SlideShare a Scribd company logo

Sivasubramanian Risk Management In The Web 2.0 Environment

V
Vinoth Sivasubramanan

My ISSA Publication selected as one of the best of 2009.

1 of 5
Download to read offline
PreemInent truSted GlobAl ISSA ISSA Journal | February 2010 InformAtIon SecurIty communIty risk management in the Web 2.0 environment By Vinoth Sivasubramanian – ISSA member, UK Chapter, and in the process of founding/establishing a chapter in the United Arab Emirates (UAE) A recent study reports a significant percentage of organizations are not confident in the security measures that are in place for Web 2.0. this article looks to an integrated approach of people, processes, and technological controls to mitigate Web 2.0 security risks. W eb 2.0 refers to the second generation of Web de- straight approach. A recent study by KPMG Insider reports velopment and design and has brought about sig- a significant percentage of organizations are not confident nificant change in the Internet such as web-based in the security measures that are in place for Web 2.0.1 This communities, hosted services, and applications such as so- must be accomplished through an integrated approach of cial networking sites, wikis, blogs, video sharing sites, RSS people, processes, and technological controls. Before we delve feeds, and much more. Web 2.0 delivers a new kind of Web into the mitigation strategies, we will analyze the threats that experience that is interactive, real-time, and collaborative. are evident through Web 2.0 technologies. Although many of the underlying technical components of the Web have remained the same, the use of the Web as a plat- threat sources for Web 2.0 form on which to build rich applications is transforming our The threat table given in Figure 1 is intended to organize the online experience. Organizations are also investing in Web rest of the article. It is not intended to be complete, but can 2.0 technologies to harness its power to draw in more cus- be used as a sample to map out threats and their implications. tomers. The participatory approach of Web 2.0 is also taking governments by storm as well, leading to the next generation of governance: eGovernance 2.0. 1 Claire Le Masurier, “Risk Concerns Stall Uptake of Web 2.0 Technology in the Workplace,” A KPMG Insider Report 2008 – http://www.kpmg.co.uk/news/detail. As with any paradigm shift, technologies and processes can cfm?pr=3012. take us to new levels of user expe- rience and productivity, but those Threat Source Vulnerable Areas Threat Impacts Implications same technologies also present us Social networks, blogs, Loss of sensitive data, with new levels of threats and risks. Humans instant messenger, private knowingly or unknow- Loss of reputation in the Whether inadvertent or intention- eyes of public email, etc. ingly al, the threats are equally danger- ous to people, customers, business, Malware, viruses, Browsers, unpatched spyware, logic bombs, Loss of CIA, legal implica- and countries. These risks, if iden- Systems/Networks systems, and servers and a host of other tions, and financial losses tified and controlled in the proper threats way, can bring a lot of benefits to Loss of CIA, legal, and the organization and society as a Application related Applications Malware, logic bombs financial implications. whole. Loss of CIA, legal implica- Managing and mitigating risks in Improper Controls Entire organization is exposed Loss of data, viruses, logic bombs, etc. tions, reputational damage, Web 2.0 requires a more diversi- and business losses fied approach rather than a single figure 1 – Web 2.0 threat sources 35
risk management in the Web 2.0 environment | Vinoth Sivasubramanian ISSA Journal | February 2010 Invest in training and development People are the weakest as well as the Keep the security people busy: invest in training security strongest link in an organization. personnel on latest threats and protections through internal resources or external training, and make sure that they stay updated on the latest trends and technologies. Security per- Now with some familiarity of the threat source, let us analyze sonnel who do not keep themselves updated on latest tech- some of the strategies that could be implemented for mitigat- nologies and trends pose a threat in of themselves. The IT/ ing and controlling the threats caused by the noted sources. security department should subscribe to good security jour- These threats can be mitigated through a multi-layered de- nals and sponsor memberships in professional organization fense process of internal controls, technological controls, and such as ISSA, ISACA, IEEE, etc., which provide a wealth of processes. information on security and related research. Human threats Instill ethics and integrity into the culture of the People are the weakest as well as the strongest link in an orga- organization nization. LinkedIn and MySpace are two of the major social This is by far the most potent weapon for creating an almost networking sites where people working within the organiza- infallible security culture and program within the organiza- tion can leak sensitive data deliberately or inadvertently. Or- tion, but also the most difficult. Outlined are some simple ganizations cannot block social networks because they are points to help create and foster a culture of integrity and eth- becoming the base infrastructure for business and personal ics within the organization. interaction of the future. For effective social network use in • Have a written code of ethics in place involving all the workplace and to ensure that valuable data is not leaked, business leaders; ensure that every employee signs it organizations must ensure the following minimal steps. and make him or her aware of the advantages of hav- define a policy for virtual environments ing one in place and how and where to report in case of violations. Have regular ethics awareness training Clearly document the websites/activities that are permitted programs for the staff members. within the corporate environment. Also document the ac- tivities that are allowed in virtual environments. With the • Leaders and senior management must practice in- help of a legal counsel, document the actions that would be tegrity and fairness in all their dealings; this way it initiated in the event of not complying with these policies. spreads and percolates as a culture within the orga- nization. monitor virtual environments • Develop mature, fair, and rigorous employee perfor- The workplace is not the only place vital data can be leaked; mance management systems. This will ensure that therefore, monitor virtual environments regularly. IT man- the right people are retained, trained, and motivated. agers must ensure that they organize an internal team to Have incentives linked to ethical behavior and acts; monitor virtual environments for slanderous comments, measure the effectiveness over time, and keep inno- sensitive data, and other objectionable content. This must be vating for a highly positive culture. done periodically, at least once a month, and reports stored. Deviations, if any, must be reported to management and ac- Protect system assets tions must be taken in accordance with local laws and orga- System assets include the servers, desktops, PDAs, Black- nizational policies. berries, laptops, and any other asset that is used for access- ing data in an organization. Since Web 2.0 runs on all web educate end users browsers, exploitation can occur both at the server side and Security is everyone’s responsibility. Educating end users on the client side, which can then get distributed. Therefore, it security awareness in the Web 2.0 environment is more criti- becomes mandatory to harden servers, desktops, PDAs, and cal than ever. It is essential that they be taught not only the laptops. Some suggested best practices for protecting systems traditional email, system, and web security jargons but also assets are the following: what can be discussed/posted on virtual environments. Also • A baseline standard like NIST can be used for hard- make clear the repercussions that would follow if inappro- ening the servers, operating systems, PDAs, desktops, priate behavior is discovered. Educate them on the potential and laptops risks that the organization is exposed to if browsing from an airport coffee shop or WiFi hotspot. Have a training manual, • Make sure an updated antivirus runs on all the sys- distribute it to everyone, and keep it updated. Conduct regu- tem assets in the organization lar security training awareness programs. • Make sure the necessary patches are updated on all the system assets 36
Enterprise Information Protection Companies serious about information protection choose Verdasys To learn more about Enterprise Information Protection (EIP) and Verdasys visit www.verdasys.com/eip or call 781-788-8180 Enterprise Information Protection is a Verdasys Trademark. Copyright © 2010 Verdasys, Inc. All Rights Reserved.
