
Press Releases by CGIDir


ScanSafe Makes Top Web Security Predictions for 2007 - Web Threats Eclipsing Other Attacks


December 13, 2006; 09:41 AM
ScanSafe, the leading global provider of Web Security-as-a-Service, today released its top eight web security predictions for 2007.

1. Web extends its lead over email as the threat vector of choice
Perhaps more than any other year, 2006 marked the ascendance of Web threats. In fact, unlike previous years that were marked by mass-mailing worms like MyDoom, Bagle and Sober, 2006 was the year when Web-based threats, most notably the Windows Meta File (WMF) Flaw, took centre stage – eclipsing the email threats.

A recent IDC survey of businesses also supports the notion that Web surfing has surpassed email as a threat vector. It found that up to 30 per cent of companies with 500 or more staff have been infected as a result of Internet surfing, while only 20 to 25 per cent of the same companies experienced viruses and worms from emails.

ScanSafe expects this trend to continue in 2007, with more and more threats moving to the Web.

2. Malware authors continue to target Web 2.0 sites making real-time scanning imperative
As more and more users go online to take advantage of Web 2.0 applications like social-networking sites, blogs, wikis and RSS feeds, malware authors are going to be right behind them. The explosion in the popularity and use of Web 2.0 sites has made them an irresistible target for malware authors. Early signs of this were evident in 2006. In August, the ScanSafe Threat Centre found that up to one in every 600 social-networking pages hosts malware, and in recent weeks malware on Wikipedia, MySpace and YouTube has been exposed.

Web 2.0 user-contributed content means that the content on the thousands of URLs is constantly changing. Unfortunately, many traditional Web filtering solutions rely on URL databases and honeypots and are therefore not in a position to keep up with the dynamic content that characterises Web 2.0 sites. In addition, traditional anti-virus solutions that require signatures will be slow to react to zero-day threats – threats that appear before a signature or patch is made available.

“Web 2.0 and the increasing shift toward Web services makes many existing Web filtering and Web-malware solutions ineffective,” says ScanSafe’s Product Manager, Spencer Parker. “The only way to keep up with the latest Web-threats is to rely on a solution that actually scans the URL in real time every time it is requested versus just comparing it to a dated list of URLs.”

Also of mounting concern is the potential for abuse of AJAX and Web 2.0 applications. Cross-site scripting (XSS) worms, for example, which can insert malicious code into dynamically generated Web pages, could allow an attacker to change user settings, access account information, poison cookies with malicious code, expose SSL connections and access restricted sites.

3. IM increasingly leveraged by hackers to send SPIM and malware
According to a survey by the ePolicy Institute, 31 per cent of employees use IM at the office, and 78 per cent of those users download free IM software from the Internet. However, only 11 per cent of organisations employ IM gateway/management software to monitor, purge, retain, and otherwise control IM risks and use. The same survey found that only 20 per cent of companies surveyed have adopted a policy governing IM use and content.

Spencer Parker explains: “The threat has shifted from email communications to IM and Web-based applications. IM is too lucrative a target for malware authors to overlook. We expect to see a meaningful increase in spam over IM, or SPIM, as well as malware targeting IM in 2007.”

4. Continued pressure on service providers to deliver clean bandwidth – including HTTP traffic
On November 28, the European Commission called for ISPs and regulators to do more in cracking down on spam, spyware and other malware. Regulators and others have long called for ISPs to take a more active role in providing clean bandwidth, in much the same way that water companies are required to provide clean water. ScanSafe anticipates that in 2007, ISPs will take a more active role pushing security into “the cloud” in an effort to deliver clean bandwidth.

“We believe 2007 is the year that more and more ISPs begin to push security solutions out into the cloud. We anticipate more and more ISPs will partner with managed security service providers to deliver clean bandwidth.”

5. Zero-Day threats continue to grow, making the need for real-time Web scanning critical
ScanSafe reported that zero-day threats accounted for between 10 and 15 per cent of all threats it blocked in 2006. In 2006, the Windows Meta File (WMF) flaw, discovered in December 2005 and quickly exploited by hackers, underscored the increasing importance of the zero-day. For example, between December 30, 2005 and January 3, 2006, ScanSafe reported that the percentage of customers exposed to the WMF vulnerability increased from 6 per cent to 15 per cent.

