Home  |  Newsletter | Feedback | Advertise - Online  | Help
Google
Web dqindia.com
Search by issue  | Sitemap

• Visit pcquest.com to know all about the business benefits of IT infrastructure outsourcing • Ad : Play and Plug ERP by IBM

 
 RSS |  Follow Us on twitter
Home > Security

Web 2.0 : Criminals 2.0
Todays Web 2.0 world is faced with increasing threatswith ever changing web content and constantly evolving applications
Thursday, May 21, 2009
Print Comment Email DiggDigg DeliciousDel.icio.us RedittReddit TwitterTwitter

It is fair to say that the use of Web 2.0 is exploding. However, its full impact is still not well understood, and perhaps even the term itself is not clear. So, before we go any further lets define what it means. When I refer to Web 2.0, I am primarily speaking about websites that allow user-generated content.

User-generated content changes everything on the web. Virtually, anyonefriend or foecan create content, edit HTML directly, upload files, and distribute content which could equally be of value or deliberately malicious in nature. Blogging, commenting, social networking and similar methods of information exchange collectively form a significant and widely used segment of the Web 2.0 space and has many uses both socially and from a business point of view.

In the case of the Obama campaign site, the site was designed specifically for voters and community organizers to spread the word and interact with more potential voters and influencers. To do this, they allowed users to create blogs that could have any content on them. There was nothing that could stop someone from posting a comment in a blog that looked like it should be there (related somehow to the blog post), yet linked to a site hosting malware. Websense found that hackers did just this by creating blogs on this site specifically designed to spread information stealing malware.

In the past, we have also found malicious code on sites such as Myspace, Facebook, and Google. We have even seen sites that use Googles Doubleclick ad network hosting advertisements linking to malicious code. The key point I am trying to make here is called web reputation. You would think that Facebook, Google, and MyBarackObama.com all have good web reputationscores that security companies gives to sites for being trustedand you are right. The problem is that good reputation can go out of the window with just one piece of malicious user-generated content or hidden code.

To look at an example closer to home, the official website of the Rajshri Productions, India, was recently compromised and began infecting the machines of site visitors with malicious code. The malicious code was hidden on the main page of the site and led to an Adobe Reader PDF exploit. The organization has been an integral part of the Indian film industry, enjoying a unique and respected position in the market, and yet their site was unwittingly used by cyber criminals. Since many security solutions use web reputation as a basis for either allowing or not allowing a user to get to the site, this is a serious problem.

One can therefore, say that user-generated content takes the web security fight to a whole new level.

Seventy of the top hundred most popular websites either hosted malicious content or contained a masked redirect to lure unsuspecting victims from legitimate sites to malicious sites. This represents a 16% increase over the last six month period, according to a new research released earlier this year from Websense Security Labs. The top 100 most popular websites, many of which are social networking, Web 2.0 and search sites, represent the majority of all web page views and are the most popular target for attackers. People (and security software) cannot rely on web reputation alone and web reputation is outdated. In the second half of 2008, more than 77% of the websites classified as malicious by Websense were actually sites with seemingly good reputations that had been compromised by attackers. This percentage is up from 75% in the first half of 2008.

The web is the number one attack vector for online criminals. The web continues to be the most popular vector for data stealing attacks. In the second half of 2008, the Websense Security Labs found that 57% of data stealing attacks are conducted over the web, representing a 24% increase over the six month period.

Challenging Times
All these points raise issues which evidently need addressing. The business concerns around Web 2.0 directly mirror issues from the past, when Internet access became widespread in the corporate world. However, in todays Web 2.0 world, these threats are accelerated and multiplied because web content is constantly changing and new applications are evolving daily. The use of these dynamically changing websites presents a challenge to defined web usage policy as well as offering new ways for data to leave the organization. IT professionals are left with the tremendous predicament of taking into account several different business concerns at once.