risk management in the Web 2.0 environment | Vinoth Sivasubramanian ISSA Journal | February 2010 • Implement host intrusion prevention systems (HIPS) ensure that all caches and proxies are “security- with proper configurations to test for anomalies on aware” servers that host web applications Objects that can be cached must be filtered for malware, se- • Make sure you test all the system assets regularly to curity reputation, and URL filtering policy prior to delivery keep them updated against emerging threats to the requestor’s browser. Cached objects must have these network hardening filters applied each time the object is delivered to the end user because the reputation may have changed since the object was A hardened network implemented with proper next-genera- originally cached or the security policy of this requestor may tion firewalls and necessary controls provides a vital defense be different than the previous requestors. This policy might for the organization against any kind of attack. Fortifying be different in any of these areas: security reputation, URL networks is probably the first level of defense and must be filter policy, or malware. Deploying caches and proxies that properly done. are not security-aware runs the risk of delivering malicious Some of the basic and necessary steps that need to be per- code to the user. formed are the following, apart from the technological solu- tions that need to be implemented: enable bi-directional filtering • Harden all the network devices using standard base- Ensure that bi-directional filtering and application control lines such as NIST are implemented at the gateway for all kinds of web traffic. This will scan all incoming and outgoing web traffic, which • Manage change effectively on the networks: if a new will assist the IT security personnel in having a greater view route has to be added on the firewall/router, make sure of what comes in and goes out. Filter unwanted traffic; moni- a change management procedure is followed and up- tor violations, incident responses, and forensics. Store the date the configuration management database data onto a syslog server and archive it after a certain interval Implement next-generation firewalls of time. Legacy URL filtering solutions are insufficient. They rely only Implement deep-content protection on categorized databases of URL entries that only update a There are many products available in the market today for few times a day. What is needed is a “reputation system” that implementing deep-content protection. But for achieving assigns global reputations to URLs and IP addresses, and success organizations must make sure they have taken the works alongside the categorized databases for the ultimate following steps: protection. A sophisticated, third-generation reputation system provides a mechanism for determining the risk as- • Have a clearly defined security policy on what should sociated with receiving data from a particular website. This be done by whom reputation can be used in conjunction with categories in an • Define what is sensitive and what is not sensitive with organization’s security policy, allowing them the ability to reference to data make appropriate decisions based on both category and se- Once the above necessary steps are done then the deep- curity reputation information. This reputation-based URL content protection takes care of things: information that is filtering solution needs to be global in scope and internation- classified can be ensured not to be sent over personal email alized to handle websites in any language. IDs, or even through official IDs. Deep-content protection It is critical that the reputation system provides both web also empowers the IT security personnel to granularly con- and messaging reputation. Since malicious attacks are multi- trol what users will be able to do in the virtual world when protocol, the reputation system must be aware of both email using the organizational network; for example, users may be and web threats. A new domain without content cannot be allowed to view social networks but may be restricted access categorized, but if it is associated with IP addresses sending to posting. email and they have a history of spam, phishing, or other malicious activity, then the web reputation for this uncatego- use comprehensive access, management, and rized domain can immediately be determined and security reporting tools protections provided to those who try to access the site. Enterprises should deploy solutions that provide “at-a- Organizations should deploy email gateways that utilize glance” reporting on the status and health of their services. sender reputation to stop malicious attacks, often launched They also need both real-time and forensic reporting that al- via spam and social engineering. Email reputation is also lows them to drill down into problems for remediation and critical as spam, phishing, and other malicious emails will post-event analysis. Providing robust and extensible report- include an URL or IP address that needs to be immediately ing is a critical function to understand risk, refine policy, and fed back into the web gateway security infrastructure. measure compliance. 38
risk management in the Web 2.0 environment | Vinoth Sivasubramanian ISSA Journal | February 2010 with changing trends of security and business, and measure Application hardening their effectiveness by conducting regular awareness quizzes. Developing a successful and secure application involves Monitor for violations using technology, processes, and peo- many phases. While there are a plethora of articles and stan- ple. Record and rectify them. dards available on application-related vulnerabilities of Web 2.0 and how to deal with them, we will focus on the overall Incident response picture and not delve into each and every exploit here but In spite of the best firewalls, effective security policies and outline those basic steps that need to be taken which have audits, and the best people, breaches and threats can be real- often been overlooked in comparison with technical-related ized. If such an incident happens, make sure there is an inci- vulnerabilities. Following these simple steps can ensure to a dent response plan in place on how to deal with that situation. good extent that the applications are securely built. Future Train people on effective incident management procedures. vulnerabilities can be easily dealt with if these simple guide- lines are followed: conduct continuous risk assessment 1. Have/hire competent programmers in place who are also Conduct regular risk assessments on web applications with deft at handling application security. Develop a culture of a holistic approach towards security and check to see if the secure programming within the IT team. Have the infor- controls are to an optimum and desired level as expected by mation security personnel participate in the development the business units and executive management. process. 2. Practice good coding standards using baselines and other follow benchmarks standards available from various resources – one excellent Finally, benchmark your protection strategy at regular inter- resource is the Open Web Application Security Project vals against global standards or other best practices followed (OWASP).2 Ensure that the baselines and standards are by your peers or other organizations. Align them to your strictly followed by the programming team. business needs if needed. 3. Create a threat model of the application using known and unknown incidents and do stressful penetration tests on conclusion applications before they go live. Document the recordings Web 2.0 is a boon, and if implemented and managed prop- of the tests. This will serve as a reference point for building erly, organizations, societies, and countries can benefit from future applications and saves time and money. the participatory approach of the collaborative Internet. Or- 4. Have a mature risk assessment/ management process in ganizations and governments spanning countries must come place that has a holistic approach towards application de- forward with good regulations and measures for making this velopment: people risks, process risks, technological risks. new trend a success for one and all as cybersecurity and web- By having a mature risk management process in place, sites cannot be restricted to a single country alone. processes are repeatable/reproducible, saving time when newer applications are built. references • People risks: people risks are often considered be- — Jacques Bughin and James Manyika, “How Business are Using yond application purview but should be scrutinized Web 2.0,” Mckinsey Global Survey 2007 – http://www.mck- as carefully as the code they are producing. inseyquarterly.com/How_businesses_are_using_Web_20_A_ McKinsey_Global_Survey_1913. • Process risks: effective change management policy — “Losing Ground Global Security Survey 2009,” from Deloitte and application release management procedures – http://www.deloitte.com/view/en_US/us/Industries/Media- should be established and maintained for the devel- Entertainment/article/e510f6b085912210VgnVCM100000ba- opment cycle. 42f00aRCRD.htm. • Technological risks: are the best technologies being — Web 2.0 – www.wikipedia.org. used? For example, code should not be developed and — Web 2.0 Security Threats – www.enterprise2.0.org. compiled using older vulnerable versions, e.g., Java, when new stable releases are available – new releases About the Author mitigate a lot of known vulnerabilities. Vinoth Sivasubramanian, CEH, ABRC- CIP, ISO 27001 LA, has over seven years Process and policy control mechanisms of experience in the information security discipline in the domains of telecommu- Security policies in place nication, finance, and consulting. He is a member of the ISSA Educational Ad- Have effective security policies in place and ensure that they visory Council, a working committee are followed by everybody. Always have them current in line member of International Cyber Ethics, and a reviewer of IFIP Conference. He can be reached at vinoth. 2 OWASP – www.owasp.org. sivasubramanian@gmail.com. 46

