
Web 2.0 brings security risks

By Ilva Pieterse, ITWeb contributor
Johannesburg, 04 Apr 2008

Web 2.0 is causing a great many security issues for both the user and the organisation.

According to Ian de Villiers, senior security developer at Sensepost, Web 2.0 is a new method of using the Internet.

"Instead of limiting the Internet to viewing content, users can now view, edit, update and comment on content contained on Web pages. In many cases, this is done using a combination of some really old, and some really new processes where the user is unaware that his Web browser is making requests on his behalf."

This can have a great impact on information security. "Web 2.0 poses security concerns by exposing functions and procedures in JavaScript, for example."

According to De Villiers, some security threats include a script that port-scans internal networks while users are simply viewing a Web page, or a worm that exists purely in a Web application. An example of this was the MySpace 'Samy is my Hero' worm that infected over a million accounts in less than 24 hours, he says.
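The worm De Villiers refers to spread because text that one user typed into a profile was placed, unchanged, into pages shown to other users. The following is an added illustration, not code from the article or from any of the companies quoted, of the defensive habit that closes that gap: HTML-escape untrusted text before it is written into a page. The function names, the wrapping markup and the sample profile text are constructed for this example.

```javascript
// Added example (not from the article): contrast rendering user-supplied profile
// text raw with rendering it HTML-escaped. Names and sample input are constructed.

// Replacement table for the five characters that can alter HTML structure or
// break out of a quoted attribute.
const ESCAPES = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };

// Escape untrusted text so the browser treats it as literal characters, not markup.
function escapeHtml(untrusted) {
  return String(untrusted).replace(/[&<>"']/g, (ch) => ESCAPES[ch]);
}

// Unsafe rendering: concatenates the raw text into the page fragment.
function renderProfileUnsafe(aboutMe) {
  return `<div class="about">${aboutMe}</div>`;
}

// Safe rendering: same layout, but the text is escaped first.
function renderProfileSafe(aboutMe) {
  return `<div class="about">${escapeHtml(aboutMe)}</div>`;
}

// Demonstration-only check: does the fragment contain any tag other than the
// wrapping div? Real sites should rely on escaping (or a vetted sanitiser) plus a
// Content-Security-Policy, not on a pattern check like this one.
function containsForeignTag(fragment) {
  const inner = fragment
    .replace(/^<div class="about">/, "")
    .replace(/<\/div>$/, "");
  return /<\s*\/?\s*[a-zA-Z]/.test(inner);
}

// Constructed sample input: profile text that carries script markup.
const SAMPLE_ABOUT_ME = 'but most of all, <script>/* payload */</script> samy is my hero';

if (typeof require !== "undefined" && require.main === module) {
  console.log("unsafe:", renderProfileUnsafe(SAMPLE_ABOUT_ME));
  console.log("safe:  ", renderProfileSafe(SAMPLE_ABOUT_ME));
}
```

Run with Node to see both fragments side by side: the unsafe one still carries a live script element, the safe one shows the same text as harmless characters. Escaping at the point where text meets markup is what makes a stored worm of this kind unable to execute in other users' browsers.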

Security Summit 2008

More information about the ITWeb Security Summit 2008, which takes place from 6 to 8 May at Vodaworld, Midrand, is available online here.

According to Anton Grashion, EMEA security strategist at Juniper Networks, a "rogue application" is one that has a clandestine behaviour that may expose the organisation to threat. The application is usually not sanctioned and approved by an enterprise's IT department and may have been downloaded in ignorance by a user, he explains.

"They can siphon information out of an organisation, track behaviours and usage, and act as a backdoor to download further malware, to list some examples," says Grashion.

This can cause mayhem in the workplace. "Security resources are diverted to cleaning up the aftermath of such violations of usage policy."

According to Grashion, security policies must be employed and strictly enforced. "Expenditure into new policy, and monitoring tools to enforce corporate policy and guidelines in a more automated manner should be employed," he says. "This includes an effective endpoint strategy for fixed, mobile, and all classes of guest users tied to access control, intrusion prevention and SIEM, among others."

De Villiers further suggests that organisations ensure they are using a fully patched browser and certify that their staff members are aware of the privacy concerns related to the Web applications they are using.
