Sivasubramanian Risk Management In The Web 2.0 Environment
1. PreemInent truSted GlobAl
ISSA ISSA Journal | February 2010
InformAtIon SecurIty communIty
risk management in the
Web 2.0 environment
By Vinoth Sivasubramanian – ISSA member, UK Chapter, and in the process of founding/establishing a chapter
in the United Arab Emirates (UAE)
A recent study reports a significant percentage of organizations are not confident in the
security measures that are in place for Web 2.0. this article looks to an integrated approach
of people, processes, and technological controls to mitigate Web 2.0 security risks.
W
eb 2.0 refers to the second generation of Web de- straight approach. A recent study by KPMG Insider reports
velopment and design and has brought about sig- a significant percentage of organizations are not confident
nificant change in the Internet such as web-based in the security measures that are in place for Web 2.0.1 This
communities, hosted services, and applications such as so- must be accomplished through an integrated approach of
cial networking sites, wikis, blogs, video sharing sites, RSS people, processes, and technological controls. Before we delve
feeds, and much more. Web 2.0 delivers a new kind of Web into the mitigation strategies, we will analyze the threats that
experience that is interactive, real-time, and collaborative. are evident through Web 2.0 technologies.
Although many of the underlying technical components of
the Web have remained the same, the use of the Web as a plat- threat sources for Web 2.0
form on which to build rich applications is transforming our The threat table given in Figure 1 is intended to organize the
online experience. Organizations are also investing in Web rest of the article. It is not intended to be complete, but can
2.0 technologies to harness its power to draw in more cus- be used as a sample to map out threats and their implications.
tomers. The participatory approach of Web 2.0 is also taking
governments by storm as well, leading to the next generation
of governance: eGovernance 2.0. 1 Claire Le Masurier, “Risk Concerns Stall Uptake of Web 2.0 Technology in the
Workplace,” A KPMG Insider Report 2008 – http://www.kpmg.co.uk/news/detail.
As with any paradigm shift, technologies and processes can cfm?pr=3012.
take us to new levels of user expe-
rience and productivity, but those Threat Source Vulnerable Areas Threat Impacts Implications
same technologies also present us
Social networks, blogs, Loss of sensitive data,
with new levels of threats and risks. Humans instant messenger, private knowingly or unknow- Loss of reputation in the
Whether inadvertent or intention- eyes of public
email, etc. ingly
al, the threats are equally danger-
ous to people, customers, business, Malware, viruses,
Browsers, unpatched spyware, logic bombs, Loss of CIA, legal implica-
and countries. These risks, if iden- Systems/Networks systems, and servers and a host of other tions, and financial losses
tified and controlled in the proper threats
way, can bring a lot of benefits to
Loss of CIA, legal, and
the organization and society as a Application related Applications Malware, logic bombs financial implications.
whole.
Loss of CIA, legal implica-
Managing and mitigating risks in Improper Controls Entire organization is
exposed
Loss of data, viruses,
logic bombs, etc. tions, reputational damage,
Web 2.0 requires a more diversi- and business losses
fied approach rather than a single
figure 1 – Web 2.0 threat sources
35
2. risk management in the Web 2.0 environment | Vinoth Sivasubramanian ISSA Journal | February 2010
Invest in training and development
People are the weakest as well as the Keep the security people busy: invest in training security
strongest link in an organization. personnel on latest threats and protections through internal
resources or external training, and make sure that they stay
updated on the latest trends and technologies. Security per-
Now with some familiarity of the threat source, let us analyze sonnel who do not keep themselves updated on latest tech-
some of the strategies that could be implemented for mitigat- nologies and trends pose a threat in of themselves. The IT/
ing and controlling the threats caused by the noted sources. security department should subscribe to good security jour-
These threats can be mitigated through a multi-layered de- nals and sponsor memberships in professional organization
fense process of internal controls, technological controls, and such as ISSA, ISACA, IEEE, etc., which provide a wealth of
processes. information on security and related research.
Human threats Instill ethics and integrity into the culture of the
People are the weakest as well as the strongest link in an orga- organization
nization. LinkedIn and MySpace are two of the major social This is by far the most potent weapon for creating an almost
networking sites where people working within the organiza- infallible security culture and program within the organiza-
tion can leak sensitive data deliberately or inadvertently. Or- tion, but also the most difficult. Outlined are some simple
ganizations cannot block social networks because they are points to help create and foster a culture of integrity and eth-
becoming the base infrastructure for business and personal ics within the organization.
interaction of the future. For effective social network use in
• Have a written code of ethics in place involving all
the workplace and to ensure that valuable data is not leaked,
business leaders; ensure that every employee signs it
organizations must ensure the following minimal steps.
and make him or her aware of the advantages of hav-
define a policy for virtual environments ing one in place and how and where to report in case
of violations. Have regular ethics awareness training
Clearly document the websites/activities that are permitted programs for the staff members.
