FAQ: Corporate Web 2.0 Threats
Date: Nov 12, 2008
In this expert video, you will learn about Web 2.0 software, the threats it poses, and whether the benefits outweigh the risks. Key areas covered include the threats posed by services like Facebook, MySpace, and LinkedIn, as well as wikis and blogs.
Our expert also dives into particular attack vectors and scenarios that are becoming popular, defensive policy, and technology best practices and Web 2.0 trends to monitor going forward.
About the speaker:
David Sherry is chief information security officer at Brown University.
Read the full text transcript from this video below. Please note the full transcript is for reference only and may include limited inaccuracies. To suggest a transcript correction, contact firstname.lastname@example.org.
Eric Parizo: Hi, I'm Eric Parizo. We're here today to talk with
David is an expert in enterprise governance and access control for
compliance in identity management. David, thanks so much for joining us.
David Sherry: Thank you, Eric. Glad to be here.
Eric Parizo: David, let's set a baseline for the conversation. Tell us a little
bit about Web 2.0 software. What is it and what is it not?
David Sherry: Web 2.0, using the nomenclature of all internet technologies or
all software technologies, is just taking the internet to a different
level, a different perspective. It's not a dot release. It's doing
something different with something that was out there already. Web 2.0 is
allowing users to share information, interact with information, to comment
on information, even change information. It's taking different disparate
pieces of information and putting it into one location in a way that the
user wants to use it for their own benefit. Now you mentioned social
networking software and Web 2.0. Although part of the same, they're a little
bit different. Web 2.0 may bring more technologies in where a person can
design the content to get the view they want. Where a social networking
site is really just taking what we would know as human personal social
content and putting it on the internet. With pictures, with comments, with
likes and dislikes and sharing information amongst friends, colleagues,
family, whoever. Anyone can see it.
Eric Parizo: David, Web 2.0 technologies offer a number of benefits, including
enhanced communication for individuals. But what do they really offer the
enterprise in terms of productivity or other benefits?
David Sherry: Some of the Web 2.0 technologies that we are investigating and
trying to use in a corporate environment would be blogs and wikis and
sharing spaces with SharePoint. Particularly, wiki sites, which are based on
Wikipedia that a lot of people are familiar with, where people can comment
on content that's already out there. But finding great value in a global
environment, where we have engineers and colleagues and contractors all
around the globe being able to contribute 24/7 on a workspace to fast track
a project. No longer are we bound by time. No longer are we bound by
physical location or where the engineers are physically located. We can
get them involved in a project. Talk about it. Brainstorm it. Change it.
Add to it. Modify it. And fast track projects. It has been a great tool
for us to get the best resources, no matter where they are, on a certain
project. It excites them. They know they can use it at any time. We're
not time bound by 2:00 in the morning phone calls for certain people at
different time zones. And we've seen great value for it for fast tracking
engineering and technical projects.
Eric Parizo: So, what are the biggest overarching risks that come with using Web
David Sherry: Well, there are some human resources risks and there are some
technical risks. When you bring in Web 2.0 technology, you're allowing the
person to comment or post content that may be detrimental to the
organization. There could be issues that people would have their
access privileges taken away. There could be discipline. It could be up
to and including termination. So you have that aspect of it. From a
technical point of view, there can be bandwidth hogs. We have to be
careful of that. They also have to be careful of software that could be
maliciously downloaded through some of these technologies. The popular
ones, MySpace, Facebook, they're giving engineers or people the opportunity
to create their own little applications that run in the back. And they're
not vetted through a security policy by these corporations. They're
basically just a conduit for one person to get their product out to someone
who wants to use it. Unfortunately, a lot of these are built specifically
to have malicious software in the background. Keystroke loggers, password
sniffers, anything that could happen. So from a security perspective and a
technology perspective, we need to be very, very careful as to what sites
we open up. Which widgets and which applications that we use in the
background or allow to come into our network and be aware of that. Now most
companies would have controls in place for that. IDS, IPS, firewalls,
packet sniffing technologies that know what's going through our
environment. We could probably get that.
Eric Parizo: David, tell me more about these add-on widgets or applications that
are being made available for sites like Facebook. What kind of danger do
they particularly pose?
