Sivasubramanian Risk Management In The Web 2.0 Environment


Published on

My ISSA Publication selected as one of the best of 2009.

  • Be the first to comment

  • Be the first to like this

No Downloads
Total views
On SlideShare
From Embeds
Number of Embeds
Embeds 0
No embeds

No notes for slide

Sivasubramanian Risk Management In The Web 2.0 Environment

  1. 1. PreemInent truSted GlobAl ISSA ISSA Journal | February 2010 InformAtIon SecurIty communIty risk management in the Web 2.0 environment By Vinoth Sivasubramanian – ISSA member, UK Chapter, and in the process of founding/establishing a chapter in the United Arab Emirates (UAE) A recent study reports a significant percentage of organizations are not confident in the security measures that are in place for Web 2.0. this article looks to an integrated approach of people, processes, and technological controls to mitigate Web 2.0 security risks. W eb 2.0 refers to the second generation of Web de- straight approach. A recent study by KPMG Insider reports velopment and design and has brought about sig- a significant percentage of organizations are not confident nificant change in the Internet such as web-based in the security measures that are in place for Web 2.0.1 This communities, hosted services, and applications such as so- must be accomplished through an integrated approach of cial networking sites, wikis, blogs, video sharing sites, RSS people, processes, and technological controls. Before we delve feeds, and much more. Web 2.0 delivers a new kind of Web into the mitigation strategies, we will analyze the threats that experience that is interactive, real-time, and collaborative. are evident through Web 2.0 technologies. Although many of the underlying technical components of the Web have remained the same, the use of the Web as a plat- threat sources for Web 2.0 form on which to build rich applications is transforming our The threat table given in Figure 1 is intended to organize the online experience. Organizations are also investing in Web rest of the article. It is not intended to be complete, but can 2.0 technologies to harness its power to draw in more cus- be used as a sample to map out threats and their implications. tomers. The participatory approach of Web 2.0 is also taking governments by storm as well, leading to the next generation of governance: eGovernance 2.0. 1 Claire Le Masurier, “Risk Concerns Stall Uptake of Web 2.0 Technology in the Workplace,” A KPMG Insider Report 2008 – As with any paradigm shift, technologies and processes can cfm?pr=3012. take us to new levels of user expe- rience and productivity, but those Threat Source Vulnerable Areas Threat Impacts Implications same technologies also present us Social networks, blogs, Loss of sensitive data, with new levels of threats and risks. Humans instant messenger, private knowingly or unknow- Loss of reputation in the Whether inadvertent or intention- eyes of public email, etc. ingly al, the threats are equally danger- ous to people, customers, business, Malware, viruses, Browsers, unpatched spyware, logic bombs, Loss of CIA, legal implica- and countries. These risks, if iden- Systems/Networks systems, and servers and a host of other tions, and financial losses tified and controlled in the proper threats way, can bring a lot of benefits to Loss of CIA, legal, and the organization and society as a Application related Applications Malware, logic bombs financial implications. whole. Loss of CIA, legal implica- Managing and mitigating risks in Improper Controls Entire organization is exposed Loss of data, viruses, logic bombs, etc. tions, reputational damage, Web 2.0 requires a more diversi- and business losses fied approach rather than a single figure 1 – Web 2.0 threat sources 35
  2. 2. risk management in the Web 2.0 environment | Vinoth Sivasubramanian ISSA Journal | February 2010 Invest in training and development People are the weakest as well as the Keep the security people busy: invest in training security strongest link in an organization. personnel on latest threats and protections through internal resources or external training, and make sure that they stay updated on the latest trends and technologies. Security per- Now with some familiarity of the threat source, let us analyze sonnel who do not keep themselves updated on latest tech- some of the strategies that could be implemented for mitigat- nologies and trends pose a threat in of themselves. The IT/ ing and controlling the threats caused by the noted sources. security department should subscribe to good security jour- These threats can be mitigated through a multi-layered de- nals and sponsor memberships in professional organization fense process of internal controls, technological controls, and such as ISSA, ISACA, IEEE, etc., which provide a wealth of processes. information on security and related research. Human threats Instill ethics and integrity into the culture of the People are the weakest as well as the strongest link in an orga- organization nization. LinkedIn and MySpace are two of the major social This is by far the most potent weapon for creating an almost networking sites where people working within the organiza- infallible security culture and program within the organiza- tion can leak sensitive data deliberately or inadvertently. Or- tion, but also the most difficult. Outlined are some simple ganizations cannot block social networks because they are points to help create and foster a culture of integrity and eth- becoming the base infrastructure for business and personal ics within the organization. interaction of the future. For effective social network use in • Have a written code of ethics in place involving all the workplace and to ensure that valuable data is not leaked, business leaders; ensure that every employee signs it organizations must ensure the following minimal steps. and make him or her aware of the advantages of hav- define a policy for virtual environments ing one in place and how and where to report in case of violations. Have regular ethics awareness training Clearly document the websites/activities that are permitted programs for the staff members. within the corporate environment. Also document the ac- tivities that are allowed in virtual environments. With the • Leaders and senior management must practice in- help of a legal counsel, document the actions