within the corporate environment. Also document the ac-
tivities that are allowed in virtual environments. With the • Leaders and senior management must practice in-
help of a legal counsel, document the actions that would be tegrity and fairness in all their dealings; this way it
initiated in the event of not complying with these policies. spreads and percolates as a culture within the orga-
nization.
monitor virtual environments • Develop mature, fair, and rigorous employee perfor-
The workplace is not the only place vital data can be leaked; mance management systems. This will ensure that
therefore, monitor virtual environments regularly. IT man- the right people are retained, trained, and motivated.
agers must ensure that they organize an internal team to Have incentives linked to ethical behavior and acts;
monitor virtual environments for slanderous comments, measure the effectiveness over time, and keep inno-
sensitive data, and other objectionable content. This must be vating for a highly positive culture.
done periodically, at least once a month, and reports stored.
Deviations, if any, must be reported to management and ac- Protect system assets
tions must be taken in accordance with local laws and orga- System assets include the servers, desktops, PDAs, Black-
nizational policies. berries, laptops, and any other asset that is used for access-
ing data in an organization. Since Web 2.0 runs on all web
educate end users browsers, exploitation can occur both at the server side and
Security is everyone’s responsibility. Educating end users on the client side, which can then get distributed. Therefore, it
security awareness in the Web 2.0 environment is more criti- becomes mandatory to harden servers, desktops, PDAs, and
cal than ever. It is essential that they be taught not only the laptops. Some suggested best practices for protecting systems
traditional email, system, and web security jargons but also assets are the following:
what can be discussed/posted on virtual environments. Also • A baseline standard like NIST can be used for hard-
make clear the repercussions that would follow if inappro- ening the servers, operating systems, PDAs, desktops,
priate behavior is discovered. Educate them on the potential and laptops
risks that the organization is exposed to if browsing from an
airport coffee shop or WiFi hotspot. Have a training manual, • Make sure an updated antivirus runs on all the sys-
distribute it to everyone, and keep it updated. Conduct regu- tem assets in the organization
lar security training awareness programs. • Make sure the necessary patches are updated on all
the system assets
36
4. risk management in the Web 2.0 environment | Vinoth Sivasubramanian ISSA Journal | February 2010
• Implement host intrusion prevention systems (HIPS) ensure that all caches and proxies are “security-
with proper configurations to test for anomalies on
aware”
servers that host web applications
Objects that can be cached must be filtered for malware, se-
• Make sure you test all the system assets regularly to
curity reputation, and URL filtering policy prior to delivery
keep them updated against emerging threats
to the requestor’s browser. Cached objects must have these
network hardening filters applied each time the object is delivered to the end user
because the reputation may have changed since the object was
A hardened network implemented with proper next-genera- originally cached or the security policy of this requestor may
tion firewalls and necessary controls provides a vital defense be different than the previous requestors. This policy might
for the organization against any kind of attack. Fortifying be different in any of these areas: security reputation, URL
networks is probably the first level of defense and must be filter policy, or malware. Deploying caches and proxies that
properly done. are not security-aware runs the risk of delivering malicious
Some of the basic and necessary steps that need to be per- code to the user.
formed are the following, apart from the technological solu-
tions that need to be implemented: enable bi-directional filtering
• Harden all the network devices using standard base- Ensure that bi-directional filtering and application control
lines such as NIST are implemented at the gateway for all kinds of web traffic.
This will scan all incoming and outgoing web traffic, which
• Manage change effectively on the networks: if a new
will assist the IT security personnel in having a greater view
route has to be added on the firewall/router, make sure
of what comes in and goes out. Filter unwanted traffic; moni-
a change management procedure is followed and up-
tor violations, incident responses, and forensics. Store the
date the configuration management database
data onto a syslog server and archive it after a certain interval
Implement next-generation firewalls of time.
Legacy URL filtering solutions are insufficient. They rely only Implement deep-content protection
on categorized databases of URL entries that only update a
There are many products available in the market today for
few times a day. What is needed is a “reputation system” that
implementing deep-content protection. But for achieving
assigns global reputations to URLs and IP addresses, and
success organizations must make sure they have taken the
works alongside the categorized databases for the ultimate
following steps:
protection. A sophisticated, third-generation reputation
system provides a mechanism for determining the risk as- • Have a clearly defined security policy on what should
sociated with receiving data from a particular website. This be done by whom
reputation can be used in conjunction with categories in an • Define what is sensitive and what is not sensitive with
organization’s security policy, allowing them the ability to reference to data
make appropriate decisions based on both category and se-
Once the above necessary steps are done then the deep-
curity reputation information. This reputation-based URL
content protection takes care of things: information that is
filtering solution needs to be global in scope and internation-
classified can be ensured not to be sent over personal email
alized to handle websites in any language.