David Sherry: Well, specifically for an application such as Facebook, last count
about a month ago there were over 320,000 individual applications that you
could download. Approximately 120,000 of those are considered of a
business-like nature. Maybe it's a calendar sync tool. Maybe it's a tool
that shows different time zones when you open up your Facebook account so
you can know where your colleagues are at what time. It could be something
as easy as headlines of the day or stock tickers. Facebook has indicated
that their fastest growing population base of users is over 30 and
professional. People are recognizing that this is a viable alternative to
stay in touch with colleagues. With other professionals. To maybe get
their resume out there. So they're catering to that. More and more being
added every day. It's very easy to do. It takes really no technical
expertise to upload it once you've built it. And, as I stated,
Facebook is not really vetting these to see exactly what is in the
background. And it even says sometimes, when a so-called end user
licensing agreement pops up that you want to install it, it may say that
Facebook doesn't guarantee the security of it. And there may be malicious
software being, it wouldn't say malicious, but some kind of software being
added to your computer that maybe you don't want. Most people just click
right through and keep on going anyway.
Eric Parizo: David, let's talk about Ajax for a moment. I know some Web 2.0
sites are starting to incorporate it. It's perhaps most popular in Google
Maps with the drag and drop functionality there. It's essentially a
David Sherry: Ajax is the gasoline that can fuel those applications. Without
something like Ajax, probably the possibility that we're experiencing right
now of Web 2.0 would not be possible. That you could bring up a map. Not
only moving around but find your local coffee shops that you like. Or how
far it is to the closest Holiday Inn. It's all great technology. On the
other hand, because Ajax is so simple and so vibrant and so viable for an
end-user to use, there's the possibility that that's the easiest way for
malicious software to be downloaded. So it's such a good thing but at the
same time, if used for the wrong intent, very dangerous. With any
technology, you have to constantly be vigilant, be consistently looking at
the new emerging threats. Just because it's Web 2.0 doesn't make any
difference. The security framework from a technology point of view with
all of your defenses should be able to monitor this. Should be able to
defend most of it. But as it continues to emerge you need to keep your
defenses up. On the other side of it, just risk in controls, governance in
framework from your corporate access information policies through your HR
policies, you should be able to control. I would argue that most companies
with a solid framework in governance on their access control policies,
already have the wording in place to defend against the internal use of
this technology. A quick review by the legal team, a quick review by the
risk management team and the corporate risk people is not a bad thing in
emerging markets. The other problem with that is finding a legal counsel
that is up on Web 2.0 technologies and the dangers and the threats, so that
they can utilize that information to add to your corporate risk policies is
not easy in this day.
Eric Parizo: So within an organization, should different business groups get
together to make sure everyone is on the same page when it comes to
defending against Web 2.0 threats?
David Sherry: Well, it's like any access control to any application in your
environment. Adding access to Web 2.0 technologies and anything that has
collaboration techniques in the background, you maybe need to have an
access control form filled out. If we are against something like that
because we want to eliminate paperwork, we want to eliminate signatures,
possibly just a pop-up screen. A review that has to be made and accepted that
the end-user is going to be fulfilling their obligations as a good
corporate citizen on how they use it. What they say, what they don't say.
And maybe periodic reviews of that. There has to be some kind of
responsibility taken by the end-user that they're aware of what technology
they're using and why, and what their responsibilities would be.
Eric Parizo: David, let's talk about blogs for a minute. Maybe shifting gears a bit.
What kind of security best practices are necessary for securing the
information that's posted to blogs, both internal blogs and external ones?
David Sherry: We stress, when someone has access to our blog software, that we
want it to be as widely used as possible. It's a great way to get personal
information out. With it, once again, comes corporate responsibility. We
tell people to maintain professionalism, eliminate flame wars. We moderate
some of the sessions before they're posted. They can be disciplined up to
termination, which we very, very rarely do and hate to do. Because we have
good corporate citizens. But they have to understand that when they're
putting it out there, it's out there for all the world to see. We strongly
urge every employee, when they get hired and with our yearly security
practice, to utilize the knowledge of our corporation wisely, on external
sites. We have software that is continually searching for our name and
certain pieces of information on external blogs and on external social
networking sites. And the colleagues of citizens understand that taking
corporate information and putting it on their public thing does not protect
them from us taking action against that.
Eric Parizo: Wikis are growing as a way of disseminating information within an
organization, but it can be difficult, to say the least, to figure out how
to control what information is being disseminated. What are some best
practices you can recommend for limiting those kinds of risks?
David Sherry: Once again, awareness up front that it shouldn't be done.
Moderated discussions. Administrators of certain wiki sites that have the
ability to erase and scrape data that shouldn't be out there. And
vigilance on the people who are using it. We have found that some of our
wiki sites are very, very heavy on the user side of it. We'll see
continuous posting, continuous changes. It's more or less the project
management people and the technology people to improve their documentation
and to, as I stated earlier, fast track projects. Then there are some wikis
that are out there that have been sitting there for months without ever
being touched. Those are the ones you almost have to be a little bit more
vigilant on. Because someone could post something out there and it could
take a while before someone would spot it. The ones that are in use, the
people who are using them are very passionate. If something's out there
that shouldn't be there or is inappropriate or just flat out wrong, it's
usually scraped pretty quickly.
