Posted by: Ken Harthun
downloads, Secure Computing, Secure Search, security myths, Security practice, sophos
Here is my commentary on the remaining myths from Sophos’ recently issued whitepaper, “The 10 Myths of Safe Web Browsing.”
Myth #6: You can only get infected if you
download files. Well, that used to be the case, but these days, most infections are via the “drive-by” download. No one is safe from this because the code is injected into the web page and it executes automatically when the page is viewed. For example, I once visited a site that has funny pictures of cats and was immediately infected by an adware trojan. The pop-ups took over my browser. A hard shutdown and start up scan fixed the problem. That site is fixed, but there are many others that aren’t.
Myth #8: When the lock icon appears in the browser, it’s secure. This one can get you in trouble fast. All that lock means is that there is an SSL encrypted connection between the browser and the server. The information still flows. A real disadvantage to this type of connection is that any malware coming along will also be encrypted and could possibly bypass security scanners. Recently, spoofed SSL certificates have made it possible for hackers to give what appear to be valid SSL connections to fake bank, credit card, and PayPal sites.
Myth #9: Web security requires a trade-off between security and freedom. I’m going to disagree with their calling this a myth. Security always involves some trade-off with freedom. In their context, a suitable web security solution ( meaning their product, of course) gives the freedom to grant access to sites people need for business while keeping the organization secure. A rather vague argument in favor of making this one a myth.
Myth #10: Endpoint security solutions can’t protect against web threats. Again, their calling this a myth is simply expedient to their promotion of their web filtering product. As long as scripts can pass through to the browser–which is what has to happen or you’ll break most of the web sites–endpoint security solutions can’t do much.
As in all whitepapers, license is taken to put a spin on certain terms to make one’s product look more favorable. Sophos’ whitepaper does this with their calling those last two statements myths. However, they have given real value in their paper with the publication of the other eight myths.