I could become an innocent bystander in my own home. I was not safe inside all that brick and mortar. The first thing that came to mind was: 'What are the chances of that?' closely followed by, 'I live in a lightning-prone area' and 'I need the phone to communicate.' This was the choice of communication methods before the ubiquitous mobile phone and the pervasive Internet. So I ran to my mother and demanded that we get lightning surge protectors as fast as humanly possible. How could I survive without a telephone? I was a teenager.
On the Internet, computers are to homes as browsers are to telephones.To be able to communicate between houses, you need to use your browser. Some would say the Internet is somewhat 'lightning prone.' You browse around as normal until unsuspectingly hitting an intentionally malicious or even legitimate site that had been compromised, and your computer is compromised. How does not using the Internet for security reasons sound to you? Could you do it or would you sprint out and get the first 'surge protector' you could find?
'But I have a firewall,' cries the recently recruited member to the latest fashionable botnet. Unless your firewall can stop you connecting outbound to a compromised site, then it is useless against this threat. Last I checked, I was not blocking my browser from connecting to the Internet. That would defeat the purpose.
'But I only visit safe sites,' cries the latest attack vector into a corporate network after being compromised by the penetration testing team. Man-in-the-middle attacks can come from fake or compromised wireless access points or Internet cafes, even on the LAN if the opportunity arises. No Wi-Fi? I think not, Sir!
'But I have antivirus,' cries the IT Manager as he explains to the CIO how he just lost a stack of confidential records. Kernel rootkit injection and core library replacement through an unpatched vulnerability had left him open long enough to get the data and leave without writing the files that AV definitions would easily identify.
The truth of the matter is browser security is the new file and network security. Even legitimate Web sites fall prey to zero-day vulnerabilities, cross-site scripting and SQL injection attacks. If not the sites themselves, then the advertising engines posting advertisements for their parent sites. This is assuming you are surfing from a safe network, let alone the added risks of unprotect wireless networks and the hacker-friendly, man-in-the-middle opportunities they present.
This is lightning down the wire all over again, only on a grander scale with exponentially more lightning.
The moral of this story is simple to elucidate but difficult to implement: Make yourself a smaller target, install your lightning protectors, patch your browsers and if you cannot patch them, use ones that are not vulnerable, use Intrusion Prevention Systems (IPS), Host Intrusion Prevention Systems (HIPS), Layer-7 aware Web Application Firewalls (WAFs), use a secure VPN from public Wi-Fi hotspots, block unnecessary outbound communications, or at a minimum monitor them.
(Caretower Limited is exhibiting at Infosecurity Europe 2010, the No. 1 industry event in Europe held on 27th-29th April in its new venue Earl's Court, London. The event provides an unrivalled free education programme, exhibitors showcasing new and emerging technologies and offering practical and professional expertise. For further information please visit www.infosec.co.uk)