In this tip, we'll explain how assessing the security of Web 2.0 widgets before incorporating them into a Web 2.0 environment can protect a business's Web visitors, internal users and, ultimately, its corporate reputation. Though there are legitimate business uses of Web 2.0 widgets, particularly for incorporating content from third-party sites like Facebook, Twitter, Google and others, these widgets can all too easily distribute malware and malicious code, or potentially advance other attacks.
Web 2.0 widgets explained
Widgets are independent applications or snippets of code from third-party sites that can be used independently or included in other websites and Web applications. They often display content, like news items or press releases, for example, but they can perform other actions too, like display a Twitter feed or include a recent blog post from another page or site. Twitter widgets let users display individual tweets on websites that can serve as real-time updates for site visitors. Similarly, Facebook widgets allow content from Facebook to be served when visiting a third-party website.
Widgets can be written in a variety of languages. Ajax-based widgets use the Google Ajax APIs to display Google Maps or other Google content. Many widgets use embedded snippets of JavaScript to let organizations display new products or news on the Web. A Twitter profile widget, for example, displays recent tweets on a website: the JavaScript snippet is simply embedded in the place where the site owner wants the tweets displayed, the JavaScript executes in a visitor's browser and the tweets appear on the webpage. In effect, the website instructs the visitor's browser to fetch and execute code from several different Web servers at once in order to render the page.
Security threats from Web 2.0 widgets
Malware authors started taking advantage of widgets as an attack vector several years ago, as noted in a 2008 advisory from Fortinet Inc.'s FortiGuard Center, which highlighted the Zango malware that was distributed by a malicious Facebook widget. Such threats aren't exactly new, but similar ones are plentiful in the wild today, and like Web 2.0 applications themselves, they are constantly evolving.
Web 2.0 widgets not only pose a security risk to enterprises, but also to individual website visitors. Risk scenarios to the enterprise vary depending on specific widgets used, but typically an individual employee would fall prey by accessing malicious widget content on the Web that affects his or her computer by planting malware that seeks to infect the network or steal sensitive data stored on the user's computer.
Similarly, an enterprise faces risk with the Web 2.0 widgets it may incorporate into its own Web 2.0 applications for customer or public use. This is becoming an increasing concern as more companies seek to appear trendy by integrating Web 2.0 widgets from social networking platforms into their own websites and mobile applications. If those third-party Web 2.0 widgets are malicious or compromised, a company's Web visitors may execute malicious JavaScript or mobile code from multiple different websites, even though it looks like it is coming from a legitimate source (your organization's website). Suddenly a company can find itself in a liability scenario, unknowingly spreading attackers' malware to its Web visitors and customers.
Web 2.0 widgets: Enterprise defense strategy
Despite these threats, there are ways to securely allow widgets to be used in the enterprise, both by users for their own consumption and when building mashups for external use. To protect an organization's Web visitors from malicious Web 2.0 widgets, there should first be a security awareness program in place for enterprise Web developers who include third-party widgets in the websites they develop. Developers should be made aware of the potential risks from such widgets and taught to evaluate the security of a widget before publishing it, a step easily forgotten given how simple it is to publish a new widget to a site.
To protect internal users from putting company networks and data at risk, use the standard antimalware protections. A combination of network and endpoint defenses will protect users from most malicious content encountered via a widget. Various network appliances -- often the same devices your organization may use to block basic malware, Web proxies, etc. -- include protections for social networking. Some devices offer this in the base functionality, but others require additional licenses or modules to monitor for these types of threats.
Awareness of the potential threats and ensuring that adequate antimalware protections are in place are critical to protect against Web 2.0 widget threats. Malicious or hacked Web 2.0 widgets can easily distribute code from third parties that can harm your infrastructure, steal your sensitive data or abuse the trust that consumers and Web visitors place in your organization. Going forward, it's critical that your enterprise not only realize that these mashups can be dangerous, but also implement the proper protections and practices to prevent them from causing harm.
About the author:
Nick Lewis (CISSP, GCWN) is an information security analyst for a large public Midwestern university, where he is responsible for the risk management program and also supports its technical PCI compliance program. Nick received his Master of Science in Information Assurance from Norwich University in 2005 and studied Telecommunications at Michigan State University, graduating in 2002. Prior to joining his current organization in 2009, Nick worked at Children's Hospital Boston, the primary pediatric teaching hospital of Harvard Medical School, as well as for Internet2 and Michigan State University. He also answers your information security threat questions.
This was first published in June 2010