9 ways to use web proxies to limit Internet exposure
- By (ISC)2 Government Advisory Council Executive Writers Bureau
- Nov 19, 2015
The web has been central to the information age over the past 26 years, fundamentally changing how billions of people around the world communicate. While web use and dependence on the Internet have continued to grow, adversaries have also increasingly leveraged the web for cybercrime, including espionage, fraud, intelligence gathering and a number of financial schemes. According to Menlo Security’s State of the Web 2015 report, more than 33 percent of the top 1 million Internet websites are considered “risky.”
The web is used in a variety of attacks, ranging from phishing messages with an embedded link to poisoned Internet search results. Also common are watering hole attacks, in which a valid website is leveraged to either compromise visitors directly or redirect users to another malicious website. Adversaries can easily create their own malicious site or compromise a legitimate site in order to exploit visiting users.
Even sites that are not directly compromised can be used to serve up malicious content to users in the form of advertisements. Malvertising has more than tripled over the past year, according to a recent study by Cyphort, and has continued to impact a number of high-traffic sites over the past several months, including Forbes, Realtor.com and Match.com.
Government agencies can protect their own systems, networks and data by reducing exposure to Internet resources. Leveraging the following web proxy and gateway technologies can limit exposure to potentially dangerous Internet resources while maintaining and enabling access to the content needed to support business processes.
1. Limit default Internet access
Full Internet access from government and corporate networks should be based on business requirements, not granted as a default privilege for every employee. While the majority of employees will likely have legitimate needs, there should be no reason why security guards or mail clerks require the same level of access to web resources as IT specialists. Agencies should have processes and procedures in place to request and approve user access to web resources. In an Active Directory environment, this policy could be enforced by placing approved users in an “Internet” group, and allowing these users access through the web proxy systems. Isolated guest or public networks can also be set up to provide Internet access from employees’ personal devices or on a temporary basis without impacting internal systems and networks.
2. Prevent access from privileged accounts
If a user running as administrator visits a malicious site, successful exploitation essentially provides adversaries with the same full administrative access to the system. Accessing the same malicious site as a non-privileged user substantially limits potential damage and may prevent successful exploitation entirely. Therefore, organizations should never allow administrative access to Internet resources and should restrict such access via web proxies. This can be accomplished in an Active Directory environment by ensuring only unprivileged accounts are placed in an “Internet” group that allows Internet access.
3. Inspect SSL/TLS
Although encrypted SSL/TLS communications provide valuable data integrity and confidentiality, these communications also present a risk to organizations if not properly inspected. Most web proxy technologies can be configured to proxy encrypted web communications so that such web communications can be inspected and monitored entering and leaving the enterprise. A recent GCN article titled “Removing the blindfold to inspect encrypted communications” provides additional recommendations for gaining the necessary visibility into SSL/TLS communications.
4. Restrict by categorization
Web proxy technologies have built-in or third-party URL categorization services that should be implemented to not only enforce organizational policies but also to prevent access to known malicious or other risky categories of content. In addition to static categorization of websites, some vendors offer dynamic categorization/classification services for URLs not previously assessed.
5. Implement dynamic/custom blocks
Vendor categorizations of URLs can prevent access to known risky content. However, URL categorization is often a cat-and-mouse game with sophisticated adversaries that leverage new techniques and new domains that may not have been properly categorized. Because of this, agencies should also establish custom categories for organization-specific policies or override vendor categorizations when needed. Administrators can also develop regular expressions to look for specific URL characteristics based on known indicators of compromise or patterns used by adversaries.
6. Restrict by user agent
Internet browsers not maintained or supported by the enterprise and other unauthorized client software can be restricted from accessing the Internet by assessing the user-agent string and allowing only those that are explicitly approved. This approach can also be used to prevent exposure to the Internet from unpatched, vulnerable software versions. For example, requests from out-of-date Java versions can be blocked, not only to limit the external exposure, but also to provide additional incentive or instructions for the client to upgrade. It’s important to note that this is a useful but not an infallible solution on its own, because a given application could modify the user-agent string the proxy would see.
7. Restrict by media type
Over the past year, there have been a number of zero-day vulnerabilities leveraging Flash. Google and Apple have taken a firm stance opposing the support of Flash, and agencies can do so as well by restricting Flash or other risky media types at the proxy. By looking at the URL file extension, the MIME type from HTTP headers and the results from proxy programs such as libmagic that identify file types, undesired content can be effectively identified and blocked to limit organizational exposure. This technique can also be used to prevent the introduction of unapproved executable content from the web. If needed, exceptions can be granted for specific websites while preventing exposure to the Internet at large.
8. Restrict by top-level domain
Unless there is a business need, exposure to significant portions of the Internet can be restricted by blocking TLDs by default to significantly reduce the attack surface. Exceptions can be made where necessary, but default blocks can be implemented for many country code TLDs (e.g., .cm for Cameroon or .cn for China), ICANN-era generic TLDs (e.g., .review or .science) and internationalized/punycode TLDs (e.g., domains using Arabic or Chinese characters). As noted in a recent analysis and report from Blue Coat on “The Web’s Shadiest Neighborhoods,” a number of domains have over 95 percent of websites that are considered suspicious. Access to these and other risky TLDs should be restricted by default and permitted only in rare cases with a valid business need and appropriate risk assessment.
9. Formalize granular exception process
To limit Internet exposure by default and permit required access by exception, organizations must have a formalized and robust exception process in place. If users do not know how to request an exception for a valid business need, or if the exception is not processed in a timely manner, they may resist or circumvent the policy. While there will be some organization-wide exceptions, the exception process should also be as granular as possible to minimize exposure to the extent practical. For example, if an employee responsible for obtaining and testing new Oracle client software needs to download executable content blocked by default, an exception should be placed to allow access only from the specific individual to the specific domain, versus allowing the same access for all employees or the ability to download executable software from anywhere on the Internet. Time restrictions can also be enforced for access that is temporary in nature.
In closing, a combination of the aforementioned approaches may be used to limit Internet exposure while minimizing the impact to critical business capabilities. For example, instead of completely blocking access to a given foreign TLD, it may be acceptable to allow access to only a subset of the websites using that foreign domain, and only for users within a specific business unit working with companies in that country. Using this approach, new malicious websites not yet analyzed by the filtering services would not be accessible, while other legitimate categorized sites could be reached.
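As an added example that is not part of the original article, the following Python policy evaluator applies techniques 1 through 9 to a single proxied request in the combined, granular way the closing paragraph describes (default-deny TLDs and executable content, waived only for a named user on a named host). The user names, hosts, browser version pattern and the indicator regex are constructed assumptions; a real deployment would express the same rules in the proxy's own ACL language.

```python
import os.path
import re
from urllib.parse import urlparse

# Constructed sample policy (not a real deployment); comments map to the article's nine techniques.
INTERNET_GROUP = {"alice", "oracle-tester", "svc-admin"}            # 1. approved users only
PRIVILEGED = {"svc-admin"}                                           # 2. admin accounts never browse
APPROVED_AGENTS = [re.compile(r"^Mozilla/5\.0 .*Firefox/4[2-9]\.")]  # 6. maintained browser builds
BLOCKED_CATEGORIES = {"malware", "phishing", "proxy-avoidance"}      # 4. vendor categorization
CUSTOM_INDICATORS = [re.compile(r"\.php\?[a-z]=[A-Za-z0-9+/=]{40,}$")]  # 5. hypothetical IoC pattern
BLOCKED_EXT = {".swf", ".exe", ".msi"}                                # 7. risky media types
BLOCKED_MIME = {"application/x-shockwave-flash", "application/x-msdownload"}
BLOCKED_TLDS = {"cm", "cn", "review", "science"}                      # 8. default-block TLDs
# 9. granular exceptions: (user, host) -> set of checks waived for that pair only
EXCEPTIONS = {
    ("oracle-tester", "download.oracle.com"): {"media"},
    ("alice", "partner.example.cn"): {"tld"},
}


def decide(user, url, user_agent, content_type=None, category=None):
    """Evaluate one proxied request in policy order; returns ("allow"|"deny", reason)."""
    if user not in INTERNET_GROUP:
        return "deny", "user not in Internet group"
    if user in PRIVILEGED:                      # never waivable by an exception
        return "deny", "privileged account"
    if not any(p.match(user_agent) for p in APPROVED_AGENTS):
        return "deny", "unapproved user agent"
    parsed = urlparse(url)
    # Normalize a Unicode hostname to its punycode form so IDN TLDs show up as xn--
    host = (parsed.hostname or "").encode("idna").decode("ascii")
    waived = EXCEPTIONS.get((user, host), set())
    if category in BLOCKED_CATEGORIES:
        return "deny", f"blocked category: {category}"
    if any(p.search(url) for p in CUSTOM_INDICATORS):
        return "deny", "custom indicator match"
    tld = host.rsplit(".", 1)[-1]
    if (tld in BLOCKED_TLDS or tld.startswith("xn--")) and "tld" not in waived:
        return "deny", f"blocked TLD: .{tld}"
    ext = os.path.splitext(parsed.path)[1].lower()
    if (ext in BLOCKED_EXT or content_type in BLOCKED_MIME) and "media" not in waived:
        return "deny", "blocked media type"
    return "allow", "policy passed"
```

Each check that an exception can waive is keyed to one user and one host, so a waiver for the Oracle tester does not open executable downloads for anyone else or from anywhere else.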
By using some or all of these techniques, web proxy and gateway technologies can significantly reduce the attack surface and limit an agency’s exposure to the “big bad Internet” while allowing access to the portions of the web required to support critical business functions.