What IT Security can learn from a restroom sign
As an industry - both security and application delivery - we talk a lot about securing the application infrastructure (databases, web and application servers) by making sure that the data going into the applications is "clean". After all, we know that GIGO (Garbage In Garbage Out) is a true statement in terms of web applications and data.
Unfortunately we tend to worry a lot more about the GI than the GO. While it's better for everyone to prevent that SQL injection or XSS attack from polluting our databases and potentially distributing malicious code to hundreds or thousands of users, that's not always possible as we've seen with the recent Adobe Zero Day exploit. SearchSecurity.com reports that McAfee has discovered a large number of sites poisoned by this exploit.
Poisoned. How apropos.
We've all seen the sign in the restroom of a restaurant, admonishing employees to "wash their hands before returning to work." That's because restaurateurs are attempting to mitigate the risk of poisoning their patrons with infections or potentially deadly viruses like e coli.
So in order to minimize their risk, they make it a policy that all employees need to make an effort to neutralize germs by washing their hands before serving food to their customers.
IT Security and developers could learn a lot from that sign because it applies to anyone in the business of serving content just as well as it applies to those businesses that serve food.
That's right. We should wash content before serving it to users to mitigate the potential for poisoning a user's desktop with malicious code.
Unfortunately, most security solutions are only concerned with keeping "bad stuff" from getting in, not preventing "bad stuff" from getting out. There are plenty of solutions out there that deal with data leak prevention, but few that specifically prevent malicious code from leaking into the nether regions of the Internet.
Yet the same solutions capable of stopping sensitive data from leaving the organization should be capable of preventing malicious content from leaving the organization as well. Those solutions with dynamic platforms capable of examining content as it leaves the building, as it were, can also stop that content before it infects users. In essence, such solutions can "wash the content" before serving it to users.
You might be thinking "It's a lot easier to wash my hands than it is content. After all, I don't know what I'm looking for in the content!"
Hey - you don't really know what you're looking for on your hands, either. Germs are microscopic, and even if you did know what they looked like you couldn't find them anyway - they're too small to see. But there are some things you can look for that may indicate something's rotten in the kitchen, or in your corporate database.
- Do your pages have Flash objects? Do those Flash objects belong in the middle of a forum?
- Does your application load content from external sites?
- Does your application use certain scripting functions like "document.write" or "window.open" routinely?
If you can get to know your application, then you can start crafting the right kind of content evaluation that can more easily determine if you've been infected and are passing it along to your users. While you can certainly craft a solution to stop a specific attack, like the Adobe exploit, it's a good idea to have a general solution that might be able to counter other zero day attacks and worms. If your application should only load content from certain sites, then look for attempts to load external content and verify that the site is one of those "approved" sites. If your application never uses "document.write" and suddenly it shows up in a web page, something ain't right.
What you do when you discover an infected application is up to you. If your solution is intelligent and flexible enough, you can block the whole page or just strip out the offending content. You can send a nice response to the user while simultaneously writing a log entry that will alert your security staff that there is a problem.
The problem isn't that the technology to accomplish this doesn't exist - it does - it's that we've been so focused on what goes in that we've sometimes forgotten to look at what goes out.
So as you're considering how to protect your applications, remember that sign in the restroom. Just as sincerely as you hope the staff at your favorite restaurant is minding their notice, so your users are hoping that you're minding one like it.
Imbibing: Coffee
Some F5 iRules that can help you start craft a content washing solution: