Open season for attackers?

With Web 2.0 exposing communications even more, security is at higher risk than ever

 

BY Wayne Neich

The Web is now a participatory medium, with users contributing, communicating, and building. The downside of this connectivity and user participation is a new slew of security threats many IT professionals have yet to fully grasp.

For a number of years, the Web was a relatively one-dimensional experience characterised by the delivery of static HTML pages within a one-way client-server environment, with little direct user involvement. Web 2.0 is a different animal. Web 2.0 is participatory; a server environment of P2P networking, AJAX-generated applications, social networking, bookmarking, media-sharing sites, blogs, wikis, and RSS feeds. A world largely outside of the IT department’s control.

The boundary between the trusted network and the Internet is quickly disappearing, leaving the corporate enterprise open to a new generation of threats that make the previous generation’s seem benign. Take email. Several years ago, SMTP was the main vector for viruses and other malicious content. In Web 2.0, SMTP is no longer the carrier for the malicious payload. Instead, email only directs the unsuspecting user to a web site, where the more dynamic HTTP can be exploited for nefarious purposes.

Web 2.0 is by definition dynamic, social, and collaborative. Users supply the data that make many Web 2.0 applications and services what they are - Google Earth works because users interact with it, MySpace is only as great as the sum of its members, del.icio.us.com functions because users share their bookmarks, the blogosphere exists because users blog. It is this very collaboration and openness that attackers thrive on. Users today share information in multiple venues—email was once the venue.

In this open environment monitoring for corporate data leakage and unwanted content becomes a herculean task. The danger has increased in orders of magnitude. An email leaking corporate information has a limited reach and shelf-life (delete it and it’s gone). But sensitive data leaked into the blogosphere has the potential to do significant, long-term damage. Blogs are stored in searchable archives. Redirects to thousands of websites put data at the fingertips of anyone interested in the information.

As always, the challenge is balancing user expectations with corporate security. Users demand unfettered connectivity—email, IM, and video conferencing, and access to Web-based applications. More and more companies are outsourcing their mission-critical data (for example, CRM systems) to web-based hosting infrastructures. These applications enable organisations to reduce IT administration costs and headaches associated with traditional, locally-hosted applications. But hackers have been quick to exploit vulnerabilities in web applications.

For example, Web 2.0 has been especially good to phishing attackers. Phishing sites built using Rich Internet Applications (RIAs) appear so legitimate that even seasoned users and early-generation security solutions are fooled. Nomadic attack patterns make it almost impossible to track down the attackers.

Legitimate websites aren’t safe anymore either. Attackers can (and do) embed executable XML malware on popular sites: Last year, computer experts found virus code embedded in MySpace pages. Streaming video is the next vector of choice. Imagine the effect of a Trojan horse embedded in one of YouTube’s popular videos which, potentially, millions of unsuspecting users would view.

What can security professionals do to protect their enterprises?

First they must have the ability to scan legitimate websites in real time for executable viruses and other malware. Blanket blocking is not the answer—many legitimate web-based business applications use executables to enrich the user experience. Security professionals must also be able to establish both broad and granular user-based policy controls over P2P applications such as IM and Skype, without hindering user productivity and application performance.

An understanding of today’s phishing techniques is also essential. Users should be blocked from posting data to high-risk sites and sites with invalid SSL certificates. Finally, IT professionals should exercise broad protocol control over RTSP, MMS, IM, SSL, and P2P applications so threats can be identified and blocked. Some of the more comprehensive web security solutions offer this level of functionality along with basic messaging, anti-virus and anti-spam filters. The key is to ensure a seamless, unfettered user experience. It’s a tall order, but not an impossible one.

Wayne Neich is the country manager of Blue Coat Systems, Australia and New Zealand.