SlideShare uma empresa Scribd logo

Web reputation

GFI Software
GFI Software

Web Reputation is the latest method in use to boost protection against current to future malicious content on the web for those browsing the Internet. Using Web Reputation, websites are assessed for immediate and potential threats, malicious content and risky characteristics and a score (0 – 100) is given.

TecnologiaDesign
1 de 8
Baixar para ler offline
GFI White Paper How Web Reputation increases your online protection
Contents Introduction to Web Reputation 3 Why use Web Reputation? 3 The value of using Web Reputation and antivirus software 3 The value of using Web Reputation with Content Categorization 4 Anatomy of a malware attack 4 How to use a Web Reputation Index – different scenarios 5 How is the Web Reputation Index calculated 6 Reputation Index for websites with malicious content 7 Dynamic real-time updates 7 About GFI® 7 How Web Reputation increases your online protection 2
Introduction to Web Reputation Web Reputation is the latest method in use to boost protection against current to future malicious content on the web for those browsing the Internet. Using Web Reputation, websites are assessed for immediate and potential threats, malicious content and risky characteristics and a score (0 – 100) is given. In a similar way that Content Categorization places websites into different categories and classifies them based on their content, Web Reputation scores are used to determine the risk factor of each website. Once the score for a website has been determined, this will help an administrator to take action – block/ proceed with caution/allow access to those websites. Although a good antivirus engine offers significant threat coverage, and multiple antivirus engines provide greater protection than you get with a single antivirus engine, it is very difficult to achieve total protection in a very dynamic Web 2.0 world. Web Reputation fills a void left by traditional protection engines by giving a “safety” rating to websites and where necessary, allowing proactive blocking of risky sites. The GFI WebMonitor™ WebGrade Web Reputation Index is a comprehensive security assessment of a website based not only on its current threat level, but also on its potential to be a threat in the future. It gives each URL a score (0-100) – the lower the score, the greater the risk that website poses to users. Broadly speaking, web reputation scores typically fall into five risk bands: » High Risk (1 – 20) » Suspicious (21 – 40) » Moderate Risk (41 – 60) » Low Risk (61 – 80) » Trustworthy (81 – 100) Why use Web Reputation? To better understand the benefits of Web Reputation, here is a real world example. Let’s say you are going on vacation. While you are planning your holiday, you check the reviews of the hotel where you would like to stay before you actually take a decision to book or not. Unless you confirm that the hotel (which you’ve never stayed in before) has been given a good rating in various categories (price, cleanliness, location, family- friendly) etc. you wouldn’t book your stay there. The same concept applies to the Web. The Web Reputation Index is calculating a score for a website for you to proactively determine, on the basis of various ‘safety variables’, whether you should visit that site or not. The value of using Web Reputation and antivirus software With the growing number of malware threats and an ever-changing security landscape, it is increasingly difficult for traditional antivirus engines to be constantly up-to-date and protect users from ALL the latest threats. Different antivirus vendors have different response times to different types of emerging threats – some focus on speed and all the latest threats, while others focus on complete coverage with threat signatures going back many years. Therefore, having additional defence mechanisms in place to protect you against new zero-hour and zero-day threats is a must. Malware authors are constantly changing their techniques and use various tricks to outsmart antivirus engines. The ability to assess websites and domains on the basis of reputation radically boosts the software’s capability to protect users and organizations against new and unknown threats. Web Reputation enhances the security engine coverage through two main features: » It predicts the security risk a website poses before an actual threat is detected » It keeps a record of previously infected sites and uses this data as part of the scoring mechanism How Web Reputation increases your online protection 3
The value of using Web Reputation with Content Categorization In web filtering, categories are used to identify the type of website, e.g. “News and Media”, “Shopping” and “Search Engines” among others. Some categories are by their very nature a security risk e.g. “Phishing” or “Malware”. However, all categories may feature websites which have reputation scores across the spectrum (see bands above). What this means is that in any category you can have a mix of sites which are a risk, and others which are safe. For example, a hypothetical website (www.snipe-a-fish.com) is categorized under “Hobbies and Recreation” – a category which is not typically considered a security threat. Although the website is in a category which is not known for pushing malicious content, the website itself is very poorly maintained, is prone to infection, and is therefore a high security risk. In fact, the website had been compromised already in the past and used to distribute malware. On the other hand, there are many sites which are very highly rated in the same category. Such a broad range of scores in the same category holds true for all categories – meaning that the risk factor of a website is usually independent of the category in which the website is found. This is why Web Reputation is so important – it adds a layer of protection irrespective of the category the website is in. Anatomy of a malware attack Cyber criminals know that the weakest link in most organizations is not the technology, but (in the majority of cases) the person sitting in front of a computer. These criminals, often out for financial gain, exploit the popularity of high traffic sites such as YouTube, Facebook and Twitter to distribute malicious links and payloads. Very often users are not even aware that by clicking on links they may be exposing their machine and the network to a number of threats. This ‘attack surface’ grew considerably with the introduction of short URLs (e.g. http://bit.ly/q9GelC) – all URLs look practically the same. The attackers also know that few users think about risk when they visit a new website and they use this behavior to their advantage, riding piggy-back on the success of high traffic sites which are used to initiate the transmission of malicious content. This content however requires a host, i.e. a website from where the content can be distributed. There are two ways to create malicious content on the web: » Create a new website or use an existing website to host the malicious content » Compromise (hack) a legitimate site and inject malicious content Cybercriminals and security organizations are playing a constant cat-and-mouse game – one side creating new malicious content, the other designing protective measures to block it. The best weapon for criminals is an ever-changing malware host. Effective attacks require a website or malware strain which is currently not recognized by antivirus engines. So the best means of attack is to actually deploy new websites or website hosts as often as possible. This ensures that these websites have not been recognized by security organizations and consequently blocked. Once a website is ‘caught’ by antivirus engines or other security measures, it loses its effectiveness and would need to be taken down and replaced by another. Zero-day/zero-hour 0-day/0-hour: the period of time from when a new malware hosting website is created until it is recognized as malicious. During this period, activity on these sites is considered high risk. In the zero-hour period, no matter how many antivirus engines you have deployed, anybody visiting a website hosting new malicious content is at risk and their machine will probably be infected. How Web Reputation increases your online protection 4
