

My ISSA Publication selected as one of the best of 2009.


Risk management in the Web 2.0 environment

A recent study reports a significant percentage of organizations are not confident in the security measures that are in place for Web 2.0. This article looks to an integrated approach of people, processes, and technological controls to mitigate Web 2.0 security risks.

By Vinoth Sivasubramanian – ISSA member, UK Chapter, and in the process of founding/establishing a chapter in the United Arab Emirates (UAE)

Web 2.0 refers to the second generation of Web development and design and has brought about significant change in the Internet such as web-based communities, hosted services, and applications such as social networking sites, wikis, blogs, video sharing sites, RSS feeds, and much more. Web 2.0 delivers a new kind of Web experience that is interactive, real-time, and collaborative. Although many of the underlying technical components of the Web have remained the same, the use of the Web as a platform on which to build rich applications is transforming our online experience. Organizations are also investing in Web 2.0 technologies to harness its power to draw in more customers. The participatory approach of Web 2.0 is taking governments by storm as well, leading to the next generation of governance: eGovernance 2.0.

As with any paradigm shift, technologies and processes can take us to new levels of user experience and productivity, but those same technologies also present us with new levels of threats and risks. Whether inadvertent or intentional, the threats are equally dangerous to people, customers, business, and countries. These risks, if identified and controlled in the proper way, can bring a lot of benefits to the organization and society as a whole.

Managing and mitigating risks in Web 2.0 requires a diversified approach rather than a single straight approach. A recent study by KPMG Insider reports a significant percentage of organizations are not confident in the security measures that are in place for Web 2.0.[1] Mitigation must be accomplished through an integrated approach of people, processes, and technological controls. Before we delve into the mitigation strategies, we will analyze the threats that are evident through Web 2.0 technologies.

Threat sources for Web 2.0

The threat table given in Figure 1 is intended to organize the rest of the article. It is not intended to be complete, but can be used as a sample to map out threats and their implications.

Figure 1 – Web 2.0 threat sources

Threat Source | Vulnerable Areas | Threat Impacts | Implications
Humans | Social networks, blogs, instant messenger, private email, etc. | Loss of sensitive data, knowingly or unknowingly | Loss of reputation in the eyes of the public
Systems/Networks | Browsers, unpatched systems, and servers | Malware, viruses, spyware, logic bombs, and a host of other threats | Loss of CIA (confidentiality, integrity, availability), legal implications, and financial losses
Application related | Applications | Malware, logic bombs | Loss of CIA, legal, and financial implications
Improper controls | Entire organization is exposed | Loss of data, viruses, logic bombs, etc. | Loss of CIA, legal implications, reputational damage, and business losses

[1] Claire Le Masurier, “Risk Concerns Stall Uptake of Web 2.0 Technology in the Workplace,” A KPMG Insider Report 2008 – http://www.kpmg.co.uk/news/detail.cfm?pr=3012.

ISSA Journal | February 2010


Now with some familiarity of the threat sources, let us analyze some of the strategies that could be implemented for mitigating and controlling the threats caused by the noted sources. These threats can be mitigated through a multi-layered defense process of internal controls, technological controls, and processes.

Human threats

People are the weakest as well as the strongest link in an organization. LinkedIn and MySpace are two of the major social networking sites where people working within the organization can leak sensitive data deliberately or inadvertently. Organizations cannot block social networks because they are becoming the base infrastructure for business and personal interaction of the future. For effective social network use in the workplace and to ensure that valuable data is not leaked, organizations must ensure the following minimal steps.

Define a policy for virtual environments

Clearly document the websites/activities that are permitted within the corporate environment. Also document the activities that are allowed in virtual environments. With the help of legal counsel, document the actions that would be initiated in the event of non-compliance with these policies.

Monitor virtual environments

The workplace is not the only place vital data can be leaked; therefore, monitor virtual environments regularly. IT managers must ensure that they organize an internal team to monitor virtual environments for slanderous comments, sensitive data, and other objectionable content. This must be done periodically, at least once a month, and reports stored. Deviations, if any, must be reported to management and actions must be taken in accordance with local laws and organizational policies.

Educate end users

Security is everyone’s responsibility. Educating end users on security awareness in the Web 2.0 environment is more critical than ever. It is essential that they be taught not only the traditional email, system, and web security jargon but also what can be discussed/posted in virtual environments. Also make clear the repercussions that would follow if inappropriate behavior is discovered. Educate them on the potential risks that the organization is exposed to if they browse from an airport coffee shop or WiFi hotspot. Have a training manual, distribute it to everyone, and keep it updated. Conduct regular security awareness training programs.

Invest in training and development

Keep the security people busy: invest in training security personnel on the latest threats and protections through internal resources or external training, and make sure that they stay updated on the latest trends and technologies. Security personnel who do not keep themselves updated on the latest technologies and trends pose a threat in and of themselves. The IT/security department should subscribe to good security journals and sponsor memberships in professional organizations such as ISSA, ISACA, IEEE, etc., which provide a wealth of information on security and related research.

Instill ethics and integrity into the culture of the organization

This is by far the most potent weapon for creating an almost infallible security culture and program within the organization, but also the most difficult. Outlined are some simple points to help create and foster a culture of integrity and ethics within the organization.

• Have a written code of ethics in place involving all business leaders; ensure that every employee signs it and make him or her aware of the advantages of having one in place and how and where to report in case of violations. Have regular ethics awareness training programs for the staff members.

• Leaders and senior management must practice integrity and fairness in all their dealings; this way it spreads and percolates as a culture within the organization.

• Develop mature, fair, and rigorous employee performance management systems. This will ensure that the right people are retained, trained, and motivated. Have incentives linked to ethical behavior and acts; measure the effectiveness over time, and keep innovating for a highly positive culture.

Protect system assets

System assets include the servers, desktops, PDAs, BlackBerries, laptops, and any other asset that is used for accessing data in an organization. Since Web 2.0 runs on all web browsers, exploitation can occur both at the server side and the client side, which can then get distributed. Therefore, it becomes mandatory to harden servers, desktops, PDAs, and laptops. Some suggested best practices for protecting system assets are the following:

• A baseline standard like NIST can be used for hardening the servers, operating systems, PDAs, desktops, and laptops

• Make sure an updated antivirus runs on all the system assets in the organization

• Make sure the necessary patches are updated on all the system assets


• Implement host intrusion prevention systems (HIPS) with proper configurations to test for anomalies on servers that host web applications

• Make sure you test all the system assets regularly to keep them updated against emerging threats

Network hardening

A hardened network implemented with proper next-generation firewalls and necessary controls provides a vital defense for the organization against any kind of attack. Fortifying networks is probably the first level of defense and must be properly done.

Some of the basic and necessary steps that need to be performed are the following, apart from the technological solutions that need to be implemented:

• Harden all the network devices using standard baselines such as NIST

• Manage change effectively on the networks: if a new route has to be added on the firewall/router, make sure a change management procedure is followed and update the configuration management database

Implement next-generation firewalls

Legacy URL filtering solutions are insufficient. They rely only on categorized databases of URL entries that are updated only a few times a day. What is needed is a “reputation system” that assigns global reputations to URLs and IP addresses and works alongside the categorized databases for the ultimate protection. A sophisticated, third-generation reputation system provides a mechanism for determining the risk associated with receiving data from a particular website. This reputation can be used in conjunction with categories in an organization’s security policy, allowing it to make appropriate decisions based on both category and security reputation information. This reputation-based URL filtering solution needs to be global in scope and internationalized to handle websites in any language.

It is critical that the reputation system provides both web and messaging reputation. Since malicious attacks are multi-protocol, the reputation system must be aware of both email and web threats. A new domain without content cannot be categorized, but if it is associated with IP addresses sending email and those addresses have a history of spam, phishing, or other malicious activity, then the web reputation for this uncategorized domain can immediately be determined and security protections provided to those who try to access the site.

Organizations should deploy email gateways that utilize sender reputation to stop malicious attacks, often launched via spam and social engineering. Email reputation is also critical because spam, phishing, and other malicious emails will include a URL or IP address that needs to be immediately fed back into the web gateway security infrastructure.

Ensure that all caches and proxies are “security-aware”

Objects that can be cached must be filtered for malware, security reputation, and URL filtering policy prior to delivery to the requestor’s browser. Cached objects must have these filters applied each time the object is delivered to the end user, because the reputation may have changed since the object was originally cached, or the security policy of this requestor may differ from that of previous requestors in any of these areas: security reputation, URL filter policy, or malware. Deploying caches and proxies that are not security-aware runs the risk of delivering malicious code to the user.
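The two mechanisms just described, category-plus-reputation filtering (with an uncategorized domain inheriting the messaging reputation of its sending IPs) and a cache that re-filters on every delivery, as an added illustration that is not code from the article or from any vendor product. Every domain, IP address, score and policy below is constructed for the demo.

```python
"""Toy reputation-aware web gateway with a security-aware cache (added example).

(1) Access is decided on URL category AND a global reputation score; a
    domain with no web reputation yet inherits the messaging reputation of
    the IP addresses that send mail for it.
(2) A cached object is filtered again for every requestor at delivery time,
    because the reputation or the requestor's policy may have changed.
All databases, scores, domains and IPs are constructed for the demo.
"""
from dataclasses import dataclass, field

# Constructed category database: what a legacy URL filter relies on alone.
CATEGORIES = {"news.example": "news", "social.example": "social"}
# Constructed web reputation, 0 (known malicious) to 100 (trusted).
WEB_REPUTATION = {"news.example": 90, "social.example": 75}
# Constructed messaging reputation: sending IP -> observed history.
MAIL_REPUTATION = {"198.51.100.7": "spam", "203.0.113.9": "clean"}
# Constructed association: domain -> IP addresses that send mail for it.
DOMAIN_IPS = {"newdomain.example": ["198.51.100.7"], "shop.example": ["203.0.113.9"]}


@dataclass
class Policy:
    """Per-requestor security policy: blocked categories plus a reputation floor."""
    name: str
    blocked_categories: set = field(default_factory=set)
    min_reputation: int = 50


def update_web_reputation(domain, score):
    """Simulate a reputation feed update (e.g. a site later seen serving malware)."""
    WEB_REPUTATION[domain] = score


def web_reputation(domain):
    """Web reputation; a domain with no web score is derived from the mail
    history of its associated IPs, so a brand-new spam/phishing domain is
    scored before any category database has seen it."""
    if domain in WEB_REPUTATION:
        return WEB_REPUTATION[domain]
    histories = [MAIL_REPUTATION.get(ip, "unknown") for ip in DOMAIN_IPS.get(domain, [])]
    if any(h in ("spam", "phishing") for h in histories):
        return 10          # inherits the bad messaging reputation
    return 50              # nothing known: neutral


def decide(policy, domain):
    """Return (allowed, reason): category check first, then reputation floor."""
    category = CATEGORIES.get(domain, "uncategorized")
    if category in policy.blocked_categories:
        return False, f"category '{category}' blocked by policy {policy.name}"
    score = web_reputation(domain)
    if score < policy.min_reputation:
        return False, f"reputation {score} below floor {policy.min_reputation}"
    return True, f"category '{category}', reputation {score}"


class SecurityAwareCache:
    """Stores an object once, but runs the filter again on every delivery."""

    def __init__(self):
        self._objects = {}

    def store(self, domain, body):
        self._objects[domain] = body

    def fetch(self, policy, domain):
        """Deliver the cached body only if this requestor's policy and the
        current reputation still permit it; None means blocked or cache miss."""
        if domain not in self._objects:
            return None
        allowed, _reason = decide(policy, domain)
        return self._objects[domain] if allowed else None
```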

Enable bi-directional filtering

Ensure that bi-directional filtering and application control are implemented at the gateway for all kinds of web traffic. This will scan all incoming and outgoing web traffic, giving IT security personnel a greater view of what comes in and goes out. Filter unwanted traffic; monitor violations and support incident response and forensics. Store the data on a syslog server and archive it after a certain interval of time.

Implement deep-content protection

There are many products available in the market today for implementing deep-content protection. But to achieve success, organizations must make sure they have taken the following steps:

• Have a clearly defined security policy on what should be done by whom

• Define what is sensitive and what is not sensitive with reference to data

Once the above necessary steps are done, the deep-content protection takes care of things: information that is classified can be prevented from being sent over personal email IDs, or even through official IDs. Deep-content protection also empowers the IT security personnel to granularly control what users will be able to do in the virtual world when using the organizational network; for example, users may be allowed to view social networks but may be restricted from posting.
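The outbound side of the gateway described in the last two sections (bi-directional filtering with syslog records, and deep-content protection that first labels data as sensitive and then enforces who may do what), as an added example that is not code from the article or any product. The hosts, sensitivity markers, users and requests are constructed for the demo.

```python
"""Toy egress filter for deep-content protection and application control (added example).

Step 1 of the text: a policy states what may be done by whom (here, which
HTTP methods each application type permits). Step 2: data is labelled
sensitive or not. Only then can the gateway block classified content on
personal or official mail and allow viewing but not posting on social
networks, writing one syslog-style line per decision.
Hosts, markers, users and requests are all constructed for the demo.
"""
import re
from dataclasses import dataclass

# Step 2: what is sensitive. A classification stamp or a 16-digit card-like
# number marks outbound content as classified (constructed rule).
SENSITIVE_MARKERS = (re.compile(r"\bCONFIDENTIAL\b"), re.compile(r"\b\d{16}\b"))

# Step 1: constructed host -> application type, and application -> permitted methods.
HOSTS = {"social.example": "social", "webmail.example": "webmail",
         "mail.corp.example": "mail"}
APP_METHODS = {"social": {"GET"},             # view only, no posting
               "webmail": {"GET", "POST"},    # personal mail, but no classified data
               "mail": {"GET", "POST"}}       # official mail, same content restriction
MAIL_APPS = {"webmail", "mail"}


@dataclass
class Request:
    user: str
    method: str
    host: str
    body: str = ""


def classify(text):
    """Label outbound content: 'classified' if any sensitive marker matches."""
    return "classified" if any(p.search(text) for p in SENSITIVE_MARKERS) else "public"


def inspect_request(req):
    """Return (allowed, reason): application control first, then content."""
    app = HOSTS.get(req.host, "other")
    if req.method not in APP_METHODS.get(app, {"GET", "POST"}):
        return False, f"{app}: {req.method} not permitted for this application"
    if app in MAIL_APPS and classify(req.body) == "classified":
        return False, f"{app}: classified content in outbound message"
    return True, "permitted"


def syslog_line(req, allowed, reason):
    """One line per decision, in the shape a syslog archive would hold."""
    action = "allow" if allowed else "block"
    return (f"egress user={req.user} method={req.method} host={req.host} "
            f"action={action} reason=\"{reason}\"")


def process(requests):
    """Filter a batch of outbound requests and return the log lines."""
    return [syslog_line(r, *inspect_request(r)) for r in requests]


# Constructed sample traffic for a stand-alone run.
SAMPLE = [
    Request("alice", "GET", "social.example"),
    Request("alice", "POST", "social.example", "status update"),
    Request("bob", "POST", "webmail.example", "Q3 plan CONFIDENTIAL attached"),
    Request("bob", "POST", "mail.corp.example", "card 4111111111111111"),
    Request("carol", "POST", "webmail.example", "lunch at noon?"),
]

if __name__ == "__main__":
    print("\n".join(process(SAMPLE)))
```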

Use comprehensive access, management, and reporting tools

Enterprises should deploy solutions that provide “at-a-glance” reporting on the status and health of their services. They also need both real-time and forensic reporting that allows them to drill down into problems for remediation and post-event analysis. Providing robust and extensible reporting is a critical function to understand risk, refine policy, and measure compliance.


Application hardening

Developing a successful and secure application involves many phases. While there are a plethora of articles and standards available on application-related vulnerabilities of Web 2.0 and how to deal with them, we will focus on the overall picture and not delve into each and every exploit here, but outline those basic steps that need to be taken which have often been overlooked in comparison with technical vulnerabilities. Following these simple steps can ensure to a good extent that the applications are securely built. Future vulnerabilities can be easily dealt with if these simple guidelines are followed:

1. Have/hire competent programmers in place who are also deft at handling application security. Develop a culture of secure programming within the IT team. Have the information security personnel participate in the development process.

2. Practice good coding standards using baselines and other standards available from various resources – one excellent resource is the Open Web Application Security Project (OWASP).[2] Ensure that the baselines and standards are strictly followed by the programming team.

3. Create a threat model of the application using known and unknown incidents and do stressful penetration tests on applications before they go live. Document the recordings of the tests. This will serve as a reference point for building future applications and saves time and money.

4. Have a mature risk assessment/management process in place that has a holistic approach towards application development: people risks, process risks, technological risks. By having a mature risk management process in place, processes are repeatable/reproducible, saving time when newer applications are built.

• People risks: people risks are often considered beyond application purview but should be scrutinized as carefully as the code they are producing.

• Process risks: effective change management policy and application release management procedures should be established and maintained for the development cycle.

• Technological risks: are the best technologies being used? For example, code should not be developed and compiled using older vulnerable versions, e.g., of Java, when new stable releases are available – new releases mitigate a lot of known vulnerabilities.

Process and policy control mechanisms

Security policies in place

Have effective security policies in place and ensure that they are followed by everybody. Always have them current in line with changing trends of security and business, and measure their effectiveness by conducting regular awareness quizzes. Monitor for violations using technology, processes, and people. Record and rectify them.

Incident response

In spite of the best firewalls, effective security policies and audits, and the best people, breaches and threats can be realized. If such an incident happens, make sure there is an incident response plan in place on how to deal with that situation. Train people on effective incident management procedures.

Conduct continuous risk assessment

Conduct regular risk assessments on web applications with a holistic approach towards security and check to see if the controls are at the optimum and desired level expected by the business units and executive management.

Follow benchmarks

Finally, benchmark your protection strategy at regular intervals against global standards or other best practices followed by your peers or other organizations. Align them to your business needs if needed.

Conclusion

Web 2.0 is a boon, and if implemented and managed properly, organizations, societies, and countries can benefit from the participatory approach of the collaborative Internet. Organizations and governments spanning countries must come forward with good regulations and measures for making this new trend a success for one and all, as cybersecurity and websites cannot be restricted to a single country alone.

[2] OWASP – www.owasp.org.

About the author

Vinoth Sivasubramanian, CEH, ABRC-CIP, ISO 27001 LA, has over seven years of experience in the information security discipline in the domains of telecommunication, finance, and consulting. He is a member of the ISSA Educational Advisory Council, a working committee member of International Cyber Ethics, and a reviewer of IFIP Conference. He can be reached at [email protected].