With the explosion of Web 2.0 technology, Rob Swainson, managing director of Blue Cube Security, analyses the new level of threats and challenges posed by such technology and looks to see if IT security vendors are reconsidering traditional security offerings to plug the gaps where security loopholes have appeared. He also explains how these new products should be adopted to achieve the greatest degree of security within an organisation.
Web 2.0 applications and websites are rapidly taking over from traditional read-only sites, with particular emphasis on the use of social networking sites: Facebook alone received 206.9 million unique visitors in December 2009. It is therefore imperative for organisations to ensure that they are aware of the risks posed by Web 2.0 and have suitable protection in place to safeguard their networks.
Organisations have been quick to see the time-saving possibilities and cost-effective business benefits that Web 2.0 technology offers through its interactive, personal and real-time nature. It is not, however, all work and no play these days; organisations are starting to realise that billions of pounds are lost in productivity every year as a direct result of staff clocking up hundreds of hours each day online and visiting social networking sites whilst at work. This, along with the bigger threat of the potential loss or sharing of confidential information when logging into external sites and uploading information without the necessary security requirements in place, exposes an organisation's networks to bigger challenges than ever before.
Many organisations are making a knee-jerk response to this surge in use of social networking by implementing a complete ban on such sites in the workplace. On the face of it this approach would seem to cut out the associated security issues, but in reality it only serves to enhance the threat, with ever more IT-savvy staff using proxy sites and so opening the company network up to a greater security risk than the original website.
Blue Cube recommends a policy of monitoring as opposed to blocking access. Organisations can passively monitor their networks to manage data loss or leakage, which can be caused when employees use their corporate addresses to access social networking sites and upload messages and information. Data leakage prevention (DLP) solutions can then be developed to address any problems that are identified.
It does not have to be a case of all or nothing when it comes to managing staff access to the web. There are a number of products available on the market that allow organisations the flexibility to implement granular controls to regulate how, when and what employees can access and upload/post onto websites. These controls can be implemented at email, web and instant messaging gateways to ensure real-time protection, which is invisible to the user. By regulating and implementing such controls, organisations can ensure corporate policy is adhered to with social networking being limited to legitimate business usage, whilst also mitigating security risks by limiting potentially hazardous actions.
A user-centric approach can often prove the most successful. Technology can be used to 'pop up' messages informing users that the action they are about to take (sending attachments by email, uploading sensitive content, etc.) may contravene corporate security policy and asking whether they wish to continue. The user is then faced with the decision as to whether what they are doing is both legitimate and best practice. This also provides the organisation with a means of monitoring actions based on intent rather than accident.
Web 2.0 security, along with more traditional technologies, has two main areas where vulnerabilities can be exposed. The first stems from inadvertent errors within the coding of websites that can be easily exploited by hackers once identified; these errors can mostly be rectified relatively quickly and easily. The other source of vulnerability however comes from architectural design errors, rendering a system or solution fundamentally flawed and therefore posing vendors with a far harder issue to resolve to ensure adequate protection. The reality is that from wherever the problem originates, once identified neither of these flaws can be left exposed and a solution must be identified whether a temporary patch or full website re-design is required.
Web 2.0 technologies pose a number of different external security requirements and threats that need to be considered, on top of those tackled by traditional legacy protection. Traditional protection is no longer seen as sufficient due to the rich multi-directional aspect associated with Web 2.0 applications. As technology advances to improve user interaction with the web, it also develops for the sole purpose of finding and exploiting the expanded areas of weakness exposed in a system.
As new technological development comes into effect, so must new security products, to offer new levels of protection, with Web 2.0 being no different. The difference here, however, comes from there being no single and easy one-stop solution to combat the multidimensional threats and susceptibility of Web 2.0 applications.
So where should organisations start in order to protect their business network? With Web 2.0, organisations need to consider both inbound and outbound security measures to ensure sufficient protection is in place. The developments in malware, zombie and Trojan attacks mean that traditional signature-based anti-virus solutions can in some instances be considered insufficient as the only line of defence for larger organisations. This is because new attacks have no known signature and are not flagged up. Traditional web filtering can also be ineffective in flagging up malicious sites, with Web 2.0 requiring a greater level of gateway monitoring to ensure full protection.
Whilst employees' actions in-house are being closely monitored, organisations are often missing the less obvious opportunities for a Web 2.0 security breach. With the ever-expanding boundaries of a company's network, organisations also need to seriously consider the security risks associated with mobile PDA devices and smartphones. As with PCs and laptops, organisations need to protect their phones from malware, viruses and data loss. With a huge surge in the number of people updating Web 2.0 sites, such as Facebook and Twitter, from smartphones and BlackBerrys, these devices should be incorporated into an organisation's security governance.
I would recommend that every organisation considers the following areas of multi-factor protection to ensure they are prepared to combat the threats posed by Web 2.0: real-time URL and message filtering; anti-malware and signature-based malware protection to catch known and new unknown threats; bi-directional filtering and application control at the gateway, as well as monitoring software to check for data leakage; and finally a robust auditing reporting tool.
Due to this multifaceted threat, I believe an in-depth analysis of an organisation's systems and requirements, along with the habits and behaviour of employees, is needed to establish a tailor-made solution, as a much greater level of security can be achieved through combined protection. By layering products you can remain one step ahead of the attacker. Another key element of successful protection is anonymity: by publicising the protection you have in place, you allow attackers to easily target the known vulnerabilities of these specific products, but by keeping your security protection invisible you can also hide its weaknesses.
Once the 'bad guys' have been blocked out of your business networks, however, there are still more considerations necessary. Internal threats associated with Web 2.0 do not come only from malicious employees leaking or stealing data or sensitive information directly; they can just as easily come from well-meaning employees downloading applications that have not been approved by their IT department and that unknowingly contain malicious content. Naivety of employees within organisations can cost companies substantial time and money to rectify. We consider that one of the greatest security measures an organisation can adopt is a policy of educating staff about potential risk and how to avoid the obvious security pitfalls, since the majority of web users will not differentiate between a Web 2.0 and a read-only site and the different security considerations required.
As far as Web 2.0 goes, vendors who are starting to re-build and re-write their traditional security offerings to be Web 2.0 effective today will reap the rewards in tomorrow's market by being one step ahead of the game. It would also seem that as soon as Web 2.0 is secure and covered, Web 3.0 or semantic web usage will be upon us, posing yet new challenges in its wake.
Web development and online networking are here to stay and will play a progressively intrinsic role in the way that companies operate. There are clear benefits in tapping into these innovations and advancements and, despite the very genuine and real threats they pose, these can be mitigated with the introduction of vigorous corporate policies, supported by robust technologies, provided by trusted partners. Embracing change should enhance, not compromise, business performance.
Rob Swainson is managing director of Blue Cube Security