August 31, 2007

Malicious Web: Not just porn sites

Seven surprises from Honeypot project show any content can sting, and patching is your best defense

The New Zealand Honeynet Project, which produced Capture-HPC (mentioned here last week), also produced an excellent white paper about using Capture-HPC to identify malicious Web servers. On the group's Web site, you'll find that paper, the captured data, and the tools for anyone to inspect and replicate.

The New Zealand Honeynet Project inspected more than 300,000 URLs (nearly 149,000 hosts) for three weeks and found 306 malicious URLs served from 194 malicious servers. Here are the most interesting points, to me:

1. The highest percentage of malicious Web servers was tied directly to adult content. No surprise here. But all other types of content (e.g., news or sponsored links) were nearly as bad. It's not as if you can just avoid adult sites and be safe.

2. Many of the malicious Web sites turn non-malicious, and vice versa, all the time. I've talked about this in previous columns, but essentially many malware writers are taking great pains to make sure an infected Web site serves up malicious content to any given IP address only once. That strategy defeats additional inspection by anti-malware researchers and honeyclients.

3. Only 12 percent of malicious URLs appeared on a blacklist. Nevertheless, counterintuitive as it may seem, blacklists were highly effective at blocking a large percentage of attacks. This is because the blacklists often blocked the main back-end computers serving up most of the malware. In today’s Web-intertwined world, most of the infected Web sites actually point to a smaller number of “super server” hosts. Block them, and the original infected site is defanged.

4. Fully patched computers blocked 100 percent of the malicious attempts (for the study, the project used Internet Explorer 6 SP2 instead of the better-defended Internet Explorer 7).

5. The study includes analysis of several real Web sites and exploits.

6. Many of the exploits attempted to steal log-on names and passwords.

7. Most attacks used JavaScript to initiate the exploitation.
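As an added illustration of point 3 (this is my own example, not code or data from the paper or the Honeynet Project), here is a small Python script that scores a host blacklist against a constructed set of malicious URLs two ways: by whether the landing URL's own host is listed, and by whether any host in the redirect chain to the back-end exploit server is listed. All hostnames and chains are made-up placeholders.

```python
# Added example (not from the Honeynet paper): measures how much of a set of
# malicious URLs a host blacklist blocks when each URL's redirect chain is
# followed to the back-end "super server", versus matching only the front URL.
from urllib.parse import urlparse

# Constructed sample data: each malicious landing URL and the hosts its
# embedded iframes/redirects chained through before the exploit was served.
# Hostnames are placeholders, not real indicators.
MALICIOUS_URLS = {
    "http://news-site.example/story.html": ["ads.example", "exploit-a.example"],
    "http://adult-site.example/index.php": ["exploit-a.example"],
    "http://forum.example/thread?id=7": ["counter.example", "exploit-b.example"],
    "http://shop.example/cart": ["exploit-a.example"],
    "http://blog.example/post/12": ["exploit-b.example"],
    "http://links.example/sponsored": ["links.example"],  # serves its own payload
}

# Constructed blacklist: one front site plus the two back-end exploit hosts.
BLACKLIST = {"links.example", "exploit-a.example", "exploit-b.example"}

def host_of(url):
    return urlparse(url).hostname

def direct_hits(urls, blacklist):
    """URLs whose own hostname is listed (what 'appeared on a blacklist' measures)."""
    return {u for u in urls if host_of(u) in blacklist}

def chain_blocked(urls, blacklist):
    """URLs blocked if any host in the fetch chain is listed: the browser never
    reaches the exploit when the redirect/iframe target is denied."""
    return {u for u, chain in urls.items()
            if host_of(u) in blacklist or any(h in blacklist for h in chain)}

def coverage(urls, blacklist):
    """Return (direct_pct, blocked_pct) as percentages of all malicious URLs."""
    n = len(urls)
    return (100.0 * len(direct_hits(urls, blacklist)) / n,
            100.0 * len(chain_blocked(urls, blacklist)) / n)

def super_servers(urls):
    """Count how many malicious URLs each back-end host ultimately served."""
    counts = {}
    for chain in urls.values():
        counts[chain[-1]] = counts.get(chain[-1], 0) + 1
    return counts

if __name__ == "__main__":
    direct, blocked = coverage(MALICIOUS_URLS, BLACKLIST)
    print(f"listed directly: {direct:.0f}%  blocked via chain: {blocked:.0f}%")
    print("back-end hosts:", super_servers(MALICIOUS_URLS))
```

With this sample only one of six landing URLs is itself listed, yet all six are blocked, because three back-end hosts account for every payload.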

The paper ends with several defense recommendations, including:

* Keep fully patched, both OS and applications.
* Blacklists are effective.
* Don’t run as root or admin in browser sessions.
* Host-based firewalls offer additional protection.


I encourage any computer security defender to download and read this honeyclient paper.

Roger A. Grimes is contributing editor of the InfoWorld Test Center. He also writes the Security Adviser blog.
©1994-2009 Infoworld, Inc.