Figure 1 - Stages in malware attack cycle So how do we mitigate this problem? Reputation is the answer. Certain types of websites, including those which have not been seen before are immediately classified as “Suspicious”. Applying a reputation score to websites and classifying them as “Suspicious” is a proactive approach to security – you are addressing a risk before it can become a serious threat. Figure 2 - How Reputation protects against unknown threats How to use a Web Reputation Index – different scenarios Known Compromised Sites – high risk (0 – 20) As soon as a website is detected as being compromised, its score immediately drops into the High Risk zone. Any website classified in the High Risk Zone should be treated as a “No Go Area” – the risk of infection is high for sites in the High Risk zone. Once the infection is cleaned, the site’s reputation is restored; though the reputation score will now take into account the fact that this site has an infection history (thus its score will initially be lower). Usage: Anything in the High Risk Zone should be blocked. How Web Reputation increases your online protection 5
Unknown and Suspicious Sites (21 – 40) – proactive protection Unknown sites are typically sites which are relatively new and have never have been reviewed. With the classification engine scanning thousands of URLs per second, any legitimate URL will most likely have already been scanned and given an appropriate rating. Sites in this zone should be treated as suspicious. Usage: Anything in the Suspicious Zone should be blocked unless shown to be legitimate. Other Known Sites (41 – 60) – moderate risk These are other known sites which have been around for several months and could still present a risk because: » They have been infected in the past year » They have exhibited some kind of risky characteristic Usage: Proceed with caution! These sites should be handled with care and visited only by those who are knowledgeable in the subject area and will not expose others to the risk of infection. Relatively Safe Sites – (61 – 80) – low risk These known sites exhibit few risky characteristics and therefore are relatively safe. Usage: These sites have a low risk of infection and access can be given to everyone. Trustworthy (81-100) – trustworthy These are highly trusted sites which exhibit little to no risk and therefore are trustworthy and safe to visit. Usage: These sites have the lowest risk of infection and access can be given to everyone. How is the Web Reputation Index calculated Web Reputation is calculated using a large number of factors and a machine learning process. Rather than controlling the process manually, advanced techniques are used to allow the classifier to determine the correct weights based on millions of examples of “good websites” and “bad websites”. The following are some of the features analyzed: » Location of website • Geography (Country/City) • ISP/WebHost • IP neighborhood Some areas of the Internet are known to be “bad neighborhoods”. A website hosted in these neighborhoods could increase its risk rating. » Behavior and Content of website • JavaScript content and characteristics • Popups • Redirects • Executable file downloads How Web Reputation increases your online protection 6
Websites which typically have or distribute malicious content are similar in terms of the content they provide. For example, creating multiple redirects to different websites is a technique which may be used by hackers to mask the true destination a website is trying to send users to. » Legitimacy • Domain/Category Age • Number of IP addresses for a site • Top Level Domain The above characteristics also show how legitimate a website is. For example, a website can be deployed with malicious content within a few hours. New websites are treated suspiciously unless it is otherwise clear that they are legitimate. » Threat History • Past Safety Track Record (history of infections in the last three and 12 month-periods) A site which has been infected in the past is a greater risk than a website which has a clean track record. More than 400 weighted variables are used to give a correct score. The weighting is not decided arbitrarily but based on the process’s capacity to analyze and determine the ideal weightings for each analyzed feature. Reputation Index for websites with malicious content A website which is found to be distributing malicious content is immediately put into the high-risk zone. The website stays in this zone until it has been “cleaned”. Once it is clean, rather than giving it the same score as before, the infection history is taken into consideration and its original score is only restored over a period of time. Most reputation services do not maintain a history of behaviour; on the other hand, the WebGrade Reputation index grows and decays over time depending on the behaviour of a website. Dynamic real-time updates Changes in the score of a website are immediately available via the hybrid reputation index service which consists of a local database of popular sites – and an online querying mechanism for sites not in the local database. Websites are revisited often to update the classification of the content; the revisit frequency varies depending on parameters such as the change velocity of the site, popularity, ranking, history of previous changes, and other relevant factors. About GFI GFI Software provides web and mail security, archiving, backup and fax, networking and security software and hosted IT solutions for small to medium-sized businesses (SMBs) via an extensive global partner community. GFI products are available either as on-premise solutions, in the cloud or as a hybrid of both delivery models. With award-winning technology, a competitive pricing strategy, and a strong focus on the unique requirements of SMBs, GFI satisfies the IT needs of organizations on a global scale. The company has offices in the United States (North Carolina, California and Florida), UK (London and Dundee), Austria, Australia, Malta, Hong Kong, Philippines and Romania, which together support hundreds of thousands of installations worldwide. GFI is a channel-focused company with thousands of partners throughout the world and is also a Microsoft Gold Certified Partner. More information about GFI can be found at http://www.gfi.com. How Web Reputation increases your online protection 7
USA, CANADA AND CENTRAL AND SOUTH AMERICA GFI 2230 sep11 15300 Weston Parkway, Suite 104, Cary, NC 27513, USA Telephone: +1 (888) 243-4329 Fax: +1 (919) 379-3402 ussales@gfi.com UK AND REPUBLIC OF IRELAND Magna House, 18-32 London Road, Staines, Middlesex, TW18 4BP, UK Telephone: +44 (0) 870 770 5370 Fax: +44 (0) 870 770 5377 sales@gfi.co.uk EUROPE, MIDDLE EAST AND AFRICA GFI House, San Andrea Street, San Gwann, SGN 1612, Malta Telephone: +356 2205 2000 Fax: +356 2138 2419 sales@gfi.com AUSTRALIA AND NEW ZEALAND 83 King William Road, Unley 5061, South Australia Telephone: +61 8 8273 3000 Fax: +61 8 8273 3099 sales@gfiap.com For a full list of GFI offices/contact details worldwide, please visit http://www.gfi.com/contactus Disclaimer © 2011. GFI Software. All rights reserved. All product and company names herein may be trademarks of their respective owners. The information and content in this document is provided for informational purposes only and is provided “as is” with no warranty of any kind, either express or implied, including but not limited to the implied warranties of merchantability, fitness for a particular purpose, and non-infringement. GFI Software is not liable for any damages, including any consequential damages, of any kind that may result from the use of this document. The information is obtained from publicly available sources. Though reasonable effort has been made to ensure the accuracy of the data provided, GFI makes no claim, promise or guarantee about the completeness, accuracy, recency or adequacy of information and is not responsible for misprints, out- of-date information, or errors. GFI makes no warranty, express or implied, and assumes no legal liability or responsibility for the accuracy or completeness of any information contained in this document. If you believe there are any factual errors in this document, please contact us and we will review your concerns as soon as practical.

