The real question is how can we, as security professionals, protect our networks from these types of attacks? Many organizations like to have a policy for Web surfing that allows users to go to any site they want, provided that it is not on the blacklist of their outbound Internet-filtering device. Attacks like the Facebook and MySpace incidents will start pushing the bounds of these policies. There are two main reasons for this. First, the number of malicious sites is growing so quickly that Internet-filtering lists can't keep up. Second, visitors to a website don't just download content from that specific site; they pull content from a variety of different sites or locations. For example, at Facebook.com, it's possible to pull content from Forbes, Veoh (a video player), and even a voice over IP application, not to mention custom applications that users build themselves. You can be sure that security was not a priority in the development process of any of these content sources or applications.
These issues highlight not only security concerns of Facebook or MySpace, but also the security of all of the additional widgets that users have added. Also, keep in mind that these attack vectors are not limited to sites like Facebook or MySpace; they can occur on any site that allows users to upload dynamic content. Blogs, for example, have been heavily attacked via cross-site request forgery (XSRF).
Because of these concerns, enterprises should revisit their policies to address whether sites like these should be accessible from work. Many companies try to strike a balance and make their environments fun places to work, but there may be risks involved that are greater than your organization is willing to accept.
Let's also address the user education aspect of these types of attacks. Many security professionals shudder when they think about trying to educate users. However, if you choose to allow employees to visit these types of sites, user education is your first and last line of defense. So ensure the organization has a clear policy for users and that they are trained to abide by that policy. It will save the company a lot of time and trouble if they know that personal endeavors like finding new friends online or pursuing the promise of love should be explored from the privacy of their own homes, not from a work computer.
This was first published in July 2008