Mitigating Web 2.0 Threats
Date posted: 19-Oct-2014
Category: Technology
Transcript of Mitigating Web 2.0 Threats
Mitigating Web 2.0 Threats
Or, “This isn’t your mother’s internet!”
David Sherry CISSP CISM
Chief Information Security Officer
Brown University
Sponsored By:
Security @ Brown
• Security evangelism
• Incident Response Team
• Audit support
• Compliance and legal standards
• Firewalls, IDS, IPS, VPN, sniffers, A/V, DNS, etc.
• Security audits and certifications
• Public Safety support
• Human Resources support
• Records Management
• Business Continuity
• Disaster Recovery
• Copyright / DMCA agent
• Discipline Committee
• Mandatory / elective training
• Awareness
Today’s Agenda (or is it a mashup?)
• Our changing world of security
• What is web 2.0?
• Attack vectors and areas of concern
• The evolution of the threats… they’re nothing new!
• What should be focused on
• Recommendations to reduce the threat
Our World is Changing
• Compliance is a key competency of security pros
• Identity theft is the fastest-growing crime
• President’s Cyber Security Initiative provides spotlight
• Online underground economy has matured
• National and global economy means “do more with less”
• Threat evolution:
• Infrastructure > web/messaging > DLP > Web 2.0
“May you live in interesting times…” (Chinese proverb)
What is Web 2.0?
Used with permission via Creative Commons: http://kosmar.de/archives/2005/11/11/the-huge-cloud-lens-bubble-map-web20/
What is Web 2.0?
"Web 2.0" refers to web development and web design that facilitates interactive information sharing, interoperability, user-centered design and collaboration on the World Wide Web. Examples of Web 2.0 include web-based communities, hosted services, web applications, social-networking sites, video-sharing sites, wikis, blogs, mashups and folksonomies. A Web 2.0 site allows its users to interact with other users or to change website content, in contrast to non-interactive websites where users are limited to the passive viewing of information that is provided to them.
From Wikipedia (which is, itself, a 2.0 phenomenon)
Common Web 2.0 Descriptors
• “User generated content”
• “Mashups and web services”
• “Consumer and enterprise convergence”
• “Diversity of client software”
• “Complexity and asynchronous operations”
The Enterprise Triple-Threat of 2.0
1. Loss of productivity
2. Vulnerable to data leaks
3. Increased security risks
Characteristics of Web 2.0 Security
• Web filtering is no longer adequate
• AJAX, SAML, XML create problems for detection
• RSS and RIA can enter directly into networks
• Non-static content makes identification difficult
• High bandwidth use can hinder availability
• User generated content hard to contain
Web 2.0 Attack Vectors
• Blogs
• Social networks
• Web portals
• Mashups
• Pop-ups
• Anonymizing proxies
• Spamdexing
• Widgets
Web 2.0 Areas of Concern
• Client side issues
  • Transparency and cross-domain communications; AJAX and JavaScript attacks on the rise
• Protocols
  • New protocols on top of HTTP/S (SOAP, XML, etc.)
• Information sources
  • Concerns over integrity, transiency, and diversity
• Information structures
  • Variations of data structures, injection attacks
• Server side
  • Architecture, authorization, and authentication weaknesses
Evolution of the Threats in 2.0
• USB and auto-run malicious code
• Insiders are a threat, but they don’t know it
• Adobe PDFs and Flash replace Word and Excel
• Worms travel through social spaces into offices
• DoS attacks against social networks
• Malware travels via all conduits
• Pop-ups advertise seemingly legitimate services and take advantage of current events
So what do you focus on?
From Secure Enterprise 2.0, the dangers come from:
1. Insufficient authentication controls
2. Cross-site scripting
3. Cross-site request forgery
4. Phishing
5. Information leakage
6. Injection flaws
7. Information integrity
8. Insufficient anti-automation
www.secure-enterprise20.org
Recommendations for Web 2.0
Technical:
• Experts recommend a three-tiered, integrated data protection approach:
  • Maintain vigilant anti-virus protection
  • Establish a robust anti-malware protection program
  • Utilize an AJAX-aware analysis platform
• Use real-time content and security scanning
• Make sure browsers and plug-ins are patched
  • Don’t just patch “high” rated patches!
• Remember your end points
• Use encryption as a key strategic defense
Recommendations for Web 2.0
Managerial:
• Ensure that your policies are current and address 2.0
  • Subjective policy setting
  • Group level access
  • Productivity based policies
• Use Data Loss Prevention as an essential teaching tool
• Education and awareness must go beyond passwords
• Ensure cross-functional response and participation
• Speak with data!
Ensuring a Defensive Web 2.0 Policy
• Revisit your Acceptable Use Policy
  • View the policy from a Web 2.0 lens
  • Be sure to cover new technologies like anonymizing proxies
• Include other groups for strength
  • Human Resources, Risk Management, Privacy, Physical Security, Audit, and Legal
• Step up your training and awareness for Web 2.0 concerns
Support your policy through technology
• IDS / IPS
• Bandwidth shaping and throttling
• Standard images
• Group policy objects
• Firewall rules
• Anti-virus, spyware, and malware
• Monitor for your good name!
Summary
• We are living in a changing world, and Web 2.0 is part of it
• 2.0 brings added challenges and characteristics to security professionals
• There are technical and managerial solutions to reduce Web 2.0 concerns
• Like all emerging technologies and their related threats, a holistic security approach is needed
David Sherry, CISSP CISM
Chief Information Security Officer
Brown University
Campus Box 1885
Providence, RI 02912
401.863-7266
There is never enough time; thank you for some of yours.
Thanks to our Sponsors