that would be tegrity and fairness in all their dealings; this way it initiated in the event of not complying with these policies. spreads and percolates as a culture within the orga- nization. monitor virtual environments • Develop mature, fair, and rigorous employee perfor- The workplace is not the only place vital data can be leaked; mance management systems. This will ensure that therefore, monitor virtual environments regularly. IT man- the right people are retained, trained, and motivated. agers must ensure that they organize an internal team to Have incentives linked to ethical behavior and acts; monitor virtual environments for slanderous comments, measure the effectiveness over time, and keep inno- sensitive data, and other objectionable content. This must be vating for a highly positive culture. done periodically, at least once a month, and reports stored. Deviations, if any, must be reported to management and ac- Protect system assets tions must be taken in accordance with local laws and orga- System assets include the servers, desktops, PDAs, Black- nizational policies. berries, laptops, and any other asset that is used for access- ing data in an organization. Since Web 2.0 runs on all web educate end users browsers, exploitation can occur both at the server side and Security is everyone’s responsibility. Educating end users on the client side, which can then get distributed. Therefore, it security awareness in the Web 2.0 environment is more criti- becomes mandatory to harden servers, desktops, PDAs, and cal than ever. It is essential that they be taught not only the laptops. Some suggested best practices for protecting systems traditional email, system, and web security jargons but also assets are the following: what can be discussed/posted on virtual environments. Also • A baseline standard like NIST can be used for hard- make clear the repercussions that would follow if inappro- ening the servers, operating systems, PDAs, desktops, priate behavior is discovered. Educate them on the potential and laptops risks that the organization is exposed to if browsing from an airport coffee shop or WiFi hotspot. Have a training manual, • Make sure an updated antivirus runs on all the sys- distribute it to everyone, and keep it updated. Conduct regu- tem assets in the organization lar security training awareness programs. • Make sure the necessary patches are updated on all the system assets 36
  3. 3. Enterprise Information Protection Companies serious about information protection choose Verdasys To learn more about Enterprise Information Protection (EIP) and Verdasys visit or call 781-788-8180 Enterprise Information Protection is a Verdasys Trademark. Copyright © 2010 Verdasys, Inc. All Rights Reserved.
  4. 4. risk management in the Web 2.0 environment | Vinoth Sivasubramanian ISSA Journal | February 2010 • Implement host intrusion prevention systems (HIPS) ensure that all caches and proxies are “security- with proper configurations to test for anomalies on aware” servers that host web applications Objects that can be cached must be filtered for malware, se- • Make sure you test all the system assets regularly to curity reputation, and URL filtering policy prior to delivery keep them updated against emerging threats to the requestor’s browser. Cached objects must have these network hardening filters applied each time the object is delivered to the end user because the reputation may have changed since the object was A hardened network implemented with proper next-genera- originally cached or the security policy of this requestor may tion firewalls and necessary controls provides a vital defense be different than the previous requestors. This policy might for the organization against any kind of attack. Fortifying be different in any of these areas: security reputation, URL networks is probably the first level of defense and must be filter policy, or malware. Deploying caches and proxies that properly done. are not security-aware runs the risk of delivering malicious Some of the basic and necessary steps that need to be per- code to the user. formed are the following, apart from the technological solu- tions that need to be implemented: enable bi-directional filtering • Harden all the network devices using standard base- Ensure that bi-directional filtering and application control lines such as NIST are implemented at the gateway for all kinds of web traffic. This will scan all incoming and outgoing web traffic, which • Manage change effectively on the networks: if a new will assist the IT security personnel in having a greater view route has to be added on the firewall/router, make sure of what comes in and goes out. Filter unwanted traffic; moni- a change management procedure is followed and up- tor violations, incident responses, and forensics. Store the date the configuration management database data onto a syslog server and archive it after a certain interval Implement next-generation firewalls of time. Legacy URL filtering solutions are insufficient. They rely only Implement deep-content protection on categorized databases of URL entries that only update a There are many products available in the market today for few times a day. What is needed is a “reputation system” that implementing deep-content protection. But for achieving assigns global reputations to URLs and IP addresses, and success organizations must make sure they have taken the works alongside the categorized databases for the ultimate following steps: protection. A sophisticated, third-generation reputation system provides a mechanism for determining the risk as- • Have a clearly defined security policy on what should sociated with receiving data from a particular website. This be done by whom reputation can be used in conjunction with categories in an • Define what is sensitive and what is not sensitive with organization’s security policy, allowing them the ability to reference to data make appropriate decisions based on both category and se- Once the above necessary steps are done then the deep- curity reputation information. This reputation-based URL content protection takes care of things: information that is filtering solution needs to be global in scope and internation- classified can be ensured not to be sent over personal email alized to handle websites in any language. IDs, or even through official