unified Threat Management (UTM) firewall like a WatchGuard.

Unfortunately, cloud services like Cyren and iBoss are not available in Australia, and on-site firewalls are not only expensive, but many IT companies avoid dealing with the complexity and training required and merely subscribe to the defeatist attitude of “infections are part of computers and the internet and trying to stop the inevitable is pointless”.

And they could very well be right as the following report might show.

The 14th of February was the date the email arrived in the user’s inbox. I copied the URL that is displayed when you hover your mouse over the link in the email and pasted it into the free URL lookup service offered by VirusTotal – NO HITS!

The following day I performed the same task and bingo – only 2 on this occasion though.

https://virustotal.com/en/url/1456ca24e805df8654540979b73510cbde489e6e439118543cd50cfab7f1fc7a/analysis/1487196920/

I then uploaded the zip file containing the malware to the same VirusTotal system – 4 out of 57 of the most commonly used and well-known antivirus vendors were aware of this infection.

The good news with this incident was that the Endpoint Antivirus / Anti-Malware system Webroot detected and cleaned the infection before any serious damage could be done – a narrow escape when you consider the damage that is being caused by the surge in Ransomware.

To be as open and honest about the setup as possible, the customer was using our recommended antivirus and antispam and also had a WatchGuard firewall installed.

A cost-effective and solid solution that will stop most threats.

So why didn’t it work?

As I alluded to earlier, the file was downloaded from an HTTPS website, so a WatchGuard firewall with HTTPS Content Inspection could have decrypted the traffic, scanned the file using its in-built antivirus and uploaded the file to Lastline for additional behavioural analysis, detecting and stopping the file before it reached the user’s computer.

With this customer, the firewall was installed when they were much smaller, with less internet usage, and at the time it was suitable. As the business had grown significantly and the security solution had not, enabling a CPU-intensive service like HTTPS Content Inspection became unviable, as the load was beyond its capabilities.
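One way to check whether HTTPS Content Inspection is really switched on for a given site, as an added example that is not part of the original article: a firewall that decrypts HTTPS re-signs the site's certificate with its own CA, so the issuer a client sees tells you whether the traffic was opened and scanned or passed through untouched. The CA name, host names and sample certificates below are constructed placeholders.

```python
import socket
import ssl

# Assumption: the CA name your firewall re-signs inspected traffic with.
# Hypothetical value; use the subject of the CA exported from your own UTM.
INSPECTION_CA_NAMES = {"Example UTM HTTPS Proxy CA"}

# Constructed sample certificates in the dict layout SSLSocket.getpeercert()
# returns, so the logic can be exercised offline. Hosts and CAs are made up.
SAMPLE_CERTS = {
    "downloads.example": {"issuer": ((("organizationName", "Example UTM"),),
                                     (("commonName", "Example UTM HTTPS Proxy CA"),))},
    "bank.example": {"issuer": ((("countryName", "US"),),
                                (("organizationName", "Public CA Inc"),),
                                (("commonName", "Public CA R3"),))},
}


def issuer_fields(cert):
    """Flatten the nested issuer tuples from getpeercert() into a dict."""
    return {key: value for rdn in cert.get("issuer", ()) for key, value in rdn}


def is_inspected(cert, ca_names=INSPECTION_CA_NAMES):
    """True if the certificate was issued by the firewall's inspection CA."""
    issuer = issuer_fields(cert)
    return (issuer.get("commonName") in ca_names
            or issuer.get("organizationName") in ca_names)


def fetch_cert(host, port=443, timeout=5):
    """Return the certificate this machine is actually served for host.

    Verification stays on: getpeercert() is empty without it. A verification
    error here means the issuer is not in this machine's trust store.
    """
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()


def audit(certs_by_host, ca_names=INSPECTION_CA_NAMES):
    """Label each host 'inspected' or 'bypassed' by who issued its certificate."""
    return {host: "inspected" if is_inspected(cert, ca_names) else "bypassed"
            for host, cert in certs_by_host.items()}


if __name__ == "__main__":
    print(audit(SAMPLE_CERTS))
```

On a live network, build the input with `{h: fetch_cert(h) for h in hosts}` from a workstation behind the firewall. Any host reported as bypassed is being delivered to users without the firewall having decrypted or scanned it.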

So how can you test your Web Security protection?

Security companies like Cyren and Zscaler offer free, easy-to-use online testing and reporting tools that can help you identify whether your Outsourced IT Partner is up for the challenge of trying to protect your business – try for yourself!

If they have engaged the decision makers within a business correctly and have implemented a layered security model comprising a well-configured UTM firewall and endpoint security… well, see for yourself.

https://www-us.cyren.com/tl_files/wsd_report/pdf_report_v21.php?report_data=PRM%2BVllwOATE%2FHJYUOUJEaD0Xr9as0h25ZE8QURlnsH7jl4A%2FNIbTYkWt9j163ZfHo8Jn9EOCCoUPO7YOyIiNw%3D%3DrWElOUeJLH25yyrigYyAeAhTcFtXNeQgX8FoQb%2Fitik1WBzVgoO0gN6JFdoSiAyK3LAQjYh2HzotyUpkjexU9g%3D%3DNOiL30j66kW51Z4MdQzARjCeiSvF4jYtbZ2%2FMS3cskUYITFf1SHgb5MeVcjoSFvxd6BeRYx9jFiy%2BI%2Fa7gCLLQ%3D%3D

 

http://securitypreview.zscaler.com/zscaler/results.php?type=marketo&q=eyJ0aW1lIjoxNDg3MTk3MjYyLCJ2ZW5kb3IiOiJ6c2NhbGVyIiwicmVzdWx0Ijo3NDQwMTczfQ==

 

The results are not perfect but I am betting that right now you are collating your own results ready for your next monthly or quarterly IT Strategy discussion.

Don’t get me wrong: all the safeguards available might still not cover every attack vector or exploit attempt that hackers can engineer, but there are many cost-effective ways within reach for businesses to protect themselves.

Author: Shaun Atkinson

Shaun is the head of engineering at OtiumTech. He is passionate about cyber security and finding ways to push SMEs forward into new technologies.