Mitigating Web 2.0 Threats - Good report on threats from Web 2.0 websites like Facebook, LinkedIn, MySpace, YouTube, Live.com and others

1. Mitigating Web 2.0 Threats
Or, “This isn’t your mother’s internet!”
David Sherry CISSP CISM
Chief Information Security Officer
Sponsored By: Brown University

2. Security @ Brown
•Security evangelism •Public Safety support
•Incident Response Team •Human Resources support
•Audit support •Records Management
•Compliance and legal •Business Continuity
standards •Disaster Recovery
•Firewalls, IDS, IPS, VPN, •Copyright / DMCA agent
sniffers, A/V, DNS, etc…. •Discipline Committee
•Security audits and •Mandatory / elective training
certifications •Awareness
2

3. Today’s Agenda (or is it a mashup?)
• Our changing world of security
• What is web 2.0?
• Attack vectors and areas of concern
• The evolution of the threats….they’re nothing new!
• What should be focused on
• Recommendations to reduce the threat

4. Our World is Changing
May you live in interesting times…..
Chinese Proverb
• Compliance is a key competency of security pros
• Identity Theft is fastest growing crime
• President’s Cyber Security Initiative provides spotlight
• Online underground economy has matured
• National and global economy means “do more with less”
• Threat evolution:
• Infrastructure > web/messaging > DLP > Web 2.0

5. What is Web 2.0?
Used with permission via Creative Commons: http://kosmar.de/archives/2005/11/11/the-huge-cloud-lens-bubble-map-web20/

7. What is Web 2.0?
From Wikipedia: (which is, itself, a 2.0 phenomenon)
"Web 2.0" refers to web development and web design that
facilitates interactive information sharing, interoperability,
user-centered design and collaboration on the World Wide
Web. Examples of Web 2.0 include web-based communities,
hosted services, web applications, social-networking sites,
video-sharing sites, wikis, blogs, mashups and
folksonomies. A Web 2.0 site allows its users to interact
with other users or to change website content, in contrast
to non-interactive websites where users are limited to the
passive viewing of information that is provided to them.

8. Common Web 2.0 Descriptors
• “User generated content”
• “Mashups and web services”
• “Consumer and enterprise convergence”
• “Diversity of client software”
• “Complexity and asynchronous operations”

9. The Enterprise Triple-Threat of 2.0
1. Loss of productivity
2. Vulnerable to data leaks
3. Increased security risks

10. Characteristics of Web 2.0 Security
• Web filtering is no longer adequate
• AJAX, SAML, XML create problems for
detection
• RSS and RIA can enter directly into networks
• Non-static makes identification difficult
• High bandwidth use can hinder availability
• User generated content hard to contain

11. Web 2.0 Attack Vectors
• Blogs
• Social networks
• Web portals
• Mashups
• Pop-ups
• Anonymizing proxies
• Spamdexing
• Widgets

12. Web 2.0 Areas of Concern
• Client side issues
• Transparency and cross-domain communications; AJAX and
JavaScript attacks on the rise
• Protocols
• New protocols on top of HTTP/S (SOAP, XML, etc)
• Information sources
• Concerns over integrity, transiency, and diversity
• Information structures
• Variations of data structures, injection attacks
• Server side
• Architecture, authorization, and authentication weaknesses

13. Evolution of the Threats in 2.0
• USB and auto-run malicious code
• Insiders are a threat, but they don’t know it
• Adobe PDFs and Flash replace Word and Excel
• Worms travel through social spaces into offices
• DOS attacks against social networks
• Malware travels via all conduits
• Pop-ups advertise seemingly legitimate
services and take advantage of current events

14. So what do you focus on?
From Secure Enterprise 2.0, the dangers come from:
1. Insufficient authentication controls
2. Cross-site scripting
3. Cross-site request forgery
4. Phishing
5. Information leakage
6. Injection flaws
7. Information integrity
8. Insufficient anti-automation
www.secure-enterprise20.org

15. Recommendations for Web 2.0
Technical:
• Experts recommend a three-tiered, integrated data
protection approach:
• Maintain vigilant anti-virus protection
• Establish a robust anti-malware protection program
• Utilize an AJAX-aware analysis platform
• Use real-time content and security scanning
• Make sure browsers and plug-ins are patched
• Don’t just patch “high” rated patches!
• Remember your end points
• Use encryption as a key strategic defense

16. Recommendations for Web 2.0
Managerial:
• Ensure that your policies are current and address 2.0
• Subjective policy setting
• Group level access
• Productivity based policies
• Use a Data Loss Prevention as an essential teaching tool
• Education and awareness must go beyond passwords
• Ensure cross-functional response and participation
• Speak with data!

17. Ensuring a Defensive Web 2.0 Policy
• Revisit your Acceptable Use Policy
• View the policy from a web 2.0 lens
• Be sure to cover new technologies like anonymizing proxies
• Include other groups for strength
• Human Resources, Risk Management, Privacy, Physical
Security, Audit, and Legal
• Step up your training and awareness for Web
2.0 concerns

18. Support your policy through technology
• IDS / IPS
• Bandwidth shaping and throttling
• Standard images
• Group policy objects
• Firewall rules
• Anti-virus, spyware, and malware
• Monitor for your good name!

19. Summary
• We are living in a changing world, and Web
2.0 is part of it
• 2.0 brings added challenges and
characteristics to security professionals
• There are technical and managerial solutions
to reduce Web 2.0 concerns
• Like all emerging technologies and their
related threats, a holistic security approach
is needed

20. There is never enough time;
thank you for some of yours.
David Sherry, CISSP CISM
Chief Information Security Officer
Brown University
Campus Box 1885
Providence, RI 02912
401.863-7266
david_sherry@brown.edu

21. Thanks to our Sponsors
Product trial download page
Free Whitepaper: Reduce
shopping cart abandonment.
Increase revenue.