Posted by: Ken Harthun
Sophos recently issued a whitepaper called “The 10 Myths of Safe Web Browsing.” It covers everything I have been saying to my clients all along.
The problem with security is often one of complacency (see Why People Are Complacent About Security); no visible infections or problems are manifest, so as far as anyone knows, nothing is wrong. In reality, nothing could be further from the truth. Most infections these days are invisible. Look at it this way: Burglars don’t want to be detected. The vast majority of malware these days is designed to steal valuable information and the more it can get, the better. The crackers don’t want you to know they are stealing your stuff, since that cuts into their profits, so the malware is very stealthy.
What follows in two parts is my commentary on Sophos’ myths.
Myth #1: The web is safe because I’ve never been infected by malware. Yeah, right. That’s the same illogic as “I’ve never been sick, so I don’t need to live a healthy lifestyle.” Sooner or later, it catches up to you. There are many examples of perfectly healthy athletic individuals collapsing while doing their exercise routines. Likewise, people don’t know their computers have been infected with malware until their bank account balance goes to zero or their credit cards get maxed out.
Myth #2: My users aren’t wasting time surfing inappropriate content. Wanna bet? I’m not going to give specifics here, but I have seen firsthand that nearly half of the users in any given organization have accessed inappropriate content. Without adequate web filters in place, you just don’t know about it. One organization I worked for had excellent web filtering and still failed to spot a third of the inappropriate content being accessed by its employees.
Myth #3: We control web usage and our users can’t get around our policy. Good luck with that. All you have to do is search for “bypass web filter” to find that you’re really up against the wall. According to Sophos, “Anonymizing proxies make it easy for employees to circumvent your web filtering policy and visit any site they like. Anonymizing proxies are readily available and regularly exploited by school kids and employees alike. Hundreds of new anonymizing proxies are published daily. . .”
Myth #4: Only porn, gambling, and other “dodgy” sites are dangerous. Yeah? Well, don’t tell my wife, but I’ve tested this myth on a PC with no antivirus and no antimalware protection with no hardware or software firewall. After a surfing session of more than 50 “dodgy” sites, I ran a malware scan and found nothing more than cookies and a small adware application. The truth is, “Hijacked trusted sites represent more than 83% of malware hosting sites,” according to Sophos. Makes sense, though, doesn’t it? It’s part of the overall deception. What better site to infect than one that is “trusted”? The best double agents are trusted by both sides, aren’t they?
Myth #5: Only naive users get infected with malware and viruses. Another illogical statement. Naivete has nothing to do with it. “Malware from drive-by downloads happens automatically without any user action, other than visiting the site. Therefore, it doesn’t matter what level of computer expertise you have,” says Sophos. “The fact is, if you are visiting sites on the internet, you are at risk.” I recently found some suspicious files on my machine during a routine scan. I have no idea where they came from; they hadn’t been executed. The fact is, I’m not even close to being a “naive” user. I must have gotten the files during a download.
We’ll cover download infections and more in Part 2.