Recomendados

GFI MailSecurity's Deployment Strategies
GFI MailSecurity's Deployment StrategiesGFI MailSecurity's Deployment Strategies
GFI MailSecurity's Deployment StrategiesGFI Software
 
Basic security
Basic securityBasic security
Basic securityGFI Software
 
How to Perform Network-wide Security Event Log Management
How to Perform Network-wide Security Event Log ManagementHow to Perform Network-wide Security Event Log Management
How to Perform Network-wide Security Event Log ManagementGFI Software
 
Master Class Series
Master Class SeriesMaster Class Series
Master Class SeriesGFI Software
 
Greylisting
GreylistingGreylisting
GreylistingGFI Software
 
Increasing Performance in Enterprise Anti-Malware Software
Increasing Performance in Enterprise Anti-Malware SoftwareIncreasing Performance in Enterprise Anti-Malware Software
Increasing Performance in Enterprise Anti-Malware SoftwareGFI Software
 
Data Backups
Data BackupsData Backups
Data BackupsGFI Software
 
Europese autoverkopen april 2014
Europese autoverkopen april 2014Europese autoverkopen april 2014
Europese autoverkopen april 2014Auto Verkopen
 

Recomendados

GFI MailSecurity's Deployment Strategies
GFI MailSecurity's Deployment StrategiesGFI MailSecurity's Deployment Strategies
GFI MailSecurity's Deployment StrategiesGFI Software
 
Basic security
Basic securityBasic security
Basic securityGFI Software
 
How to Perform Network-wide Security Event Log Management
How to Perform Network-wide Security Event Log ManagementHow to Perform Network-wide Security Event Log Management
How to Perform Network-wide Security Event Log ManagementGFI Software
 
Master Class Series
Master Class SeriesMaster Class Series
Master Class SeriesGFI Software
 
Greylisting
GreylistingGreylisting
GreylistingGFI Software
 
Increasing Performance in Enterprise Anti-Malware Software
Increasing Performance in Enterprise Anti-Malware SoftwareIncreasing Performance in Enterprise Anti-Malware Software
Increasing Performance in Enterprise Anti-Malware SoftwareGFI Software
 
Data Backups
Data BackupsData Backups
Data BackupsGFI Software
 
Europese autoverkopen april 2014
Europese autoverkopen april 2014Europese autoverkopen april 2014
Europese autoverkopen april 2014Auto Verkopen
 
How to configure IBM iSeries event collection with Audit and GFI EventsManager
How to configure IBM iSeries event collection with Audit and GFI EventsManagerHow to configure IBM iSeries event collection with Audit and GFI EventsManager
How to configure IBM iSeries event collection with Audit and GFI EventsManagerGFI Software
 
Hackers don’t discriminate
Hackers don’t discriminateHackers don’t discriminate
Hackers don’t discriminateGFI Software
 
Email Continuity
Email ContinuityEmail Continuity
Email ContinuityGFI Software
 
Vulnerability Management
Vulnerability ManagementVulnerability Management
Vulnerability ManagementGFI Software
 
