With the continued increase in Web-based communication in the form of Web applications, social networking sites, wikis, blogs and podcasts, new security risks are rising throughout the enterprise. Organizations must take steps to strengthen their defenses in a Web 2.0 world.
As Web 2.0 continues to offer new and exciting ways to collaborate more interactively over the Internet, it is continuously bringing new targeted threats to the horizon. As employees use these Web-based services from work computers, they are unaware that they may be exposing themselves and their organizations to risk.
Hackers target Web 2.0 applications because they are easily able to find passwords, work-related or personal information of its users, and to compromise computers for their own purposes.
Target: Personal Data
Many security breaches that have occurred recently, such as the TJX incident, have resulted in stolen personalized information from customers or employees. Unfortunately, data suggests that this trend will continue if organizations neglect to implement precautionary security measures.
When employees are willing put their personal information online, listing their name, interests and contact information, they are making themselves an easy target for attacks. However, Web 2.0 presents risks even for those who avoid the obvious pitfalls. For example, at the Black Hat USA 2007 conference in Las Vegas, it was very clearly demonstrated that accessing webmail over unencrypted wireless access could result in immediate compromise of the user’s webmail account.
Many organizations conduct business exclusively over the Web. When these companies’ Web sites are attacked through any form of malicious activity, it greatly impacts their business. In order to protect corporate networks, IT decision makers are banning the use of Web mail, instant messaging and any social networking sites that may open a new avenue for hackers to attack.
Social Networking’s Twist
So far in 2007 we have already seen an increase in targeted attacks. Personalized e-mails are sent to us that read “A family member has sent you a e-card, click here to view.” By clicking on the link in the e-mail, the victim is immediately sent to an infected site, where malware is loaded onto the victim’s computer.
While these attacks may still be in the early stages, they can easily become even more targeted and lure the victim to believe the e-mail is indeed from a family member or friend. Hackers will soon be able to extract information to personalize the card further and trick the victim into thinking they’ve received a message from a friend on Facebookor MySpace when instead they click on a link to a Web site which is hosting malicious code.
The significant increase of sophisticated and targeted threats in the Web 2.0 era lends a hand in making personalized information more accessible. In the future, this will affect organizations and may even lead to high-profile losses of sensitive customer and employee information.
The security breaches of 2007 are a warning to all security professionals to expand their protection systems beyond threat-detection and towards information protection. Organizations should consider further education for their users, new information protection policies, and additional technology solutions such as intrusion prevention systems and information leakage protection solutions.
Protecting the Organization
To combat these risks for the next few years, security strategies need to be effectively put in place before new threats arise. Organizations should be investing time to ensure continued education of their computer users remains a top priority. Investing in next-generation host-based and network-based technology is a necessary precaution and will help organizations manage who has access to their networks.
In addition to these security measures, it is also important to implement strict authentication and access controls to reduce risks from insider threats and inappropriate access to sensitive company or customer information. Implementing organization-wide document classification processes can provide a basic infrastructure within which information protection policies can be enforced.
The key to securing a network is for enterprises to stay ahead of new security threats before they appear. To do this they must evaluate their security infrastructure and properly plan for the future, proactively thinking of how hackers will attack next. Threats will only become more common and creative.
Basic steps to strengthen defenses in a Web 2.0 world include the following:
- Continued Education of Computer Users
- Don’t click on strange links (avoid tempt-to-click attacks)
- Do not release personal information online
- Use caution with IM and SMS (short message service)
- Avoid social networking sites
- Don’t e-mail sensitive information
- Don’t hit “reply” to a received -email containing sensitive information
- Require mandatory VPN (virtual private network) use over wireless networks
- Host-Based Technology
- Require hard drive encryption on all laptops
- Control the use of portable storage media by managing desktops
- Require the use of personal/desktop firewall software
- Require the use of personal/desktop anti-malware software
- Consider implementing document management systems
- Network-Based Technology
- Deploy network intrusion prevention (IPS)
- Consider network admission control (NAC)
- Implement information leakage detection and prevention
- Consider IP reputation-based pre-filtering solutions
Increased use of Web 2.0 applications creates new a new avenue for hackers and their attacks. If organizations implement proper security practices, they will keep both their employees and secure data safe. In order to avoid data leakage, information breaches or any form of identity theft, it is advisable to follow best practices, such as those listed above.
Mike Paquette is chief strategy officer at Top Layer Networks.