Recommended

Security annual report_mid2010
Security annual report_mid2010Security annual report_mid2010
Security annual report_mid2010thaiantivirus
 
Darktrace_WhitePaper_EnterpriseImmuneSystem
Darktrace_WhitePaper_EnterpriseImmuneSystemDarktrace_WhitePaper_EnterpriseImmuneSystem
Darktrace_WhitePaper_EnterpriseImmuneSystemAustin Eppstein
 
7350_RiskWatch-Summer2015-Maligec
7350_RiskWatch-Summer2015-Maligec7350_RiskWatch-Summer2015-Maligec
7350_RiskWatch-Summer2015-MaligecChristine Maligec, CRM-E, CRIS
 
Puppetnets and Botnets: Information Technology Vulnerability Exploits
Puppetnets and Botnets: Information Technology Vulnerability ExploitsPuppetnets and Botnets: Information Technology Vulnerability Exploits
Puppetnets and Botnets: Information Technology Vulnerability Exploitsecarrow
 
Information Security Governance at Board and Executive Level
Information Security Governance at Board and Executive LevelInformation Security Governance at Board and Executive Level
Information Security Governance at Board and Executive LevelKoen Maris
 
2012 security services clientprex
2012 security services clientprex2012 security services clientprex
2012 security services clientprexKim Aarenstrup
 
Wall street journal 22 sept 10 - perspectives on risk it
Wall street journal 22 sept 10 - perspectives on risk itWall street journal 22 sept 10 - perspectives on risk it
Wall street journal 22 sept 10 - perspectives on risk itMessiernl
 
Print - Overlooked piece of the security puzzle whitepaper - DRAFT
Print - Overlooked piece of the security puzzle whitepaper - DRAFTPrint - Overlooked piece of the security puzzle whitepaper - DRAFT
Print - Overlooked piece of the security puzzle whitepaper - DRAFTGerry Skipwith
 

Recommended

Security annual report_mid2010
Security annual report_mid2010Security annual report_mid2010
Security annual report_mid2010thaiantivirus
 
Darktrace_WhitePaper_EnterpriseImmuneSystem
Darktrace_WhitePaper_EnterpriseImmuneSystemDarktrace_WhitePaper_EnterpriseImmuneSystem
Darktrace_WhitePaper_EnterpriseImmuneSystemAustin Eppstein
 
7350_RiskWatch-Summer2015-Maligec
7350_RiskWatch-Summer2015-Maligec7350_RiskWatch-Summer2015-Maligec
7350_RiskWatch-Summer2015-MaligecChristine Maligec, CRM-E, CRIS
 
Puppetnets and Botnets: Information Technology Vulnerability Exploits
Puppetnets and Botnets: Information Technology Vulnerability ExploitsPuppetnets and Botnets: Information Technology Vulnerability Exploits
Puppetnets and Botnets: Information Technology Vulnerability Exploitsecarrow
 
Information Security Governance at Board and Executive Level
Information Security Governance at Board and Executive LevelInformation Security Governance at Board and Executive Level
Information Security Governance at Board and Executive LevelKoen Maris
 
2012 security services clientprex
2012 security services clientprex2012 security services clientprex
2012 security services clientprexKim Aarenstrup
 
Wall street journal 22 sept 10 - perspectives on risk it
Wall street journal 22 sept 10 - perspectives on risk itWall street journal 22 sept 10 - perspectives on risk it
Wall street journal 22 sept 10 - perspectives on risk itMessiernl
 
Print - Overlooked piece of the security puzzle whitepaper - DRAFT
Print - Overlooked piece of the security puzzle whitepaper - DRAFTPrint - Overlooked piece of the security puzzle whitepaper - DRAFT
Print - Overlooked piece of the security puzzle whitepaper - DRAFTGerry Skipwith
 
Volume2 chapter1 security
Volume2 chapter1 securityVolume2 chapter1 security
Volume2 chapter1 securityat MicroFocus Italy ❖✔
 
Delusions of-safety-cyber-savvy-ceo
Delusions of-safety-cyber-savvy-ceoDelusions of-safety-cyber-savvy-ceo
Delusions of-safety-cyber-savvy-ceoJoão Rufino de Sales
 
Wireless Vulnerability Management: What It Means for Your Enterprise
Wireless Vulnerability Management: What It Means for Your EnterpriseWireless Vulnerability Management: What It Means for Your Enterprise
Wireless Vulnerability Management: What It Means for Your EnterpriseAirTight Networks
 
Why Traditional Security has Failed
Why Traditional Security has Failed Why Traditional Security has Failed
Why Traditional Security has Failed Steven_Jackson
 
Think like a hacker for better security awareness
Think like a hacker for better security awarenessThink like a hacker for better security awareness
Think like a hacker for better security awarenessCOMSATS
 
Protecting Utilities through Business Continuity - Scott Roe, Corporate Risk ...
Protecting Utilities through Business Continuity - Scott Roe, Corporate Risk ...Protecting Utilities through Business Continuity - Scott Roe, Corporate Risk ...
Protecting Utilities through Business Continuity - Scott Roe, Corporate Risk ...Energy Network marcus evans
 
Ten Security Essentials for CIOs
Ten Security Essentials for CIOsTen Security Essentials for CIOs
Ten Security Essentials for CIOsIBM Security
 
A Guide To SMB Network Security Compliance Research Group(1)
A Guide To SMB Network Security Compliance Research Group(1)A Guide To SMB Network Security Compliance Research Group(1)
A Guide To SMB Network Security Compliance Research Group(1)GuardEra Access Solutions, Inc.
 