Why One Virus Engine is Not Enough
Why One Virus Engine is Not EnoughWhy One Virus Engine is Not Enough
Why One Virus Engine is Not EnoughGFI Software
 
Email Security Solutions
Email Security SolutionsEmail Security Solutions
Email Security SolutionsGFI Software
 
Email archiving
Email archivingEmail archiving
Email archivingGFI Software
 
Going beyond Exchange 2010
Going beyond Exchange 2010Going beyond Exchange 2010
Going beyond Exchange 2010GFI Software
 
Protecting Against the New Wave of Malware
Protecting Against the New Wave of MalwareProtecting Against the New Wave of Malware
Protecting Against the New Wave of MalwareGFI Software
 
Industrial Revolution
Industrial RevolutionIndustrial Revolution
Industrial Revolutioncedarrobertson
 
Email Continuity
Email ContinuityEmail Continuity
Email ContinuityGFI Software
 
Sending Faxes in real-time over an IP Network
Sending Faxes in real-time over an IP NetworkSending Faxes in real-time over an IP Network
Sending Faxes in real-time over an IP NetworkGFI Software
 
Spotlight on GFI EndPoint Security 2013
Spotlight on GFI EndPoint Security 2013Spotlight on GFI EndPoint Security 2013
Spotlight on GFI EndPoint Security 2013GFI Software
 
Network Environments
Network EnvironmentsNetwork Environments
Network EnvironmentsGFI Software
 
The Threats Posed by Portable Storage Devices
The Threats Posed by Portable Storage DevicesThe Threats Posed by Portable Storage Devices
The Threats Posed by Portable Storage DevicesGFI Software
 
Hybrid Technology
Hybrid TechnologyHybrid Technology
Hybrid TechnologyGFI Software
 
Understanding Data Backups
Understanding Data BackupsUnderstanding Data Backups
Understanding Data BackupsGFI Software
 
Security Threats for SMBs
Security Threats for SMBsSecurity Threats for SMBs
Security Threats for SMBsGFI Software
 
Security and SMBs
Security and SMBsSecurity and SMBs
Security and SMBsGFI Software
 
Deploying GFI EventsManager™
Deploying GFI EventsManager™Deploying GFI EventsManager™
Deploying GFI EventsManager™GFI Software
 
Maxmp greylisting
Maxmp greylistingMaxmp greylisting
Maxmp greylistingGFI Software
 
Messaging and Web Security
Messaging and Web SecurityMessaging and Web Security
Messaging and Web SecurityGFI Software
 

Mais conteúdo relacionado

Destaque

How to configure IBM iSeries event collection with Audit and GFI EventsManager
How to configure IBM iSeries event collection with Audit and GFI EventsManagerHow to configure IBM iSeries event collection with Audit and GFI EventsManager
How to configure IBM iSeries event collection with Audit and GFI EventsManagerGFI Software
 
Hackers don’t discriminate
Hackers don’t discriminateHackers don’t discriminate
Hackers don’t discriminateGFI Software
 
Vulnerability Management
Vulnerability ManagementVulnerability Management
Vulnerability ManagementGFI Software
 
Why One Virus Engine is Not Enough
Why One Virus Engine is Not EnoughWhy One Virus Engine is Not Enough
Why One Virus Engine is Not EnoughGFI Software
 
Email Security Solutions
Email Security SolutionsEmail Security Solutions
Email Security SolutionsGFI Software
 
Going beyond Exchange 2010
Going beyond Exchange 2010Going beyond Exchange 2010
Going beyond Exchange 2010GFI Software
 
Protecting Against the New Wave of Malware
Protecting Against the New Wave of MalwareProtecting Against the New Wave of Malware
Protecting Against the New Wave of MalwareGFI Software
 
Sending Faxes in real-time over an IP Network
Sending Faxes in real-time over an IP NetworkSending Faxes in real-time over an IP Network
Sending Faxes in real-time over an IP NetworkGFI Software
 

Destaque (12)

How to configure IBM iSeries event collection with Audit and GFI EventsManager
How to configure IBM iSeries event collection with Audit and GFI EventsManagerHow to configure IBM iSeries event collection with Audit and GFI EventsManager
How to configure IBM iSeries event collection with Audit and GFI EventsManager
 
Hackers don’t discriminate
Hackers don’t discriminateHackers don’t discriminate
Hackers don’t discriminate
 
Email Continuity
Email ContinuityEmail Continuity
Email Continuity
 
Vulnerability Management
Vulnerability ManagementVulnerability Management
Vulnerability Management
 
Why One Virus Engine is Not Enough
Why One Virus Engine is Not EnoughWhy One Virus Engine is Not Enough
Why One Virus Engine is Not Enough
 
Email Security Solutions
Email Security SolutionsEmail Security Solutions
Email Security Solutions
 
Email archiving
Email archivingEmail archiving
Email archiving
 
Going beyond Exchange 2010
Going beyond Exchange 2010Going beyond Exchange 2010
Going beyond Exchange 2010
 
Protecting Against the New Wave of Malware
Protecting Against the New Wave of MalwareProtecting Against the New Wave of Malware
Protecting Against the New Wave of Malware
 
Industrial Revolution
Industrial RevolutionIndustrial Revolution
Industrial Revolution
 
Email Continuity
Email ContinuityEmail Continuity
Email Continuity
 
Sending Faxes in real-time over an IP Network
Sending Faxes in real-time over an IP NetworkSending Faxes in real-time over an IP Network
Sending Faxes in real-time over an IP Network
 

