The evolution of web threats

Are your colleagues putting your business at risk?

Bob Tarzey,
Service Director
Quocirca Ltd

Nov 12th 2009

We must never lose site of
the how critical to all
businesses the web has
become and attempts to
control its use should not
hamper communications
and productivity
Percentage of employees working remotely
at some point during a week

Remote working is 0% 20% 40% 60% 80% 100%

common practice
Overall
across all sectors
Utility
and the web is key
Telecomms and Media
to achieving such Finance
work place flexibly Industrial
and environment Public Sector
targets Healthcare
Retail
> 75% 51%-75% 25%-50% <25%

Source, Quocirca, The Distributed

Business Index, March 2008
Percentage saying external users are
provided access to internal systems

0% 20% 40% 60% 80%

Finance
Utility
Telecomms and Media
Public Sector
The web is also Retail
essential for Industrial
enabling Healthcare
communications Contractors Partners Suppliers Customers
with external
organisations and
at the core of Source, Quocirca, The Distributed
many business Business Index, March 2008
processes
Drivers for web-enabling applications

Web enabling
applications is
essential to Source, Quocirca, Web Enabled
achieve this Applications and the Internet October 2007
The web is a huge
source of
knowledge and
provides an
efficient and green
way of driving
internal and
external
communications
But there are of course concerns

Web threats

Employee
distraction

IT productivity
To what extent are the following a threat
to IT security in your organisation?

Malware
Internet Actual

Internal users Perceived

Data compromise
Scale from 1 = “not a
External users threat” to 5 = “a very
serious threat”
“Web 2” tools
Email Source, Quocirca, Privileged
User Management, October
Privileged users 2009
2 2.5 3

After malware in general, the internet, internal users and data

compromise are the issues IT managers worry about most – often
these 3 amount to the same thing
Web based threats

• “Traditional” malware (viruses, spyware etc.)

• SQL injection attacks
• Malicious advertisements
• Phishing
• Search engine result redirection
• Cross-site scripting
• Drive-by download
• Click jacking
• ...... What next?
Do employees implement back door solutions for
IM, VoIP, web conferencing etc.

0% 10% 20% 30% 40%

Definitely

Probably

Possibly
Source, Superhighway
at the Crossroads –
No
Quocirca, September
2008
Don't know

Employees will try to deploy tools if they are not enabled for
them, better to allow access in a controlled way
Use of Web 2.0 technologies in businesses

Heavily
Moderately
Sparingly
Not at all

Source, Quocirca, Why

Application Security is
Crucial, March 2008
Policies and technologies for Limiting or
blocking use

Yes

Working on creating
them
No

Source, Quocirca, Why

Application Security is
Crucial, March 2008
Enable and control

• Web access security tools are now a

mainstream offering from most IT security
vendors
– URL filtering
– Malware protection
– Extended to remote users
– Bandwidth management
– Policy definition and enforcement
Centralised policy

Print Blogs

USB SMTP
Policy
FTP Web 2.0

Web Mail HTTP

Two ways to implement web security

Network Cloud/security as
Edge a service
Thanks, this presentation will be available on
www.quocirca.com

Thank you
Bob Tarzey
Quocirca
www.quocirca.com