RealTime IT News

The Dangers of Web Access

A Web survey of companies with an average of 1,000 employees conducted by Osterman Research on behalf of PureWire, a Web security software as a service (SaaS) vendor, found the majority of the 139 respondents concerned about the Internet.

Fears that the Internet is an entry point for malware topped their list of concerns, with the impact of the Web and Web security on network bandwidth coming in second and enforcement of Web usage coming in third.

While many companies have established corporate policies against downloading certain types of files and have deployed systems that will block such downloads, they are not adequate solutions, the survey found.

The security problem is partly due to the outdated enterprise approach to Web security and partly due to Web 2.0 technologies, Paul Judge, chief technology officer at PureWire, told InternetNews.com.

Seventy-six percent of the respondents to the survey expressed concern over the Web as an entry point for malware, 55 percent worried about the impact of the Web and Web security on network bandwidth, and 44 percent about employee productivity losses from Web surfing.

The remote workforce is a source of worry -- 49 percent of the respondents were concerned about enforcing Web usage and Web security policies for their remote workforce, and 48 percent were concerned about supporting remote workers with various Web applications.

Those fears about remote workers are well founded, as they often engage in risky behavior, a study sponsored by Cisco (NASDAQ: CSCO) has found.

"The Web and Web applications pose a serious conundrum - the productivity gains and cost savings from the use of these tools can be significant and will become more important given the pressures resulting from the current economic crisis, but these tools create enormous risk for organizations of any size," the survey concluded.

That conclusion has a point. Browser add-ons, or plug-ins, such as Adobe (NASDAQ: ADBE) Flash, are becoming a growth industry, and Microsoft (NASDAQ: MSFT) has said that these are becoming a favorite target for attackers.

Browsers remain a target

Meanwhile, IBM (NYSE: IBM) is betting on the browser as an application platform, a move which will increase corporate exposure to the Web.

And the browsers themselves are not so safe, either. Mozilla and Microsoft both had to issue patches for their respective browsers earlier this month.

"Attackers have moved from e-mail to the Web because the traditional approach to the Web is outdated and new developments like Web 2.0 introduce challenges to Web security," PureWire's Judge said.

Enterprises are trying to do something about the security threat from the Web. The Osterman Research survey found that 79 percent of its respondents have established corporate policies against downloading certain types of files, 76 percent have deployed systems that selectively block downloads of certain file types, 69 percent of them use tools to block or monitor the use of Web applications at the firewall, and 31 percent use a Web security gateway to monitor the use of Web applications.

In addition, 46 percent of respondents lock down employee desktops to prevent users from installing certain Web applications and 39 percent do the same for employee desktops.

However, their attempts are not enough. Sixteen percent of the respondents said they were not completely successful in locking down employee desktops and 12 percent said they were not completely successful in locking down laptops against Web threats.

The problem could be partly due to the outdated approach to controlling the Web in the enterprise. "Most controls in the enterprise were put in place 10 years ago, when the main concern was controlling access to pornographic sites," PureWire's Judge said. "Today, it's a question of security - how do I prevent users from accessing malicious Web sites - and there's a gap there which attackers recognize and exploit."

The shift to Web applications is another part of the problem. "Antivirus applications scan files and determine if the executables they contain are good or bad, but in Web 2.0 applications like Google spreadsheets, you're not downloading executables to the desktop, you're running them between the browser and the Website so antivirus doesn't work," Judge said. "You need something that understands what the Website is trying to do to the browser."

Another issue lies in the nature of Web 2.0 technology itself, which encourages user-generated content. "Ten years ago, content providers were Web sites and you'd establish online trust by giving them certificates from someone like VeriSign (NASDAQ: VRSN)," Judge said.

"In today's world, when it's millions of users generating the content, how do you know whether the content is legitimate? There's the absence of a trust model that can deal with this."