Mais de GFI Software

Spotlight on GFI EndPoint Security 2013
Spotlight on GFI EndPoint Security 2013Spotlight on GFI EndPoint Security 2013
Spotlight on GFI EndPoint Security 2013GFI Software
 
Network Environments
Network EnvironmentsNetwork Environments
Network EnvironmentsGFI Software
 
The Threats Posed by Portable Storage Devices
The Threats Posed by Portable Storage DevicesThe Threats Posed by Portable Storage Devices
The Threats Posed by Portable Storage DevicesGFI Software
 
Understanding Data Backups
Understanding Data BackupsUnderstanding Data Backups
Understanding Data BackupsGFI Software
 
Security Threats for SMBs
Security Threats for SMBsSecurity Threats for SMBs
Security Threats for SMBsGFI Software
 
Deploying GFI EventsManager™
Deploying GFI EventsManager™Deploying GFI EventsManager™
Deploying GFI EventsManager™GFI Software
 
Messaging and Web Security
Messaging and Web SecurityMessaging and Web Security
Messaging and Web SecurityGFI Software
 
How to Keep Spam Off Your Network
How to Keep Spam Off Your NetworkHow to Keep Spam Off Your Network
How to Keep Spam Off Your NetworkGFI Software
 
How to Block NDR Spam
How to Block NDR SpamHow to Block NDR Spam
How to Block NDR SpamGFI Software
 
How to tell if that pop-up window is offering you a rogue anti-malware product
How to tell if that pop-up window is offering you a rogue anti-malware productHow to tell if that pop-up window is offering you a rogue anti-malware product
How to tell if that pop-up window is offering you a rogue anti-malware productGFI Software
 
Binary translation
Binary translationBinary translation
Binary translationGFI Software
 
Why You Need an Email Exploit Detection Engine
Why You Need an Email Exploit Detection EngineWhy You Need an Email Exploit Detection Engine
Why You Need an Email Exploit Detection EngineGFI Software
 
VIPRE Business Takes a Bite out of Bloatware
VIPRE Business Takes a Bite out of BloatwareVIPRE Business Takes a Bite out of Bloatware
VIPRE Business Takes a Bite out of BloatwareGFI Software
 
When Less is More: Why Small Companies Should Think Outside the(Red/Yellow) B...
When Less is More: Why Small Companies Should Think Outside the(Red/Yellow) B...When Less is More: Why Small Companies Should Think Outside the(Red/Yellow) B...
When Less is More: Why Small Companies Should Think Outside the(Red/Yellow) B...GFI Software
 

Mais de GFI Software (18)

Spotlight on GFI EndPoint Security 2013
Spotlight on GFI EndPoint Security 2013Spotlight on GFI EndPoint Security 2013
Spotlight on GFI EndPoint Security 2013
 
Network Environments
Network EnvironmentsNetwork Environments
Network Environments
 
The Threats Posed by Portable Storage Devices
The Threats Posed by Portable Storage DevicesThe Threats Posed by Portable Storage Devices
The Threats Posed by Portable Storage Devices
 
Hybrid Technology
Hybrid TechnologyHybrid Technology
Hybrid Technology
 
Understanding Data Backups
Understanding Data BackupsUnderstanding Data Backups
Understanding Data Backups
 
Security Threats for SMBs
Security Threats for SMBsSecurity Threats for SMBs
Security Threats for SMBs
 
Security and SMBs
Security and SMBsSecurity and SMBs
Security and SMBs
 
Deploying GFI EventsManager™
Deploying GFI EventsManager™Deploying GFI EventsManager™
Deploying GFI EventsManager™
 
Maxmp greylisting
Maxmp greylistingMaxmp greylisting
Maxmp greylisting
 
Messaging and Web Security
Messaging and Web SecurityMessaging and Web Security
Messaging and Web Security
 
How to Keep Spam Off Your Network
How to Keep Spam Off Your NetworkHow to Keep Spam Off Your Network
How to Keep Spam Off Your Network
 
How to Block NDR Spam
How to Block NDR SpamHow to Block NDR Spam
How to Block NDR Spam
 
How to tell if that pop-up window is offering you a rogue anti-malware product
How to tell if that pop-up window is offering you a rogue anti-malware productHow to tell if that pop-up window is offering you a rogue anti-malware product
How to tell if that pop-up window is offering you a rogue anti-malware product
 
Binary translation
Binary translationBinary translation
Binary translation
 
Stopping Malware
Stopping MalwareStopping Malware
Stopping Malware
 
Why You Need an Email Exploit Detection Engine
Why You Need an Email Exploit Detection EngineWhy You Need an Email Exploit Detection Engine
Why You Need an Email Exploit Detection Engine
 
VIPRE Business Takes a Bite out of Bloatware
VIPRE Business Takes a Bite out of BloatwareVIPRE Business Takes a Bite out of Bloatware
VIPRE Business Takes a Bite out of Bloatware
 
When Less is More: Why Small Companies Should Think Outside the(Red/Yellow) B...
When Less is More: Why Small Companies Should Think Outside the(Red/Yellow) B...When Less is More: Why Small Companies Should Think Outside the(Red/Yellow) B...
When Less is More: Why Small Companies Should Think Outside the(Red/Yellow) B...
 

