Monday, January 9, 2012

Ten Mistakes in Web Security

Web-based threats are constantly changing, yet I see people whose installations and policies have stayed the same for years, ageing and providing poor overall defences.  So the beginning of the year seems a good opportunity to review the mistakes I see time and again; let's hope you read this and find that you aren't suffering from any of them.

1. I have desktop anti-virus, that is enough.  Hopefully enough information has been shared by now to remove this misunderstanding.  Employees can be fooled by phishing attacks, can inadvertently send out confidential information, and sadly the constantly-changing nature of malware means that anti-malware systems are always playing cat-and-mouse, trying to keep up with changes from the bad guys.  Desktop scanners can only recognise what they have already been taught to recognise; a web gateway that inspects traffic and blocks known-bad destinations adds a layer in front of the desktop rather than replacing it.

2. Web filtering is for blocking only.  Web categorisation systems can block, but they can also report, coach users, let IT set priorities based on categories, redirect users to other sites, and selectively identify and control particular actions within a category (such as allowing reading but not downloading of executables from untrusted sites).

3. I only need one simple policy.   The "one size fits all" advocates often set a simple policy (e.g. block adult content, phishing and known malware) and then leave it for years.  Almost all organisations have different users who need different access, and policies should be reviewed regularly to make sure they are up to date.  Suppliers tend to add new categories and enhancements each year, so make a note now to review your policies every few months.  (For example, block all older browsers with known vulnerabilities - go on, do it now.)  With thousands of applications within Facebook, some for business and many not, you can define policies that see inside social networking and give you the control you need.

4. Reputation systems are enough.  Security systems based on reputation are good - for email!  Looking up an email sender is a great way to start reviewing whether an email is likely to be spam or infected.  However, web pages are so dynamic that a reputation lookup can only be one of many pieces of information needed to review content: a well-established site with a good reputation can be compromised and serving malware by tomorrow, long before its reputation score changes.  In tests, systems based on reputation alone have performed poorly against real-life web threats.

5. I don't need to warn/train my users.  Making a new employee sign an Internet Acceptable Use Policy when they have many other things on their mind is hardly going to change behaviour, and even occasional refresher courses don't achieve much.  But make sure that users see a splash page when they access the internet and a warning page when they attempt to reach a restricted page, and they have a constant reminder of the organisation's policies.

6. My organisation isn't a target.  Every organisation holds confidential information, and every employee can be a target, even if only for their own knowledge or personal data.  We are all targets.

7.  I cannot control remote users, so I won't try.  With almost every user taking company information outside the office on tablets, phones or laptops, every organisation has to work out what to do for its mobile workforce.  Encrypt devices, sure, but also look at the policies that can be enforced on mobile devices.  Make this year the year you investigate all the mobile security options - you know you want to... :-)

8.  There's too much in the logs, so we just keep them in case anyone asks.  Your logs can be very useful, showing users behaving oddly (how many hundreds of MB were downloaded from your cloud-based CRM system, and by whom?), the most popular categories of the web, and the load at particular times of day or week, and this can help you plan new policies, advise users and design a better, stronger network.  Just one example: logs show which PCs are already infected (a client that keeps calling out to a known-malware destination is the classic sign), so a policy can take them off the network and tell the user when they next open the browser: "Go and get your PC cleaned".
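Here is what mining those logs can look like in practice. This is an added example, not code from the original post: it parses a constructed, simplified proxy log (timestamp, user, client IP, host, bytes sent to the client, URL category, User-Agent) and pulls out the three signals mentioned in points 3 and 8 above - who is pulling hundreds of MB from the CRM host, which clients have been seen talking to a malware-category destination, and which users are still running a browser older than a policy minimum. The log format, the sample lines and the minimum browser versions are all assumptions made for the example; real proxies (Squid, Blue Coat and so on) each have their own formats, so parse_line() is the part to adapt.

```python
"""Mine a web proxy log for bulk downloads, infected clients and old browsers.

Added example. The log format is a constructed, simplified one:
  <timestamp> <user> <client-ip> <host> <bytes-to-client> <category> "<user-agent>"
Adapt LINE_RE / parse_line() to your own proxy's format.
"""
import re
from collections import defaultdict

# Constructed sample log lines for the example (not real traffic).
SAMPLE_LOG = """\
2012-01-09T09:01:12 alice 10.0.0.11 crm.example.com 524288 business "Mozilla/5.0 (Windows NT 6.1) Firefox/9.0"
2012-01-09T09:02:40 bob 10.0.0.12 crm.example.com 314572800 business "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
2012-01-09T09:03:05 bob 10.0.0.12 crm.example.com 262144000 business "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
2012-01-09T09:04:51 carol 10.0.0.13 www.facebook.com 98304 social "Mozilla/5.0 (Windows NT 6.1) Chrome/16.0.912.75"
2012-01-09T09:05:13 dave 10.0.0.14 update.badsite.invalid 4096 malware "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)"
2012-01-09T09:06:22 alice 10.0.0.11 mail.example.com 20480 business "Mozilla/5.0 (Windows NT 6.1) Firefox/9.0"
"""

LINE_RE = re.compile(
    r'^(?P<ts>\S+) (?P<user>\S+) (?P<ip>\S+) (?P<host>\S+) (?P<bytes>\d+) '
    r'(?P<category>\S+) "(?P<ua>[^"]*)"$'
)

# Oldest major version allowed by policy per browser family.
# Hypothetical values chosen for the example, not a recommendation.
MIN_VERSIONS = {"MSIE": 8, "Firefox": 9, "Chrome": 16}

# Matches the browser family and major version inside a User-Agent string.
UA_RE = re.compile(r"(MSIE|Firefox|Chrome)[ /](\d+)")


def parse_line(line):
    """Return one log record as a dict, or None for a line that does not parse."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["bytes"] = int(rec["bytes"])
    return rec


def parse_log(text):
    """Parse every line of a log, silently skipping unparseable ones."""
    return [r for r in (parse_line(l) for l in text.splitlines()) if r]


def bytes_per_user_host(records):
    """Total bytes delivered to each (user, host) pair."""
    totals = defaultdict(int)
    for r in records:
        totals[(r["user"], r["host"])] += r["bytes"]
    return dict(totals)


def heavy_downloaders(records, threshold):
    """(user, host, total_bytes) for every pair whose total exceeds threshold."""
    totals = bytes_per_user_host(records)
    return sorted((u, h, b) for (u, h), b in totals.items() if b > threshold)


def infected_clients(records, bad_categories=("malware", "botnet")):
    """Client IPs seen fetching from a malware- or botnet-category host."""
    return sorted({r["ip"] for r in records if r["category"] in bad_categories})


def browser_of(ua):
    """(family, major_version) from a User-Agent string, or None if unknown."""
    m = UA_RE.search(ua)
    return (m.group(1), int(m.group(2))) if m else None


def outdated_browsers(records, minimums=MIN_VERSIONS):
    """(user, family, version) for users running a browser below the policy minimum."""
    seen = set()
    for r in records:
        b = browser_of(r["ua"])
        if b and b[0] in minimums and b[1] < minimums[b[0]]:
            seen.add((r["user"], b[0], b[1]))
    return sorted(seen)


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    print("Over 100 MB from one host:", heavy_downloaders(recs, 100 * 1024 * 1024))
    print("Clients to quarantine:    ", infected_clients(recs))
    print("Old browsers to block:    ", outdated_browsers(recs))
```

The three functions are deliberately separate because each feeds a different policy action: the heavy-download list goes to whoever owns the CRM data, the client list becomes the quarantine group that gets the "get your PC cleaned" page, and the browser list becomes the block-old-browsers rule from point 3. Feeding a day's worth of real logs through the same loops is where the surprises usually turn up.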

9.  IT define all the policies on their own.  Appropriate policies should be designed together with senior management, employee or user advocates, and the legal and HR departments.  Get together and ask each other "what-if" questions; the flexibility available now to define policies by group, by office, by time of day, and by application within a web site means you really can target appropriate policies.

10.  New applications and systems make it impossible to keep up.  You can't just throw up your hands and say that you can't control Facebook, Twitter, LinkedIn, Foursquare, Skype and all the other newer social networking applications - there are many different controls that can be implemented.

Web control is all about balance - allowing users to access the areas they need, while keeping them safe from the areas they shouldn't visit.  But the security target is constantly moving; keep yourselves up to date and your users will be safe, your data secure and your employees productive.

Anyone can reuse this top ten list as long as I am quoted as the source.