Infotec 2010 Ben Rothke - social networks and information security
Infotec 2010 Ben Rothke - social networks and information security Infotec 2010 Ben Rothke - social networks and information security
Infotec 2010 Ben Rothke - social networks and information security Ben Rothke
 
Convergence of Security Risks
Convergence of Security RisksConvergence of Security Risks
Convergence of Security RisksEnterprise Security Risk Management
 
AN EFFECTIVE METHOD FOR INFORMATION SECURITY AWARENESS RAISING INITIATIVES
AN EFFECTIVE METHOD FOR INFORMATION SECURITY AWARENESS RAISING INITIATIVESAN EFFECTIVE METHOD FOR INFORMATION SECURITY AWARENESS RAISING INITIATIVES
AN EFFECTIVE METHOD FOR INFORMATION SECURITY AWARENESS RAISING INITIATIVESijcsit
 
CISO Survey Report 2010
CISO Survey Report 2010CISO Survey Report 2010
CISO Survey Report 2010Scientia Groups
 
Journal+Feature-InsiderThreat
Journal+Feature-InsiderThreatJournal+Feature-InsiderThreat
Journal+Feature-InsiderThreatAnthony Buenger
 
Information Security Shake-Up
Information Security Shake-Up Information Security Shake-Up
Information Security Shake-Up EMC
 
Idc cost complexitycompliance
Idc cost complexitycomplianceIdc cost complexitycompliance
Idc cost complexitycomplianceReadWrite
 
Clinton- Cyber IRT Balto 10_2012
Clinton- Cyber IRT Balto 10_2012Clinton- Cyber IRT Balto 10_2012
Clinton- Cyber IRT Balto 10_2012Don Grauel
 
2009 Security Mega Trends & Emerging Threats
2009 Security Mega Trends & Emerging Threats2009 Security Mega Trends & Emerging Threats
2009 Security Mega Trends & Emerging ThreatsLumension
 
SIA-Q1-2016
SIA-Q1-2016SIA-Q1-2016
SIA-Q1-2016Owais Hassan
 
PwC Survey 2010 CIO Reprint
PwC Survey 2010 CIO ReprintPwC Survey 2010 CIO Reprint
PwC Survey 2010 CIO ReprintKim Jensen
 
Cyber Security small
Cyber Security smallCyber Security small
Cyber Security smallHenry Worth
 
The Vigilant Enterprise
The Vigilant EnterpriseThe Vigilant Enterprise
The Vigilant EnterpriseBooz Allen Hamilton
 
OverseeCyberSecurityAsHackersSeekToInfiltrate
OverseeCyberSecurityAsHackersSeekToInfiltrateOverseeCyberSecurityAsHackersSeekToInfiltrate
OverseeCyberSecurityAsHackersSeekToInfiltrateKashif Ali
 

More Related Content

What's hot

Wireless Vulnerability Management: What It Means for Your Enterprise
Wireless Vulnerability Management: What It Means for Your EnterpriseWireless Vulnerability Management: What It Means for Your Enterprise
Wireless Vulnerability Management: What It Means for Your EnterpriseAirTight Networks
 
Why Traditional Security has Failed
Why Traditional Security has Failed Why Traditional Security has Failed
Why Traditional Security has Failed Steven_Jackson
 
Think like a hacker for better security awareness
Think like a hacker for better security awarenessThink like a hacker for better security awareness
Think like a hacker for better security awarenessCOMSATS
 
Protecting Utilities through Business Continuity - Scott Roe, Corporate Risk ...
Protecting Utilities through Business Continuity - Scott Roe, Corporate Risk ...Protecting Utilities through Business Continuity - Scott Roe, Corporate Risk ...
Protecting Utilities through Business Continuity - Scott Roe, Corporate Risk ...Energy Network marcus evans
 
Ten Security Essentials for CIOs
Ten Security Essentials for CIOsTen Security Essentials for CIOs
Ten Security Essentials for CIOsIBM Security
 
A Guide To SMB Network Security Compliance Research Group(1)
A Guide To SMB Network Security Compliance Research Group(1)A Guide To SMB Network Security Compliance Research Group(1)
A Guide To SMB Network Security Compliance Research Group(1)GuardEra Access Solutions, Inc.
 
Infotec 2010 Ben Rothke - social networks and information security
Infotec 2010 Ben Rothke - social networks and information security Infotec 2010 Ben Rothke - social networks and information security
Infotec 2010 Ben Rothke - social networks and information security Ben Rothke
 
AN EFFECTIVE METHOD FOR INFORMATION SECURITY AWARENESS RAISING INITIATIVES
AN EFFECTIVE METHOD FOR INFORMATION SECURITY AWARENESS RAISING INITIATIVESAN EFFECTIVE METHOD FOR INFORMATION SECURITY AWARENESS RAISING INITIATIVES
AN EFFECTIVE METHOD FOR INFORMATION SECURITY AWARENESS RAISING INITIATIVESijcsit
 
Journal+Feature-InsiderThreat
Journal+Feature-InsiderThreatJournal+Feature-InsiderThreat
Journal+Feature-InsiderThreatAnthony Buenger
 
Information Security Shake-Up
Information Security Shake-Up Information Security Shake-Up
Information Security Shake-Up EMC
 
Idc cost complexitycompliance
Idc cost complexitycomplianceIdc cost complexitycompliance
Idc cost complexitycomplianceReadWrite
 
Clinton- Cyber IRT Balto 10_2012
Clinton- Cyber IRT Balto 10_2012Clinton- Cyber IRT Balto 10_2012
Clinton- Cyber IRT Balto 10_2012Don Grauel
 
2009 Security Mega Trends & Emerging Threats
2009 Security Mega Trends & Emerging Threats2009 Security Mega Trends & Emerging Threats
2009 Security Mega Trends & Emerging ThreatsLumension
 
PwC Survey 2010 CIO Reprint
PwC Survey 2010 CIO ReprintPwC Survey 2010 CIO Reprint
PwC Survey 2010 CIO ReprintKim Jensen
 
Cyber Security small
Cyber Security smallCyber Security small
Cyber Security smallHenry Worth
 

What's hot (20)

Volume2 chapter1 security
Volume2 chapter1 securityVolume2 chapter1 security
Volume2 chapter1 security
 
Delusions of-safety-cyber-savvy-ceo
Delusions of-safety-cyber-savvy-ceoDelusions of-safety-cyber-savvy-ceo
Delusions of-safety-cyber-savvy-ceo
 
Wireless Vulnerability Management: What It Means for Your Enterprise
Wireless Vulnerability Management: What It Means for Your EnterpriseWireless Vulnerability Management: What It Means for Your Enterprise
Wireless Vulnerability Management: What It Means for Your Enterprise
 
Why Traditional Security has Failed
Why Traditional Security has Failed Why Traditional Security has Failed
Why Traditional Security has Failed
 
Think like a hacker for better security awareness
Think like a hacker for better security awarenessThink like a hacker for better security awareness
Think like a hacker for better security awareness
 
Protecting Utilities through Business Continuity - Scott Roe, Corporate Risk ...
Protecting Utilities through Business Continuity - Scott Roe, Corporate Risk ...Protecting Utilities through Business Continuity - Scott Roe, Corporate Risk ...
Protecting Utilities through Business Continuity - Scott Roe, Corporate Risk ...
 
