Preventing Attacks Through the Web

The Web is a dangerous place. A recent Osterman Research survey found that 73% of mid-sized and large organizations have had malware infiltrate their corporate networks through the Web during the previous 12 months. By contrast, malware has successfully infiltrated through email in 59% of organizations and through social media in 17%. Our data is corroborated by Palo Alto Networks’ research that finds 90% of malware attacks come through Web browsers.

What should you do to protect your corporate network from the bad stuff that can be (and probably will be) delivered through your Web browser? The traditional answer is defense in depth: intrusion detection, intrusion prevention, URL filtering, anti-virus, sandboxing and other technologies that together create something of a gauntlet through which bad stuff must pass before reaching users. This works to a great extent, but is by no means a guarantee that all malware will be stopped.

Another approach is offered by Spikes Security, a new company that isolates Web traffic in a centralized server. Instead of trying to detect malware or pass through only “safe” content to Web users, the solution makes the assumption that all content is bad and so passes through nothing. Instead, the AirGap solution converts Web traffic to compressed and optimized pixels that are then delivered to users who view them through a lightweight client that the company claims installs easily, requires no special configuration, and offers good video and audio performance. In essence, Web users are simply viewing a video feed of Web content instead of the actual Web content itself. AirGap provides end-to-end encryption for Web traffic and claims that its proprietary client/server protocol cannot be compromised by malware. Each user session is isolated via a hardware-assisted virtual machine.

Pricing for AirGap ranges from $5.13 to $9.00 per user per month depending on the number of users (sessions) and the length of the software license.

The concept of AirGap is a simple one and should be completely effective at preventing attacks that come through Web browsers. The only downside – and it might be a significant one for some organizations – is that at this point only the AirGap client can be used to view Web traffic, not individual browsers via a plug-in. While this won’t be a showstopper for most organizations, it could be for some that depend on plug-ins for some Web functionality.

All in all, AirGap is a fairly elegant approach to the increasingly perilous issue of Web-borne malware.

Are you asking – and can you answer – some important questions?

Obviously, information security and risk management are critical issues for any organization, regardless of its size or the industry in which it participates. But maintaining the security of your information and others’ information that you possess, as well as mitigating the risk associated with data breaches, is difficult and getting tougher all the time. This is particularly true in an era in which employees and contractors increasingly use their personal devices and applications to create and store corporate content.

There are some important questions about your organization’s information security status and practices that you should be asking – and that you should be able to answer quickly:

  • Do you know how many users in your organization have installed and are using Dropbox, Microsoft OneDrive, Google Drive or a similar solution to store work-related documents? If so, do you know what data they are storing there? If so, does your corporate IT department have ready access to this content if, for example, an employee leaves the company?
  • Are some of your employees sexually harassing other employees or sharing ethnic jokes through the corporate email system, instant messaging or social media? If so, can you readily identify these people in real time or near real time and take appropriate steps to ensure that it stops immediately?
  • Are any of your employees sending sensitive or confidential information to your competitors?
  • When the corporate email system goes down, do your employees use their personal Webmail accounts to continue sending work-related emails? If so, are these emails and their content easily recoverable by your IT department so that they can be scanned and archived in compliance with corporate policies?
  • When employees leave the company, is there a formal and reliable process for decommissioning their access to corporate resources, including their access to personally managed repositories that store corporate content?
  • Do ex-employees still have access to your corporate systems and/or data assets?
  • Do users employ very strong passwords to access corporate resources? Do they change them periodically? Are corporate passwords managed by IT?
  • When users need to send files that are larger than can be sent by your corporate email system, do they use a corporate-managed solution to do this?
  • Do users encrypt emails when necessary, such as when sending customers’ personal financial information or employees’ protected health information?
  • Have employees received formal training about protecting themselves and the organization from phishing or spearphishing attacks? If so, are they tested periodically to determine if the training has been effective?
  • Is your organization archiving business records to satisfy eDiscovery, regulatory or other obligations? If so, are you archiving them in email only, or in every venue they might be found, such as instant messaging, social media, Dropbox, Salesforce Chatter, etc.?
  • Is the content from employees’ smartphones and tablets – whether company or personally owned – archived on a continuous basis?

These questions are just the tip of the iceberg with respect to the types of questions you need to be asking – and that you should be able to answer quickly and accurately.

Organizations’ Plans for Archive Migration

In late May 2014, Osterman Research conducted an in-depth survey of 164 organizations and their archiving system migration plans. We surveyed primarily mid-sized and large organizations across a wide range of industries. Key findings from the research include the following:

  • The typical archiving solution has been in place four years and eight months (median is 36 months).
  • There is not a high level of satisfaction with current archiving solutions. For example, only 60% of organizations are “pleased” or “extremely pleased” with the current archiving solutions’ ability to place legal holds on content, only 52% are this pleased with the speed of the solution’s search performance, and only 44% are this pleased with the ability to delete content when necessary.
  • Moreover, we found significant differences in the level of satisfaction with archiving solutions based on their age. For example, organizations with archiving systems that are more than three years old are nearly twice as likely “not to be pleased at all” with their ability to place legal holds on content (14.5% for older systems vs. 7.6% for more recent systems), the ability to establish different retention policies (16.7% vs. 11.0%), and the scalability of the system (15.2% vs. 11.2%).
  • We also discovered a significant difference in the penetration of cloud-based archiving based on the age of the system: organizations with an archiving solution no more than three years old have placed 33.4% of their archived content in the cloud compared to only 13.2% for older solutions.
  • Finally, we found that 7.6% of the organizations will “definitely” replace their archiving solution over the next 18 months while another 27.2% will “probably” do so, as shown in Figure 1. Not surprisingly, organizations with older archiving solutions in place are much more likely to definitely or probably replace their archiving solutions during the next 18 months (39.8% vs. 30.1%).

We published a white paper that goes in-depth on archiving migration that you can download here.