Guest column: Security Web 2.0 - Open Season for the Attackers?

Powered by SC Magazine
 

The Web is now a participatory medium -- users contributing, communing, and building. The downside of this ubiquitous connectivity and user participation is a new slew of security threats many IT professionals have yet to fully grasp.

For a number of years, the Web was a relatively one-dimensional experience characterised by the delivery of static HTML pages within a one-way client-server environment – with little direct user involvement. The security threats were and are real. But Web 2.0 is a different animal. Web 2.0 is a participatory client, it is a server environment of P2P networking, AJAX-generated applications, social networking, bookmarking, media-sharing sites, blogs, wikis, and RSS feeds. A world largely outside of the IT department’s control.

The boundary between the trusted network and the Internet is quickly disappearing, leaving the corporate enterprise open to a new generation of threats that make the previous generation’s seem benign. Take email. Several years ago, SMTP was the main vector for viruses and other malicious content. In Web 2.0, SMTP is no longer the carrier for the malicious payload. Instead, email only directs the unsuspecting user to a web site, where the more dynamic HTTP can be exploited for nefarious purposes.

Among other techniques, attackers can now manipulate the DNS protocol to mask a malicious website as legitimate in order to gain access to the corporate network via the user’s browser and virtually any information the user can access. A chilling possibility.

Web 2.0 is by definition dynamic, social, and collaborative. Users supply the data that make many Web 2.0 applications and services what they are — Google Earth works because users interact with it, MySpace is only as great as the sum of its members, del.icio.s.com functions because users share their bookmarks, the Blogosphere because users blog. It is this very collaboration and openness that attackers thrive on. Users today share information in multiple venues — email was once the venue.

In this open environment monitoring for corporate data leakage and unwanted content becomes a Herculean task. The danger has increased in orders of magnitude. An email leaking corporate information has a limited reach and shelf-life (delete it and it's gone). But sensitive data leaked into the blogosphere has the potential to do significant, long-term damage. Blogs are stored in searchable archives. Redirects to thousands of websites put data at the fingertips of anyone interested in the information.

As always, the challenge is balancing user expectations with corporate security. Users demand unfettered connectivity — email, IM, and video conferencing — and access to Web-based applications. More and more companies are outsourcing their mission-critical data (e.g. CRM systems) to web-based hosting infrastructures. These applications enable organisations to reduce IT administration costs and headaches associated with traditional, locally-hosted applications. But hackers have been quick to exploit vulnerabilities in Web applications.

For example, Web 2.0 has been especially good to phishing attackers. Phishing sites built using Rich Internet Applications (RIAs) appear so legitimate that even seasoned users and early-generation security solutions are fooled. Nomadic attack patterns make it almost impossible to track down the attackers.

Legitimate stand-alone RIAs are powerful because they offload most of processing to the client machine via a client engine that acts as an extension of the user’s browser. This client executable can be used as a vector for malicious code. RIAs that use ActiveX plug-ins, a common RIA technique, are especially vulnerable to attack. (Eighty-nine percent of browser plug-in vulnerabilities disclosed by Symantec in the first half of 2007 affected ActiveX plug-ins in Internet Explorer.)

Legitimate websites aren't safe anymore either. Attackers can (and do) embed executable XML malware on popular sites--last year, computer experts found virus code embedded in MySpace pages. Streaming video is the next vector of choice. Imagine the effect of a Trojan horse embedded in one of YouTube’s featured videos which, potentially, millions of unsuspecting users would view.

Just this month, the long-running Storm Trojan horse that has infected user machines via SMTP, made the jump to HTTP. Storm backers infected the website for Republican Party in the 1st Congressional District of Wisconsin. Fortunately, the site’s owners were able to remove the dangerous code within a few hours. Security experts estimate that as many as two million machines are part of the Storm botnet; its tentacles could reach into the tens of millions with the move to the Web. Blanket blocking of legitimate sites is not the solution; arguably some of these sites fulfill legitimate business functions for some users.

SSL-encrypted websites also pose a threat. Most web security solutions don’t inspect the SSL tunnel, which carries the encrypted data point-to-point, making SSL an effective vector for stealing data. Attackers also set up SSL-enabled web servers to appear legitimate to phishing victims. When the user receives an email and clicks through to what he believes to be his banking site, the familiar lock within his web-browser gives him a false sense of security.

SSL is also an effective way of getting bots and Trojans past a corporate firewall and onto the trusted networks. Once a bot is installed, it forms botnets that use similar SSL sessions to leak sensitive data and other valuable content out of the corporate network. Most content filters and other security products fail to identify these attacks as they occur because they can’t view the encrypted data so these sessions are allowed in and out of the network.

What can security professionals do to protect their enterprises?

First they must have the ability to scan legitimate websites in real-time for executable viruses and other malware. Blanket blocking is not the answer — many legitimate web-based business applications use executables to enrich the user experience. Security professionals must also be able to establish both broad and granular user-based policy controls over P2P applications such as IM and Skype, without hindering user productivity and application performance.

An understanding of today’s phishing techniques is also essential. Users should be blocked from posting data to high-risk sites and sites with invalid SSL certificates. Finally, IT pros should exercise broad protocol control over RTSP, MMS, IM, SSL, and P2P applications so threats can be identified and blocked. Some of the more comprehensive web security solutions offer this level of functionality along with basic messaging, anti-virus and anti-spam filters. The key is to ensure a seamless, unfettered user experience. It’s a tall order, but not an impossible one.

