Internet security technology company Menlo Security says its global web survey has shown that almost half of the 1 million most popular web sites, as rated by Alexa, present some security risk, either directly or via some 25 million background sites used for ad serving and other purposes.
To analyse the top one million web sites for its State of the Web 2016 report and mimic real-world browsing, Menlo Security developed a distributed Chrome-based browser farm to load the homepage of each of the top one million web sites.
Greg Maudsley, senior director of product marketing at Menlo Security, told Computerworld that the company had undertaken a similar exercise for its 2015 report, but had not examined background sites for that report. “Last year we looked only at the primary site. This year we looked at all the sites it contacts in the background,” he said.
“We found that, for every user request to a web site, that site initiates, on average, requests to 25 background sites that send active content to your browser. Ad serving is the most common, but they are also used for anti-ad blocking software, user tracking etc.”
In many cases, he said, the owners of the primary sites had little or no control over what background sites gained access to their visitors’ browsers.
Menlo Security identified three grades of risky sites:
- Homepage or background site running software with known vulnerabilities;
- Homepage or background site already known to be bad as a source of phishing, malware etc;
- Homepage or background site had suffered a security incident in the last 12 months.
“Of the one million sites, 355,804 were either running vulnerable software or accessing background domains running vulnerable software; 166,853 fell into known-bad category, while 31,938 had experienced a recent security incident,” its report said.
It added: “The top three riskiest categories are News & Media, where 50 percent of sites satisfy at least one of our three criteria, followed by Entertainment & Arts at 49 percent, and Travel at 43 percent. The least risky category of the top 10, Computer & Internet Info, still comes in at a massive 37 percent.”
The wide-open World Wide Web
Menlo Security’s technology did not look for evidence of malware on any of the sites – it relied on reputation information only, but the company made the point that the widespread existence of vulnerable sites and easy-to-obtain hacking tools left the web, and users, wide-open to attack.
“Today, exploit kits are readily available to anyone, as are the instructional videos that provide step-by-step execution instructions. The expertise requirement has all but vanished,” its report said.
Maudsley said: “Riskier sites have never been easier to exploit and basically half the web is available to be exploited, and traditional security products fail to apply adequate protection, because we have no way of knowing what will be bad tomorrow.”
According to the report, this combination of widespread software vulnerabilities, pervasive exploit kits, and throngs of new attackers has created the perfect storm.
“For example, Microsoft-iis 7.5 was the second most common vulnerable software seen in our report, and is currently running on over 50,000 of the top one million websites,” it said.
“For an individual to compromise a web server running this software, it is a simple matter of using exploit kits readily available on the Internet to enable a total system compromise. … Within minutes, any motivated attacker can exert full control over a primary or background site, and deliver ransomware to unsuspecting visitors.”
Maudsley said Menlo Security had made no attempt to estimate the extent of security breaches resulting from compromised, legitimate web sites, but said endpoint security tools would never provide 100 percent protection.
Isolation might be the answer
As Computerworld reported earlier this year, Menlo Security has developed a service to protect enterprises from web-borne threats by routing all web site requests through an isolation platform that strips out all the underlying coding and presents the user’s browser with only the visual elements, and the links, of the page they are trying to access.
Maudsley said this type of protection was becoming increasingly commonplace among enterprises but had yet to filter down to SMBs or individual users.
“Isolation technology is gaining traction very rapidly and Gartner is now recommending it as part of a comprehensive security infrastructure approach. It is as applicable to my grandmother as it is to the largest enterprise but there are only a handful of vendors and they are focussed on large enterprise at present. There is absolutely a demand at the lower end and over time I think you will see this work its way down to the consumer market.”
He said Menlo Security, which relies exclusively on channel partners, was looking at a number of routes to the small end of the market. “We operate a cloud based platform and that does lend itself to a managed service that could be offered to consumers in the future.”
Menlo Security’s report offers a number of suggestions as to how users can avoid browser-borne malware; Maudsley said being aware of the risk level was a good starting point.
“There will always be a place for endpoint protection but a lot of protecting oneself has to do with being aware that there is a threat. Understanding that half the web is vulnerable is an important first step, and disabling Flash and using a safe document viewer in the browser will eliminate some of the means by which you can get infected.”