Último

DevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platformsDevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platformsSergiu Bodiu
 
Scanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL CertsScanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL CertsRizwan Syed
 
CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):comworks
 
From Family Reminiscence to Scholarly Archive .
From Family Reminiscence to Scholarly Archive .From Family Reminiscence to Scholarly Archive .
From Family Reminiscence to Scholarly Archive .Alan Dix
 
Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024Scott Keck-Warren
 
WordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your BrandWordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your Brandgvaughan
 
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)Mark Simos
 
Advanced Computer Architecture – An Introduction
Advanced Computer Architecture – An IntroductionAdvanced Computer Architecture – An Introduction
Advanced Computer Architecture – An IntroductionDilum Bandara
 
Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 365Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 3652toLead Limited
 
SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024Lorenzo Miniero
 
The Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and ConsThe Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and ConsPixlogix Infotech
 
Unleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding ClubUnleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding ClubKalema Edgar
 
Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?Mattias Andersson
 
Connect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck PresentationConnect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck PresentationSlibray Presentation
 
Leverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage Cost
Leverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage CostLeverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage Cost
Leverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage CostZilliz
 
"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii Soldatenko"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii SoldatenkoFwdays
 
What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024Stephanie Beckett
 
Hyperautomation and AI/ML: A Strategy for Digital Transformation Success.pdf
Hyperautomation and AI/ML: A Strategy for Digital Transformation Success.pdfHyperautomation and AI/ML: A Strategy for Digital Transformation Success.pdf
Hyperautomation and AI/ML: A Strategy for Digital Transformation Success.pdfPrecisely
 
Designing IA for AI - Information Architecture Conference 2024
Designing IA for AI - Information Architecture Conference 2024Designing IA for AI - Information Architecture Conference 2024
Designing IA for AI - Information Architecture Conference 2024Enterprise Knowledge
 

Último (20)

DevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platformsDevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platforms
 
Scanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL CertsScanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL Certs
 
CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):
 
From Family Reminiscence to Scholarly Archive .
From Family Reminiscence to Scholarly Archive .From Family Reminiscence to Scholarly Archive .
From Family Reminiscence to Scholarly Archive .
 
Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024
 
WordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your BrandWordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your Brand
 
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
 
E-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptx
E-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptxE-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptx
E-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptx
 
Advanced Computer Architecture – An Introduction
Advanced Computer Architecture – An IntroductionAdvanced Computer Architecture – An Introduction
Advanced Computer Architecture – An Introduction
 
Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 365Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 365
 
SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024
 
The Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and ConsThe Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and Cons
 
Unleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding ClubUnleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding Club
 
Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?
 
Connect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck PresentationConnect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck Presentation
 
Leverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage Cost
Leverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage CostLeverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage Cost
Leverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage Cost
 
"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii Soldatenko"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii Soldatenko
 
What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024
 
Hyperautomation and AI/ML: A Strategy for Digital Transformation Success.pdf
Hyperautomation and AI/ML: A Strategy for Digital Transformation Success.pdfHyperautomation and AI/ML: A Strategy for Digital Transformation Success.pdf
Hyperautomation and AI/ML: A Strategy for Digital Transformation Success.pdf
 
Designing IA for AI - Information Architecture Conference 2024
Designing IA for AI - Information Architecture Conference 2024Designing IA for AI - Information Architecture Conference 2024
Designing IA for AI - Information Architecture Conference 2024
 