Ten Security Essentials for CIOs
Ten Security Essentials for CIOsTen Security Essentials for CIOs
Ten Security Essentials for CIOs
 
A Guide To SMB Network Security Compliance Research Group(1)
A Guide To SMB Network Security Compliance Research Group(1)A Guide To SMB Network Security Compliance Research Group(1)
A Guide To SMB Network Security Compliance Research Group(1)
 
Infotec 2010 Ben Rothke - social networks and information security
Infotec 2010 Ben Rothke - social networks and information security Infotec 2010 Ben Rothke - social networks and information security
Infotec 2010 Ben Rothke - social networks and information security
 
Convergence of Security Risks
Convergence of Security RisksConvergence of Security Risks
Convergence of Security Risks
 
AN EFFECTIVE METHOD FOR INFORMATION SECURITY AWARENESS RAISING INITIATIVES
AN EFFECTIVE METHOD FOR INFORMATION SECURITY AWARENESS RAISING INITIATIVESAN EFFECTIVE METHOD FOR INFORMATION SECURITY AWARENESS RAISING INITIATIVES
AN EFFECTIVE METHOD FOR INFORMATION SECURITY AWARENESS RAISING INITIATIVES
 
CISO Survey Report 2010
CISO Survey Report 2010CISO Survey Report 2010
CISO Survey Report 2010
 
Journal+Feature-InsiderThreat
Journal+Feature-InsiderThreatJournal+Feature-InsiderThreat
Journal+Feature-InsiderThreat
 
Information Security Shake-Up
Information Security Shake-Up Information Security Shake-Up
Information Security Shake-Up
 
Idc cost complexitycompliance
Idc cost complexitycomplianceIdc cost complexitycompliance
Idc cost complexitycompliance
 
Clinton- Cyber IRT Balto 10_2012
Clinton- Cyber IRT Balto 10_2012Clinton- Cyber IRT Balto 10_2012
Clinton- Cyber IRT Balto 10_2012
 
2009 Security Mega Trends & Emerging Threats
2009 Security Mega Trends & Emerging Threats2009 Security Mega Trends & Emerging Threats
2009 Security Mega Trends & Emerging Threats
 
SIA-Q1-2016
SIA-Q1-2016SIA-Q1-2016
SIA-Q1-2016
 
PwC Survey 2010 CIO Reprint
PwC Survey 2010 CIO ReprintPwC Survey 2010 CIO Reprint
PwC Survey 2010 CIO Reprint
 
Cyber Security small
Cyber Security smallCyber Security small
Cyber Security small
 

Similar to Sivasubramanian Risk Management In The Web 2.0 Environment

OverseeCyberSecurityAsHackersSeekToInfiltrate
OverseeCyberSecurityAsHackersSeekToInfiltrateOverseeCyberSecurityAsHackersSeekToInfiltrate
OverseeCyberSecurityAsHackersSeekToInfiltrateKashif Ali
 
Threat, Attack and Vulnerability Play a Key Role in Cyber Security
Threat, Attack and Vulnerability Play a Key Role in Cyber SecurityThreat, Attack and Vulnerability Play a Key Role in Cyber Security
Threat, Attack and Vulnerability Play a Key Role in Cyber SecurityIRJET Journal
 
A Multi-Layer Real Time Remote Monitoring & Corporate Network System For Viru...
A Multi-Layer Real Time Remote Monitoring & Corporate Network System For Viru...A Multi-Layer Real Time Remote Monitoring & Corporate Network System For Viru...
A Multi-Layer Real Time Remote Monitoring & Corporate Network System For Viru...ijccsa
 
International Journal on Cloud Computing: Services and Architecture (IJCCSA)
International Journal on Cloud Computing: Services and Architecture (IJCCSA)International Journal on Cloud Computing: Services and Architecture (IJCCSA)
International Journal on Cloud Computing: Services and Architecture (IJCCSA)ijccsa
 
Five Network Security Threats And How To Protect Your Business Wp101112
Five Network Security Threats And How To Protect Your Business Wp101112Five Network Security Threats And How To Protect Your Business Wp101112
Five Network Security Threats And How To Protect Your Business Wp101112Erik Ginalick
 
5 network-security-threats
5 network-security-threats5 network-security-threats
5 network-security-threatsReadWrite
 
White paper cyber risk appetite defining and understanding risk in the moder...
White paper cyber risk appetite defining and understanding risk in the moder...White paper cyber risk appetite defining and understanding risk in the moder...
White paper cyber risk appetite defining and understanding risk in the moder...balejandre
 
56 JULY 2017 WWW.COM.docx
56 JULY 2017 WWW.COM.docx56 JULY 2017 WWW.COM.docx
56 JULY 2017 WWW.COM.docxalinainglis
 
Cyber Security Trends - Where the Industry Is Heading in an Uncertainty
Cyber Security Trends - Where the Industry Is Heading in an UncertaintyCyber Security Trends - Where the Industry Is Heading in an Uncertainty
Cyber Security Trends - Where the Industry Is Heading in an UncertaintyOrganization
 
Protective Intelligence
Protective IntelligenceProtective Intelligence
Protective Intelligencewbesse
 
Why Cybersecurity is a Data Problem
Why Cybersecurity is a Data ProblemWhy Cybersecurity is a Data Problem
Why Cybersecurity is a Data ProblemBernard Marr
 
Application Security: Safeguarding Data, Protecting Reputations
Application Security: Safeguarding Data, Protecting ReputationsApplication Security: Safeguarding Data, Protecting Reputations
Application Security: Safeguarding Data, Protecting ReputationsCognizant
 
Shifting Risks and IT Complexities Create Demands for New Enterprise Security...
Shifting Risks and IT Complexities Create Demands for New Enterprise Security...Shifting Risks and IT Complexities Create Demands for New Enterprise Security...
Shifting Risks and IT Complexities Create Demands for New Enterprise Security...Booz Allen Hamilton
 
12Cyber Research ProposalCyb
12Cyber Research ProposalCyb12Cyber Research ProposalCyb
12Cyber Research ProposalCybAnastaciaShadelb
 
Guide to high volume data sources for SIEM
Guide to high volume data sources for SIEMGuide to high volume data sources for SIEM
Guide to high volume data sources for SIEMJoseph DeFever
 

Similar to Sivasubramanian Risk Management In The Web 2.0 Environment (20)

The Vigilant Enterprise
The Vigilant EnterpriseThe Vigilant Enterprise
The Vigilant Enterprise
 
OverseeCyberSecurityAsHackersSeekToInfiltrate
OverseeCyberSecurityAsHackersSeekToInfiltrateOverseeCyberSecurityAsHackersSeekToInfiltrate
OverseeCyberSecurityAsHackersSeekToInfiltrate
 
Threat, Attack and Vulnerability Play a Key Role in Cyber Security
Threat, Attack and Vulnerability Play a Key Role in Cyber SecurityThreat, Attack and Vulnerability Play a Key Role in Cyber Security
Threat, Attack and Vulnerability Play a Key Role in Cyber Security
 
A Multi-Layer Real Time Remote Monitoring & Corporate Network System For Viru...
A Multi-Layer Real Time Remote Monitoring & Corporate Network System For Viru...A Multi-Layer Real Time Remote Monitoring & Corporate Network System For Viru...
A Multi-Layer Real Time Remote Monitoring & Corporate Network System For Viru...
 