IDs, or even through official IDs. Deep-content protection
It is critical that the reputation system provides both web also empowers the IT security personnel to granularly con-
and messaging reputation. Since malicious attacks are multi- trol what users will be able to do in the virtual world when
protocol, the reputation system must be aware of both email using the organizational network; for example, users may be
and web threats. A new domain without content cannot be allowed to view social networks but may be restricted access
categorized, but if it is associated with IP addresses sending to posting.
email and they have a history of spam, phishing, or other
malicious activity, then the web reputation for this uncatego- use comprehensive access, management, and
rized domain can immediately be determined and security reporting tools
protections provided to those who try to access the site.
Enterprises should deploy solutions that provide “at-a-
Organizations should deploy email gateways that utilize glance” reporting on the status and health of their services.
sender reputation to stop malicious attacks, often launched They also need both real-time and forensic reporting that al-
via spam and social engineering. Email reputation is also lows them to drill down into problems for remediation and
critical as spam, phishing, and other malicious emails will post-event analysis. Providing robust and extensible report-
include an URL or IP address that needs to be immediately ing is a critical function to understand risk, refine policy, and
fed back into the web gateway security infrastructure. measure compliance.
38
5. risk management in the Web 2.0 environment | Vinoth Sivasubramanian ISSA Journal | February 2010
with changing trends of security and business, and measure
Application hardening their effectiveness by conducting regular awareness quizzes.
Developing a successful and secure application involves Monitor for violations using technology, processes, and peo-
many phases. While there are a plethora of articles and stan- ple. Record and rectify them.
dards available on application-related vulnerabilities of Web
2.0 and how to deal with them, we will focus on the overall Incident response
picture and not delve into each and every exploit here but In spite of the best firewalls, effective security policies and
outline those basic steps that need to be taken which have audits, and the best people, breaches and threats can be real-
often been overlooked in comparison with technical-related ized. If such an incident happens, make sure there is an inci-
vulnerabilities. Following these simple steps can ensure to a dent response plan in place on how to deal with that situation.
good extent that the applications are securely built. Future Train people on effective incident management procedures.
vulnerabilities can be easily dealt with if these simple guide-
lines are followed: conduct continuous risk assessment
1. Have/hire competent programmers in place who are also Conduct regular risk assessments on web applications with
deft at handling application security. Develop a culture of a holistic approach towards security and check to see if the
secure programming within the IT team. Have the infor- controls are to an optimum and desired level as expected by
mation security personnel participate in the development the business units and executive management.
process.
2. Practice good coding standards using baselines and other follow benchmarks
standards available from various resources – one excellent Finally, benchmark your protection strategy at regular inter-
resource is the Open Web Application Security Project vals against global standards or other best practices followed
(OWASP).2 Ensure that the baselines and standards are by your peers or other organizations. Align them to your
strictly followed by the programming team. business needs if needed.
3. Create a threat model of the application using known and
unknown incidents and do stressful penetration tests on conclusion
applications before they go live. Document the recordings Web 2.0 is a boon, and if implemented and managed prop-
of the tests. This will serve as a reference point for building erly, organizations, societies, and countries can benefit from
future applications and saves time and money. the participatory approach of the collaborative Internet. Or-
4. Have a mature risk assessment/ management process in ganizations and governments spanning countries must come
place that has a holistic approach towards application de- forward with good regulations and measures for making this
velopment: people risks, process risks, technological risks. new trend a success for one and all as cybersecurity and web-
By having a mature risk management process in place, sites cannot be restricted to a single country alone.
processes are repeatable/reproducible, saving time when
newer applications are built. references
• People risks: people risks are often considered be- — Jacques Bughin and James Manyika, “How Business are Using
yond application purview but should be scrutinized Web 2.0,” Mckinsey Global Survey 2007 – http://www.mck-
as carefully as the code they are producing. inseyquarterly.com/How_businesses_are_using_Web_20_A_
McKinsey_Global_Survey_1913.
• Process risks: effective change management policy — “Losing Ground Global Security Survey 2009,” from Deloitte
and application release management procedures – http://www.deloitte.com/view/en_US/us/Industries/Media-
should be established and maintained for the devel- Entertainment/article/e510f6b085912210VgnVCM100000ba-
opment cycle. 42f00aRCRD.htm.
• Technological risks: are the best technologies being — Web 2.0 – www.wikipedia.org.
used? For example, code should not be developed and — Web 2.0 Security Threats – www.enterprise2.0.org.
compiled using older vulnerable versions, e.g., Java,
when new stable releases are available – new releases About the Author
mitigate a lot of known vulnerabilities. Vinoth Sivasubramanian, CEH, ABRC-
CIP, ISO 27001 LA, has over seven years
Process and policy control mechanisms of experience in the information security
discipline in the domains of telecommu-
Security policies in place nication, finance, and consulting. He is
a member of the ISSA Educational Ad-
Have effective security policies in place and ensure that they
visory Council, a working committee
are followed by everybody. Always have them current in line
member of International Cyber Ethics,
and a reviewer of IFIP Conference. He can be reached at vinoth.
2 OWASP – www.owasp.org. sivasubramanian@gmail.com.
46