Web reputation

  • 1. GFI White Paper How Web Reputation increases your online protection
  • 2. Contents Introduction to Web Reputation 3 Why use Web Reputation? 3 The value of using Web Reputation and antivirus software 3 The value of using Web Reputation with Content Categorization 4 Anatomy of a malware attack 4 How to use a Web Reputation Index – different scenarios 5 How is the Web Reputation Index calculated 6 Reputation Index for websites with malicious content 7 Dynamic real-time updates 7 About GFI® 7 How Web Reputation increases your online protection 2
  • 3. Introduction to Web Reputation Web Reputation is the latest method in use to boost protection against current to future malicious content on the web for those browsing the Internet. Using Web Reputation, websites are assessed for immediate and potential threats, malicious content and risky characteristics and a score (0 – 100) is given. In a similar way that Content Categorization places websites into different categories and classifies them based on their content, Web Reputation scores are used to determine the risk factor of each website. Once the score for a website has been determined, this will help an administrator to take action – block/ proceed with caution/allow access to those websites. Although a good antivirus engine offers significant threat coverage, and multiple antivirus engines provide greater protection than you get with a single antivirus engine, it is very difficult to achieve total protection in a very dynamic Web 2.0 world. Web Reputation fills a void left by traditional protection engines by giving a “safety” rating to websites and where necessary, allowing proactive blocking of risky sites. The GFI WebMonitor™ WebGrade Web Reputation Index is a comprehensive security assessment of a website based not only on its current threat level, but also on its potential to be a threat in the future. It gives each URL a score (0-100) – the lower the score, the greater the risk that website poses to users. Broadly speaking, web reputation scores typically fall into five risk bands: » High Risk (1 – 20) » Suspicious (21 – 40) » Moderate Risk (41 – 60) » Low Risk (61 – 80) » Trustworthy (81 – 100) Why use Web Reputation? To better understand the benefits of Web Reputation, here is a real world example. Let’s say you are going on vacation. While you are planning your holiday, you check the reviews of the hotel where you would like to stay before you actually take a decision to book or not. Unless you confirm that the hotel (which you’ve never stayed in before) has been given a good rating in various categories (price, cleanliness, location, family- friendly) etc. you wouldn’t book your stay there. The same concept applies to the Web. The Web Reputation Index is calculating a score for a website for you to proactively determine, on the basis of various ‘safety variables’, whether you should visit that site or not. The value of using Web Reputation and antivirus software With the growing number of malware threats and an ever-changing security landscape, it is increasingly difficult for traditional antivirus engines to be constantly up-to-date and protect users from ALL the latest threats. Different antivirus vendors have different response times to different types of emerging threats – some focus on speed and all the latest threats, while others focus on complete coverage with threat signatures going back many years. Therefore, having additional defence mechanisms in place to protect you against new zero-hour and zero-day threats is a must. Malware authors are constantly changing their techniques and use various tricks to outsmart antivirus engines. The ability to assess websites and domains on the basis of reputation radically boosts the software’s capability to protect users and organizations against new and unknown threats. Web Reputation enhances the security engine coverage through two main features: » It predicts the security risk a website poses before an actual threat is detected » It keeps a record of previously infected sites and uses this data as part of the scoring mechanism How Web Reputation increases your online protection 3
  • 4. The value of using Web Reputation with Content Categorization In web filtering, categories are used to identify the type of website, e.g. “News and Media”, “Shopping” and “Search Engines” among others. Some categories are by their very nature a security risk e.g. “Phishing” or “Malware”. However, all categories may feature websites which have reputation scores across the spectrum (see bands above). What this means is that in any category you can have a mix of sites which are a risk, and others which are safe. For example, a hypothetical website (www.snipe-a-fish.com) is categorized under “Hobbies and Recreation” – a category which is not typically considered a security threat. Although the website is in a category which is not known for pushing malicious content, the website itself is very poorly maintained, is prone to infection, and is therefore a high security risk. In fact, the website had been compromised already in the past and used to distribute malware. On the other hand, there are many sites which are very highly rated in the same category. Such a broad range of scores in the same category holds true for all categories – meaning that the risk factor of a website is usually independent of the category in which the website is found. This is why Web Reputation is so important – it adds a layer of protection irrespective of the category the website is in. Anatomy of a malware attack Cyber criminals know that the weakest link in most organizations is not the technology, but (in the majority of cases) the person sitting in front of a computer. These criminals, often out for financial gain, exploit the popularity of high traffic sites such as YouTube, Facebook and Twitter to distribute malicious links and payloads. Very often users are not even aware that by clicking on links they may be exposing their machine and the network to a number of threats. This ‘attack surface’ grew considerably with the introduction of short URLs (e.g. http://bit.ly/q9GelC) – all URLs look practically the same. The attackers also know that few users think about risk when they visit a new website and they use this behavior to their advantage, riding piggy-back on the success of high traffic sites which are used to initiate the transmission of malicious content. This content however requires a host, i.e. a website from where the content can be distributed. There are two ways to create malicious content on the web: » Create a new website or use an existing website to host the malicious content » Compromise (hack) a legitimate site and inject malicious content Cybercriminals and security organizations are playing a constant cat-and-mouse game – one side creating new malicious content, the other designing protective measures to block it. The best weapon for criminals is an ever-changing malware host. Effective attacks require a website or malware strain which is currently not recognized by antivirus engines. So the best means of attack is to actually deploy new websites or website hosts as often as possible. This ensures that these websites have not been recognized by security organizations and consequently blocked. Once a website is ‘caught’ by antivirus engines or other security measures, it loses its effectiveness and would need to be taken down and replaced by another. Zero-day/zero-hour 0-day/0-hour: the period of time from when a new malware hosting website is created until it is recognized as malicious. During this period, activity on these sites is considered high risk. In the zero-hour period, no matter how many antivirus engines you have deployed, anybody visiting a website hosting new malicious content is at risk and their machine will probably be infected. How Web Reputation increases your online protection 4
