Web 2.0 enables companies to build dynamic networking communities and foster ad hoc collaboration among employees, customers and partners. This can be great for businesses, as they can gain insights and feedback in hours instead of weeks or months. However, the trusting, collaborative and open nature of the Web 2.0 environment is precisely what makes it ripe for malicious exploitation.
Like it or not, social media, peer-to-peer (P2P) file sharing, instant messaging, streaming media and mobile applications have not only taken over our personal lives, but also have made irreversible inroads into our businesses. Employees teleconference, telecommute and IM instead of making phone calls. Companies pitch their offerings to the world over YouTube, Twitter and Facebook. In struggling to keep a lid on Web 2.0 security, IT must answer three fundamental questions:
- Can Web 2.0 be trusted?
- Is Web 2.0 appropriate?
- How can I keep Web 2.0 under control?
Can Web 2.0 Be Trusted?
In a word, no.
With Web 2.0, it is best to think of trust as user-defined, based on relationships rather than authentication. There is nothing built into Web 2.0 that would prevent users from downloading a file or linking to a site that recommended by a friend — even if that friend were actually someone pretending to be a friend.
Earlier this year, for example, hackers lured victims from the social networking site LinkedIn to download malware from phony contact pages for Beyonce Knowles, Victoria Beckham, Salma Hayek and other celebrities. Similarly, hackers have commandeered Twitter celebrity profiles and applied phishing techniques to gather member authentication information.
Celebrity identities are not the only ones that get hijacked. Corporate identities and brands can be compromised as well. For instance, hackers recently persuaded members of BitTorrent, a P2P file-swapping site, to download an executable malware file masquerading as Apple iWork trialware. This exposed thousands of Macs to potential remote control by hackers, resulting in one of the most significant exploits ever targeted at the Apple brand.
Making the problem of Web 2.0 threats even more difficult to prevent is the hacker’s ability to attack under the conventional security radar. Any hacker can set up a malicious Web server in minutes and lure unsuspecting victims through posted social media links to a site that has not had time to develop a bad reputation.
So, how can businesses resolve the Web 2.0 trust issue? By taking Web 2.0 out of the equation, and making it a network trust issue.
While you are not going to be able to make every user of BitTorrent or LinkedIn trustworthy, you can apply and enforce policies to authenticate users who access your network or its resources. Similarly, you will not always prevent users from accessing malicious sites using signature updates alone; but you can add a layer of deep packet inspection at your gateway to analyze traffic payloads and stop users from downloading malware into your network.
Is Web 2.0 Appropriate?
Web 2.0 offers amazing tools for business productivity, like streaming video conferencing or social media marketing. For many, social media, instant messaging and texting have surpassed email as their primary means of business communications. However, what about inappropriate use of Web 2.0 sites and applications aimed at gambling, entertainment, sports, dating or other nonbusiness activities? These inhibit productivity, consume bandwidth, and expose businesses to data leakage and regulatory noncompliance.
Nearly all Web 2.0 applications are hard to define as “good” or “bad.” Their usefulness to a business can depend not only on the site and content, but also on the time of day, the requesting user, and even external events — such as a relevant news story or a video from a competitor.
The challenge for businesses is to strike a balance between Web 2.0 freedom and organizational productivity. In many organizations, the productivity threat of Web 2.0 can be as serious as traditional malware-based threats. With Web 2.0 traffic, productivity threat management often goes hand-in-hand with bandwidth management. No business wants to pay for more bandwidth than it uses, so IT often aims to keep excess available bandwidth at marginal levels.
Many Web 2.0 applications are especially media-rich, depleting bandwidth reserves. For example, during a major news or sports event, IT may see a huge spike in streaming video traffic that can steal remaining bandwidth away from mission-critical applications. Productivity gets hit two ways: Some employees are doing what they should not be doing, so others cannot do what they need to do.
