Thursday, April 24, 2008
Recent mass web compromises continue to highlight the fact that users are at risk in every online transaction, even those that should be legitimate. Both Websense and SANS have published updated articles about the recent mass web infections affecting tens or hundreds of thousands of websites. I wanted to take a moment and expand on a couple of specific thoughts from SANS and Websense.

From SANS: “They have hit city websites, commercial sites and even government websites. This type of injection pretty much null and voids the concept of ‘trusted website’ or ‘safe sites’.”

From Websense: “Sites of varying content have been infected including UK government sites, and a United Nations website.”

The implications here are not trivial. If you are the typical government employee (not a security professional) and you’ve been through the security awareness training, actually read the security information notices from your IT department and have a decent level of awareness - you would probably still think that UN or UK/US government sites could be “trusted” and feel fairly comfortable browsing to them. Certainly some large percentage of the general user population would feel comfortable browsing those sites. And yet by doing so you would compromise the integrity of your system, network and organization. I see a major failure in the protection model here…
In my little mind, it is pretty much a given fact at this point that we can’t rely on restricting outbound access to the web for our user communities any more. I don’t see how most organizations are going to stop their users from finding ways to use YouTube, Google, Yahoo, Facebook, MySpace, Twitter, LinkedIn or the next new app. We can continue to try.. but in the end we are swimming against the ocean current, bleeding with sharks circling… Today’s user community needs the Internet nearly as much as air, food, water and sleep. It is built into their/our DNA at this point…. A quick point of reference… when my son graduates high school he’ll have 15 years of Internet/computer experience - assuming he makes it that far.

More importantly, as the above quotes indicate, even if an organization does work through the politics of restricting access to “legitimate” sites and somehow manages to keep up with that - you are still not fully protecting your user base. The end problem is the same.. the user’s system will be compromised/infected - it is only a matter of time. Hopefully, you’ll have the defenses in place to reduce the exposure once that compromise/infection occurs (and the visibility to know when it occurs). Current traditional client-side defenses (patching, host firewall, anti-virus, etc.) are simply not effective enough to protect our users from hurting themselves and the rest of the organization. We need to find better ways of protecting users and our networks.

I’ve heard organizations consider letting the users assume the risk completely - the argument is that since no combination of technology/training/awareness is effective in stopping compromise/infection anyway, why waste the resources? Those organizations may be looking to virtual sandbox user environments that are cleaned with every login/logout. The organization can then focus on protecting and monitoring the “core” more effectively.
Now, I’m not advocating that this is the solution… I just wanted to point out that there is serious frustration here, and for good reason. We as security professionals need to find better ways of protecting our customers. What are you doing to protect your user community?