Let’s start with what Web 2.0 is before getting into the risks.
The term Web 2.0 is commonly associated with web applications that facilitate interactive information sharing, interoperability, user-centered design and collaboration on the World Wide Web.
For those of you still unclear about what Web 2.0 is, let me put it a different way. Web 2.0 is Facebook, MySpace, LinkedIn, Twitter, the blogs, the wikis, or any website that allows visitors to interact by posting updates or comments or by uploading pictures or videos.
The biggest challenge of the Web 2.0 world is that security must focus on protecting open systems rather than shutting everyone out. The social networking tools built on the Web and Web 2.0 are incredibly powerful and useful: they can make employees more productive and speed up decision-making, they can allow companies to gain a competitive advantage over their rivals, and they can significantly reduce the cost of doing business.
According to a study by global communications firm Burson-Marsteller, more than three-quarters of the Fortune Global 100 companies are using at least one of the most popular social media platforms (Twitter, Facebook, YouTube, and corporate blogs) to actively engage with stakeholders. Sixty-five percent of the largest 100 international companies have active accounts on Twitter, 54 percent have a Facebook fan page, 50 percent have a YouTube channel, and one-third have corporate blogs.
The Nielsen Wire reports that the world now spends over 100 billion minutes or 22 percent of all time online on social networks and blog sites.
So what’s the risk?
The trusted nature of Facebook, MySpace and other social networks allows hackers to launch exploits and spread Web-based malware. Research shows that a high proportion of users click on any link sent by a friend on Facebook, MySpace or LinkedIn because of the façade of trust these sites carry. Users do not exhibit the same caution on social networks as they would when communicating in person.
Most of you are aware of the phishing scams common in email, and those techniques have now been extended to social networks. In email, users are typically lured to a fake financial institution website controlled by cybercriminals; once data is entered into the fake site it is stolen and used for identity theft.
The open and trusted nature of social networks makes the same kind of scam easier. Security company Kaspersky reported several phishing scams targeting Facebook and MySpace in which a user received an email, apparently from a trusted friend, with a link to a groundbreaking news event or an exciting photograph or video. A user who clicks the link is taken to a bogus site that imitates the Facebook or MySpace login page. The end result is another stolen credential.
Web-based Malware, exploits and other attacks
As email becomes more secure, with multiple levels of malware protection and spam filtering, the majority of malware is today distributed through websites. The lure may be an invitation to visit a website for a freebie, or to view an amazing video after downloading a plug-in, thereby infecting the system. In other cases the malware exploits known or zero-day vulnerabilities in the operating system or other software users run (Flash, Adobe, Java, etc.).
Malware entering the system this way can steal sensitive information from the computer or make it part of a botnet.
Data Breaches and Data Leak
Inadvertent data breaches can occur when users use Web 2.0 tools, for example when a user accidentally enters sensitive information on the web that harms the reputation of his or her employer or tells the world about a confidential activity.
Sensitive or confidential information can also leak through a social network or through social-network-based instant messaging.
Because of the extensive use of status-update, blogging and microblogging sites like Twitter, URL shortening is very popular. This creates a security risk: the end user has no way of knowing what is on the other end of a shortened link without clicking on it, which gives cybercriminals the opportunity to send legitimate-sounding links that actually lead to malicious sites.
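One defensive answer to the shortened-link problem is to resolve the redirect chain without ever loading the destination page. The script below is an added example, not the author's code; the hostnames, the redirect table and the trusted-host list are constructed for the demonstration.

```python
# Added example (not the author's code): reveal where a shortened link leads by
# walking only its redirect chain with HEAD requests, never loading the final page.
import urllib.error
import urllib.request
from urllib.parse import urljoin, urlparse

MAX_HOPS = 5  # shorteners often chain (shortener -> tracker -> site)

class _NoRedirect(urllib.request.HTTPRedirectHandler):
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None  # None = do not follow; urllib raises HTTPError instead

def http_head(url):
    """Live fetcher: one HEAD request. Returns (status, Location or None)."""
    opener = urllib.request.build_opener(_NoRedirect)
    req = urllib.request.Request(url, method="HEAD")
    try:
        with opener.open(req, timeout=5) as resp:
            return resp.status, None
    except urllib.error.HTTPError as err:
        return err.code, err.headers.get("Location")

def expand(url, fetch=http_head, max_hops=MAX_HOPS):
    """Follow redirects hop by hop. Returns (chain, final_url, note)."""
    chain = [url]
    for _ in range(max_hops):
        status, location = fetch(chain[-1])
        if status not in (301, 302, 303, 307, 308) or not location:
            return chain, chain[-1], "final"
        chain.append(urljoin(chain[-1], location))  # Location may be relative
    return chain, chain[-1], "too many redirects"

def verdict(final_url, trusted_hosts):
    """Only hosts on the caller's own allowlist count as trusted."""
    host = (urlparse(final_url).hostname or "").lower()
    if any(host == t or host.endswith("." + t) for t in trusted_hosts):
        return "trusted"
    return "review before clicking"

# Constructed redirect table standing in for live shortener responses.
FAKE_WEB = {
    "http://short.example/abc": (301, "http://t.example/x"),
    "http://t.example/x": (302, "/login"),  # relative Location header
    "http://t.example/login": (200, None),
    "http://loop.example/a": (302, "http://loop.example/a"),
}

def fake_head(url):
    return FAKE_WEB.get(url, (404, None))
```

Pass `fetch=fake_head` to run against the constructed table offline, or leave the default `http_head` to query a real shortener; either way only the redirect headers are fetched.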
What’s the solution?
The first step in risk management is to understand the types of risk organizations face from the variety of Web, Web 2.0 and social networking threats, and the nature of those threats. This varies from organization to organization and from user group to user group. Use publicly available sources for this education, including vendors of Web security gateways, industry analysts, consultants, speakers at trade shows, webinars, etc. The key for any security manager is to learn the nature of the threats, how they could specifically impact the organization, and the remedies available to prevent and/or remediate them.
The next step is a detailed audit of the organization’s Web and endpoint security controls. The goal is to identify the holes in the security systems and to see which protection methods are implemented. The result of this audit should be a vulnerability assessment that clearly defines where the system, user or network is protected, where it is vulnerable to attack, and how critical each risk is.
Depending on your organization’s requirements, make sure you have clearly defined policies on what is allowed and what is not. Based on those policies, educate employees on safety and security, and provide a framework for managing violations.
Policies need to cover:
The monitoring and blocking in place, the content users are allowed to share, and which social networking services are allowed.
Educate users about the risks of Web 2.0 and make sure they are aware of all of them. Tell them that in the world of Web 2.0 and social networking the rules are ‘Don’t trust anything’, ‘Challenge everything’ and finally ‘Have your own privacy’. Also make sure users are aware of the existing policies and the enforcement process.
Good Endpoint Protection solution
Invest in a good endpoint protection solution. The days of antivirus and antispyware protection based on signature analysis alone are gone. Beyond antivirus and antispyware, you need an endpoint protection solution with features such as application and device control, HIDS/HIPS and a firewall, and malware detection based on signatures, heuristics and behavior.
Secured Web Gateway
For web traffic you need to employ malware, content and URL filtering technologies. Organizations need to ensure that all web traffic, inbound and outbound, passes through a Secured Web Gateway; these solutions are typically capable of efficiently thwarting the majority of malware and malicious content that propagates through Web 2.0 technologies. Additionally, Data Loss Prevention is an effective tool for monitoring outbound communications, especially to social networks. A data loss prevention solution that stops sensitive data traveling outside the corporate network can be extremely valuable in keeping corporate data from leaking to a social network, either accidentally or intentionally.
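To make the DLP point concrete, here is the kind of outbound content check such a gateway applies to a post before it leaves the network. It is an added example, not any product's code; the classification markers and the sample posts are constructed, and the card-number pattern is one illustrative rule among the many a real product ships with.

```python
# Added example (not any product's code): an outbound DLP check run on a post
# headed for a social network. It flags Luhn-valid payment-card numbers and a
# constructed CONFIDENTIAL/INTERNAL marker standing in for an organization's
# own document-classification labels.
import re

CARD_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")  # 13-19 digits, sep allowed
MARKER_RE = re.compile(r"\b(?:CONFIDENTIAL|INTERNAL)\b")

def luhn_ok(digits):
    """Luhn checksum: weeds out order or phone numbers that merely look like cards."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0

def scan(text):
    """Return a list of (kind, evidence) findings; card evidence is redacted."""
    findings = []
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_ok(digits):
            findings.append(("card-number", "*" * (len(digits) - 4) + digits[-4:]))
    for m in MARKER_RE.finditer(text):
        findings.append(("classification-marker", m.group()))
    return findings

def decide(post):
    """'block' if anything sensitive was found, else 'allow'."""
    return "block" if scan(post) else "allow"

# Constructed sample posts, as the gateway would see them leaving the network.
SAMPLE_POSTS = [
    "Great conference! Contact me on 555-0100.",
    "Paying for the team lunch with 4111 1111 1111 1111, who wants in?",
    "Order 1234 5678 9012 3456 shipped today.",
    "INTERNAL roadmap leaked on the last slide of my deck, oops",
]

def review(posts):
    """Verdict per post, in order, with the redacted evidence alongside."""
    return [(decide(p), scan(p)) for p in posts]
```

The third sample post has a 16-digit number that fails the Luhn check, which is why it is allowed; a pure digit-count rule would have blocked it.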