To offset this productivity threat, consider deploying bandwidth management tools to restrict the bandwidth available to nonproductive applications either by percentage or by time-of-day. These tools can also ensure minimum bandwidth percentages for critical applications.
In addition, you can configure application firewall services to block specific streaming media file sites. You should make sure these services have unrestricted capability to scan excessively large files that may contain malware in their payloads. However, to ensure optimal network performance, they must also be able to scan the files in real-time, instead of having to disassemble and reassemble packets.
Outbound traffic poses its own threats. As with email, employees tweeting, blogging or swapping files potentially can leak sensitive or confidential corporate information. Additionally, internal, governmental or industry regulatory mandates can require that offensive or discriminatory content cannot traverse your corporate network. Six percent of employers have fired employees for posting unacceptable content on their personal social networking sites or video-sharing sites, or for “inappropriate text messaging,” according to the American Management Association and the ePolicy Institute.
You can apply content filtering and application firewall technology to block transmission of inappropriate outbound traffic, and have it forwarded to appropriate management or human resources authorities. Once again, for comprehensive protection, the tool you use must be able to scan the entire data stream — not just packet headers.
Is Web 2.0 Under Control?
Perhaps the most disconcerting aspect of Web 2.0 to IT professionals is the potential risk of losing control over the corporate network and its traffic. Not many years ago, IT considered now-common technologies like Web access and external email to be too risky to allow them for everyday business use. Experience has shown that businesses eventually embrace and apply new advances in technology, and Web 2.0 is no exception.
A major challenge in controlling Web 2.0 is that the associations between users do not have to be defined until they meet. Consequently, a threat can start with one person and propagate quickly in unpredictable ways. In a controlled environment, a threat may progress through an address book, for example. Web 2.0 threats are aimed not only at individual users, but also at everyone in their entire networking community.
IT also loses control over Web 2.0 when employees download nonstandard platform applications to support their streaming media. For instance, an employee may be referred by a “friend” to a video download that requires them to install a new codec — which actually launches a virus. Even if the codec were legitimate, IT would still lose control over what media viewer applications were running on their corporate network and desktops.
Another inherent aspect of Web 2.0 that undermines IT control is its widespread integration with mobile technologies. Employees socialize online both personally and for business, using home PCs, laptops, netbooks, smartphones and other devices. One threat this poses is that the equipment is often personally owned — or if corporate-owned, not directly managed by IT. These “unmanageable” devices can be hacked or reconfigured after being lost, stolen, borrowed, or used by an employee’s family members.
While an employee teleworking on a home PC might not be lured by a link to a bogus celebrity site, the same might not be true of a teenage son or daughter using the same machine. That could potentially compromise both the security of the device and any further remote VPN connections made by the employee. Interactive gaming sites also pose a threat by requiring users to download executable programs or share files with unidentified users located anywhere around the world.
Application firewalls can help control Web 2.0 by blocking installation of unauthorized software like nonstandard browsers, P2P applications or media players. In addition, sophisticated deep packet inspection firewalls can help identify and block botnet attacks, malicious payloads buried in large files, and other types of threats.
In order to control Web 2.0 threats from unmanageable mobile devices, it’s best to route all traffic traversing a network via wireless, mobile or VPN technology through a comprehensive security firewall. Some firewalls incorporate these extended networking functions, so that it isn’t necessary to deploy or configure separate additional appliances such as wireless access controllers.
Securing Web 2.0 Is Up to You
Web 2.0 is here to stay. It is not inherently designed to be predictable, rigid or contained. It can be used to enhance productivity and drive collaboration, or crush productivity and deliver malware in unique and unpredictable ways.
For IT, the basic tenets of enabling productivity and protecting the organization are still in there — only the playing field has changed. It is up to each organization to enforce the levels of trust, appropriateness and control its IT department retains over Web 2.0 usage, using defenses like deep packet inspection, application firewalls, and content-filtering systems.
Patrick Sweeney is vice president of product management for all SonicWall business units.