This article discusses risk management strategies for organizations using Web 2.0 technologies. It identifies key threat sources like humans, systems/networks, and applications. It recommends a multi-layered approach using people, processes, and technological controls to mitigate risks. Some strategies discussed are developing security policies for virtual environments; monitoring social networks; educating users; implementing firewalls, antivirus software, and patches; and conducting risk assessments and incident planning. The goal is to properly manage Web 2.0 technologies to maximize their benefits while minimizing security risks.
The Cisco 2010 Midyear Security Report includes:
* Results and analysis from two new Cisco studies -- one focused on employee collaboration and the other on the concerns of IT decision-makers worldwide
* International trends in cyber-security and their potential impact on business
* Insight into how hackers penetrate “soft spots” in enterprise security to steal sensitive data and sell it to the highest bidder
* An update on global spam trends since late 2009 and spam volume predictions for 2010
* Guidance from Cisco security experts to help businesses improve their enterprise security by 2011
Puppetnets and Botnets: Information Technology Vulnerability Exploits - secarrow
The focus of this paper is to identify dominant trends of information security threats to the Internet from 2001 to 2007. This paper is intended to provide an understanding of the new emphasis of attacks through use of robotic networks and how some users and organizations are already preparing a response using innovative visualization techniques in conjunction with traditional methods. The scope of research will focus on basic enterprise-level services that are commonly provided by various corporations; e.g., e-mail, browser applications, wireless and mobile devices, IP telephony, and online banking. The research will first review the network infrastructure common to most corporate organizations and assume basic enterprise components and functionality in response to the current security threats. The second emphasis will consider the impact of malware robotic networks (Botnets and Puppetnets) on the corporate network infrastructure and how to address these threats with new and innovative techniques. This approach is pragmatic in application and focuses on assimilation of existing data to present a functional rationale of attacks to anticipate and prepare for this coming year.
Information Security Governance at Board and Executive Level - Koen Maris
Information security governance is a relatively new area, and it doesn't always receive the required attention, such as business support, management support and eventually the necessary budgets to keep Mr Evil out. The reasons why information security is not receiving the required attention are plenty, but a main issue in its failing to get on the agenda could be that the upper levels of an organisational structure do not receive the information required to get their attention, that companies are risk taking instead of risk averse, or that it seems impossible to identify value for the business. Security is about avoiding something, whereas a new application is about adding functionality in order to increase efficiency, production etc… Unfortunately, security is still seen as a business disabler.
Print - Overlooked piece of the security puzzle whitepaper - DRAFT - Gerry Skipwith
Information security is an important part of corporate governance. Print is often overlooked as a critical piece of the security puzzle. This whitepaper serves to help educate companies on the risks inherent to their print infrastructure.
Preparing today for tomorrow’s threats.
When companies hear the word “security,” what concepts come to mind — safety, protection or perhaps comfort? To the average IT administrator, security conjures up images of locked-down networks and virus-free devices. An attacker, state-sponsored agent or hacktivist, meanwhile, may view security as a way to demonstrate expertise by infiltrating and bringing down corporate or government networks for profit, military goals, political gain — or even fun.
We live in a world in which cybercrime is on the rise. A quick scan of the timeline of major incidents (See Figure 1, Page 9) shows the increasing frequency and severity of security breaches — a pattern that is likely to continue for years to come. Few if any organizations are safe from cybercriminals, to say nothing of national security. In fact, experts even exposed authentication and encryption vulnerabilities in the U.S. Federal Aviation Administration’s new state-of-the-art multibillion-dollar air traffic control system
Wireless Vulnerability Management: What It Means for Your Enterprise - AirTight Networks
The instant and obvious benefits of WiFi have made WLANs a big success in public, private, and enterprise sectors. Unfortunately, the adoption of correct security measures for WLANs is lagging far behind the fast pace at which these networks are being deployed. The presence of WiFi in most laptops and handhelds, the simplicity of independently installing WiFi networks, and the ease of exploiting wireless vulnerabilities have together escalated the risks manifold. Even organizations that do not own a WLAN are equally at risk.
Scott Roe from Corporate Risk Solutions, a solution provider at the marcus evans Generation Summit 2012, on protecting utilities from internal and external attacks.
Interview with: Scott Roe, President, Corporate Risk Solutions
AN EFFECTIVE METHOD FOR INFORMATION SECURITY AWARENESS RAISING INITIATIVES - ijcsit
Increasingly, all kinds of organizations and institutions are adopting the E-business model to conduct their activities and provide E-Services for their customers. In the process, whether they know it or not, those organizations are also opening themselves up to the risk of information security breaches. Therefore protecting an organization’s ICT infrastructure, IT systems, and data is a vital issue that is often underestimated. Research has shown that one of the most significant threats to information security comes not from external attack but rather from the system's users, because they are familiar with the infrastructure and have access to its resources, but may be unaware of the risks. Moreover, using only technological solutions to protect an organization’s assets is not enough; there is a need to consider the human factor by raising users’ security awareness. Our contribution to this problem is to propose an Information Security Awareness Program that aims at raising and maintaining the level of users’ security awareness. This paper puts forward a general model for an information security awareness program and describes how it could be incorporated into an organization’s website through the development life cycle process.
This Special Report from the Security for Business Innovation Council identifies four technology trends -- cloud computing, social media, big data, and mobile devices -- as game-changers for 2013 and offers concrete guidance on how security teams can meet these requirements.
Presentation by Larry Clinton, President of the Internet Security Alliance (ISA) to the 66th Annual Fowler Seminar on Oct 12 2012 titled Evolution of the Cyber Threat - A Unified Systems Approach.
2009 Security Mega Trends & Emerging Threats - Lumension
To help define what the biggest security threats will be to an organization’s sensitive and confidential data over the next 12 to 24 months, Lumension has teamed up with the Ponemon Institute, a leading research firm, to charter our first annual 2009 Security Mega Trends Survey. The survey also outlines key alignments and gaps between two traditionally disparate groups - IT Security and IT Operations when it comes to these new and emerging threats.
A Multi-Layer Real Time Remote Monitoring & Corporate Network System For Viru... - ijccsa
Corporations face a dangerous threat that existing security technologies do not adequately address: malware, trackware and adware, which describes any program that may track online and/or offline PC activity and locally save or transmit those findings to third parties without the user’s knowledge or consent. The same activities that make our employees efficient and productive, such as doing research over the internet, sharing files, sending instant messages to customers and coworkers, and emailing status information while travelling, are making our IT infrastructures vulnerable to mobile malicious code, spyware, viruses, Trojan horses, phishing, and pharming. Gateway firewalls and antivirus software are no match for these new, virulent threats. To ensure the needed protection, organizations need to incorporate content-level protection into their overall security strategies. As web-borne threats become more complex and virulent, companies must face the need to supplement their existing, traditional security measures. So, in this paper, we highlight our work, which attempts to keep a real-time track of each event of the client’s behavior inside a network.
International Journal on Cloud Computing: Services and Architecture (IJCCSA) - ijccsa
As web-borne threats become more complex and virulent, companies must face the need to supplement their existing, traditional security measures. So, in this paper, we highlight our work, which attempts to keep a real-time track of each event of the client’s behavior inside a network.
White paper cyber risk appetite defining and understanding risk in the moder... - balejandre
Managing risk is a balancing act for organizations of all sizes and disciplines. While some organizations take on too much risk, others arguably do not take on enough. Complicating this equation is the emergence of cyber as one of the most impactful sources of risk in the modern enterprise
56 \\ JULY 2017 \\ WWW.COMPLIANCEWEEK.COM
{CYBER-SECURITY}
Risk management lessons of the WannaCry ransomware
A global hack attack that held organizations’ data hostage for Bitcoin ransoms raises serious regulatory issues, disclosure debates, and risk management concerns. Joe Mont has more on the worldwide cyber-security event.
The crisis of the moment in cyber-space is WannaCry, a nasty piece of ransomware attacking organizations around the globe. Those unfortunate enough to be in-
held hostage, only to be returned and unlocked once a speci-
The spotlight on this cyber-threat du jour has sparked
management and the need to break down corporate silos.
Ransomware, an increasing problem for anyone with
tacks include e-mails that look legitimate and seem to be from a known sender, but are engineered to trick the recipient into opening a malignant bit of code. Once loose, it creates an illicit data pipeline. Malware can also be embedded onto Websites, waiting for an unsuspecting right click to open the door.
WannaCry ransomware (also known as WCry and Wanna Decryptor) used e-mail to exploit unpatched hazards in outdated, unpatched Microsoft Windows operating systems,
rosoft (which released a patch for the exploit, for newer operating systems, in March) is blaming the National Security Agency for letting one of its experiments in software subterfuge into the wild.
The regulatory perspective
On May 17, amid ongoing waves of the cyber-attacks, the Se-
spections and Examinations issued a ransomware alert.
amined 75 SEC registered broker-dealers, investment advisers, and investment companies to assess practices associated
» Five percent of broker-dealers and 26 percent of advisers and funds examined did not conduct periodic risk assessments of critical systems to identify cyber-security threats, vulnerabilities, and the potential business consequences.
» Five percent of broker-dealers and 57 percent of the invest-
etration tests and vulnerability scans on systems that the
» While all broker-dealers and 96 percent of investment
regular system maintenance, including the installation of software patches to address security vulnerabilities, some
that were missing important updates.
Although not related to the latest ransomware attack, the
Smith Barney agreed to pay a $1 million penalty to settle charges related to its failures to protect customer informa-
requires registered broker-dealers, investment companies, and investment advisers to “adopt written policies and procedures that address administrative, technical, and physical safeguards for the protection of customer records and information.”
Is it a breach?
must a ransomware attack be disclosed in accordance with
For healthcare organizations and their business associ-
ity Act’s privacy rule there may no.
Cyber Security Trends - Where the Industry Is Heading in an UncertaintyOrganization
Many major companies realize the continued importance of data and systems protection. Organizations will need to remain vigilant with regard to remote work policies, data access, and upskilling. Learn more about the different types of cyber security trends by PM Integrated.
The SolarWinds hack, first detected in December 2020 and referred to as “the largest and most sophisticated attack the world has ever seen” by the president of Microsoft, was a watershed moment in cybersecurity. Hundreds of organizations, including Fortune 500 companies and government agencies, were affected, with sensitive data compromised. A year on, a major study conducted by Splunk has found that 78% of companies expect the same thing to happen again.
With cybercrime (like denial of service, malware, phishing, and SQL injection) looming large in our digitized world, penetration testing - and code and application level security testing (SAST and DAST) - are essential for organizations to identify security loopholes in applications and beyond. We provide a guide to the salient standards and techniques for full-spectrum testing to safeguard your data - and reputation.
Shifting Risks and IT Complexities Create Demands for New Enterprise Security... - Booz Allen Hamilton
Holistic Cyber Risk Management Programs in the Financial Industry Must "Predict and Prevent" in Today's Complex Threat Environment, says new White Paper.
Cyber Research Proposal
Cybersecurity in business
Introduction
Because of today's international economy, securing a company's intellectual property, financial information, and good name is critical for the company's long-term survival and growth. However, with the rise in risks and cyber vulnerability, most businesses find it difficult to keep up with the competition. Since their inception, most companies have reported 16% fraud, 37.7% financial losses, and an average of over 11% share value loss, according to data compiled by the US security. Most corporations and governments are working hard to keep their customers and residents safe from harm. There are both physical and cybersecurity risks involved with these threats. According to a recent study, many company owners aren't aware of the full scope of cybersecurity. People who own their businesses must deal with various issues daily.
Nevertheless, steps are being taken to address these issues. Customers and the company are likely to be protected by the measures adopted. Cybersecurity is one of the most pressing issues facing organizations today. Leaks of a company's intellectual property and other secrets may have devastating effects on its operations, as competitors and rivals will do all in their power to stop them. is an excellent illustration of this. This is perhaps the most talked-about security compromise of the year [footnoteRef:3]. The firm was severely damaged because of this. [1: "Database security attacks and control methods."] [2: "Comprehending the IoT cyber threat landscape: A data dimensionality reduction technique to infer and characterize Internet-scale IoT probing campaigns."] [3: "The Equifax data breach: What cpas and firms need to know now." ]
Some individuals take advantage of clients by stealing highly important information to profit financially from their actions. For example, if the wrong individuals get their hands on your credit card information, you're in serious trouble since you might lose money. Some families lose all their resources, while others are forced to declare bankruptcy after being financially stable for a long period. Many of the findings of this study will be focused on cybersecurity and the sources of cybersecurity risks. The paper outlines a few of the issues and solutions that organizations may use to keep their operations and consumers safe from exploitation by dishonest individuals.
Research question
According to the most recent study, more than 1500 companies have been exposed to some cybersecurity assault[footnoteRef:4]. This research details the specific types of attacks that have occurred. Organizational operations are affected, as is corporate governance, and the internal management of financial status is rendered ineffective due to these assaults. The question that will be investigated during the study is: [4: "Towards blockchain-based identity and access management for internet of things in enterprises."]
How doe ...
Sivasubramanian Risk Management In The Web 2.0 Environment
1. PreemInent truSted GlobAl
ISSA ISSA Journal | February 2010
InformAtIon SecurIty communIty
risk management in the
Web 2.0 environment
By Vinoth Sivasubramanian – ISSA member, UK Chapter, and in the process of founding/establishing a chapter
in the United Arab Emirates (UAE)
A recent study reports a significant percentage of organizations are not confident in the
security measures that are in place for Web 2.0. this article looks to an integrated approach
of people, processes, and technological controls to mitigate Web 2.0 security risks.
W
eb 2.0 refers to the second generation of Web de- straight approach. A recent study by KPMG Insider reports
velopment and design and has brought about sig- a significant percentage of organizations are not confident
nificant change in the Internet such as web-based in the security measures that are in place for Web 2.0.1 This
communities, hosted services, and applications such as so- must be accomplished through an integrated approach of
cial networking sites, wikis, blogs, video sharing sites, RSS people, processes, and technological controls. Before we delve
feeds, and much more. Web 2.0 delivers a new kind of Web into the mitigation strategies, we will analyze the threats that
experience that is interactive, real-time, and collaborative. are evident through Web 2.0 technologies.
Although many of the underlying technical components of
the Web have remained the same, the use of the Web as a plat- threat sources for Web 2.0
form on which to build rich applications is transforming our The threat table given in Figure 1 is intended to organize the
online experience. Organizations are also investing in Web rest of the article. It is not intended to be complete, but can
2.0 technologies to harness its power to draw in more cus- be used as a sample to map out threats and their implications.
tomers. The participatory approach of Web 2.0 is also taking
governments by storm as well, leading to the next generation
of governance: eGovernance 2.0. 1 Claire Le Masurier, “Risk Concerns Stall Uptake of Web 2.0 Technology in the
Workplace,” A KPMG Insider Report 2008 – http://www.kpmg.co.uk/news/detail.
As with any paradigm shift, technologies and processes can cfm?pr=3012.
take us to new levels of user expe-
rience and productivity, but those Threat Source Vulnerable Areas Threat Impacts Implications
same technologies also present us
Social networks, blogs, Loss of sensitive data,
with new levels of threats and risks. Humans instant messenger, private knowingly or unknow- Loss of reputation in the
Whether inadvertent or intention- eyes of public
email, etc. ingly
al, the threats are equally danger-
ous to people, customers, business, Malware, viruses,
Browsers, unpatched spyware, logic bombs, Loss of CIA, legal implica-
and countries. These risks, if iden- Systems/Networks systems, and servers and a host of other tions, and financial losses
tified and controlled in the proper threats
way, can bring a lot of benefits to
Loss of CIA, legal, and
the organization and society as a Application related Applications Malware, logic bombs financial implications.
whole.
Loss of CIA, legal implica-
Managing and mitigating risks in Improper Controls Entire organization is
exposed
Loss of data, viruses,
logic bombs, etc. tions, reputational damage,
Web 2.0 requires a more diversi- and business losses
fied approach rather than a single
figure 1 – Web 2.0 threat sources
35
2. risk management in the Web 2.0 environment | Vinoth Sivasubramanian ISSA Journal | February 2010
People are the weakest as well as the strongest link in an organization.

Now with some familiarity of the threat sources, let us analyze some of the strategies that could be implemented for mitigating and controlling the threats caused by the noted sources. These threats can be mitigated through a multi-layered defense process of internal controls, technological controls, and processes.

Human threats

People are the weakest as well as the strongest link in an organization. LinkedIn and MySpace are two of the major social networking sites where people working within the organization can leak sensitive data deliberately or inadvertently. Organizations cannot block social networks because they are becoming the base infrastructure for business and personal interaction of the future. For effective social network use in the workplace and to ensure that valuable data is not leaked, organizations must ensure the following minimal steps.

define a policy for virtual environments

Clearly document the websites/activities that are permitted within the corporate environment. Also document the activities that are allowed in virtual environments. With the help of legal counsel, document the actions that would be initiated in the event of non-compliance with these policies.

monitor virtual environments

The workplace is not the only place vital data can be leaked; therefore, monitor virtual environments regularly. IT managers must ensure that they organize an internal team to monitor virtual environments for slanderous comments, sensitive data, and other objectionable content. This must be done periodically, at least once a month, and the reports stored. Deviations, if any, must be reported to management and actions must be taken in accordance with local laws and organizational policies.

educate end users

Security is everyone’s responsibility. Educating end users on security awareness in the Web 2.0 environment is more critical than ever. It is essential that they be taught not only the traditional email, system, and web security jargon but also what can be discussed/posted in virtual environments. Also make clear the repercussions that would follow if inappropriate behavior is discovered. Educate them on the potential risks that the organization is exposed to if browsing from an airport coffee shop or WiFi hotspot. Have a training manual, distribute it to everyone, and keep it updated. Conduct regular security awareness training programs.

Invest in training and development

Keep the security people busy: invest in training security personnel on the latest threats and protections through internal resources or external training, and make sure that they stay updated on the latest trends and technologies. Security personnel who do not keep themselves updated on the latest technologies and trends pose a threat in and of themselves. The IT/security department should subscribe to good security journals and sponsor memberships in professional organizations such as ISSA, ISACA, IEEE, etc., which provide a wealth of information on security and related research.

Instill ethics and integrity into the culture of the organization

This is by far the most potent weapon for creating an almost infallible security culture and program within the organization, but also the most difficult. Outlined are some simple points to help create and foster a culture of integrity and ethics within the organization.

• Have a written code of ethics in place involving all business leaders; ensure that every employee signs it and make him or her aware of the advantages of having one in place and how and where to report in case of violations. Have regular ethics awareness training programs for the staff members.
• Leaders and senior management must practice integrity and fairness in all their dealings; this way it spreads and percolates as a culture within the organization.
• Develop mature, fair, and rigorous employee performance management systems. This will ensure that the right people are retained, trained, and motivated. Have incentives linked to ethical behavior and acts; measure the effectiveness over time, and keep innovating for a highly positive culture.

Protect system assets

System assets include the servers, desktops, PDAs, Blackberries, laptops, and any other asset that is used for accessing data in an organization. Since Web 2.0 runs on all web browsers, exploitation can occur both at the server side and the client side, which can then get distributed. Therefore, it becomes mandatory to harden servers, desktops, PDAs, and laptops. Some suggested best practices for protecting system assets are the following:

• A baseline standard like NIST can be used for hardening the servers, operating systems, PDAs, desktops, and laptops
• Make sure an updated antivirus runs on all the system assets in the organization
• Make sure the necessary patches are applied on all the system assets
• Implement host intrusion prevention systems (HIPS) with proper configurations to test for anomalies on servers that host web applications
• Make sure you test all the system assets regularly to keep them updated against emerging threats

network hardening

A hardened network implemented with proper next-generation firewalls and necessary controls provides a vital defense for the organization against any kind of attack. Fortifying networks is probably the first level of defense and must be properly done.

Some of the basic and necessary steps that need to be performed are the following, apart from the technological solutions that need to be implemented:

• Harden all the network devices using standard baselines such as NIST
• Manage change effectively on the networks: if a new route has to be added on the firewall/router, make sure a change management procedure is followed and update the configuration management database

Implement next-generation firewalls

Legacy URL filtering solutions are insufficient. They rely only on categorized databases of URL entries that update only a few times a day. What is needed is a “reputation system” that assigns global reputations to URLs and IP addresses, and works alongside the categorized databases for the ultimate protection. A sophisticated, third-generation reputation system provides a mechanism for determining the risk associated with receiving data from a particular website. This reputation can be used in conjunction with categories in an organization’s security policy, allowing it to make appropriate decisions based on both category and security reputation information. This reputation-based URL filtering solution needs to be global in scope and internationalized to handle websites in any language.

It is critical that the reputation system provides both web and messaging reputation. Since malicious attacks are multi-protocol, the reputation system must be aware of both email and web threats. A new domain without content cannot be categorized, but if it is associated with IP addresses sending email and they have a history of spam, phishing, or other malicious activity, then the web reputation for this uncategorized domain can immediately be determined and security protections provided to those who try to access the site.

Organizations should deploy email gateways that utilize sender reputation to stop malicious attacks, often launched via spam and social engineering. Email reputation is also critical as spam, phishing, and other malicious emails will include a URL or IP address that needs to be immediately fed back into the web gateway security infrastructure.

ensure that all caches and proxies are “security-aware”

Objects that can be cached must be filtered for malware, security reputation, and URL filtering policy prior to delivery to the requestor’s browser. Cached objects must have these filters applied each time the object is delivered to the end user, because the reputation may have changed since the object was originally cached, or the security policy of this requestor may be different from that of previous requestors. This policy might differ in any of these areas: security reputation, URL filter policy, or malware. Deploying caches and proxies that are not security-aware runs the risk of delivering malicious code to the user.

enable bi-directional filtering

Ensure that bi-directional filtering and application control are implemented at the gateway for all kinds of web traffic. This will scan all incoming and outgoing web traffic, which will assist the IT security personnel in having a greater view of what comes in and goes out. Filter unwanted traffic; monitor violations, incident responses, and forensics. Store the data on a syslog server and archive it after a certain interval of time.

Implement deep-content protection

There are many products available in the market today for implementing deep-content protection. But to achieve success, organizations must make sure they have taken the following steps:

• Have a clearly defined security policy on what should be done by whom
• Define what is sensitive and what is not sensitive with reference to data

Once the above necessary steps are done, the deep-content protection takes care of things: information that is classified can be ensured not to be sent over personal email IDs, or even through official IDs. Deep-content protection also empowers the IT security personnel to granularly control what users will be able to do in the virtual world when using the organizational network; for example, users may be allowed to view social networks but may be restricted from posting.

use comprehensive access, management, and reporting tools

Enterprises should deploy solutions that provide “at-a-glance” reporting on the status and health of their services. They also need both real-time and forensic reporting that allows them to drill down into problems for remediation and post-event analysis. Providing robust and extensible reporting is a critical function to understand risk, refine policy, and measure compliance.
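Added example (not code from the article or any product): a minimal model of the category-plus-reputation decision described under "Implement next-generation firewalls", wired into a cache that stores only the object and recomputes the verdict for every requestor and every delivery, as the security-aware proxy section requires. All domains, scores, sending IPs and the RequestorPolicy/SecurityAwareCache names are constructed for illustration.

```python
from dataclasses import dataclass, field

# Constructed sample data: a category database (the article notes these update
# only a few times a day), per-domain web reputation scores (0 malicious .. 100
# trusted), and messaging reputation (sending IPs with a spam/phishing history).
CATEGORY_DB = {"news.example": "news", "social.example": "social-networking"}
WEB_REPUTATION = {"news.example": 90, "social.example": 75}
SENDER_IPS = {"fresh-domain.example": ["203.0.113.7"]}  # constructed, documentation range
BAD_SENDER_IPS = {"203.0.113.7"}

@dataclass
class RequestorPolicy:
    """Policy of the requestor being served right now, not of the first one."""
    blocked_categories: set = field(default_factory=set)
    min_reputation: int = 50

def web_reputation(domain):
    """Web reputation; an unscored domain inherits a low score when the IPs
    associated with it have sent spam or phishing (messaging reputation
    feeding the web verdict, as the article describes)."""
    if domain in WEB_REPUTATION:
        return WEB_REPUTATION[domain]
    if any(ip in BAD_SENDER_IPS for ip in SENDER_IPS.get(domain, [])):
        return 10
    return 50  # unknown, neutral

def gateway_decision(domain, policy, malware_scan_clean):
    """Decide one delivery to one requestor on category AND reputation."""
    if not malware_scan_clean:
        return "block", "malware"
    category = CATEGORY_DB.get(domain, "uncategorized")
    if category in policy.blocked_categories:
        return "block", "category:" + category
    score = web_reputation(domain)
    if score < policy.min_reputation:
        return "block", "reputation:%d" % score
    return "allow", "%s/%d" % (category, score)

class SecurityAwareCache:
    """Caches object bytes only; the verdict is recomputed on every delivery
    because reputation may have changed and each requestor's policy differs."""
    def __init__(self):
        self.objects = {}

    def fetch(self, domain, policy, origin, scan):
        body = self.objects.get(domain)
        if body is None:
            body = self.objects[domain] = origin(domain)
        verdict, reason = gateway_decision(domain, policy, scan(body))
        return (body if verdict == "allow" else None), reason
```

A cache that stored the first verdict alongside the object would keep serving the page after the reputation drop or to a requestor whose policy blocks the category; this one does not.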
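Added example (not the article's or any product's code): the two prerequisite steps for deep-content protection expressed as data, and the enforcement the section describes: everyone may view a social network but only a permitted group may post, and classified content is stopped whether it is addressed to a personal or an official email ID. The patterns, host names, group names and function names are assumptions.

```python
import re

# Constructed classification rules (the article's "define what is sensitive"
# step): label -> pattern that marks content as sensitive.
SENSITIVE_PATTERNS = {
    "customer-record": re.compile(r"\bCUST-\d{6}\b"),
    "classification-marker": re.compile(r"\b(CONFIDENTIAL|RESTRICTED)\b"),
}
# Constructed policy (the article's "who should do what" step): hosts treated
# as social networks, groups allowed to post there, and personal webmail domains.
SOCIAL_HOSTS = {"social.example"}
POSTING_ALLOWED_GROUPS = {"marketing"}
PERSONAL_MAIL_DOMAINS = {"webmail.example"}

def classify(content):
    """Return the set of sensitivity labels found in content (empty = not sensitive)."""
    return {label for label, rx in SENSITIVE_PATTERNS.items() if rx.search(content)}

def check_web_request(user_group, host, method, body=""):
    """Outbound web request: viewing a social network is allowed for everyone,
    posting only for permitted groups, and no classified content in any upload."""
    if host in SOCIAL_HOSTS and method in ("POST", "PUT") \
            and user_group not in POSTING_ALLOWED_GROUPS:
        return "block", "posting to social networks restricted for group " + user_group
    labels = classify(body)
    if labels:
        return "block", "sensitive content: " + ",".join(sorted(labels))
    return "allow", "ok"

def check_outbound_mail(recipient, body):
    """Classified information may not leave over personal email IDs, or even
    official ones; the reason string tells the reviewer which case was hit."""
    labels = classify(body)
    if not labels:
        return "allow", "ok"
    domain = recipient.rsplit("@", 1)[-1].lower()
    kind = "personal" if domain in PERSONAL_MAIL_DOMAINS else "official"
    return "block", "classified content (%s) to %s mail" % (",".join(sorted(labels)), kind)
```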
Application hardening

Developing a successful and secure application involves many phases. While there are a plethora of articles and standards available on application-related vulnerabilities of Web 2.0 and how to deal with them, we will focus on the overall picture and not delve into each and every exploit here, but outline those basic steps that need to be taken which have often been overlooked in comparison with technical vulnerabilities. Following these simple steps can ensure to a good extent that the applications are securely built. Future vulnerabilities can be easily dealt with if these simple guidelines are followed:

1. Have/hire competent programmers in place who are also deft at handling application security. Develop a culture of secure programming within the IT team. Have the information security personnel participate in the development process.
2. Practice good coding standards using baselines and other standards available from various resources – one excellent resource is the Open Web Application Security Project (OWASP).2 Ensure that the baselines and standards are strictly followed by the programming team.
3. Create a threat model of the application using known and unknown incidents and do stressful penetration tests on applications before they go live. Document the recordings of the tests. This will serve as a reference point for building future applications and save time and money.
4. Have a mature risk assessment/management process in place that has a holistic approach towards application development: people risks, process risks, technological risks. By having a mature risk management process in place, processes are repeatable/reproducible, saving time when newer applications are built.
   • People risks: people risks are often considered beyond application purview but should be scrutinized as carefully as the code they are producing.
   • Process risks: effective change management policy and application release management procedures should be established and maintained for the development cycle.
   • Technological risks: are the best technologies being used? For example, code should not be developed and compiled using older vulnerable versions, e.g., of Java, when new stable releases are available – new releases mitigate a lot of known vulnerabilities.

2 OWASP – www.owasp.org.

Process and policy control mechanisms

Security policies in place

Have effective security policies in place and ensure that they are followed by everybody. Always keep them current in line with changing trends of security and business, and measure their effectiveness by conducting regular awareness quizzes. Monitor for violations using technology, processes, and people. Record and rectify them.

Incident response

In spite of the best firewalls, effective security policies and audits, and the best people, breaches and threats can be realized. If such an incident happens, make sure there is an incident response plan in place on how to deal with that situation. Train people on effective incident management procedures.

conduct continuous risk assessment

Conduct regular risk assessments on web applications with a holistic approach towards security and check to see if the controls are at the optimum and desired level expected by the business units and executive management.

follow benchmarks

Finally, benchmark your protection strategy at regular intervals against global standards or other best practices followed by your peers or other organizations. Align them to your business needs if needed.

conclusion

Web 2.0 is a boon, and if implemented and managed properly, organizations, societies, and countries can benefit from the participatory approach of the collaborative Internet. Organizations and governments spanning countries must come forward with good regulations and measures for making this new trend a success for one and all, as cybersecurity and websites cannot be restricted to a single country alone.

About the Author

Vinoth Sivasubramanian, CEH, ABRC-CIP, ISO 27001 LA, has over seven years of experience in the information security discipline in the domains of telecommunication, finance, and consulting. He is a member of the ISSA Educational Advisory Council, a working committee member of International Cyber Ethics, and a reviewer of IFIP Conference. He can be reached at vinoth.sivasubramanian@gmail.com.