IDs. Deep-content protection It is critical that the reputation system provides both web also empowers the IT security personnel to granularly con- and messaging reputation. Since malicious attacks are multi- trol what users will be able to do in the virtual world when protocol, the reputation system must be aware of both email using the organizational network; for example, users may be and web threats. A new domain without content cannot be allowed to view social networks but may be restricted access categorized, but if it is associated with IP addresses sending to posting. email and they have a history of spam, phishing, or other malicious activity, then the web reputation for this uncatego- use comprehensive access, management, and rized domain can immediately be determined and security reporting tools protections provided to those who try to access the site. Enterprises should deploy solutions that provide “at-a- Organizations should deploy email gateways that utilize glance” reporting on the status and health of their services. sender reputation to stop malicious attacks, often launched They also need both real-time and forensic reporting that al- via spam and social engineering. Email reputation is also lows them to drill down into problems for remediation and critical as spam, phishing, and other malicious emails will post-event analysis. Providing robust and extensible report- include an URL or IP address that needs to be immediately ing is a critical function to understand risk, refine policy, and fed back into the web gateway security infrastructure. measure compliance. 38
  5. 5. risk management in the Web 2.0 environment | Vinoth Sivasubramanian ISSA Journal | February 2010 with changing trends of security and business, and measure Application hardening their effectiveness by conducting regular awareness quizzes. Developing a successful and secure application involves Monitor for violations using technology, processes, and peo- many phases. While there are a plethora of articles and stan- ple. Record and rectify them. dards available on application-related vulnerabilities of Web 2.0 and how to deal with them, we will focus on the overall Incident response picture and not delve into each and every exploit here but In spite of the best firewalls, effective security policies and outline those basic steps that need to be taken which have audits, and the best people, breaches and threats can be real- often been overlooked in comparison with technical-related ized. If such an incident happens, make sure there is an inci- vulnerabilities. Following these simple steps can ensure to a dent response plan in place on how to deal with that situation. good extent that the applications are securely built. Future Train people on effective incident management procedures. vulnerabilities can be easily dealt with if these simple guide- lines are followed: conduct continuous risk assessment 1. Have/hire competent programmers in place who are also Conduct regular risk assessments on web applications with deft at handling application security. Develop a culture of a holistic approach towards security and check to see if the secure programming within the IT team. Have the infor- controls are to an optimum and desired level as expected by mation security personnel participate in the development the business units and executive management. process. 2. Practice good coding standards using baselines and other follow benchmarks standards available from various resources – one excellent Finally, benchmark your protection strategy at regular inter- resource is the Open Web Application Security Project vals against global standards or other best practices followed (OWASP).2 Ensure that the baselines and standards are by your peers or other organizations. Align them to your strictly followed by the programming team. business needs if needed. 3. Create a threat model of the application using known and unknown incidents and do stressful penetration tests on conclusion applications before they go live. Document the recordings Web 2.0 is a boon, and if implemented and managed prop- of the tests. This will serve as a reference point for building erly, organizations, societies, and countries can benefit from future applications and saves time and money. the participatory approach of the collaborative Internet. Or- 4. Have a mature risk assessment/ management process in ganizations and governments spanning countries must come place that has a holistic approach towards application de- forward with good regulations and measures for making this velopment: people risks, process risks, technological risks. new trend a success for one and all as cybersecurity and web- By having a mature risk management process in place, sites cannot be restricted to a single country alone. processes are repeatable/reproducible, saving time when newer applications are built. references • People risks: people risks are often considered be- — Jacques Bughin and James Manyika, “How Business are Using yond application purview but should be scrutinized Web 2.0,” Mckinsey Global Survey 2007 – http://www.mck- as carefully as the code they are producing. McKinsey_Global_Survey_1913. • Process risks: effective change management policy — “Losing Ground Global Security Survey 2009,” from Deloitte and application release management procedures – should be established and maintained for the devel- Entertainment/article/e510f6b085912210VgnVCM100000ba- opment cycle. 42f00aRCRD.htm. • Technological risks: are the best technologies being — Web 2.0 – used? For example, code should not be developed and — Web 2.0 Security Threats – compiled using older vulnerable versions, e.g., Java, when new stable releases are available – new releases About the Author mitigate a lot of known vulnerabilities. Vinoth Sivasubramanian, CEH, ABRC- CIP, ISO 27001 LA, has over seven years Process and policy control mechanisms of experience in the information security discipline in the domains of telecommu- Security policies in place nication, finance, and consulting. He is a member of the ISSA Educational Ad- Have effective security policies in place and ensure that they visory Council, a working committee are followed by everybody. Always have them current in line member of International Cyber Ethics, and a reviewer of IFIP Conference. He can be reached at vinoth. 2 OWASP – 46