Wayne Neich is the Country Manager of Blue Coat Systems, Australian and New Zealand.

 
 
 
Top Stories
Frugality as a service: the Amazon story
Behind the scenes, Amazon Web Services is one lean machine.
 
Negotiating with the cloud email megavendors
[Blog post] Lessons from Woolworths’ mammoth migration.
 
Qld govt to move up to 149k staff onto Office 365
Australia's largest deployment, outside of the universities.
 
 
Sign up to receive iTnews email bulletins
   FOLLOW US...

Latest VideosSee all videos »

The great data centre opportunity on Australia's doorstep
The great data centre opportunity on Australia's doorstep
Scott Noteboom, CEO of LitBit speaking at The Australian Data Centre Strategy Summit 2014 in the Gold Coast, Queensland, Australia. http://bit.ly/1qpxVfV Scott Noteboom is a data centre engineer who led builds for Apple and Yahoo in the earliest days of the cloud, and who now eyes Asia as the next big opportunity. Read more: http://www.itnews.com.au/News/372482,how-do-we-serve-three-billion-new-internet-users.aspx#ixzz2yNLmMG5C
Interview: Karl Maftoum, CIO, ACMA
Interview: Karl Maftoum, CIO, ACMA
To COTS or not to COTS? iTnews asks Karl Maftoum, CIO of the ACMA, at the CIO Strategy Summit.
Susan Sly: What is the Role of the CIO?
Susan Sly: What is the Role of the CIO?
AEMO chief information officer Susan Sly calls for more collaboration among Australia's technology leaders at the CIO Strategy Summit.
Meet the 2014 Finance CIO of the Year
Meet the 2014 Finance CIO of the Year
Credit Union Australia's David Gee awarded Finance CIO of the Year at the iTnews Benchmark Awards.
Meet the 2014 Retail CIO of the Year
Meet the 2014 Retail CIO of the Year
Damon Rees named Retail CIO of the Year at the iTnews Benchmark Awards for his work at Woolworths.
Robyn Elliott named the 2014 Utilities CIO of the Year
Robyn Elliott named the 2014 Utilities CIO of the Year
Acting Foxtel CIO David Marks accepts an iTnews Benchmark Award on behalf of Robyn Elliott.
Meet the 2014 Industrial CIO of the Year
Meet the 2014 Industrial CIO of the Year
Sanjay Mehta named Industrial CIO of the Year at the iTnews Benchmark Awards for his work at ConocoPhillips.
Meet the 2014 Healthcare CIO of the Year
Meet the 2014 Healthcare CIO of the Year
Greg Wells named Healthcare CIO of the Year at the iTnews Benchmark Awards for his work at NSW Health.
Meet the 2014 Education CIO of the Year
Meet the 2014 Education CIO of the Year
William Confalonieri named Healthcare CIO of the Year at the iTnews Benchmark Awards for his work at Deakin University.
Meet the 2014 Government CIO of the Year
Meet the 2014 Government CIO of the Year
David Johnson named Government CIO of the Year at the iTnews Benchmark Awards for his work at the Queensland Police Service.
Q and A: Coalition Broadband Policy
Q and A: Coalition Broadband Policy
Malcolm Turnbull and Tony Abbott discuss the Coalition's broadband policy with the press.
AFP scalps hacker 'leader' inside Australia's IT ranks.
AFP scalps hacker 'leader' inside Australia's IT ranks.
The Australian Federal Police have arrested a Sydney-based IT security professional for hacking a government website.
NBN Petition Delivered To Turnbull's Office
NBN Petition Delivered To Turnbull's Office
UTS CIO: IT teams of the future
UTS CIO: IT teams of the future
UTS CIO Chrissy Burns talks data.
New UTS Building: the IT within
New UTS Building: the IT within
The IT behind tomorrow's universities.
iTnews' NBN Panel
iTnews' NBN Panel
Is your enterprise NBN-ready?
Introducing iTnews Labs
Introducing iTnews Labs
See a timelapse of the iTnews labs being unboxed, set up and switched on! iTnews will produce independent testing of the latest enterprise software to hit the market after installing a purpose-built test lab in Sydney. Watch the installation of two DL380p servers, two HP StoreVirtual 4330 storage arrays and two HP ProCurve 2920 switches.
The True Cost of BYOD
The True Cost of BYOD
iTnews' Brett Winterford gives attendees of the first 'Touch Tomorrow' event in Brisbane a brief look at his research into enterprise mobility. What are the use cases and how can they be quantified? What price should you expect to pay for securing mobile access to corporate applications? What's coming around the corner?
Ghost clouds
Ghost clouds
ACMA chair Chris Chapman says there is uncertainty over whether certain classes of cloud service providers are caught by regulations.
Was the Snowden leak inevitable?
Was the Snowden leak inevitable?
Privacy experts David Vaile (UNSW Cyberspace Law and Policy Centre) and Craig Scroggie (CEO, NextDC) claim they were not surprised by the Snowden leaks about the NSA's PRISM program.
Latest Comments
Polls
Which bank is most likely to suffer an RBS-style meltdown?





   |   View results
ANZ
  21%
 
Bankwest
  9%
 
CommBank
  11%
 
National Australia Bank
  17%
 
Suncorp
  24%
 
Westpac
  19%
TOTAL VOTES: 1455

Vote