Tuesday, October 23, 2012

AV Updates - Where Do You Fit In?

Since my last post about AV, I've had some more discussions with industry peers, vendors, friends, and family. I've re-read my post today and want to clarify a few points.

First of all, AV is critical. If you read any sort of undertone in the AV thread indicating AV was not essential or effective, I'd like to correct that. It's a must for everyone. If you look at modern threats and those that are highly pervasive, AV is extremely successful at prevention - keeping you from being compromised or infected. Highly pervasive malware detection leveraging signatures is where AV vendors tend to average about the same in terms of effectiveness. Where they begin to separate out is when you move from the highly pervasive/common malware into the variants, targeted malware, and deeper levels of sophistication. So there is direct correlation between who you are, what you do, and what you need. If you are only exposed to highly pervasive threats, then standard/free AV is good for you. If you are a potential target (small business owner, public facing for your employer, executive etc.), you need to move beyond free protection.

During a brief at the McAfee security conference in Las Vegas this week, I saw a report from NSS Labs that listed Kaspersky, McAfee, and Trend as 100% effective against HTTP-based detection of pervasive threats. AVG was about 50% effective. But if you think in terms of the pervasive threats and what the average home user will be exposed to, I maintain that free solutions like AVG and Microsoft Security Essentials will remain largely effective - better than the 50% indicates. The reason I maintain that position is that the threats you will likely be exposed to will fall within that 50% coverage. I'm also extremely nervous about anything that says 100%...because that's just not possible in my world. There is some arbitrary cut-off level which defines this list which I believe is subject to debate. So in terms of the home user experience...I give free AV better than 50%, and commercial AV less than 100%. The cautious home user who thinks before they click will be well protected with free AV products.

Among the pervasive threat category, McAfee contends (and I agree) that to get closer to that 100% you need a combination of signature-based detection (AV) and Threat Intelligence (identification of malicious hosts/websites or website reputation scoring). This combination will provide a comprehensive and extremely high fidelity protection set. To get the most of this...you'll need a paid-for product like Kaspersky or McAfee. Typically these come advertised as AntiVirus, AntiSpam, AntiSpyware.

The next tier of threats requires some additional capabilities for detection, specifically around behavioral analysis, which sort of takes free AV off the table. To combat this category of threat, you'll need a commercial or "full suite" host-based solution. These are going to be your expensive AV products or, from the AVG world, you'll need to pay up for the additional features. However, this category of threat is not as pervasive and the average home user is much less likely to be exposed to these sorts of threats, unless you are browsing around bad areas of the Internet. If you do a lot of social media where you're clicking on lots of links from Facebook friends, or mass forwarded emails etc., then look to a more feature-rich solution. If you do online gaming, or watch lots of Flash video...same applies. This tier combines AntiVirus, AntiSpam, AntiSpyware, AntiMalware, and Website Reputation or Categorization.

The final tier is customized and targeted malware which has a broad variation in terms of attributes, behaviors, and evasion capabilities. This final tier is where you need commercial solutions...but beyond AV. However, a full featured host-based security suite will go a long way. So who needs this at home? If you are running a business from your laptop and have any sort of sensitive information on it...then go this path. This final tier includes the capabilities of the previous lists, but adds things like AntiRootkit.

So here's a breakdown which may be overly simplified:
  • Free AV (AVG, Microsoft): best for home users who are cautious about their Internet use, check email carefully, browse a small number of "known" websites, and don't do a lot of social media interaction or limit it to only people you trust. Online banking is ok here...if you are also very cautious. Capabilities include:
    • AntiVirus
    • AntiSpyware
  • Full AV (McAfee, Kaspersky, Trend): best for home users who venture out of the box a little, perform extensive Internet searches/browsing, view lots of online videos, connect to lots of people via social media and email, and tend to be click happy (you like to click around the Internet), play games online etc. Capabilities include:
    • AntiVirus
    • AntiSpyware
    • AntiMalware
    • AntiSpam
    • Website Reputation
  • Commercial AV: if you do any home-based business on your system, go the commercial route. Most vendors have Small Business solutions that incorporate some additional features. Leverage them...remember you are storing other people's information or information about yourself that can lead to identity theft or stolen information.
    • Full AV
    • AntiRootkit
    • Application whitelisting