The most obvious concern is that of security. Web-based threats and blended threats with email are evolving rapidly and leveraging Web 2.0 technology such as active scripting to bypass legacy AV and IPS systems. However, there is also a privacy aspect to Web 2.0. Casual and rapid communication with wider groups of people can easily expose, accidentally, personal or confidential business information online. This in turn reminds us of the need for suitable Data Loss Prevention techniques. Dozens of new communication methods such as blogs, social networking sites and instant messenger, multiply the chances for accidental and irreversible online data leaks that can spread to enormous proportions.

We also have the question of liability to take into consideration. Organizations can no longer effectively enforce acceptable use of policies based on static lists of known bad URLs. Dynamic Web 2.0 content exposes organizations to unprecedented exposure to inappropriate or legally dangerous content.

All this is before we have even touched on bandwidth. While bandwidth has become less expensive in most parts of the world, new rich content, video, streaming media, and large downloads can quickly bog down even the most robust networks. And the question of productivity remains a concern for many managers. Social networking and Web 2.0 applications such as Facebook or MySpace can be incredibly enticing and black holes for productivity, if left unmanaged.

With IT professionals struggling to understand its impact and adopt reasonable policy controls, usage of dynamic Web 2.0 websites and applications, whether sanctioned by IT or not, is more than likely happening within any organization. What can be done?

Protection
It is apparent that the sophistication of Internet security threats and malicious attacks has only increased as technology advances. With the adoption of dynamic capabilities within the most popular websites on the Internet, hackers have seized the opportunity presented by these high traffic websites to try and infect victims. Compromising these trusted websites increases the chance of a successful infection, and therefore the potential loss of data.

The ability to detect and prevent these dynamic, embedded threats requires two things-knowledge, and the ability to act on this knowledge in realtime.

The ability to implant this knowledge, and analysis within the product, and inspecting the content, is then of key importance.

Despite the exposure to security risks, businesses understand that shutting off Internet access is no longer a viable solution, as organizations need to harness the benefits of the Web 2.0 world. In order to allow the safe and productive use of new Web 2.0 technologies, while protecting essential information, businesses need to deploy technologies that provide real-time analysis and reputation management of the web.

For the most comprehensive protection, organizations should look for a solution that integrates web security, email security, and data security to protect essential information and enable productive, safe use of the Internet platform. Technology that sets and enforces policy settings for web and data use, combined with contextual understanding of data, is also a must. Knowing who is sending information, what it is, where it is going and how it is getting there is essential to defining if data is being used correctly or not.

By bringing together process and technology, organizations can be more secure as well as harness the benefits of the Web 2.0 world. Websense combines web and email intelligence with real-time analysis and data security, giving customers the necessary context to implement informed, defined data protection strategies. By pulling these elements together with training, processes and a data-centric security strategy will protect an organizations essential information.

When your essential information is protected, you get to say Yes to a whole new business environment.

Surendra Singh
The author is regional director, Saarc, Websense

Page(s)   1  

Print Comment Email DiggDigg DeliciousDel.icio.us RedittReddit TwitterTwitter



ZTE:Leading CDMA Technology

Extraordinary Networks:Freedom of Choice





Collective Intelligence @ Work

Analysts: Guiding Stars or Shepherds?

How's the 'pitch' looking?

What's your Everest?

 

 

 

 

 

 

Magazine Subscription | Sitemap | Contact Us | About Us | Advertising Print | Mediakit Print | jobs@cybermedia
Other CyberMedia web sites
  [Voice&Data]  [CIOL]  [PCQuest]  [Living Digital]  [IDC India]
  [CIOL Shop]  [DQ Channels]  [DQweek]  [CyberMedia Events]
  [Cybermedia Digital]  [CyberMedia India]   [Cyber Astro
  [Global Services Media ]  [BioSpectrum]  [BioSpectrum Asia]

Copyright © CyberMedia. All rights reserved.
Reproduction in whole or in part in any form or medium without express written permission is prohibited.
Usage of this web site is subject to terms and conditions.