An interesting study released this week shows that about 1.3 million malicious ads are being viewed online every day. Most of these malvertisements are pushing drive-by downloads and fake security software. Some of the key findings in the report include:
- Users are twice as likely to get infected by a malware ad on a weekend
- The average lifetime of a malvertisement is 7.3 days
- 97% of Fortune 500 websites are at a high risk due to their external partners (JavaScript widget providers, packaged software providers, etc.)
- 69% of Fortune 500 companies use external JavaScript to render portions of their sites
- 64% of Fortune 500 companies are running outdated web applications
This study drives home the point that everybody is exposed. Whether it’s a consumer hitting an ad on a website that’s got malware or an attack targeting the person running the grid, the fact is that as long as there’s a human being in the loop, malware is going to get deposited.
What I find interesting is that malvertisements targeting consumers take the same payload-type approaches as APTs that are specifically designed to go after the top government or corporate information, just not in the same highly targeted, sniper-type fashion. But whatever approach is taken, the cornerstone of every one of these types of attacks that deposit some type of targeted malware is the payload.
This brings me to a poll question I’d like to ask you: What’s the most important step to stopping malware payloads? Said differently, if you could only do ONE thing to stop these attacks, which approach would you take? I’d love to get your feedback on it.
http://www.networkworld.com/newsletters/sec/2010/052410sec2.html?source=NWWNLE_nlt_security_2010-05-28
Daniel Kennedy, who holds a Master of Science in Information Assurance (MSIA) from the School of Graduate Studies of Norwich University and co-created the information security blog PraetorianPrefect, which received a nomination for Security Blog of the Year at the RSA Conference, recently became a contributor to a blog at Forbes Online, The Forbes Firewall.
He stated, “My goal is to relate current stories in information security to the everyday challenges facing people in companies, universities, and government agencies. ‘Why did this event occur?’ and ‘What might have prevented or mitigated its negative effects?’ are the types of questions I intend to provide some analysis on for reader thought and discussion.”
One of his blogging goals is to educate readers that, before they hire a vendor, they should demand answers as to how personal data is protected. Before installing a specialty vendor product, ask about the last time it underwent a security test and ask to see the results.
Kennedy wants to reduce the number of people treating information security concerns as an afterthought or minimizing its importance. He confirms the enormous gap between those who have their act together and those who do not.
This sounds like a good opportunity for Toney & Co to enter that Forbes blog discussion with expert contributions a la Bouncer by CT and application whitelisting, and thereby help to close that chasm between those who understand and those who don’t that Kennedy writes about.
If implementing Bouncer is the one thing you would do for security if you could only do one thing, then it follows that it’s also the one thing you would not want to leave out of your security systems.