There are a number of different ways malware can be introduced into an enterprise. According to a new study from Trustwave, conducted by Osterman Research, for most organizations Web surfing is the top entry point for malware.
The report found that 74 percent of respondents got a malware infection through Web surfing. In contrast, 64 percent said email was the route by which they had been infected by malware. Only 14 blamed social media or Web 2.0 applications for malware infecting their networks.
Mike Park, managing consultant at Trustwave, told eSecurity Planet that infections from the Web are nothing new. Many enterprises have already tried to curtail Web-based attacks by restricting where employees and inside users can surf.
How Hackers Exploit the Web
The criminals have responded by launching what are called “water hole” attacks, Park explained. “That is, they put malware and links to malware on sites business users may have legitimate reasons to access. Or, they find a flaw in the site, break in and then use a legitimate site to infect users.”
Park noted that there also may be instances in which remote or traveling users, such as executives or sales people, allow their laptops to be used by family members who unknowingly infect their laptops with malware by visiting malicious sites for games and videos.
“When these users connect back to the corporate network, the installed malware has a toehold and can spread,” Park said.
Given that the Web is the primary source of malware infections, browsing the Web could be considered the most dangerous online activity. Because Web browsing is such an integral part of conducting modern business, the danger is compounded. Simply put, it's not feasible for people to avoid the Web entirely.
“The attack surface of a business is naturally increased when all of your users can access the net and use it to download Web pages, software or other data,” Park said.
The popularity of the Web as a mechanism for malware infections represents somewhat of a shift from the trends of prior years when hackers achieved success with email and phishing attacks. Park noted that information security professionals responded to the email phishing threat with better user training, better spam filtering technology and better endpoint security.
“That made using spam and email less effective and thus less profitable for the bad guys, so they changed tactics,” Park said.
Safer Web Surfing
In order to move the needle on lowering Web-based malware infections, Park suggested there is a need for better security awareness training among employees that focuses on “don’t click that link and why” and safe Web surfing practices. “The addition of better endpoint security and proxy inspection of requests can also help,” he added.
Park also sees the need for organizations to consider innovative approaches to safe surfing, such as using isolated virtual machines that do not put the rest of the network at risk. He also advocates using technologies that help employees navigate the Web safely, such as solutions that flag and filter malicious traffic so that users are only allowed to reach safe pages.
Whether Web-based malware infections remain at the same level in 2014 depends on how businesses and the industry respond.
“So long as this remains a lucrative means for criminals to get malware into their target businesses, it will continue to be high,” Park said.
Sean Michael Kerner is a senior editor at eSecurity Planet and InternetNews.com. Follow him on Twitter @TechJournalist.