International Journal on Cloud Computing: Services and Architecture (IJCCSA)
International Journal on Cloud Computing: Services and Architecture (IJCCSA)International Journal on Cloud Computing: Services and Architecture (IJCCSA)
International Journal on Cloud Computing: Services and Architecture (IJCCSA)
 
Five Network Security Threats And How To Protect Your Business Wp101112
Five Network Security Threats And How To Protect Your Business Wp101112Five Network Security Threats And How To Protect Your Business Wp101112
Five Network Security Threats And How To Protect Your Business Wp101112
 
5 network-security-threats
5 network-security-threats5 network-security-threats
5 network-security-threats
 
White paper cyber risk appetite defining and understanding risk in the moder...
White paper cyber risk appetite defining and understanding risk in the moder...White paper cyber risk appetite defining and understanding risk in the moder...
White paper cyber risk appetite defining and understanding risk in the moder...
 
56 JULY 2017 WWW.COM.docx
56 JULY 2017 WWW.COM.docx56 JULY 2017 WWW.COM.docx
56 JULY 2017 WWW.COM.docx
 
Cyber Security Trends - Where the Industry Is Heading in an Uncertainty
Cyber Security Trends - Where the Industry Is Heading in an UncertaintyCyber Security Trends - Where the Industry Is Heading in an Uncertainty
Cyber Security Trends - Where the Industry Is Heading in an Uncertainty
 
Protective Intelligence
Protective IntelligenceProtective Intelligence
Protective Intelligence
 
Why Cybersecurity is a Data Problem
Why Cybersecurity is a Data ProblemWhy Cybersecurity is a Data Problem
Why Cybersecurity is a Data Problem
 
Application Security: Safeguarding Data, Protecting Reputations
Application Security: Safeguarding Data, Protecting ReputationsApplication Security: Safeguarding Data, Protecting Reputations
Application Security: Safeguarding Data, Protecting Reputations
 
University-of-Miami_MEDINA
University-of-Miami_MEDINAUniversity-of-Miami_MEDINA
University-of-Miami_MEDINA
 
Shifting Risks and IT Complexities Create Demands for New Enterprise Security...
Shifting Risks and IT Complexities Create Demands for New Enterprise Security...Shifting Risks and IT Complexities Create Demands for New Enterprise Security...
Shifting Risks and IT Complexities Create Demands for New Enterprise Security...
 
12Cyber Research ProposalCyb
12Cyber Research ProposalCyb12Cyber Research ProposalCyb
12Cyber Research ProposalCyb
 
12Cyber Research ProposalCyb
12Cyber Research ProposalCyb12Cyber Research ProposalCyb
12Cyber Research ProposalCyb
 
Cyber threat forecast 2018..
Cyber threat forecast 2018..Cyber threat forecast 2018..
Cyber threat forecast 2018..
 
Guide to high volume data sources for SIEM
Guide to high volume data sources for SIEMGuide to high volume data sources for SIEM
Guide to high volume data sources for SIEM
 
Ijnsa050215
Ijnsa050215Ijnsa050215
Ijnsa050215
 

More from Vinoth Sivasubramanan

The notorious nine_cloud_computing_top_threats_in_2013
The notorious nine_cloud_computing_top_threats_in_2013The notorious nine_cloud_computing_top_threats_in_2013
The notorious nine_cloud_computing_top_threats_in_2013Vinoth Sivasubramanan
 
Linux Firewall - NullCon Chennai Presentation
Linux Firewall - NullCon Chennai PresentationLinux Firewall - NullCon Chennai Presentation
Linux Firewall - NullCon Chennai PresentationVinoth Sivasubramanan
 
Business Continuity Management - Best Practice Across Industries
Business Continuity Management - Best Practice Across IndustriesBusiness Continuity Management - Best Practice Across Industries
Business Continuity Management - Best Practice Across IndustriesVinoth Sivasubramanan
 
4th Annual Corporate Governance Congress
4th Annual Corporate Governance Congress4th Annual Corporate Governance Congress
4th Annual Corporate Governance CongressVinoth Sivasubramanan
 

More from Vinoth Sivasubramanan (9)

The notorious nine_cloud_computing_top_threats_in_2013
The notorious nine_cloud_computing_top_threats_in_2013The notorious nine_cloud_computing_top_threats_in_2013
The notorious nine_cloud_computing_top_threats_in_2013
 
Linux Firewall - NullCon Chennai Presentation
Linux Firewall - NullCon Chennai PresentationLinux Firewall - NullCon Chennai Presentation
Linux Firewall - NullCon Chennai Presentation
 
Business Continuity Management - Best Practice Across Industries
Business Continuity Management - Best Practice Across IndustriesBusiness Continuity Management - Best Practice Across Industries
Business Continuity Management - Best Practice Across Industries
 
Storage Security Governance
Storage Security GovernanceStorage Security Governance
Storage Security Governance
 
Security kaizen cloud security
Security kaizen cloud securitySecurity kaizen cloud security
Security kaizen cloud security
 
Security kaizen consumerization
Security kaizen consumerizationSecurity kaizen consumerization
Security kaizen consumerization
 
DDOS Audit
DDOS AuditDDOS Audit
DDOS Audit
 
3rd Annual CISO Round Table
3rd Annual CISO Round Table3rd Annual CISO Round Table
3rd Annual CISO Round Table
 
4th Annual Corporate Governance Congress
4th Annual Corporate Governance Congress4th Annual Corporate Governance Congress
4th Annual Corporate Governance Congress
 

