Mitigating Web 2.0 Threats

Posted: 19-Oct-2014 | Category: Technology


Description

Mitigating Web 2.0 Threats - A good report on threats from Web 2.0 websites like Facebook, LinkedIn, MySpace, YouTube, Live.com and others.

Transcript of Mitigating Web 2.0 Threats

Page 1: Mitigating Web 2.0 Threats

Mitigating Web 2.0 Threats
Or, “This isn’t your mother’s internet!”

David Sherry, CISSP CISM
Chief Information Security Officer
Brown University

Sponsored By:

Page 2: Mitigating Web 2.0 Threats

Security @ Brown

• Security evangelism

• Incident Response Team

• Audit support

• Compliance and legal standards

• Firewalls, IDS, IPS, VPN, sniffers, A/V, DNS, etc.

• Security audits and certifications

• Public Safety support

• Human Resources support

• Records Management

• Business Continuity

• Disaster Recovery

• Copyright / DMCA agent

• Discipline Committee

• Mandatory / elective training

• Awareness

Page 3: Mitigating Web 2.0 Threats

Today’s Agenda (or is it a mashup?)

• Our changing world of security

• What is web 2.0?

• Attack vectors and areas of concern

• The evolution of the threats... they’re nothing new!

• What should be focused on

• Recommendations to reduce the threat

Page 4: Mitigating Web 2.0 Threats

Our World is Changing

• Compliance is a key competency of security pros

• Identity Theft is fastest growing crime

• President’s Cyber Security Initiative provides spotlight

• Online underground economy has matured

• National and global economy means “do more with less”

• Threat evolution: Infrastructure > web/messaging > DLP > Web 2.0

“May you live in interesting times.” (Chinese proverb)

Page 5: Mitigating Web 2.0 Threats

What is Web 2.0?

Used with permission via Creative Commons: http://kosmar.de/archives/2005/11/11/the-huge-cloud-lens-bubble-map-web20/

Page 6: Mitigating Web 2.0 Threats

Page 7: Mitigating Web 2.0 Threats

What is Web 2.0?

"Web 2.0" refers to web development and web design that facilitates interactive information sharing, interoperability, user-centered design and collaboration on the World Wide Web. Examples of Web 2.0 include web-based communities, hosted services, web applications, social-networking sites, video-sharing sites, wikis, blogs, mashups and folksonomies. A Web 2.0 site allows its users to interact with other users or to change website content, in contrast to non-interactive websites where users are limited to the passive viewing of information that is provided to them.

Source: Wikipedia (which is, itself, a Web 2.0 phenomenon)

Page 8: Mitigating Web 2.0 Threats

Common Web 2.0 Descriptors

• “User generated content”

• “Mashups and web services”

• “Consumer and enterprise convergence”

• “Diversity of client software”

• “Complexity and asynchronous operations”

Page 9: Mitigating Web 2.0 Threats

The Enterprise Triple-Threat of 2.0

1. Loss of productivity

2. Vulnerability to data leaks

3. Increased security risks

Page 10: Mitigating Web 2.0 Threats

Characteristics of Web 2.0 Security

• Web filtering is no longer adequate

• AJAX, SAML, and XML create problems for detection

• RSS feeds and RIAs (rich Internet applications) can enter networks directly

• Non-static content makes identification difficult

• High bandwidth use can hinder availability

• User generated content hard to contain

Page 11: Mitigating Web 2.0 Threats

Web 2.0 Attack Vectors

• Blogs

• Social networks

• Web portals

• Mashups

• Pop-ups

• Anonymizing proxies

• Spamdexing

• Widgets

Page 12: Mitigating Web 2.0 Threats

Web 2.0 Areas of Concern

• Client side issues: transparency and cross-domain communications; AJAX and JavaScript attacks on the rise

• Protocols: new protocols on top of HTTP/S (SOAP, XML, etc.)

• Information sources: concerns over integrity, transiency, and diversity

• Information structures: variations of data structures, injection attacks

• Server side: architecture, authorization, and authentication weaknesses

Page 13: Mitigating Web 2.0 Threats

Evolution of the Threats in 2.0

• USB and auto-run malicious code

• Insiders are a threat, but they don’t know it

• Adobe PDFs and Flash replace Word and Excel

• Worms travel through social spaces into offices

• DoS attacks against social networks

• Malware travels via all conduits

• Pop-ups advertise seemingly legitimate services and take advantage of current events

Page 14: Mitigating Web 2.0 Threats

So what do you focus on?

According to Secure Enterprise 2.0, the dangers come from:

1. Insufficient authentication controls

2. Cross-site scripting

3. Cross-site request forgery

4. Phishing

5. Information leakage

6. Injection flaws

7. Information integrity

8. Insufficient anti-automation

www.secure-enterprise20.org

Page 15: Mitigating Web 2.0 Threats

Recommendations for Web 2.0

Technical:

• Experts recommend a three-tiered, integrated data protection approach:

  • Maintain vigilant anti-virus protection

  • Establish a robust anti-malware protection program

  • Utilize an AJAX-aware analysis platform

• Use real-time content and security scanning

• Make sure browsers and plug-ins are patched

• Don’t just patch “high” rated patches!

• Remember your end points

• Use encryption as a key strategic defense

Page 16: Mitigating Web 2.0 Threats

Recommendations for Web 2.0

Managerial:

• Ensure that your policies are current and address 2.0

  • Subjective policy setting

  • Group level access

  • Productivity based policies

• Use Data Loss Prevention (DLP) as an essential teaching tool

• Education and awareness must go beyond passwords

• Ensure cross-functional response and participation

• Speak with data!

Page 17: Mitigating Web 2.0 Threats

Ensuring a Defensive Web 2.0 Policy

• Revisit your Acceptable Use Policy

  • View the policy from a Web 2.0 lens

  • Be sure to cover new technologies like anonymizing proxies

• Include other groups for strength

  • Human Resources, Risk Management, Privacy, Physical Security, Audit, and Legal

• Step up your training and awareness for Web 2.0 concerns

Page 18: Mitigating Web 2.0 Threats

Support your policy through technology

• IDS / IPS

• Bandwidth shaping and throttling

• Standard images

• Group policy objects

• Firewall rules

• Anti-virus, anti-spyware, and anti-malware

• Monitor for your good name!

Page 19: Mitigating Web 2.0 Threats

Summary

• We are living in a changing world, and Web 2.0 is part of it

• 2.0 brings added challenges and characteristics to security professionals

• There are technical and managerial solutions to reduce Web 2.0 concerns

• Like all emerging technologies and their related threats, a holistic security approach is needed

Page 20: Mitigating Web 2.0 Threats

David Sherry, CISSP CISM

Chief Information Security Officer

Brown University

Campus Box 1885

Providence, RI 02912

401.863-7266

[email protected]

There is never enough time; thank you for some of yours.