2.6 Information security and cybersecurity: introduction
2.6.4 Web-based security threats: counter-measures
Cybersecurity and information security vulnerabilities may be categorised overall as arising from three possible sources: malicious activity, facilitating behaviour by end-users, and inadequate technical protection measures (Leitold, 2016; see Figure 2.9, below). The different types of defences and counter-measures may thus be classified as either technical or social. Either category may be further divided to include approaches of prevention, detection, reaction or deterrence (Fléchais, Riegelsberger, & Sasse, 2006): see Table 2.3 below. Cybersecurity is rapidly evolving: web security risks change over time as new vulnerabilities are discovered, and new defences and new versions of application frameworks, web servers, operating systems, browsers, plugins and extensions are developed (Sullivan & Liu, 2012). Vulnerabilities in browsers or browser extensions are widespread, particularly in older browsers (Cova, Kruegel, & Vigna, 2010; Grossman, 2012; McCormack, 2016).
While browser security has generally improved, plugins (software that interfaces with the browser) which play media files, including QuickTime and Acrobat Reader, and render different languages, such as Flash, have proved to be a major security concern (Hoffman, 2012; Skoudis, 2005). The ActiveX framework within Microsoft Internet Explorer has long been recognised as a security threat, although recent versions have been “sandboxed” to a much greater extent than previously (Lambert, 2013). (A sandbox may be described as “an isolated computing environment in which a program or file can be executed without affecting the application in which it runs” (“Sandbox”, 2005)). Recently Java has been targeted extensively by hackers, leading some security researchers to recommend that the Java Runtime Environment (JRE) should be disabled on end-users’ computers unless required for business reasons (F-Secure, 2012).
Internet Explorer version 6 (IE6) was notoriously insecure, and its use was deprecated by Microsoft (Reisinger, 2011) and by the Department of Health Informatics Directorate, which, in 2010, recommended upgrading to IE7 (DH Informatics Directorate, 2010). However, its use was continuing in parts of the NHS, no doubt because of compatibility issues with a range of critical “legacy” applications (Arthur, 2010; NHS Networks, 2013).
Recommended security measures to reduce the risk of drive-by downloads and other web-based attacks include standardisation of browsers, applications and plugins, auto-updating of browsers and critical applications; disabling of Java except where specifically needed; blocking of inappropriate categories of web content; reputation-based URL filtering to screen out compromised or malicious websites, use of strong passwords, and control of applications at the endpoint (Sophos, 2016a).
Figure 2.9 Triunal model of cybersecurity vulnerability. From Leitold (2016), p. 4; reproduced by permission.
Further defences include browser-based warning services (Firefox, Chrome, Safari, IE8, IE9); and web-hosted link checking services (Bradbury, 2010). Technical and social information security counter-measures are illustrated in Table 2.3 above, and are discussed further in Section 2.7.3 below. Technical defences against malware and unauthorised network access are of various types.
Spam filters, as the name implies, filter out spam (unwanted and unsolicited email) and suspected phishing messages, and prevent them from reaching users’ inboxes. Anti-malware (anti-virus) systems afford varying degrees of protection against known threats. They are commonly required to be installed on all desktop machines connected to the network or with access to the Internet, on servers and on mobile devices.
Table 2.3 Technical and social information security counter-measures. Based on / updated from Fléchais, Riegelsberger, & Sasse (2006), p. 1. Each entry gives the category, its description and examples.

Technical countermeasures
  Prevention (stop attacks from happening): firewalls, secure web gateways, intrusion prevention systems; appropriate system permissions; encryption and / or password protection of portable media and devices
  Detection (notice and identify an attack): intrusion detection systems; user monitoring
  Reaction (stop or mitigate an attack in progress): automated response mechanisms linked to intrusion detection systems
  Deterrence (discourage misuse): awareness / visibility of technical countermeasures, e.g. individual user monitoring, website blocking

Social countermeasures
  Prevention (stop attacks from happening): end-user information security good practice (prohibition of password sharing, use of encrypted and / or password-protected portable media and devices); acceptable use policies; user education (detection of social engineering, basic security measures)
  Reaction (stop or mitigate an attack in progress): system administrators or emergency response teams
  Deterrence (discourage misuse): SWG warnings to users when websites are blocked; internal disciplinary sanctions; possibility of criminal prosecution for illegal activity
Intrusion detection systems (IDS) work rather like burglar alarms; they monitor network traffic and log or notify of any possible malicious activity. Host-based and network-based intrusion prevention systems (IPS) are able to exercise access control to protect computers or networks from exploitation, and also have the ability to take immediate action, based on a set of rules established by the network administrator.
The firewall is a key component of any network security infrastructure: it is a device (hardware or software) which functions in a networked environment to prevent communications forbidden by the security policy. It has the basic task of controlling traffic between different zones of trust, e.g., between the Internet (low trust) and an organisation’s internal network (high trust). There are four main classes of firewall: packet filter firewalls, stateful inspection firewalls, application proxy firewalls, and deep packet inspection firewalls, also known as next-generation firewalls (Honan, s.d.).
All types of firewall have common characteristics in that they distinguish good from bad network traffic according to a set of criteria (Gattine, 2014). Network perimeter firewalls are unable to prevent cyber-attacks on web applications. Next-generation firewalls, however, vary in the features they provide; they can be configured to provide control of access to websites and web applications at a detailed level, as well as bandwidth management (Ferrar, Wood, Penny, & Date, 2009; Sullivan & Liu, 2012). Data loss prevention (DLP) solutions relate to information security specifically; they may be implemented to protect against data loss via email or social media.
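To make the distinction between the first two firewall classes concrete, the following added example (not code from the thesis or any cited source) models a packet filter that judges each packet in isolation against a rule list, and a stateful inspection firewall that records connections it has admitted and lets only their replies back in. The packet model, rule format and addresses are constructed for illustration.

```python
from collections import namedtuple

# Constructed packet model: direction is "in" (towards the internal network) or "out".
Packet = namedtuple("Packet", "direction src_ip src_port dst_ip dst_port flags")
ANY = None  # wildcard for a port field in a rule


def rule_matches(rule, pkt):
    direction, src_port, dst_port, _action = rule
    return (pkt.direction == direction
            and src_port in (ANY, pkt.src_port)
            and dst_port in (ANY, pkt.dst_port))


# Packet filter: no memory of earlier packets, so to let HTTPS replies back in it
# needs a blanket rule for anything arriving from source port 443.
STATELESS_RULES = [
    ("out", ANY, 443, "allow"),  # internal clients may open HTTPS connections
    ("in", 443, ANY, "allow"),   # admits replies, but also unsolicited packets from port 443
]


def stateless_filter(pkt, rules=STATELESS_RULES):
    for rule in rules:
        if rule_matches(rule, pkt):
            return rule[3]
    return "deny"  # default deny


class StatefulFirewall:
    """Stateful inspection: remembers allowed connections and admits only their replies."""

    def __init__(self, rules):
        self.rules = rules
        self.sessions = set()  # (client_ip, client_port, server_ip, server_port)

    def filter(self, pkt):
        # A reply to a connection admitted earlier needs no inbound rule at all.
        if (pkt.dst_ip, pkt.dst_port, pkt.src_ip, pkt.src_port) in self.sessions:
            return "allow"
        for rule in self.rules:
            if rule_matches(rule, pkt):
                if rule[3] == "allow" and "SYN" in pkt.flags:  # new connection: record it
                    self.sessions.add((pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port))
                return rule[3]
        return "deny"


STATEFUL_RULES = [("out", ANY, 443, "allow")]  # outbound HTTPS only; no inbound rule needed


def demo():
    """Three constructed packets: a client SYN, the server's reply, and an unsolicited inbound packet."""
    fw = StatefulFirewall(STATEFUL_RULES)
    syn = Packet("out", "10.0.0.5", 51000, "203.0.113.10", 443, {"SYN"})
    reply = Packet("in", "203.0.113.10", 443, "10.0.0.5", 51000, {"SYN", "ACK"})
    unsolicited = Packet("in", "198.51.100.7", 443, "10.0.0.5", 3389, {"SYN"})
    return {"stateless": [stateless_filter(p) for p in (syn, reply, unsolicited)],
            "stateful": [fw.filter(p) for p in (syn, reply, unsolicited)]}
```

The packet filter admits the unsolicited packet because its blanket inbound rule cannot tell a reply from a new connection; the stateful firewall denies it because no matching session exists.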
An important type of security device commonly used within the NHS is the secure web gateway (SWG), a type of web proxy. The popularity of these as security devices has increased in response to the increased incidence of web-borne threats, as described above (Roiter, 2007). All web traffic has to pass through the SWG, which has two roles: 1) it performs security-related tasks such as authorisation and authentication relating to web content requests sent from a user’s browser, rejecting requests which do not meet the configured criteria; 2) it examines the requested content for malware and other threats before sending it to the user. SWGs are able to categorise URLs and to analyse and manipulate scripts on web pages (Blue Coat Systems, 2015).
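The two SWG roles described above, as an added example that is not part of the thesis or of any vendor's product: a request stage that authenticates the user and applies URL category filtering, and a response stage that scans the fetched content for a malware signature and strips inline scripts before release. The user list, category table, signature string and origin pages are all constructed stand-ins.

```python
import re
from urllib.parse import urlparse

# Constructed policy data standing in for a directory, a URL reputation feed and AV signatures.
AUTHORISED_USERS = {"alice", "bob"}
BLOCKED_CATEGORIES = {"malware", "phishing", "gambling"}
URL_CATEGORIES = {
    "intranet.example": "business",
    "news.example": "news",
    "bad.example": "malware",
    "account-verify.example": "phishing",
}
MALWARE_SIGNATURES = ["CONSTRUCTED-MALWARE-MARKER"]
SCRIPT_RE = re.compile(r"<script\b[^>]*>.*?</script>", re.I | re.S)


def check_request(user, url):
    """Role 1: authenticate/authorise the request and apply URL category filtering."""
    if user is None:
        return (False, "unauthenticated")
    if user not in AUTHORISED_USERS:
        return (False, "user not authorised")
    host = urlparse(url).hostname or ""
    category = URL_CATEGORIES.get(host, "uncategorised")  # unknown hosts are not blocked here
    if category in BLOCKED_CATEGORIES:
        return (False, "blocked category: " + category)
    return (True, "category: " + category)


def inspect_content(body):
    """Role 2: scan fetched content for malware and neutralise inline scripts before release."""
    for sig in MALWARE_SIGNATURES:
        if sig in body:
            return (False, "malware signature matched", "")
    cleaned, n = SCRIPT_RE.subn("", body)  # script manipulation: remove inline <script> blocks
    return (True, "released (%d script block(s) removed)" % n, cleaned)


def gateway(user, url, fetch):
    """Apply both roles in order: a rejected request is never fetched; fetched content is inspected."""
    ok, reason = check_request(user, url)
    if not ok:
        return (False, reason, "")
    return inspect_content(fetch(url))


# Constructed origin responses standing in for real web servers.
PAGES = {
    "https://news.example/today": "<p>Headline</p><script>alert(1)</script><p>Body</p>",
    "https://intranet.example/report": "<p>Report</p>CONSTRUCTED-MALWARE-MARKER",
}


def fake_fetch(url):
    return PAGES.get(url, "")
```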
The Google, Yahoo and Bing search engines incorporate screening for compromised websites; safe sites are indicated as such in search results (Ranadive, Demir, Rizvi, & Daswani, 2010). All the browsers in common use offer extensively customisable security configuration options which can reduce the attack surface. Within an institutional network, such configuration options may be restricted by group policies. However, higher security settings may result in considerable loss of browser functionality and inability to access content or applications, thereby potentially conflicting with business need.
It should be recognised that there is no such thing as an impenetrable digital defence (Austin & Darby, 2003): the overall aim should be to maximise network resilience (Scully, 2011). It is commonly recommended that a layered or integrated approach to network security is implemented within organisations, involving a combination of devices and strategies, to reduce the probability of cyber-attacks, mitigate their impact when they inevitably occur, and to assist recovery from them. As well as implementing security devices as described above, it is advocated that steps be taken to reduce attack surfaces, such as standardising user applications, implementing system policy restrictions limiting downloads to approved sources, “hardening” network operating systems through restricting system permissions, and segregating applications within the network (e.g. Ferrar et al., 2009; Oltsik, 2013). Security functions may be consolidated within a single unified threat management (UTM) system, or reports of security events from different systems may be integrated via use of a security information and event management (SIEM) system. These latter are, however, expensive and complex to implement (Lawton, 2015).
Sections 2.6 and 2.7, being closely related, are summarised and synthesised together in 2.7.4.