Sivasubramanian Risk Management In The Web 2.0 Environment

  • 1. PreemInent truSted GlobAl ISSA ISSA Journal | February 2010 InformAtIon SecurIty communIty risk management in the Web 2.0 environment By Vinoth Sivasubramanian – ISSA member, UK Chapter, and in the process of founding/establishing a chapter in the United Arab Emirates (UAE) A recent study reports a significant percentage of organizations are not confident in the security measures that are in place for Web 2.0. this article looks to an integrated approach of people, processes, and technological controls to mitigate Web 2.0 security risks. W eb 2.0 refers to the second generation of Web de- straight approach. A recent study by KPMG Insider reports velopment and design and has brought about sig- a significant percentage of organizations are not confident nificant change in the Internet such as web-based in the security measures that are in place for Web 2.0.1 This communities, hosted services, and applications such as so- must be accomplished through an integrated approach of cial networking sites, wikis, blogs, video sharing sites, RSS people, processes, and technological controls. Before we delve feeds, and much more. Web 2.0 delivers a new kind of Web into the mitigation strategies, we will analyze the threats that experience that is interactive, real-time, and collaborative. are evident through Web 2.0 technologies. Although many of the underlying technical components of the Web have remained the same, the use of the Web as a plat- threat sources for Web 2.0 form on which to build rich applications is transforming our The threat table given in Figure 1 is intended to organize the online experience. Organizations are also investing in Web rest of the article. It is not intended to be complete, but can 2.0 technologies to harness its power to draw in more cus- be used as a sample to map out threats and their implications. tomers. The participatory approach of Web 2.0 is also taking governments by storm as well, leading to the next generation of governance: eGovernance 2.0. 1 Claire Le Masurier, “Risk Concerns Stall Uptake of Web 2.0 Technology in the Workplace,” A KPMG Insider Report 2008 – http://www.kpmg.co.uk/news/detail. As with any paradigm shift, technologies and processes can cfm?pr=3012. take us to new levels of user expe- rience and productivity, but those Threat Source Vulnerable Areas Threat Impacts Implications same technologies also present us Social networks, blogs, Loss of sensitive data, with new levels of threats and risks. Humans instant messenger, private knowingly or unknow- Loss of reputation in the Whether inadvertent or intention- eyes of public email, etc. ingly al, the threats are equally danger- ous to people, customers, business, Malware, viruses, Browsers, unpatched spyware, logic bombs, Loss of CIA, legal implica- and countries. These risks, if iden- Systems/Networks systems, and servers and a host of other tions, and financial losses tified and controlled in the proper threats way, can bring a lot of benefits to Loss of CIA, legal, and the organization and society as a Application related Applications Malware, logic bombs financial implications. whole. Loss of CIA, legal implica- Managing and mitigating risks in Improper Controls Entire organization is exposed Loss of data, viruses, logic bombs, etc. tions, reputational damage, Web 2.0 requires a more diversi- and business losses fied approach rather than a single figure 1 – Web 2.0 threat sources 35
  • 2. risk management in the Web 2.0 environment | Vinoth Sivasubramanian ISSA Journal | February 2010 Invest in training and development People are the weakest as well as the Keep the security people busy: invest in training security strongest link in an organization. personnel on latest threats and protections through internal resources or external training, and make sure that they stay updated on the latest trends and technologies. Security per- Now with some familiarity of the threat source, let us analyze sonnel who do not keep themselves updated on latest tech- some of the strategies that could be implemented for mitigat- nologies and trends pose a threat in of themselves. The IT/ ing and controlling the threats caused by the noted sources. security department should subscribe to good security jour- These threats can be mitigated through a multi-layered de- nals and sponsor memberships in professional organization fense process of internal controls, technological controls, and such as ISSA, ISACA, IEEE, etc., which provide a wealth of processes. information on security and related research. Human threats Instill ethics and integrity into the culture of the People are the weakest as well as the strongest link in an orga- organization nization. LinkedIn and MySpace are two of the major social This is by far the most potent weapon for creating an almost networking sites where people working within the organiza- infallible security culture and program within the organiza- tion can leak sensitive data deliberately or inadvertently. Or- tion, but also the most difficult. Outlined are some simple ganizations cannot block social networks because they are points to help create and foster a culture of integrity and eth- becoming the base infrastructure for business and personal ics within the organization. interaction of the future. For effective social network use in • Have a written code of ethics in place involving all the workplace and to ensure that valuable data is not leaked, business leaders; ensure that every employee signs it organizations must ensure the following minimal steps. and make him or her aware of the advantages of hav- define a policy for virtual environments ing one in place and how and where to report in case of violations. Have regular ethics awareness training Clearly document the websites/activities that are permitted programs for the staff members. within the corporate environment. Also document the ac- tivities that are allowed in virtual environments. With the • Leaders and senior management must practice in- help of a legal counsel, document the actions that would be tegrity and fairness in all their dealings; this way it initiated in the event of not complying with these policies. spreads and percolates as a culture within the orga- nization. monitor virtual environments • Develop mature, fair, and rigorous employee perfor- The workplace is not the only place vital data can be leaked; mance management systems. This will ensure that therefore, monitor virtual environments regularly. IT man- the right people are retained, trained, and motivated. agers must ensure that they organize an internal team to Have incentives linked to ethical behavior and acts; monitor virtual environments for slanderous comments, measure the effectiveness over time, and keep inno- sensitive data, and other objectionable content. This must be vating for a highly positive culture. done periodically, at least once a month, and reports stored. Deviations, if any, must be reported to management and ac- Protect system assets tions must be taken in accordance with local laws and orga- System assets include the servers, desktops, PDAs, Black- nizational policies. berries, laptops, and any other asset that is used for access- ing data in an organization. Since Web 2.0 runs on all web educate end users browsers, exploitation can occur both at the server side and Security is everyone’s responsibility. Educating end users on the client side, which can then get distributed. Therefore, it security awareness in the Web 2.0 environment is more criti- becomes mandatory to harden servers, desktops, PDAs, and cal than ever. It is essential that they be taught not only the laptops. Some suggested best practices for protecting systems traditional email, system, and web security jargons but also assets are the following: what can be discussed/posted on virtual environments. Also • A baseline standard like NIST can be used for hard- make clear the repercussions that would follow if inappro- ening the servers, operating systems, PDAs, desktops, priate behavior is discovered. Educate them on the potential and laptops risks that the organization is exposed to if browsing from an airport coffee shop or WiFi hotspot. Have a training manual, • Make sure an updated antivirus runs on all the sys- distribute it to everyone, and keep it updated. Conduct regu- tem assets in the organization lar security training awareness programs. • Make sure the necessary patches are updated on all the system assets 36
  • 3. Enterprise Information Protection Companies serious about information protection choose Verdasys To learn more about Enterprise Information Protection (EIP) and Verdasys visit www.verdasys.com/eip or call 781-788-8180 Enterprise Information Protection is a Verdasys Trademark. Copyright © 2010 Verdasys, Inc. All Rights Reserved.
