
Web 2.0 simplifies hacking

By Jacob Nthoiwa, ITWeb journalist.
Johannesburg, 14 Apr 2011

The programmatic interfaces of Web 2.0 applications can let hackers automate attacks more easily.

So said Stephan van der Merwe, Kaspersky Lab's head of operations for Sub-Saharan Africa, speaking at the ITWeb/Kaspersky Lab Social Networking Security Forum 2011, at Southern Sun Grayston in Sandton this week.

He suggested that organisations have to understand the types of risks involved when introducing Web 2.0 into the workplace.

However, Van der Merwe said that while Web 2.0 presents different types of challenges, these are not necessarily worse than the risks of legacy applications, just different.

He is of the view that the opportunities that Web 2.0 technology can provide a business make overcoming these potential threats worth the effort.

“Web 2.0 combined with our 'work-from-anywhere' lifestyle has begun to blur the lines between work and private life.

“With increased use comes increased risk. In addition, because Web 2.0 applications often rely on client-side code, they more often perform some client-side input validation, which an attacker can bypass,” he said.

Because of this psychological shift, he explained, people may inadvertently share information their employer would have considered sensitive.

“Even if individuals aren't sharing the equivalent of trade secrets, the accumulation of the small 'non-sensitive' items they share can allow competitors to gain intelligence about what's going on and being worked on at that company.”

Wrong hands

He also noted that in many Web 2.0 applications, content is trusted in the hands of many users, not just a select number of authorised personnel.

“That means there's a greater chance that a less-experienced user can or will make a change that will negatively affect the overall system.”

Hackers now have access to a greater number of 'administrative' accounts whose passwords can often be cracked easily if the correct security controls are not in place. This means they can also exploit this change in a system's design, Van der Merwe warned.

Web 2.0 technologies tend to be vulnerable to many types of injection attack, including XML injection, JavaScript injection and XSS, simply because Web 2.0 applications use and rely on those technologies.
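The two points above, that client-side input validation can be bypassed and that reliance on JavaScript-heavy front ends invites XSS, are easiest to see side by side in code. The following is an added example, not code from the article, Kaspersky Lab or Westcon; the display-name rule, the request body and the function names are constructed for illustration.

```javascript
// Hypothetical validation rule shared by browser and server: a display
// name of 1 to 20 letters, digits, underscores or spaces (constructed).
const NAME_RULE = /^[A-Za-z0-9_ ]{1,20}$/;

// What the browser-side script does: it refuses to submit bad input.
// Nothing prevents a user from sending the HTTP request directly, so
// this check only protects against honest mistakes.
function clientSideSubmit(displayName) {
  if (!NAME_RULE.test(displayName)) return { submitted: false };
  return { submitted: true, body: { displayName } };
}

// A server that trusts the browser-side check and stores whatever arrives.
function naiveServerHandle(body) {
  return { status: 200, stored: body.displayName };
}

// A server that re-applies the same rule on its own side, treating the
// browser-side check as a usability aid rather than a security control.
function hardenedServerHandle(body) {
  const name = typeof body.displayName === "string" ? body.displayName : "";
  if (!NAME_RULE.test(name)) return { status: 400, stored: null };
  return { status: 200, stored: name };
}

// Output encoding for the HTML-significant characters, applied whenever
// stored content is echoed into a page, so text cannot become markup.
function escapeHtml(s) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// Constructed request body that never passed through clientSideSubmit,
// standing in for a request assembled outside the browser.
const CRAFTED_BODY = { displayName: "<script>alert(1)</script>" };

// Run the same crafted body through both servers for comparison.
function demo() {
  return {
    browserWouldSubmit: clientSideSubmit(CRAFTED_BODY.displayName).submitted,
    naive: naiveServerHandle(CRAFTED_BODY),
    hardened: hardenedServerHandle(CRAFTED_BODY),
    escaped: escapeHtml(CRAFTED_BODY.displayName),
  };
}
```

The naive server accepts the markup the browser would have refused, while the hardened server rejects it with a 400; the escaping function is the second layer for anything that is legitimately stored and later rendered.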

Jan de Lange, MD of Westcon Security, who also spoke at the forum on the top social networking security threats and vulnerabilities, said one possible solution is to roll out an all-in-one anti-malware program across the organisation.

“Anti-malware detection needs to be able to make use of heuristics or behaviour analysis to keep systems protected from new and unknown threats.”

Another solution is to use a program that allows secondary settings and tasks for roaming users. “Organisations should define a social networking policy, which specifies what company details employees are allowed to post on public-access sites,” he advised.

Organisations should also prevent employees from bypassing the corporate firewall and browsing rules by locking down end-point devices like 3G modems, he said.

Close examination

ITWeb's editorial director, Ranka Jovanovic, also presented the results of the ITWeb/Kaspersky Lab Social Networking Threats Survey, which polled 303 respondents. The survey was run on ITWeb from 28 February to 14 March.

Jovanovic said it is worrying that 28% of companies do not have a security policy in place that includes rules for social networking use. However, 71% of respondents rated their concern over their online security as 'high' or 'very high'.

The survey shows that social network security awareness is rising among South African online users. Some 90.25% of respondents consider the security risks before installing an application or clicking on a link when visiting a social network. In addition, 62.87% of the surveyed companies have an IT security policy in place that includes rules for social networking use.

This survey showed that of the 97% of respondents that belong to a social network, 95% belong to Facebook, 63% to Twitter and 14% to LinkedIn. It also revealed that 6% of respondents have experienced an attack of sorts on their social network profile.

Sergio Ventura was also announced as the winner of the prize draw for the survey at the event.
