Mitigating Web 2.0 Threats


Mitigating Web 2.0 Threats - Good report on threats from Web 2.0 websites like Facebook, LinkedIn, MySpace, YouTube, and others

Published in: Technology

  1. Mitigating Web 2.0 Threats
     Or, “This isn’t your mother’s internet!”
     David Sherry, CISSP, CISM, Chief Information Security Officer
     Sponsored By: Brown University

  2. Security @ Brown
     • Security evangelism
     • Public Safety support
     • Incident Response Team
     • Human Resources support
     • Audit support
     • Records Management
     • Compliance and legal
     • Business Continuity standards
     • Disaster Recovery
     • Firewalls, IDS, IPS, VPN, sniffers, A/V, DNS, etc.
     • Copyright / DMCA agent
     • Discipline Committee
     • Security audits and certifications
     • Mandatory / elective training
     • Awareness

  3. Today’s Agenda (or is it a mashup?)
     • Our changing world of security
     • What is Web 2.0?
     • Attack vectors and areas of concern
     • The evolution of the threats: they’re nothing new!
     • What should be focused on
     • Recommendations to reduce the threat

  4. Our World is Changing
     “May you live in interesting times.” (Chinese proverb)
     • Compliance is a key competency of security pros
     • Identity theft is the fastest growing crime
     • The President’s Cyber Security Initiative provides a spotlight
     • The online underground economy has matured
     • The national and global economy means “do more with less”
     • Threat evolution: Infrastructure > web/messaging > DLP > Web 2.0

  5. What is Web 2.0?
     [Image, used with permission via Creative Commons]

  6. What is Web 2.0?
     From Wikipedia (which is, itself, a 2.0 phenomenon):
     "Web 2.0" refers to web development and web design that facilitates interactive information sharing, interoperability, user-centered design and collaboration on the World Wide Web. Examples of Web 2.0 include web-based communities, hosted services, web applications, social-networking sites, video-sharing sites, wikis, blogs, mashups and folksonomies. A Web 2.0 site allows its users to interact with other users or to change website content, in contrast to non-interactive websites where users are limited to the passive viewing of information that is provided to them.

  7. Common Web 2.0 Descriptors
     • “User generated content”
     • “Mashups and web services”
     • “Consumer and enterprise convergence”
     • “Diversity of client software”
     • “Complexity and asynchronous operations”

  8. The Enterprise Triple-Threat of 2.0
     1. Loss of productivity
     2. Vulnerability to data leaks
     3. Increased security risks

  9. Characteristics of Web 2.0 Security
     • Web filtering is no longer adequate
     • AJAX, SAML and XML create problems for detection
     • RSS and RIA content can enter directly into networks
     • Non-static content makes identification difficult
     • High bandwidth use can hinder availability
     • User generated content is hard to contain

  10. Web 2.0 Attack Vectors
     • Blogs
     • Social networks
     • Web portals
     • Mashups
     • Pop-ups
     • Anonymizing proxies
     • Spamdexing
     • Widgets

  11. Web 2.0 Areas of Concern
     • Client side issues
       • Transparency and cross-domain communications; AJAX and JavaScript attacks on the rise
     • Protocols
       • New protocols on top of HTTP/S (SOAP, XML, etc.)
     • Information sources
       • Concerns over integrity, transiency, and diversity
     • Information structures
       • Variations of data structures, injection attacks
     • Server side
       • Architecture, authorization, and authentication weaknesses

  12. Evolution of the Threats in 2.0
     • USB and auto-run malicious code
     • Insiders are a threat, but they don’t know it
     • Adobe PDFs and Flash replace Word and Excel
     • Worms travel through social spaces into offices
     • DoS attacks against social networks
     • Malware travels via all conduits
     • Pop-ups advertise seemingly legitimate services and take advantage of current events

  13. So what do you focus on?
     From Secure Enterprise 2.0, the dangers come from:
     1. Insufficient authentication controls
     2. Cross-site scripting
     3. Cross-site request forgery
     4. Phishing
     5. Information leakage
     6. Injection flaws
     7. Information integrity
     8. Insufficient anti-automation
  14. Recommendations for Web 2.0
     Technical:
     • Experts recommend a three-tiered, integrated data protection approach:
       • Maintain vigilant anti-virus protection
       • Establish a robust anti-malware protection program
       • Utilize an AJAX-aware analysis platform
     • Use real-time content and security scanning
     • Make sure browsers and plug-ins are patched
       • Don’t just apply “high” rated patches!
     • Remember your end points
     • Use encryption as a key strategic defense

  15. Recommendations for Web 2.0
     Managerial:
     • Ensure that your policies are current and address 2.0
       • Subjective policy setting
       • Group level access
       • Productivity based policies
     • Use Data Loss Prevention as an essential teaching tool
     • Education and awareness must go beyond passwords
     • Ensure cross-functional response and participation
     • Speak with data!

  16. Ensuring a Defensive Web 2.0 Policy
     • Revisit your Acceptable Use Policy
       • View the policy through a Web 2.0 lens
       • Be sure to cover new technologies like anonymizing proxies
     • Include other groups for strength
       • Human Resources, Risk Management, Privacy, Physical Security, Audit, and Legal
     • Step up your training and awareness for Web 2.0 concerns

  17. Support your policy through technology
     • IDS / IPS
     • Bandwidth shaping and throttling
     • Standard images
     • Group policy objects
     • Firewall rules
     • Anti-virus, spyware, and malware
     • Monitor for your good name!

  18. Summary
     • We are living in a changing world, and Web 2.0 is part of it
     • 2.0 brings added challenges and characteristics for security professionals
     • There are technical and managerial solutions to reduce Web 2.0 concerns
     • Like all emerging technologies and their related threats, a holistic security approach is needed

  19. There is never enough time; thank you for some of yours.
     David Sherry, CISSP, CISM
     Chief Information Security Officer
     Brown University
     Campus Box 1885
     Providence, RI 02912
     401.863-7266

  20. Thanks to our Sponsors