  • 4. risk management in the Web 2.0 environment | Vinoth Sivasubramanian ISSA Journal | February 2010 • Implement host intrusion prevention systems (HIPS) ensure that all caches and proxies are “security- with proper configurations to test for anomalies on aware” servers that host web applications Objects that can be cached must be filtered for malware, se- • Make sure you test all the system assets regularly to curity reputation, and URL filtering policy prior to delivery keep them updated against emerging threats to the requestor’s browser. Cached objects must have these network hardening filters applied each time the object is delivered to the end user because the reputation may have changed since the object was A hardened network implemented with proper next-genera- originally cached or the security policy of this requestor may tion firewalls and necessary controls provides a vital defense be different than the previous requestors. This policy might for the organization against any kind of attack. Fortifying be different in any of these areas: security reputation, URL networks is probably the first level of defense and must be filter policy, or malware. Deploying caches and proxies that properly done. are not security-aware runs the risk of delivering malicious Some of the basic and necessary steps that need to be per- code to the user. formed are the following, apart from the technological solu- tions that need to be implemented: enable bi-directional filtering • Harden all the network devices using standard base- Ensure that bi-directional filtering and application control lines such as NIST are implemented at the gateway for all kinds of web traffic. This will scan all incoming and outgoing web traffic, which • Manage change effectively on the networks: if a new will assist the IT security personnel in having a greater view route has to be added on the firewall/router, make sure of what comes in and goes out. Filter unwanted traffic; moni- a change management procedure is followed and up- tor violations, incident responses, and forensics. Store the date the configuration management database data onto a syslog server and archive it after a certain interval Implement next-generation firewalls of time. Legacy URL filtering solutions are insufficient. They rely only Implement deep-content protection on categorized databases of URL entries that only update a There are many products available in the market today for few times a day. What is needed is a “reputation system” that implementing deep-content protection. But for achieving assigns global reputations to URLs and IP addresses, and success organizations must make sure they have taken the works alongside the categorized databases for the ultimate following steps: protection. A sophisticated, third-generation reputation system provides a mechanism for determining the risk as- • Have a clearly defined security policy on what should sociated with receiving data from a particular website. This be done by whom reputation can be used in conjunction with categories in an • Define what is sensitive and what is not sensitive with organization’s security policy, allowing them the ability to reference to data make appropriate decisions based on both category and se- Once the above necessary steps are done then the deep- curity reputation information. This reputation-based URL content protection takes care of things: information that is filtering solution needs to be global in scope and internation- classified can be ensured not to be sent over personal email alized to handle websites in any language. IDs, or even through official IDs. Deep-content protection It is critical that the reputation system provides both web also empowers the IT security personnel to granularly con- and messaging reputation. Since malicious attacks are multi- trol what users will be able to do in the virtual world when protocol, the reputation system must be aware of both email using the organizational network; for example, users may be and web threats. A new domain without content cannot be allowed to view social networks but may be restricted access categorized, but if it is associated with IP addresses sending to posting. email and they have a history of spam, phishing, or other malicious activity, then the web reputation for this uncatego- use comprehensive access, management, and rized domain can immediately be determined and security reporting tools protections provided to those who try to access the site. Enterprises should deploy solutions that provide “at-a- Organizations should deploy email gateways that utilize glance” reporting on the status and health of their services. sender reputation to stop malicious attacks, often launched They also need both real-time and forensic reporting that al- via spam and social engineering. Email reputation is also lows them to drill down into problems for remediation and critical as spam, phishing, and other malicious emails will post-event analysis. Providing robust and extensible report- include an URL or IP address that needs to be immediately ing is a critical function to understand risk, refine policy, and fed back into the web gateway security infrastructure. measure compliance. 38
  • 5. risk management in the Web 2.0 environment | Vinoth Sivasubramanian ISSA Journal | February 2010 with changing trends of security and business, and measure Application hardening their effectiveness by conducting regular awareness quizzes. Developing a successful and secure application involves Monitor for violations using technology, processes, and peo- many phases. While there are a plethora of articles and stan- ple. Record and rectify them. dards available on application-related vulnerabilities of Web 2.0 and how to deal with them, we will focus on the overall Incident response picture and not delve into each and every exploit here but In spite of the best firewalls, effective security policies and outline those basic steps that need to be taken which have audits, and the best people, breaches and threats can be real- often been overlooked in comparison with technical-related ized. If such an incident happens, make sure there is an inci- vulnerabilities. Following these simple steps can ensure to a dent response plan in place on how to deal with that situation. good extent that the applications are securely built. Future Train people on effective incident management procedures. vulnerabilities can be easily dealt with if these simple guide- lines are followed: conduct continuous risk assessment 1. Have/hire competent programmers in place who are also Conduct regular risk assessments on web applications with deft at handling application security. Develop a culture of a holistic approach towards security and check to see if the secure programming within the IT team. Have the infor- controls are to an optimum and desired level as expected by mation security personnel participate in the development the business units and executive management. process. 2. Practice good coding standards using baselines and other follow benchmarks standards available from various resources – one excellent Finally, benchmark your protection strategy at regular inter- resource is the Open Web Application Security Project vals against global standards or other best practices followed (OWASP).2 Ensure that the baselines and standards are by your peers or other organizations. Align them to your strictly followed by the programming team. business needs if needed. 3. Create a threat model of the application using known and unknown incidents and do stressful penetration tests on conclusion applications before they go live. Document the recordings Web 2.0 is a boon, and if implemented and managed prop- of the tests. This will serve as a reference point for building erly, organizations, societies, and countries can benefit from future applications and saves time and money. the participatory approach of the collaborative Internet. Or- 4. Have a mature risk assessment/ management process in ganizations and governments spanning countries must come place that has a holistic approach towards application de- forward with good regulations and measures for making this velopment: people risks, process risks, technological risks. new trend a success for one and all as cybersecurity and web- By having a mature risk management process in place, sites cannot be restricted to a single country alone. processes are repeatable/reproducible, saving time when newer applications are built. references • People risks: people risks are often considered be- — Jacques Bughin and James Manyika, “How Business are Using yond application purview but should be scrutinized Web 2.0,” Mckinsey Global Survey 2007 – http://www.mck- as carefully as the code they are producing. inseyquarterly.com/How_businesses_are_using_Web_20_A_ McKinsey_Global_Survey_1913. • Process risks: effective change management policy — “Losing Ground Global Security Survey 2009,” from Deloitte and application release management procedures – http://www.deloitte.com/view/en_US/us/Industries/Media- should be established and maintained for the devel- Entertainment/article/e510f6b085912210VgnVCM100000ba- opment cycle. 42f00aRCRD.htm. • Technological risks: are the best technologies being — Web 2.0 – www.wikipedia.org. used? For example, code should not be developed and — Web 2.0 Security Threats – www.enterprise2.0.org. compiled using older vulnerable versions, e.g., Java, when new stable releases are available – new releases About the Author mitigate a lot of known vulnerabilities. Vinoth Sivasubramanian, CEH, ABRC- CIP, ISO 27001 LA, has over seven years Process and policy control mechanisms of experience in the information security discipline in the domains of telecommu- Security policies in place nication, finance, and consulting. He is a member of the ISSA Educational Ad- Have effective security policies in place and ensure that they visory Council, a working committee are followed by everybody. Always have them current in line member of International Cyber Ethics, and a reviewer of IFIP Conference. He can be reached at vinoth. 2 OWASP – www.owasp.org. sivasubramanian@gmail.com. 46