Is Web site filtering an obsolete security control?

I’ve often written about the benefits of using Web filtering products and services, like those offered by Websense and OpenDNS.  Over time, however, attackers have become smarter about circumventing this common enterprise security control. 

AVG reports the number of websites set up to steal your data has nearly doubled from about 150,000 per day to 300,000 since October 2008. More alarming to AVG is the fact those sites are short lived and vanish sometimes within 24 hours. These “transient threats” make maintaining lists of dangerous websites extremely hard to manage, says Roger Thompson, chief research officer for AVG.

“Security firms can no longer rely on just blacklisting sites,” Thompson says. AVG, like many other anti-virus companies, keeps track of rogue sites and updates its desktop anti-virus software with that list. But as the churn of new threats increases at an alarming rate blacklist databases become increasingly less effective.

Source: Security Firm Sees Alarming Rise in ‘Transient’ Threats (PC World), Tech.Yahoo.com, 27 January 2009

In addition to site pop-ups, attackers are increasingly planting malicious code on reputable sites.  According to the Websense report, State of Internet Security, Q3-Q4 2008,

— 70 percent of the top 100 most popular Web sites either hosted malicious content or contained a masked redirect to lure unsuspecting victims from legitimate sites to malicious sites. This represents a 16 percent increase over the last six-month period, according to new research released today from Websense Security Labs. The top 100 most popular Web sites, many of which are social networking, Web 2.0 and search sites, represent the majority of all Web page views and are the most popular target for attackers.

— In the second half of 2008 more than 77 percent of the Web sites Websense classified as malicious were actually sites with seemingly “good” reputations that had been compromised by attackers. This percentage is up slightly from 75 percent in the first half of 2008.

Does this mean filtering is no longer useful when planning how to protect the business, its employees, and its customers?  The answer is no.  As defenses strengthen, attackers must find new ways to circumvent them.  This doesn’t mean we can disregard old controls as we move to block new attack vectors.

Most security managers understand that relying completely on a strong network perimeter isn’t enough to protect our critical systems and sensitive data.  However, we wouldn’t weaken or drop perimeter defenses as we build an internal controls framework.  Similarly, we can’t disregard the value of blocking known bad sites because criminals find it easier to infect reputable sites instead of trying to stay under the radar of Web filtering and blacklist vendors.

As security managers refocus their resources on emerging threats, existing control management may inadvertently or intentionally become less important.  Defenses blocking high work factor attack vectors may weaken or simply go away.  When this happens, attackers will once again have one or more soft targets, targets that may at one time have been inaccessible.

Today, cybercriminals are using pop-up sites and infecting servers owned by reputable organizations.  When we react to these threats, they will find some other way to get to our data and systems.  Knee-jerk responses often result in dumping the old-but-reliable.  Reacting intelligently to new attack methods means augmenting existing controls or replacing them with new controls which meet both old and new challenges.