View
1.786
Download
0
Embed Size (px)
DESCRIPTION
Mitigating Web 2.0 Threats - Good report on threats from Web 2.0 websites like Facebook, LinkedIn, MySpace, YouTube, Live.com and others
Citation preview
Mitigating Web 2.0 ThreatsOr, “This isn’t your mother’s internet!”
David Sherry CISSP CISM
Chief Information Security OfficerBrown UniversitySponsored By:
2
•Security evangelism•Incident Response Team•Audit support•Compliance and legal standards•Firewalls, IDS, IPS, VPN, sniffers, A/V, DNS, etc….•Security audits and certifications
•Public Safety support•Human Resources support•Records Management•Business Continuity•Disaster Recovery•Copyright / DMCA agent•Discipline Committee•Mandatory / elective training•Awareness
Security @ Brown
Today’s Agenda (or is it a mashup?)
• Our changing world of security
• What is web 2.0?
• Attack vectors and areas of concern
• The evolution of the threats….they’re nothing new!
• What should be focused on
• Recommendations to reduce the threat
Our World is Changing
• Compliance is a key competency of security pros
• Identity Theft is fastest growing crime
• President’s Cyber Security Initiative provides spotlight
• Online underground economy has matured
• National and global economy means “do more with less”
• Threat evolution:
• Infrastructure > web/messaging > DLP > Web 2.0
May you live in interesting times…..Chinese Proverb
What is Web 2.0?
Used with permission via Creative Commons: http://kosmar.de/archives/2005/11/11/the-huge-cloud-lens-bubble-map-web20/
What is Web 2.0?
"Web 2.0" refers to web development and web design that facilitates interactive information sharing, interoperability, user-centered design and collaboration on the World Wide Web. Examples of Web 2.0 include web-based communities, hosted services, web applications, social-networking sites, video-sharing sites, wikis, blogs, mashups and folksonomies. A Web 2.0 site allows its users to interact with other users or to change website content, in contrast to non-interactive websites where users are limited to the passive viewing of information that is provided to them.
From Wikipedia: (which is, itself, a 2.0 phenomenon)
Common Web 2.0 Descriptors
• “User generated content”
• “Mashups and web services”
• “Consumer and enterprise convergence”
• “Diversity of client software”
• “Complexity and asynchronous operations”
The Enterprise Triple-Threat of 2.0
1. Loss of productivity
2. Vulnerable to data leaks
3. Increased security risks
Characteristics of Web 2.0 Security
• Web filtering is no longer adequate
• AJAX, SAML, XML create problems for detection
• RSS and RIA can enter directly into networks
• Non-static makes identification difficult
• High bandwidth use can hinder availability
• User generated content hard to contain
Web 2.0 Attack Vectors
• Blogs
• Social networks
• Web portals
• Mashups
• Pop-ups
• Anonymizing proxies
• Spamdexing
• Widgets
Web 2.0 Areas of Concern • Client side issues
• Transparency and cross-domain communications; AJAX and JavaScript attacks on the rise
• Protocols• New protocols on top of HTTP/S (SOAP, XML, etc)
• Information sources• Concerns over integrity, transiency, and diversity
• Information structures• Variations of data structures, injection attacks
• Server side• Architecture, authorization, and authentication weaknesses
Evolution of the Threats in 2.0• USB and auto-run malicious code
• Insiders are a threat, but they don’t know it
• Adobe PDFs and Flash replace Word and Excel
• Worms travel through social spaces into offices
• DOS attacks against social networks
• Malware travels via all conduits
• Pop-ups advertise seemingly legitimate services and take advantage of current events
So what do you focus on?
From Secure Enterprise 2.0, the dangers come from:
1. Insufficient authentication controls
2. Cross-site scripting
3. Cross-site request forgery
4. Phishing
5. Information leakage
6. Injection flaws
7. Information integrity
8. Insufficient anti-automation
www.secure-enterprise20.org
Recommendations for Web 2.0
• Experts recommend a three-tiered, integrated data protection approach:
• Maintain vigilant anti-virus protection
• Establish a robust anti-malware protection program
• Utilize an AJAX-aware analysis platform
• Use real-time content and security scanning
• Make sure browsers and plug-ins are patched
• Don’t just patch “high” rated patches!
• Remember your end points
• Use encryption as a key strategic defense
Technical:
• Ensure that your policies are current and address 2.0
• Subjective policy setting
• Group level access
• Productivity based policies
• Use a Data Loss Prevention as an essential teaching tool
• Education and awareness must go beyond passwords
• Ensure cross-functional response and participation
• Speak with data!
Managerial:
Recommendations for Web 2.0
Ensuring a Defensive Web 2.0 Policy
• Revisit your Acceptable Use Policy• View the policy from a web 2.0 lens
• Be sure to cover new technologies like anonymizing proxies
• Include other groups for strength• Human Resources, Risk Management, Privacy, Physical
Security, Audit, and Legal
• Step up your training and awareness for Web 2.0 concerns
Support your policy through technology
• IDS / IPS
• Bandwidth shaping and throttling
• Standard images
• Group policy objects
• Firewall rules
• Anti-virus, spyware, and malware
• Monitor for your good name!
Summary• We are living in a changing world, and Web
2.0 is part of it
• 2.0 brings added challenges and characteristics to security professionals
• There are technical and managerial solutions to reduce Web 2.0 concerns
• Like all emerging technologies and their related threats, a holistic security approach is needed
David Sherry, CISSP CISM
Chief Information Security Officer
Brown University
Campus Box 1885
Providence, RI 02912
401.863-7266
There is never enough time;thank you for some of yours.
Thanks to our Sponsors
Product trial download page
Free Whitepaper: Reduce shopping cart abandonment. Increase revenue.