Q: My end-users are spending a lot of time on Web 2.0 sites that use a lot of AJAX and other new technologies. Does this open any new attack vectors into our organisation?
Recent Sophos stats show that over 70% of new web-borne malware is hosted on compromised sites, often inside businesses -- not on sites deliberately set up for criminal misuse. In other words, we, the Good Guys, are collectively providing more than two-thirds of the malware delivery ammo available to web-savvy cybercmininals. And Sophos turns up an average of about 5000 new URLs hosting malware (are you ready for this?) per _day_.
(Some days it's many more than that.)
Web security begins at home. Make sure your own company's web presence is patched and safe against remote compromise, whether from without or within. An internal infection of the Psyme family of malware, for instance, can inject malicious code
- into thousands of HTML and PHP files on your servers in minutes. Keep that anti-virus and those OS/application patches up-to-date, on servers and wokstations.
Consider going for a web filtering solution which is focused on security, not just staff productivity. Blocking outward access to disallowed porn and gambling sites is probably very important. But active malware filtering of all inbound data, even from apparently legitimate sites, is a must these days. To look for malicious scripts, iframes and the like in downloaded HTML pages, or to spot exploit shellcode in apparently-innocent pictures or cursor files, you probably need specialist help from a commercial product.
This was first published in May 2007