In the early days of the web, online surfers knew where the dangers were. Seedy sites in the darkest corners of the web were rife with malicious pages, so smart small business IT security departments simply blocked them. Today, the whole web is a dangerous neighbourhood, and visiting even the most innocent-looking site can infect a computer with devious malware. The results can disrupt entire companies. Here’s how it happens, and how those running IT security for small business can cope with it.
The scariest thing about today’s web-based attacks is that in many cases, victims simply have to visit a site to be infected. No other action is required. Major news sites are among those that have been compromised in the past, infecting their visitors indiscriminately.
How are these sites targeted? One of the most popular methods is malvertising. Website publishers typically display digital advertisements using a digital window on a web page, giving an advertising network permission to put whatever it wants there. These networks typically allow advertisers to bid in real time for their ads to be displayed. Attackers posing as advertisers bid using booby-trapped ads, which are displayed instantly on publishers’ pages when the algorithms running the networks accept them.
Malvertising has affected many legitimate sites, including Forbes, the BBC and the New York Times. Universities, retailers and others have also been hit, which means that millions of visitors have been infected.
Attackers can also infect sites running popular open source software such as WordPress. Vast numbers of sites based on the open source content management software have been compromised in the past, often through unpatched plugins that publishers have used to enhance their WordPress sites. These compromised sites can either download code directly to the victim’s machine or, more commonly, instruct the browser to visit a malicious site controlled by the attacker – all without the visitor seeing anything. This malicious site uses an exploit kit such as Angler to probe the visitor’s computer and find out what software it is running. The exploit kit will then deliver an attack crafted for that particular platform.
How can users protect themselves against these attacks? Avoiding suspect sites is clearly good advice, but it isn’t going to be enough any more. Neither is relying entirely on malware scanning products, because many drive-by malware attacks are tested against the latest antivirus updates before they are released. Use them, but don’t rely on them as your sole source of defence.
Turning off any access to your operating system that you don’t regularly need is a good start, as it reduces malware’s ability to establish a foothold. This means not using an administrator account for regular access on Windows machines (instead, create a ‘User’ account that has restricted privileges). Patching all of your software is also crucial, including your operating system and other applications such as Adobe products and Java.
The other way to protect your system is to try and head off attacks before they ever reach you, by relying on a cloud-based security service. These will typically not only check the traffic that your computer is downloading but will also monitor the domains that your computer is trying to download from, stopping any that show up as suspicious on their lists.
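The domain check described above can be sketched in a few lines. This is an added example, not code from any particular security service: the blocklist entries, log format and function names are constructed for illustration, and real services use far larger, continuously updated lists.

```python
# Added example: how a filtering service might decide whether to stop a request.
# Blocklist entries and log lines are constructed for illustration only.

BLOCKLIST = {"bad-ads.example", "exploit-landing.test"}  # constructed entries

# Constructed proxy log lines: "<timestamp> <client> <requested host>"
SAMPLE_LOG = """\
2024-01-01T09:00:01 10.0.0.5 www.news-site.example
2024-01-01T09:00:02 10.0.0.5 cdn.bad-ads.example
2024-01-01T09:00:02 10.0.0.7 EXPLOIT-LANDING.TEST.
2024-01-01T09:00:03 10.0.0.7 notbad-ads.example
"""


def normalise(host):
    """Lower-case and drop the trailing dot so lookups are consistent."""
    return host.strip().lower().rstrip(".")


def is_blocked(host, blocklist=BLOCKLIST):
    """True if the host or any parent domain is on the blocklist."""
    labels = normalise(host).split(".")
    # Check "a.b.c", then "b.c", then "c": a listed domain covers its
    # subdomains, but "notbad-ads.example" must not match "bad-ads.example".
    return any(".".join(labels[i:]) in blocklist for i in range(len(labels)))


def review_log(log_text, blocklist=BLOCKLIST):
    """Return (client, host) pairs for requests the filter would stop."""
    hits = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue  # skip malformed lines
        _, client, host = parts
        if is_blocked(host, blocklist):
            hits.append((client, normalise(host)))
    return hits


if __name__ == "__main__":
    for client, host in review_log(SAMPLE_LOG):
        print(f"blocked: {client} -> {host}")
```

Matching on whole domain labels rather than raw substrings is what keeps a listed domain's subdomains covered without blocking unrelated names that merely end in the same characters.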
None of these methods can guarantee 100% IT security for a small business, but layer them together, and they significantly reduce the risk. One technique may catch what another doesn’t. Even if malware gets through, a well-configured system is far safer than an unpatched one with total administrative access.
Take these precautions now and you will stand a better chance of avoiding web compromise. After all, a small business IT security team has to be lucky every time. An attacker only has to be lucky once.