Your SlideShare is downloading. ×
Mitigating Web 2.0  Threats
Upcoming SlideShare
Loading in...5
×

Thanks for flagging this SlideShare!

Oops! An error has occurred.

×
Saving this for later? Get the SlideShare app to save on your phone or tablet. Read anywhere, anytime – even offline.
Text the download link to your phone
Standard text messaging rates apply

Mitigating Web 2.0 Threats

1,104
views

Published on

Mitigating Web 2.0 Threats - Good report on threats from Web 2.0 websites like Facebook, LinkedIn, MySpace, YouTube, Live.com and others

Mitigating Web 2.0 Threats - Good report on threats from Web 2.0 websites like Facebook, LinkedIn, MySpace, YouTube, Live.com and others

Published in: Technology

0 Comments
0 Likes
Statistics
Notes
  • Be the first to comment

  • Be the first to like this

No Downloads
Views
Total Views
1,104
On Slideshare
0
From Embeds
0
Number of Embeds
0
Actions
Shares
0
Downloads
20
Comments
0
Likes
0
Embeds 0
No embeds

Report content
Flagged as inappropriate Flag as inappropriate
Flag as inappropriate

Select your reason for flagging this presentation as inappropriate.

Cancel
No notes for slide

Transcript

  • 1. Mitigating Web 2.0 Threats Or, “This isn’t your mother’s internet!” David Sherry CISSP CISM Chief Information Security Officer Sponsored By: Brown University
  • 2. Security @ Brown •Security evangelism •Public Safety support •Incident Response Team •Human Resources support •Audit support •Records Management •Compliance and legal •Business Continuity standards •Disaster Recovery •Firewalls, IDS, IPS, VPN, •Copyright / DMCA agent sniffers, A/V, DNS, etc…. •Discipline Committee •Security audits and •Mandatory / elective training certifications •Awareness 2
  • 3. Today’s Agenda (or is it a mashup?) • Our changing world of security • What is web 2.0? • Attack vectors and areas of concern • The evolution of the threats….they’re nothing new! • What should be focused on • Recommendations to reduce the threat
  • 4. Our World is Changing May you live in interesting times….. Chinese Proverb • Compliance is a key competency of security pros • Identity Theft is fastest growing crime • President’s Cyber Security Initiative provides spotlight • Online underground economy has matured • National and global economy means “do more with less” • Threat evolution: • Infrastructure > web/messaging > DLP > Web 2.0
  • 5. What is Web 2.0? Used with permission via Creative Commons: http://kosmar.de/archives/2005/11/11/the-huge-cloud-lens-bubble-map-web20/
  • 6. What is Web 2.0? From Wikipedia: (which is, itself, a 2.0 phenomenon) "Web 2.0" refers to web development and web design that facilitates interactive information sharing, interoperability, user-centered design and collaboration on the World Wide Web. Examples of Web 2.0 include web-based communities, hosted services, web applications, social-networking sites, video-sharing sites, wikis, blogs, mashups and folksonomies. A Web 2.0 site allows its users to interact with other users or to change website content, in contrast to non-interactive websites where users are limited to the passive viewing of information that is provided to them.
  • 7. Common Web 2.0 Descriptors • “User generated content” • “Mashups and web services” • “Consumer and enterprise convergence” • “Diversity of client software” • “Complexity and asynchronous operations”
  • 8. The Enterprise Triple-Threat of 2.0 1. Loss of productivity 2. Vulnerable to data leaks 3. Increased security risks
  • 9. Characteristics of Web 2.0 Security • Web filtering is no longer adequate • AJAX, SAML, XML create problems for detection • RSS and RIA can enter directly into networks • Non-static makes identification difficult • High bandwidth use can hinder availability • User generated content hard to contain
  • 10. Web 2.0 Attack Vectors • Blogs • Social networks • Web portals • Mashups • Pop-ups • Anonymizing proxies • Spamdexing • Widgets
  • 11. Web 2.0 Areas of Concern • Client side issues • Transparency and cross-domain communications; AJAX and JavaScript attacks on the rise • Protocols • New protocols on top of HTTP/S (SOAP, XML, etc) • Information sources • Concerns over integrity, transiency, and diversity • Information structures • Variations of data structures, injection attacks • Server side • Architecture, authorization, and authentication weaknesses
  • 12. Evolution of the Threats in 2.0 • USB and auto-run malicious code • Insiders are a threat, but they don’t know it • Adobe PDFs and Flash replace Word and Excel • Worms travel through social spaces into offices • DOS attacks against social networks • Malware travels via all conduits • Pop-ups advertise seemingly legitimate services and take advantage of current events
  • 13. So what do you focus on? From Secure Enterprise 2.0, the dangers come from: 1. Insufficient authentication controls 2. Cross-site scripting 3. Cross-site request forgery 4. Phishing 5. Information leakage 6. Injection flaws 7. Information integrity 8. Insufficient anti-automation www.secure-enterprise20.org
  • 14. Recommendations for Web 2.0 Technical: • Experts recommend a three-tiered, integrated data protection approach: • Maintain vigilant anti-virus protection • Establish a robust anti-malware protection program • Utilize an AJAX-aware analysis platform • Use real-time content and security scanning • Make sure browsers and plug-ins are patched • Don’t just patch “high” rated patches! • Remember your end points • Use encryption as a key strategic defense
  • 15. Recommendations for Web 2.0 Managerial: • Ensure that your policies are current and address 2.0 • Subjective policy setting • Group level access • Productivity based policies • Use a Data Loss Prevention as an essential teaching tool • Education and awareness must go beyond passwords • Ensure cross-functional response and participation • Speak with data!
  • 16. Ensuring a Defensive Web 2.0 Policy • Revisit your Acceptable Use Policy • View the policy from a web 2.0 lens • Be sure to cover new technologies like anonymizing proxies • Include other groups for strength • Human Resources, Risk Management, Privacy, Physical Security, Audit, and Legal • Step up your training and awareness for Web 2.0 concerns
  • 17. Support your policy through technology • IDS / IPS • Bandwidth shaping and throttling • Standard images • Group policy objects • Firewall rules • Anti-virus, spyware, and malware • Monitor for your good name!
  • 18. Summary • We are living in a changing world, and Web 2.0 is part of it • 2.0 brings added challenges and characteristics to security professionals • There are technical and managerial solutions to reduce Web 2.0 concerns • Like all emerging technologies and their related threats, a holistic security approach is needed
  • 19. There is never enough time; thank you for some of yours. David Sherry, CISSP CISM Chief Information Security Officer Brown University Campus Box 1885 Providence, RI 02912 401.863-7266 david_sherry@brown.edu
  • 20. Thanks to our Sponsors Product trial download page Free Whitepaper: Reduce shopping cart abandonment. Increase revenue.

×