Saturday, October 6, 2012

Web Browsers

Introduction

In my last post (AntiVirus at home), I mentioned one tool (AV) you can use at home to help defend against criminals who want to deliver malware onto your computer. Email and web browsing were the two primary delivery vectors I discussed in that post. The topic for today also addresses malware delivery but this time via your web browser. The question for this post is "which web browser should I use?" I've heard incorrect assumptions from friends and family who heard from someone they respect that "they will be secure if they use...." or "using ... means I'm not secure." Well, let's dive into that.

Definitions

First off, your web browser is the application on your computer you are using to view this blog. They come in many shapes and sizes and many web enabled applications today contain web browser features. Your apps on your smartphone or tablet for example - many of those which display content to you from the Internet are essentially web browsers. Quite simply a web browser is an application that interacts with Internet languages and protocols to display stuff to you. Internet content such as movies, animated graphics, or documents are usually opened via another program on your computer upon request from your browser. That's why you have to install things like Flash Player, Shockwave, and PDF Reader. These aren't browsers, but more on that in a minute.

Flavors

There are too many to mention here, but some of the primary web browsers include Microsoft Internet Explorer (IE), Mozilla Firefox, Google Chrome, Apple Safari, Opera, Camino, and Netscape Navigator. Microsoft IE and Apple Safari are likely the most commonly used among home users since they come pre-installed in Windows and OSX respectively. Within corporations, typically Internet Explorer or Mozilla Firefox are the "approved" browsers with exceptions for "Safari" on Apple computers.

Plugins

Web browsers render website code written in programming languages such as HTML, XML, or PHP to display the contents in attractive formats. However, additional applications on your computer that integrate with your browser (called plugins) are used when the website content (usually media) cannot be displayed. This most commonly includes active media content written for Java or Flash or specially formatted documents in PDF. When a browser encounters content in these non-HTML/XML codes, it calls the local application that can display the code and the results are usually rendered within your browser. YouTube is a great example of this since the website is HTML, but the videos are in Flash (.swf) format. Many websites include active code like PHP which will inspect attributes of your computer to determine which format of active content should be displayed to you. A video may be served in Java or Flash or some other type depending upon your configuration.

Exploitation

A browser can't be used to exploit your computer unless there is a vulnerability in the browser, a vulnerability in one of the "plugins" mentioned above, or in how the browser uses a plugin. Usually it's one of these plugins that is actually used to compromise your computer, not the browser itself. The browser becomes the medium by which the exploit or malicious code is transferred to the vulnerable application on your computer. Take the Blackhole exploit kit as an example. It is one of the most widely used kits out there that leverages weaknesses in active content plugins (Flash or Java) to serve you malware. Your browser hits a page which includes an embedded Java applet. Your browser calls up the Java application on your computer, and loads the Java code. The malicious Java code exploits a flaw in that software to automatically connect to another website to download and launch a malicious file. In many of these cases, it's not your browser's fault - it's the plugin that put you at risk. Probably the most common browser-targeted exploits used today include cross-site scripting and iframe vulnerabilities. You can read about those at Wikipedia if you'd like, but essentially the process is the same; embedded code causes your browser to load malicious content.

Vulnerabilities

I summed up the past 2 months of vulnerabilities related to web browsing according to the United States Computer Emergency Readiness Team (US-CERT):

Adobe Flash: 3
Adobe Acrobat Reader: 21
Adobe Shockwave: 5
Apple Safari: 3
Google Chrome: 24
Internet Explorer: 9
Mozilla Firefox: 31
Perl: 1
PHP: 2
Opera: 2

Based on this sample set from the past 2 months, Google Chrome and Mozilla Firefox had the most vulnerabilities followed by Internet Explorer, Safari, and Opera respectively. This might surprise you, but statistics of new vulnerabilities in a browser show that Firefox alone averages about 44% of all web browser bugs. It has a horrible record. However, the Adobe, Perl, and PHP applications listed above are plugins which interact with each browser. So, even if your browser had 0 vulnerabilities, it's likely that with this set of application vulnerabilities you would still be at risk.

