We offer free and low-cost tips to keep your employees safe and productive when online.
If Bonnie and Clyde were alive today, they'd be quite amused at just how easy it is to make a dishonest buck. Today's criminals have swapped machine guns and getaway cars for viruses, Trojans, rootkits, and other malicious software. Financial fraud as well as identity and intellectual property theft are the crimes of choice. The Justice Department's Internet Crime Complaint Center received 336,655 complaints about online fraud last year, totaling a record $559.7 million.
While the media focuses on spectacular attacks against large companies, criminals are just as happy to target small and midsize ones. There are many technologies available to help smaller enterprises reduce risk, from data loss prevention suites to full disk encryption to vulnerability management. All have merit, but with money tight and resources scarce, we believe companies can get excellent security mileage focusing on Web-based threats. It looks like business technology and security pros at these companies agree: When asked which kinds of attacks companies with fewer than 1,000 employees anticipate in the coming year, malware is by far the winner (see chart, below).
How The Poisoned Web Works
Malware is a potent threat to your systems, turning your employees' PCs and laptops into botnet zombies, placing keyloggers on your systems to capture banking passwords, and adding back doors that will let them steal business information from your network.
E-mail has been the primary vehicle for malware delivery; companies have fought back with virus and spam filters on their mail servers. Now, malware developers have drastically stepped up attacks via the Web. Favorite tactics include corrupting legitimate sites to drop malware onto PCs and luring people to sites specifically created to compromise their machines. Social media destinations like Twitter and Facebook, where users are used to clicking on shared links, are perfect for malware distribution.
Signature-based defenses, which try to identify known attacks by detecting telltale chunks of code, aren't keeping up with the malicious attacks. Malware developers create custom code for stealthy attacks, and design viruses and Trojans that can change their code just enough to avoid detection by signature scanners. Security vendors offer behavioral analysis tools that analyze programs and block or quarantine ones that demonstrate unwanted behaviors, such as changing registry keys or uninstalling security software. However, these products can be expensive and outside the budget of many small and midsize companies.
There are other ways to keep Web-based threats at bay. What follows are five low-cost and free options that can help.
1) Use SaaS Web security
Just as you scan e-mail for spam and viruses, you should do the same for inbound and outbound HTTP traffic, looking for signs of Web-borne malware. Web security appliances that use signatures and behavioral analysis to spot unwanted programs effectively combat threats, but even low-end gear can be beyond the means of smaller companies.
Fortunately, vendors are offering Web malware filtering as a service. Web traffic is routed through the provider's cloud, where malware is stripped out in real time. Providers also usually bundle other services, such as URL filtering, which keeps employees from exploring the Web's darker corners. Companies get the same functionality that they get from on-premises products, but without the capital expense.
A service also means the IT department has one less appliance to manage, no updates to deploy, and no software licenses to track. A service can be provisioned quickly and configured to protect remote as well as office workers. Subscription costs start as low as $3 per machine per month.
2) Lock down the browser
The Web is a personal playground for many users. You may not be able to get them off the monkey bars, but you can provide a safer environment by using security controls built into the browser. For example, Internet Explorer gives you plenty of options for handling cookies. Cookies with user credentials are a popular target for online criminals, and malformed ones are used for cross-site scripting attacks that can steal credentials and redirect users from legitimate to malicious sites. IE also lets you set policies for third-party add-ons and browser plug-ins. You can count on one hand the number of add-ons that have legitimate business value, such as Acrobat PDFs. The other major browsers offer similar controls, so put them to work if your company's using multiple browsers.
3) Control user admin rights
A significant portion of your workforce has little reason to run PCs and laptops with full administrative rights. Restricting admin privileges can prevent installation of unwanted software and malware. Take advantage of Windows' User Account Control feature, which was introduced in Windows Vista and is available in Windows 7. It limits users' rights to perform functions such as changing system state, disabling the local firewall, and installing software. Doing this doesn't guarantee your employees' safety, but it helps limit the number of attack vectors to which they're exposed.
There are cases where applications might require administrative rights to run. If so, use Microsoft's Application Compatibility Toolkit, a program that fools an app into believing it is running with administrator privileges.
4) Use Windows 7 AppLocker
If you're upgrading to Windows 7, check out AppLocker, a new feature that in many ways works like an application firewall. It lets admins define which applications can execute based on a vendor's digital signature or a file revision of a particular executable, among other things. It also lets you configure group policies that prevent users from running unapproved apps.
One downside: AppLocker may result in more help desk calls. For example, it may block a minor update of a legitimate program, such as Flash for Internet Explorer. Be sure your policies are tied to a vendor's digital signature, rather than narrowly focused on specific executables or Dynamic Link Library version numbers. Keep in mind that your list of approved apps will change as users seek to install software with legitimate business purposes that haven't been approved by IT yet.
5) Turn users into allies
The Web is a war zone, and you need to enlist your employees in the battle. Educate them on threats and encourage them to speak up if something looks odd or out of place. Tell them to be leery of any outside requests that they install or uninstall an application. Encourage them to call the help desk if they're unsure of a program. Remind them that file swapping, porn, gambling, and social networking sites are havens for criminals and malware. Provide them with security best practices that they can use on their home computers, too--that will reinforce the online safety message. If you have to deny a privilege or block a site, make sure users understand the reasons why.
The Web is an integral part of how everyone communicates, collaborates, and gets their jobs done. By embracing the steps we've detailed in this article, you'll go a long way to enhancing its usability and keeping the bad guys at bay.
How Enterprises Are Attacking the IT Security EnterpriseTo learn more about what organizations are doing to tackle attacks and threats we surveyed a group of 300 IT and infosec professionals to find out what their biggest IT security challenges are and what they're doing to defend against today's threats. Download the report to see what they're saying.
IT Strategies to Conquer the CloudChances are your organization is adopting cloud computing in one way or another -- or in multiple ways. Understanding the skills you need and how cloud affects IT operations and networking will help you adapt.