1. Mitigating Web 2.0 Threats
Or, “This isn’t your mother’s internet!”
David Sherry CISSP CISM
Chief Information Security Officer
Sponsored By: Brown University
2. Security @ Brown
• Security evangelism
• Incident Response Team
• Audit support
• Compliance and legal standards
• Firewalls, IDS, IPS, VPN, sniffers, A/V, DNS, etc.
• Security audits and certifications
• Public Safety support
• Human Resources support
• Records Management
• Business Continuity
• Disaster Recovery
• Copyright / DMCA agent
• Discipline Committee
• Mandatory / elective training
• Awareness
3. Today’s Agenda (or is it a mashup?)
• Our changing world of security
• What is web 2.0?
• Attack vectors and areas of concern
• The evolution of the threats… they’re nothing new!
• What to focus on
• Recommendations to reduce the threat
4. Our World is Changing
“May you live in interesting times…” (Chinese proverb)
• Compliance is a key competency of security pros
• Identity theft is the fastest-growing crime
• The President’s Cyber Security Initiative provides a spotlight
• The online underground economy has matured
• The national and global economy means “do more with less”
• Threat evolution:
  • Infrastructure > web/messaging > data loss prevention (DLP) > Web 2.0
5. What is Web 2.0?
Used with permission via Creative Commons: http://kosmar.de/archives/2005/11/11/the-huge-cloud-lens-bubble-map-web20/
6.
7. What is Web 2.0?
From Wikipedia: (which is, itself, a 2.0 phenomenon)
"Web 2.0" refers to web development and web design that
facilitates interactive information sharing, interoperability,
user-centered design and collaboration on the World Wide
Web. Examples of Web 2.0 include web-based communities,
hosted services, web applications, social-networking sites,
video-sharing sites, wikis, blogs, mashups and
folksonomies. A Web 2.0 site allows its users to interact
with other users or to change website content, in contrast
to non-interactive websites where users are limited to the
passive viewing of information that is provided to them.
8. Common Web 2.0 Descriptors
• “User generated content”
• “Mashups and web services”
• “Consumer and enterprise convergence”
• “Diversity of client software”
• “Complexity and asynchronous operations”
9. The Enterprise Triple-Threat of 2.0
1. Loss of productivity
2. Exposure to data leaks
3. Increased security risks
10. Characteristics of Web 2.0 Security
• Web filtering alone is no longer adequate
• AJAX, SAML, and XML traffic create problems for detection
• RSS feeds and rich Internet applications (RIA) can bring content directly into networks
• Non-static, dynamically generated content makes identification difficult
• High bandwidth use can hinder availability
• User-generated content is hard to contain
11. Web 2.0 Attack Vectors
• Blogs
• Social networks
• Web portals
• Mashups
• Pop-ups
• Anonymizing proxies
• Spamdexing
• Widgets
12. Web 2.0 Areas of Concern
• Client side issues
  • Transparency and cross-domain communications; AJAX and JavaScript attacks on the rise
• Protocols
  • New protocols and formats layered on top of HTTP/S (SOAP, XML, etc.)
• Information sources
  • Concerns over integrity, transiency, and diversity
• Information structures
  • Variations in data structures; injection attacks
• Server side
  • Architecture, authorization, and authentication weaknesses
13. Evolution of the Threats in 2.0
• USB devices and auto-run malicious code
• Insiders are a threat, but they don’t know it
• Adobe PDF and Flash files replace Word and Excel documents as malware carriers
• Worms travel through social spaces into offices
• DoS attacks against social networks
• Malware travels via all conduits
• Pop-ups advertise seemingly legitimate services and take advantage of current events
14. So what do you focus on?
From Secure Enterprise 2.0, the dangers come from:
1. Insufficient authentication controls
2. Cross-site scripting
3. Cross-site request forgery
4. Phishing
5. Information leakage
6. Injection flaws
7. Information integrity
8. Insufficient anti-automation
www.secure-enterprise20.org
15. Recommendations for Web 2.0
Technical:
• Experts recommend a three-tiered, integrated data protection approach:
  • Maintain vigilant anti-virus protection
  • Establish a robust anti-malware protection program
  • Utilize an AJAX-aware analysis platform
• Use real-time content and security scanning
• Make sure browsers and plug-ins are patched
  • Don’t just apply the “high” rated patches!
• Remember your endpoints
• Use encryption as a key strategic defense
16. Recommendations for Web 2.0
Managerial:
• Ensure that your policies are current and address 2.0
  • Subjective policy setting
  • Group-level access
  • Productivity-based policies
• Use Data Loss Prevention (DLP) as an essential teaching tool
• Education and awareness must go beyond passwords
• Ensure cross-functional response and participation
• Speak with data!
17. Ensuring a Defensive Web 2.0 Policy
• Revisit your Acceptable Use Policy
  • View the policy through a Web 2.0 lens
  • Be sure to cover new technologies like anonymizing proxies
• Include other groups for strength
  • Human Resources, Risk Management, Privacy, Physical Security, Audit, and Legal
• Step up your training and awareness for Web 2.0 concerns
18. Support your policy through technology
• IDS / IPS
• Bandwidth shaping and throttling
• Standard images
• Group policy objects
• Firewall rules
• Anti-virus, anti-spyware, and anti-malware
• Monitor for your good name!
19. Summary
• We are living in a changing world, and Web 2.0 is part of it
• 2.0 brings added challenges and characteristics to security professionals
• There are technical and managerial solutions to reduce Web 2.0 concerns
• Like all emerging technologies and their related threats, a holistic security approach is needed
20. There is never enough time;
thank you for some of yours.
David Sherry, CISSP CISM
Chief Information Security Officer
Brown University
Campus Box 1885
Providence, RI 02912
401.863-7266
david_sherry@brown.edu