Again, in September hackers were quickly able to exploit a Vector Mark-up Language (VML) vulnerability discovered in Microsoft’s OS. Within days, the vulnerability resulted in exploits, including malware hosted on porn sites as well as email lures driving users to compromised sites, including one Web page masquerading as a seemingly benign Yahoo! greeting card. This VML example is further evidence that hackers and malware authors are quick to take advantage of vulnerabilities to seed what are called zero-hour exploits – threats that appear before a patch or anti-virus signature becomes available.

“The day and age of solely relying on signature-based protection to provide protection from Web-based threats is over. The sophistication of threats and the pace at which new vulnerabilities are exploited demands a multi-layered approach that supplements anti-virus signatures with heuristics and real-time scanning that detect zero-hour threats and deliver protection from them in the critical hours between the emergence of the threat and the release of an anti-virus signature.”

6. The death of the perimeter: remote and roaming users pose significant challenges to traditional notions of perimeter security
2006 was riddled with stories of security breaches resulting from mobile devices. Even more concerning is that according to the Business Performance Management Forum, 40 per cent of enterprises do not have policies to secure mobile devices and that IDC expects that the number of global mobile employees will grow beyond 878 million by 2009.

IT managers can no longer rely on out-dated notions of perimeter security, because there is no perimeter. Expect malware authors to continue to take advantage of improperly secured PCs of remote and roaming users.

7. VoIP emerges as a real threat vector
ScanSafe believes that in 2007, companies will begin to open up SIP gateways and make them accessible on the Internet. While this will result in lower costs for telephony, it will also open companies up to a wide variety of threats that are not necessarily being contemplated because many companies still don’t perceive a VoIP phone as a “computer”. The result is that both VoIP devices and servers will be subject to the same type of vulnerabilities as any other computer, including denial of service attacks, theft of service, fraud and phishing attacks.

8. Vista and IE7
No list of 2007 Web security predictions would be complete without a reference to Vista and IE7.

Will Vista improve security for consumers? Probably. But it’s less certain that it will do the same for corporate users because Vista will probably not see widespread deployment in enterprises in 2007 (Gartner) and because it is not designed for centralised management or reporting, meaning corporate users will remain the weakest link in the chain.

We saw a similar pattern when Microsoft released a “personal firewall” in Windows XP. While it certainly did help to protect users, it was not the panacea that some predicted would lead to the death of 3rd party security providers.

While Vista can block malware at the system level, it won't necessarily stop users from installing malware. Given the barrage of warnings and pop-ups, we expect that many users will simply disable the most relevant security features of Vista, negating any potential security benefit. In addition, any malware that leverages social engineering will likely trick users into installing it.

The net result for IT managers will simply be an increase in support calls and no meaningful decline in Web threats.

About ScanSafe
ScanSafe is the leading global provider of Web Security-as-a-Service, ensuring a safe and productive Internet environment for businesses. The easy-to-use service requires no hardware and delivers real-time, complete protection from the latest Web threats. ScanSafe’s solutions keep viruses and spyware off corporate networks and allow businesses to control and secure the use of the Web and instant messaging applications.

Powered by its proactive Outbreak Intelligence heuristic technology, ScanSafe processes more than five billion Web requests and blocks 10 million threats each month for customers including Rothschild, Condé Nast and BMW.

Since pioneering the market for Web Security-as-a-Service, ScanSafe continues to deliver innovative Web security solutions, including the introduction of Scandoo - the world’s first free secure Internet search tool that classifies search results based on the presence of malware and unwanted content.

With offices in London and San Mateo, California, ScanSafe is privately owned and financed by Benchmark Capital. The company received the 2006 Info Security Global Product Excellence Award for Best Managed Security Service, and was named one of Red Herring’s Top 100 Technology companies. For more information, visit www.scansafe.com.