  • 5. Figure 1 - Stages in malware attack cycle So how do we mitigate this problem? Reputation is the answer. Certain types of websites, including those which have not been seen before are immediately classified as “Suspicious”. Applying a reputation score to websites and classifying them as “Suspicious” is a proactive approach to security – you are addressing a risk before it can become a serious threat. Figure 2 - How Reputation protects against unknown threats How to use a Web Reputation Index – different scenarios Known Compromised Sites – high risk (0 – 20) As soon as a website is detected as being compromised, its score immediately drops into the High Risk zone. Any website classified in the High Risk Zone should be treated as a “No Go Area” – the risk of infection is high for sites in the High Risk zone. Once the infection is cleaned, the site’s reputation is restored; though the reputation score will now take into account the fact that this site has an infection history (thus its score will initially be lower). Usage: Anything in the High Risk Zone should be blocked. How Web Reputation increases your online protection 5
  • 6. Unknown and Suspicious Sites (21 – 40) – proactive protection Unknown sites are typically sites which are relatively new and have never have been reviewed. With the classification engine scanning thousands of URLs per second, any legitimate URL will most likely have already been scanned and given an appropriate rating. Sites in this zone should be treated as suspicious. Usage: Anything in the Suspicious Zone should be blocked unless shown to be legitimate. Other Known Sites (41 – 60) – moderate risk These are other known sites which have been around for several months and could still present a risk because: » They have been infected in the past year » They have exhibited some kind of risky characteristic Usage: Proceed with caution! These sites should be handled with care and visited only by those who are knowledgeable in the subject area and will not expose others to the risk of infection. Relatively Safe Sites – (61 – 80) – low risk These known sites exhibit few risky characteristics and therefore are relatively safe. Usage: These sites have a low risk of infection and access can be given to everyone. Trustworthy (81-100) – trustworthy These are highly trusted sites which exhibit little to no risk and therefore are trustworthy and safe to visit. Usage: These sites have the lowest risk of infection and access can be given to everyone. How is the Web Reputation Index calculated Web Reputation is calculated using a large number of factors and a machine learning process. Rather than controlling the process manually, advanced techniques are used to allow the classifier to determine the correct weights based on millions of examples of “good websites” and “bad websites”. The following are some of the features analyzed: » Location of website • Geography (Country/City) • ISP/WebHost • IP neighborhood Some areas of the Internet are known to be “bad neighborhoods”. A website hosted in these neighborhoods could increase its risk rating. » Behavior and Content of website • JavaScript content and characteristics • Popups • Redirects • Executable file downloads How Web Reputation increases your online protection 6
  • 7. Websites which typically have or distribute malicious content are similar in terms of the content they provide. For example, creating multiple redirects to different websites is a technique which may be used by hackers to mask the true destination a website is trying to send users to. » Legitimacy • Domain/Category Age • Number of IP addresses for a site • Top Level Domain The above characteristics also show how legitimate a website is. For example, a website can be deployed with malicious content within a few hours. New websites are treated suspiciously unless it is otherwise clear that they are legitimate. » Threat History • Past Safety Track Record (history of infections in the last three and 12 month-periods) A site which has been infected in the past is a greater risk than a website which has a clean track record. More than 400 weighted variables are used to give a correct score. The weighting is not decided arbitrarily but based on the process’s capacity to analyze and determine the ideal weightings for each analyzed feature. Reputation Index for websites with malicious content A website which is found to be distributing malicious content is immediately put into the high-risk zone. The website stays in this zone until it has been “cleaned”. Once it is clean, rather than giving it the same score as before, the infection history is taken into consideration and its original score is only restored over a period of time. Most reputation services do not maintain a history of behaviour; on the other hand, the WebGrade Reputation index grows and decays over time depending on the behaviour of a website. Dynamic real-time updates Changes in the score of a website are immediately available via the hybrid reputation index service which consists of a local database of popular sites – and an online querying mechanism for sites not in the local database. Websites are revisited often to update the classification of the content; the revisit frequency varies depending on parameters such as the change velocity of the site, popularity, ranking, history of previous changes, and other relevant factors. About GFI GFI Software provides web and mail security, archiving, backup and fax, networking and security software and hosted IT solutions for small to medium-sized businesses (SMBs) via an extensive global partner community. GFI products are available either as on-premise solutions, in the cloud or as a hybrid of both delivery models. With award-winning technology, a competitive pricing strategy, and a strong focus on the unique requirements of SMBs, GFI satisfies the IT needs of organizations on a global scale. The company has offices in the United States (North Carolina, California and Florida), UK (London and Dundee), Austria, Australia, Malta, Hong Kong, Philippines and Romania, which together support hundreds of thousands of installations worldwide. GFI is a channel-focused company with thousands of partners throughout the world and is also a Microsoft Gold Certified Partner. More information about GFI can be found at http://www.gfi.com. How Web Reputation increases your online protection 7
  • 8. USA, CANADA AND CENTRAL AND SOUTH AMERICA GFI 2230 sep11 15300 Weston Parkway, Suite 104, Cary, NC 27513, USA Telephone: +1 (888) 243-4329 Fax: +1 (919) 379-3402 ussales@gfi.com UK AND REPUBLIC OF IRELAND Magna House, 18-32 London Road, Staines, Middlesex, TW18 4BP, UK Telephone: +44 (0) 870 770 5370 Fax: +44 (0) 870 770 5377 sales@gfi.co.uk EUROPE, MIDDLE EAST AND AFRICA GFI House, San Andrea Street, San Gwann, SGN 1612, Malta Telephone: +356 2205 2000 Fax: +356 2138 2419 sales@gfi.com AUSTRALIA AND NEW ZEALAND 83 King William Road, Unley 5061, South Australia Telephone: +61 8 8273 3000 Fax: +61 8 8273 3099 sales@gfiap.com For a full list of GFI offices/contact details worldwide, please visit http://www.gfi.com/contactus Disclaimer © 2011. GFI Software. All rights reserved. All product and company names herein may be trademarks of their respective owners. The information and content in this document is provided for informational purposes only and is provided “as is” with no warranty of any kind, either express or implied, including but not limited to the implied warranties of merchantability, fitness for a particular purpose, and non-infringement. GFI Software is not liable for any damages, including any consequential damages, of any kind that may result from the use of this document. The information is obtained from publicly available sources. Though reasonable effort has been made to ensure the accuracy of the data provided, GFI makes no claim, promise or guarantee about the completeness, accuracy, recency or adequacy of information and is not responsible for misprints, out- of-date information, or errors. GFI makes no warranty, express or implied, and assumes no legal liability or responsibility for the accuracy or completeness of any information contained in this document. If you believe there are any factual errors in this document, please contact us and we will review your concerns as soon as practical.