Which is the Most Secure?

That's a very difficult question to answer and I won't bore you with the background, but I call it a toss-up between Google Chrome and Internet Explorer. By itself, Chrome has been built with security at the front and Google is very quick to release updates when flaws are discovered. Microsoft is hands down the best at addressing new vulnerabilities and the latest versions of IE along with Windows 7 prove difficult to exploit. Firefox comes next. It is constantly being updated to fix newly discovered bugs, but they do a solid job of releasing updates. Apple Safari is at the bottom of the list for me because Apple is notoriously slow to fix vulnerabilities. It's common that a flaw will be discovered and Apple will take weeks and sometimes months to release an update, leaving users exposed to compromise for long periods. Just Google "Apple slow to patch" and you'll see what I mean.

Rumors and Confusion

All of these web browsers are advertised as "the safer and faster way to browse the Internet." Or something like that. It became very trendy a few years ago to drop IE and use Firefox. This trickled out from those in the IT vocation to friends and family, and the next thing I knew people were telling me they were secure at home because they don't use IE anymore...they use Firefox. Sorry to say, that's actually wrong.

Choosing a Browser

Before you take the plunge and commit yourself to a browser (by the way, I have 5 of the above installed on my laptop), you need to weigh your planned use, compatibility, risks, and threats.

Planned Use

So, what do you do with your web browser and what is most important about your browsing experience? Personally I prefer simplicity, ease of use, and speed. Those are my top three. My planned use is...well...surf the web effectively and securely and enjoy the content websites offer. To that end, my go-to is Google Chrome. But, I often find cases where Chrome simply doesn't work right. In those times I switch back to the most stable and consistent browser, Internet Explorer. Some of the websites I use often simply don't render correctly in Firefox or Safari, so rather than spend time getting frustrated, I just stick to Chrome and IE.

Risks

So your favorite browser is Firefox and you just browse the Internet to read news and check email. Are you at risk? Yes. However, risk assumes there is a vulnerability in your software, an exploit which can take advantage of that vulnerability, and that the exploit is delivered to you. Unfortunately exploit code is spread all over the Internet on various websites, including totally legitimate ones. The Russian Business Network (RBN) for example is run by cyber criminals who network resources and offer Internet services to other criminals. They also use their network for legitimate purposes and serve web banners and ads on common websites. If you hit one of these sites, you could be exposed to exploit code. There are also tons of malicious code hosted through websites that serve illicit content and online games. There are also some cyber criminals who monitor web trends (the things people search for on Google) and create malicious websites dedicated to those topics to get you to browse to them and expose yourself to the malicious code. Needless to say, the risk of exploitation is very high. If there's a new trend or breaking news story, chances are there are websites being created by criminals that will serve you information about the topic, and along with that, malicious code for your browser.

Protection

Take a look at the vulnerability and exploit sections of this post and you'll also see why I chose Chrome and IE. But consider this when browsing the Internet. Sorry Apple, but I warn all of you Mac users out there to stay away from Safari. You're better off installing Chrome on your Mac.

As I mentioned in my post about AntiVirus, your best defense is to patch your browser and related plugins regularly and at least check for updates weekly. Microsoft releases updates every Tuesday (if there are any to be released) and Google releases them when they are ready. Apple seems to release them when they eventually get around to it (bad Apple, bad!). Next, read those warnings from your browser and listen to their advice. If the browser says you are loading potentially unsafe content, stop! If you have to bypass a security feature to browse the content, think about that before you click. If your computer asks permission to open a file, make sure you trust the source. Finally, don't mess with your browser's security settings. One thing all the providers have in common is they will push security features to you in patches. So again, patch!

Be safe!