Eric Parizo: So specific to sites like MySpace and Facebook, how does an
enterprise determine the level of risk that they represent? And then
what's the next step to go about mitigating that risk?
David Sherry: Very good question, once again. The public's perception of those
two websites is dramatically different from a security person's
perspective. If you ask a person on the street what is safer, MySpace or
Facebook, most people would say Facebook. That's where all the good kids
hang out. And on MySpace, we don't really know who hangs out on there, so
that would be considered more dangerous. From a security perspective,
MySpace is actually safer. They have better corporate policies. They have
better access controls. Their web vulnerabilities are very, very low.
They keep up with their scanning. They have a corporate information
security officer. Facebook, that's all emerging for them. It was very
easy to get into different accounts to scan for pictures. They have posted
a CISO job, but they are acting more as a conduit and just a blackboard
for people to use. And security is not really that good. From a corporate
perspective, we have to be careful if we're going to open up those sites,
exactly what could be downloaded. What could be run in the background.
It's really more of a management issue at that point. Are they doing their
job, or are they spending too much time on their social networking site?
Are they putting corporate information out there so they can utilize it
when they get home? Is it causing too much bandwidth? Are they using
inappropriate language? There are so many management and technical issues
it's a lot easier just to not allow it to happen on the corporate network.
Eric Parizo: Now thinking about a site that's more CIO oriented like LinkedIn, do
you use the same policies there that you would for a MySpace or a Facebook?
David Sherry: LinkedIn was grouped with the common social networking sites not
long ago on most Web content filtering filters. And it stopped working one
Monday morning for many of us. And there was a corporate outcry as to
people not being allowed to get to their LinkedIn site. We had to go
through the process through risk management to get an exemption to have
that added back into the whitelist so people could get to it. Now why was
that one okay and not Facebook? It comes down to what the purpose of it
is. Whether malicious software could be utilized in the background.
Whether there are applications, the type of people who utilize it. It was
deemed that it was more business appropriate for colleagues to keep in
touch to get business associated information back. To find a peer at
another corporation to ask them a question. To put a public question out to
get professionals and experts to come back. A lot cheaper than buying one
of the consulting hours from the big four. So it was deemed as being more
of a business application than a social networking site.
Eric Parizo: So from a policy and technology standpoint, what are your
David Sherry: First of all is just awareness on the security officer's part that
this technology is out there. It can be dangerous. It's going to be in
demand. It's going to be built into new technologies that are coming out
and probably entering your enterprise. So just an awareness from that
point of view to understand how it works, what the dangers are and what the
benefits are is the first step. Second of all is to get the corporate risk
people involved, the information risk people involved. To look through all
policies to make sure that the wording that is in there would cover this
new technology, this Web 2.0. And lastly, to ensure that any internal
technology governance framework that you have, from IDS, IPS, firewall, is
also monitoring, built and capable enough to handle this. There is a host
of management issues, from morale, from collaboration, from flame wars to
bad information, to good information, to public information, that comes into
play. It's actually an exciting time to be in the security field but at
the same time, a little bit cautious. And that is a good thing as well.
Eric Parizo: Finally, as we wrap things up, we like to put numbers on everything.
So thinking about Web 2.5 or Web 3.0, what kinds of technology risks or
even policy risks do you see in the near future?
David Sherry: That's an excellent question. One of the things that has been on
the back of my mind, as we look at open-source solutions out there is open-
source Web 2.0 technologies that technology people like to dabble in. Like
to download. Like to start utilizing. Put a server under their desk and
start utilizing it to speak with friends or colleagues or peers inside the
company and outside the company. So I'm not so much concerned about
mainstream technology coming in with Web 2.0 and Ajax built in the
background. It's the open-source that I would be more concerned about.
Yes, it's a lot cheaper. It's fabulous for saving money and for getting
things fast tracked. And I'd have to go through so much corporate
rigmarole and paperwork to get things done. At the same time, let the
buyer beware on a lot of it. And the people that I hire are very smart,
very passionate. They want to get their jobs done as quickly as possible.
But they also like the cool new and emerging things. And if they see
something that's out there on Slashdot or any of the other public sites,
SearchSecurity.com, and start latching onto it and decide to
download it onto their laptop, those are the pieces of Web 2.0 that I'd be
more concerned about.
Eric Parizo: David Sherry, thanks so much for joining us today.
David Sherry: Thank you for having me, Eric.
Eric Parizo: And thank you for watching. For more great information on Web 2.0
threats and other information security issues, visit our website
SearchSecurity.com. Have a great day.