Web Browsers Can Bring Unwanted Threats to Hospitality Operations

By Michael Montecillo | May 20, 2008

Today, technology is deeply embedded within the day-to-day operations of the hospitality industry. Computer technologies and the Web are vital to streamlining operations, marketing and online reservations processes. Visiting guests now expect and require robust Internet access whether on business or vacation. While all us of would like to get "off the grid" when traveling, the plain truth is today's discerning travelers, conference attendees and even diners are in constant need of Internet connectivity.

As Internet access and usage continue to rise within the hospitality industry, particularly among the guest contingent, it is increasingly important to deploy strong IT security measures. Protecting internal computer networks and, perhaps more importantly, the computers of visitors, is crucial for business, brand reputation and a positive guest experience.

That said, one of the fastest-growing areas on computer and network security is propagated via one of the most basic and widely used applications today is the Web browser. Because Web browsers have become essential to most enterprises, nefarious computer attackers are busy infecting a growing number of Web sites with malware that produce a seemingly endless range of browser-related vulnerability exploits. This trend has created a major new issue for IT security professionals: the need to secure the browser.

Browser Technology

From its inception, the browser has been fundamental to the Web paradigm. Today's browsers are uniquely suited to performing multiple tasks and delivering a user experience that is engaging, rich, and fulfilling. They are among the most useful utilities that a user could possess.

From a security perspective, however, these very qualities make browsers a virtual breeding ground for vulnerabilities. The increased trend in browser-related security attacks is directly connected to the continued proliferation of vulnerabilities that parallel the proliferation of functionality available in today's browser.

Consider some of the well-known technologies integrated with current browser environments, such as Flash, ActiveX, QuickTime, Java and JavaScript. Each of these technologies, though useful, are potential attack vectors for the malicious. There also are vulnerabilities inherent within the browsers themselves, including how browsers handle particular pieces of code, such as iFrames, that have caused massive incidents in enterprises in recent years.

Making these vulnerabilities even more severe are the hacking innovations that allow attackers to steal sensitive information easily through simple methods. These methods include simple HTML coding that allows malicious Websites to steal browser information from visitors. This is a major concern as the user's browser history often contains sensitive information relating to Intranet sites as well as heavily utilized SaaS sites such as Salesforce.com (which, not coincidentally, was a recent target of a malware distribution attack).

All Websites are Potential Vectors of Attack

Most security professionals are already well aware of the potential malware risk posed by "seedy" Web sites such as those revolving around "warez," gambling or pornography. These sites have long been a thorn in the side of IT security professionals as they deal with new forms of malware, or other threats that have exploited users visiting these sites. Unfortunately, as the threat environment has evolved, so too has the nature of Websites infected with malware. Seedy Web sites are no longer the only sites that will readily deliver malware to visitors.

Alternatively, consider the payoff of defacing a more well-known or popular Web site that attracts thousands of users a minute. Imagine the payoff of defacing the cover page of one of these heavily trafficked sites to include malicious code. In such a case, even the best security team may take a half hour or more to detect the issue, determine the proper course of action, and remediate the issue. Within that same half hour, several tens if not hundreds of thousands of people may have visited these sites, resulting in infections.

Computer incident response and field service professionals have been dealing with incidents caused by these security issues for several years. Unfortunately, there is no end in sight as the number of malicious Web sites and browser-related vulnerabilities continues to increase. Further complicating matters is the mere fact that the demand for browser functionality is so high that in most cases it outweighs the demand for security. The positive result of this unbalanced demand for functionality is an enhanced user experience, but the negative effect is high exposure to malware-infected sites that can cause enterprise-wide incidents.

Web Content Filtering Solutions
 
Security professionals are not helpless, however. In their arsenal is a strong set of weapons for fighting infections propagated by malicious websites. One of the easiest and most effective ways to reduce the risk of incidents caused by compromised browsers is to implement a Web content filtering solution.

Most organizations that implement Web content filtering solutions already have the ability to mitigate a high level of browser related risk. This is accomplished through blocking

sites that are typically not related to business activities. Utilizing a Web content filtering solution to block pornographic, tasteless, or offensive Web sites through a method known as URL filtering can make a significant contribution to reducing the risk of browser-related incidents.

However, implementation of a URL filtering solution alone is not nearly enough. As noted earlier, even useful, well-regarded Web sites can be defaced to include sophisticated attacks as a means to propagate malware. Because legitimate as well as suspicious sites can be so exploited, URL filtering solutions may not disallow users from browsing these sites, particularly if the subverted site is highly popular or necessary. In order to further reduce the risk of incidents related to normal browsing activities, enterprises must implement more sophisticated content filtering solutions that go above and beyond simple URL filtering. These solutions may contain technology such as anti-malware, automated code filtering and botnet detection.

Browser vulnerabilities will no doubt continue to be one of the major vectors for attack in 2008. This reality translates into a high risk for organizations who do not currently have a strategy for addressing the problems inherent in unguarded Internet surfing. From a threat standpoint, the number of Web pages containing a malicious attack is growing at an alarming rate.

While this perspective may not be promising for those responsible for enterprise security, it does not mean that enterprises will not be able to ensure a reasonable level of operational risk mitigation. Several IT security vendors have created innovative solutions to enhance browser-related security. Technology such as Web content filtering can reduce risk through the implementation of a simple countermeasure. New technology solutions continue to emerge that combine malware defenses with Web security controls.

Until then, hospitality operators should consider the implementation of advanced Web content filtering technology as a necessity in 2008. With both the threat and vulnerabilities related to browser security increasing, the implementation of an effective countermeasure will become increasingly critical.
 
Michael Montecillo is a security and risk management analyst for Enterprise Management Associates.

comments powered by Disqus

ht events

2014 Restaurant Executive Summit
2015 Multi-Unit Restaurant Technology Conference