Is Web 2.0 Dangerous To Your Business?
I read recently in SC Magazine that Web 2.0 technologies may be open season for attackers. Why?
With the advent and uptake of Web 2.0 and its associated environment of P2P networking, social networking, bookmarking, media sharing, blogs, wikis and RSS feeds, the boundary between the trusted network and the Internet is quickly disappearing.
The question is whether this leaves an organisation open to a new generation of threats and, if so, just how bad they are and how they compare to the known threats of today. Experts feel that these new threats may make today's threats seem benign. Consider that several years ago email was the main method for delivering malware. Now email is used to direct the user to a website, and HTTP is used to deliver the malware.
However, this isn't necessarily the main concern for the security of the organisation. The whole premise of Web 2.0 is its collaborative nature. Sites like MySpace and Facebook are only successful if users actually use them. Bookmarking sites like StumbleUpon, Technorati and the like allow users to share their bookmarks, and blogs allow users to disseminate information.
Whilst this in itself is not a problem, the main issue is that data can be leaked from a corporate entity very easily, and the reach of Web 2.0 technology means that leaked data is disseminated even more quickly.
If information is leaked by email, the exposure is comparatively short-lived: delete the message and it is gone. Data leaked through blogs and social networking sites, however, can have an extremely long lifetime, because it is generally stored in searchable archives and is therefore easy for anyone to retrieve.
This is not the only challenge. Corporate data is being outsourced to web-based hosting, not only to save money but to ease sharing across remote locations. The issue is that web-based hosting has its own vulnerabilities, and these are exploited by attackers.
Phishing attackers use Web 2.0 extremely well. Phishing sites built using Rich Internet Applications (RIAs) appear legitimate, and both seasoned users and early-generation security products are fooled.
On the other side of the coin, legitimate stand-alone RIAs are powerful because they offload most of the processing to the client machine via a client engine that acts as an extension of the user's browser. That client executable can itself be used as a vector for malicious code.
RIAs that use ActiveX plug-ins, a common RIA technique, are especially vulnerable to attack. According to Symantec, 89% of browser plug-in vulnerabilities disclosed in the first half of 2007 affected ActiveX plug-ins in Internet Explorer.
Executable code embedded in the XML and script content of popular, legitimate websites makes those sites just as vulnerable to exploitation, or to being used to exploit their visitors. In 2007, a virus was found embedded in MySpace pages.
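The way executable code gets into a legitimate site's pages is almost always through user-supplied content that the site filters badly. The following is an added example, not code from the original article or from any of the sites it names: a blocklist filter that only strips `<script>` tags (the kind of filter embedded-script worms get past) next to an allowlist sanitizer that rebuilds the markup from known-safe tags and attributes. The tag and attribute policy and the sample payloads are constructed for this illustration.

```python
"""Two filters for user-supplied profile HTML: a script-tag blocklist and an
allowlist sanitizer. Policy and payloads below are constructed for this example."""
import re
from html import escape
from html.parser import HTMLParser
from typing import Dict, List, Set

# --- Blocklist filter (the weak approach) ----------------------------------
SCRIPT_TAG = re.compile(r"<\s*/?\s*script[^>]*>", re.IGNORECASE)


def blocklist_filter(html: str) -> str:
    """Remove <script>/</script> tags and pass everything else through unchanged."""
    return SCRIPT_TAG.sub("", html)


# --- Allowlist sanitizer (the hardened approach) ---------------------------
# Hypothetical policy for this example: a few formatting tags, a few attributes,
# and absolute http(s) URLs only. A real site would tune this list.
ALLOWED_TAGS: Set[str] = {"b", "i", "em", "strong", "p", "br", "div", "span", "a", "img"}
ALLOWED_ATTRS: Dict[str, Set[str]] = {"a": {"href", "title"}, "img": {"src", "alt"}}
URL_ATTRS = {"href", "src"}
SAFE_SCHEMES = ("http://", "https://")
VOID_TAGS = {"br", "img"}
DROP_CONTENT_TAGS = {"script", "style"}  # text inside these is discarded, not emitted


class AllowlistSanitizer(HTMLParser):
    def __init__(self) -> None:
        super().__init__(convert_charrefs=True)
        self.out: List[str] = []
        self.skipping = 0  # >0 while inside <script>/<style>

    def handle_starttag(self, tag, attrs):
        if tag in DROP_CONTENT_TAGS:
            self.skipping += 1
            return
        if tag not in ALLOWED_TAGS:
            return  # unknown tag is dropped; its text content is still emitted as text
        kept = []
        for name, value in attrs:
            if name not in ALLOWED_ATTRS.get(tag, set()) or value is None:
                continue  # drops on*, style, and any attribute not on the list
            if name in URL_ATTRS and not value.strip().lower().startswith(SAFE_SCHEMES):
                continue  # blocks javascript:, data:, vbscript: and relative URLs
            kept.append(f' {name}="{escape(value, quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")

    def handle_endtag(self, tag):
        if tag in DROP_CONTENT_TAGS:
            self.skipping = max(0, self.skipping - 1)
        elif tag in ALLOWED_TAGS and tag not in VOID_TAGS:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self.skipping:
            self.out.append(escape(data))  # re-escaped, so text can never become markup


def sanitize(html: str) -> str:
    """Rebuild user HTML from the allowlist only."""
    parser = AllowlistSanitizer()
    parser.feed(html)
    parser.close()
    return "".join(parser.out)


# Constructed payloads of the kind used to get past a script-tag blocklist.
PAYLOADS = [
    '<scr<script>ipt>alert(1)</script>',                          # tag splitting
    '<img src="x" onerror="alert(1)">',                           # event-handler attribute
    '<div style="background:url(javascript:alert(1))">hi</div>',  # script inside a CSS URL
    '<a href="javascript:alert(1)">click</a>',                    # javascript: URL
]

if __name__ == "__main__":
    for payload in PAYLOADS:
        print(f"blocklist : {blocklist_filter(payload)}")
        print(f"allowlist : {sanitize(payload)}\n")
```

Run as a script, the blocklist leaves every payload executable (the split-tag one is reassembled into a literal `<script>` by the filter itself), while the allowlist output carries no event handlers, no `style`, and no `javascript:` URLs. The design point is that the sanitizer never copies input to output; it emits only tags and attributes it knows, and re-escapes all text, so a bypass requires a flaw in the emitter rather than a gap in a pattern list.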
Experts are concerned that streaming video will be the next target. What would the effect of a Trojan embedded in a popular YouTube video be?
Using SSL is not a safeguard either. SSL encrypts the data stream from the user's PC to the end point, so the contents of the SSL tunnel are not inspected by security solutions sitting in between, unless an intercepting proxy with its own trusted CA terminates the connection. As a result, SSL can be used to sneak bots and Trojans past a corporate firewall and onto the trusted network. Once a bot is installed, it joins a botnet that uses similar SSL sessions to leak sensitive data and other valuable content out of the corporate network.
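Even when the payload cannot be decrypted, the first message of a TLS session (the ClientHello) is in the clear and normally carries the Server Name Indication (SNI) of the host being contacted, which is enough for a coarse egress check. The following is an added example, not code from the original article or from any vendor: it builds a minimal ClientHello for a constructed host name, parses the SNI back out of the raw record, and applies a hypothetical allowlist to it. The `.example.com` allowlist and the host names are assumptions made for the illustration.

```python
"""Inspect TLS egress without decrypting it: parse the SNI out of a ClientHello.
Records and the allowlist policy below are constructed for this example."""
import struct
from typing import Optional

TLS_HANDSHAKE = 0x16
CLIENT_HELLO = 0x01
EXT_SERVER_NAME = 0x0000
SNI_HOST_NAME = 0x00


def build_client_hello(server_name: Optional[str]) -> bytes:
    """Build a minimal TLS ClientHello record (constructed test input, not a capture)."""
    extensions = b""
    if server_name is not None:
        name = server_name.encode("ascii")
        entry = bytes([SNI_HOST_NAME]) + struct.pack("!H", len(name)) + name
        sni_list = struct.pack("!H", len(entry)) + entry
        extensions += struct.pack("!HH", EXT_SERVER_NAME, len(sni_list)) + sni_list
    body = (
        b"\x03\x03"                           # client_version (TLS 1.2 legacy value)
        + bytes(32)                           # random, zeroed for determinism
        + b"\x00"                             # session_id length 0
        + struct.pack("!H", 2) + b"\x13\x01"  # one cipher suite: TLS_AES_128_GCM_SHA256
        + b"\x01\x00"                         # one compression method: null
        + struct.pack("!H", len(extensions)) + extensions
    )
    handshake = bytes([CLIENT_HELLO]) + len(body).to_bytes(3, "big") + body
    return bytes([TLS_HANDSHAKE]) + b"\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def extract_sni(record: bytes) -> Optional[str]:
    """Return the SNI host_name from a ClientHello record, or None if absent.
    Raises ValueError if the bytes are not a ClientHello (plain HTTP, garbage on 443)."""
    if len(record) < 5 or record[0] != TLS_HANDSHAKE:
        raise ValueError("not a TLS handshake record")
    rec_len = struct.unpack("!H", record[3:5])[0]
    hs = record[5:5 + rec_len]
    if len(hs) < 4 or hs[0] != CLIENT_HELLO:
        raise ValueError("not a ClientHello")
    body = hs[4:4 + int.from_bytes(hs[1:4], "big")]
    pos = 2 + 32                                           # client_version and random
    pos += 1 + body[pos]                                   # session_id
    pos += 2 + struct.unpack("!H", body[pos:pos + 2])[0]   # cipher_suites
    pos += 1 + body[pos]                                   # compression_methods
    if pos + 2 > len(body):
        return None                                        # no extensions block at all
    end = pos + 2 + struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 2
    while pos + 4 <= end:
        e_type, e_len = struct.unpack("!HH", body[pos:pos + 4])
        pos += 4
        data = body[pos:pos + e_len]
        pos += e_len
        if e_type == EXT_SERVER_NAME:
            return _host_name(data)
    return None


def _host_name(data: bytes) -> Optional[str]:
    """Walk a ServerNameList and return the first host_name entry."""
    end = 2 + struct.unpack("!H", data[:2])[0]
    pos = 2
    while pos + 3 <= end:
        name_type = data[pos]
        name_len = struct.unpack("!H", data[pos + 1:pos + 3])[0]
        pos += 3
        if name_type == SNI_HOST_NAME:
            return data[pos:pos + name_len].decode("ascii")
        pos += name_len
    return None


# Hypothetical egress policy: only these corporate hosts may be reached over TLS.
ALLOWED_SNI_SUFFIXES = (".example.com",)


def egress_verdict(record: bytes, allowed_suffixes=ALLOWED_SNI_SUFFIXES) -> str:
    """What a non-decrypting egress filter can decide about one outbound connection."""
    try:
        sni = extract_sni(record)
    except (ValueError, IndexError, struct.error):
        return "block: not a tls clienthello"
    if sni is None:
        return "block: no sni"  # tunnels and bots often omit it; browsers rarely do
    if any(sni.endswith(suffix) for suffix in allowed_suffixes):
        return "allow"
    return "block: sni not on allowlist"


if __name__ == "__main__":
    for hello in (build_client_hello("mail.example.com"),
                  build_client_hello("update.malware-host.invalid"),  # constructed name
                  build_client_hello(None),
                  b"GET / HTTP/1.1\r\n"):
        print(egress_verdict(hello))
```

Two caveats a practitioner should keep in mind: the SNI is chosen by the client, so malware can present an allowed name and front through a permitted host, and with TLS 1.3 the server certificate is encrypted (and Encrypted Client Hello can hide the SNI too). This check therefore catches careless tunnels and policy violations, not a determined adversary; seeing the actual payload still requires a TLS-terminating proxy whose CA the endpoints trust.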
Can something be done to protect your organisation?
The first reaction of an organisation is simply to deny access to these services from the network. This won't work: too many legitimate sites use them.
Therefore, it is imperative that the security solution in use is able to scan any website visited for executable malware in real time. Vendors such as PCTOOLS release regular updates to their products.
The organisation also needs to develop and establish both broad and granular user-based policy controls over IM applications and Skype, without hindering user productivity or application performance. Finally, users must be made aware of Acceptable Use Policies, which should be updated regularly to encompass new Web 2.0 technologies and applications as they evolve.