Prefetching: implications for forensics and policy enforcement

Prefetching is used by Google, and perhaps Yahoo!, to automatically begin downloading portions of the top pages listed in your search results. It is not available in Microsoft’s IE, but is configurable in Firefox and other Mozilla-based browsers.

This is a great “speeds and feeds” feature, but it raises the question of what it means for the end user and for the organization as a whole. Given the dozens of times I use Google to mine for data, I can attest that some results in the top ten are not what I was looking for and are not appropriate for browsing at any level. These sites may simply be spam sites that have grabbed the top links, “security” sites offering tools, or, worse, some form of attack website.

Consider the business impact on an organization where an end user searches for a topic and one of the ten results is a malicious site. This one site may be allowed to drop cookies and code onto the system that may attempt to compromise it. There is evidence that numerous websites are online and designed to exploit unsuspecting visitors. The introduction of malicious code into the organization can lead to a data breach, as happened recently at Pfizer via a P2P network. In addition, introducing this behaviour without control on the systems in question (every desktop in your organization that browses the internet and uses Google, which commands 65.26% market share) creates a lack of trust in the computing environment and increases the need for internal control validation.

There are many implications to having cache, cookies, or other website data from sites that violate organizational policy or local law. Individuals have been fired for browsing illegal sites, teachers have been prosecuted because of pop-ups, and companies conducting forensic efforts rely on all of the data on a system to present a clear understanding of events.

While faster load times are desirable, it should be strongly considered whether this is appropriate for EVERY workstation in your environment. The least difficult safeguard to apply would be to disable prefetching on workstations that have logical access to sensitive data. If this is not possible and prefetching is necessary, consider compensating controls at the perimeter and on the endpoints to continually clean the cache, prevent malicious code downloads, and restrict “prefetch” header requests. The NSA’s security guide highlights these compensating controls and specifically recommends setting Safari to “Private Browsing” or using a Firefox plugin that provides a more secure browsing platform.
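As an added example (not part of the original post), the following Python separates browser-initiated prefetch requests from pages the user actually chose to open, which is the distinction a forensic reviewer or a perimeter “prefetch header” control needs. It assumes the proxy logs request headers in the constructed tab-separated format shown, and that prefetches carry `X-moz: prefetch` (Firefox link prefetching) or a `Purpose`/`Sec-Purpose: prefetch` header (used by other browsers).

```python
# Added example: classify proxy log entries as user-requested or prefetched.
# Header names below are the ones browsers are known to send on prefetches;
# the log format itself is constructed for this example, not from any product.
from __future__ import annotations
from typing import Iterable

# Request headers that signal "the browser fetched this, not the user".
PREFETCH_HEADERS = ("x-moz", "purpose", "sec-purpose")


def is_prefetch(headers: dict[str, str]) -> bool:
    """True if any known prefetch-signalling header carries a prefetch value."""
    for name, value in headers.items():
        if name.strip().lower() in PREFETCH_HEADERS:
            v = value.strip().lower()
            if v == "prefetch" or v.startswith("prefetch;"):
                return True
    return False


def parse_line(line: str) -> dict:
    """Parse one constructed log line: time, client, method, url, k=v;k=v headers."""
    ts, client, method, url, raw_headers = line.rstrip("\n").split("\t", 4)
    headers: dict[str, str] = {}
    for pair in filter(None, raw_headers.split(";")):
        key, _, val = pair.partition("=")
        headers[key] = val
    return {"time": ts, "client": client, "method": method, "url": url, "headers": headers}


def classify(lines: Iterable[str]) -> dict[str, list[str]]:
    """Bucket URLs into those the user requested and those the browser prefetched."""
    result: dict[str, list[str]] = {"user": [], "prefetch": []}
    for line in lines:
        rec = parse_line(line)
        result["prefetch" if is_prefetch(rec["headers"]) else "user"].append(rec["url"])
    return result


# Constructed sample: a search, two prefetched results, then one result the user opened.
SAMPLE_LOG = [
    "2007-09-14T10:22:01Z\t10.0.0.15\tGET\thttp://www.google.com/search?q=log+analysis\tUser-Agent=Firefox",
    "2007-09-14T10:22:02Z\t10.0.0.15\tGET\thttp://example.net/results-page-1\tX-moz=prefetch",
    "2007-09-14T10:22:02Z\t10.0.0.15\tGET\thttp://unwanted.example/landing\tX-moz=prefetch;Referer=http://www.google.com/",
    "2007-09-14T10:22:09Z\t10.0.0.15\tGET\thttp://example.net/results-page-1\tReferer=http://www.google.com/",
]

if __name__ == "__main__":
    for bucket, urls in classify(SAMPLE_LOG).items():
        print(bucket, urls)
```

Note that the same URL (`results-page-1`) appears in both buckets: the prefetch put it in the cache before the user ever clicked it, which is exactly the ambiguity the post describes for forensic review.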

I would be interested in other observations on this type of technology, and in whether such exploits have been documented. Some browsers can confine the code to a virtual sandbox, but that changes only where the code resides, not whether it is present.

Best,

James
