Site iconSite icon IFSEC Insider | Security and Fire News and Resources

Secure IT: Web 2.0 and corporate security

Open season for attackers?

For a number of years, the Internet was a relatively one-dimensional experience characterised by the delivery of static HTML pages within a one-way client-server environment. There was little in the way of direct user involvement. Here, security threats were – and still are – very real indeed.

Web 2.0, on the other hand, is a very different animal. This is very much a participatory client-server environment defined by social networking, bookmarking, media-sharing sites, blogs, ‘wikis’, P2P networking, AJAX-generated applications and RSS feeds. It’s also a world largely outside of the IT and Security Departments’ control.

Several years ago, SMTP was the main vector for viruses and other malicious content. In Web 2.0, SMTP is no longer the carrier for the malicious payload. Instead, e-mail only directs the unsuspecting user to a web site, where the more dynamic HTTP can be exploited for nefarious purposes.

Today, many malicious attacks target the browser. Among other techniques, attackers can now manipulate the DNS protocol to mask a malicious web site as legitimate in order to gain access to the corporate network via the user’s browser. Chilling, isn’t it?

Dynamic, social, collaborative

Web 2.0 is, by definition, dynamic, social and collaborative. Users supply the data that make many Web 2.0 applications and services what they are – Google Earth works because users interact with it, MySpace is only as great as the sum of its members, the ‘Blogosphere’ because users blog. It’s this very collaboration and openness that attackers thrive on.

Users share information in multiple venues – e-mail was once the lone venue. In this new open environment, monitoring for corporate data leakage and unwanted content is a task of Herculean proportions. The danger has increased in orders of magnitude. An e-mail leaking corporate information has a limited reach and shelf-life (delete it and it’s gone), but sensitive data leaked into the blogosphere has the potential to do significant damage.

As always, the challenge involves balancing user expectations with corporate security. Users demand unfettered connectivity – e-mail and video conferencing, etc – and access to Web-based applications. More and more, companies are outsourcing their mission-critical data (such as CRM systems) to Web-based hosting infrastructures. These applications enable organisations to reduce IT administration costs and the headaches associated with traditional applications.

However, the hackers have been quick to exploit vulnerabilities in Web applications. For example, Web 2.0 has been especially good to phishing attackers. Phishing sites built using Rich Internet Applications (RIAs) appear so legitimate that even seasoned users and early-generation security solutions are fooled. Nomadic attack patterns make it almost impossible to track down the attackers.

Legitimate, stand-alone RIAs are powerful because they offload most of the processing tasks to the client machine via a client engine that acts as an extension of the user’s browser. This client executable can be used as a vector for malicious code. RIAs that employ ActiveX plug-ins, a common RIA technique, are particularly vulnerable to attack.

Embedded XML malware

Legitimate web sites aren’t safe any more, either. Attackers can (and do) embed executable XML malware on popular sites. Streaming video is the next vector of choice. Imagine the effect of a Trojan horse embedded in one of YouTube’s featured videos which, potentially, millions of unsuspecting users would view… Again, it’s frightening.

Only this month, the long-running Storm Trojan horse that has infected user machines via SMTP made the jump to HTTP. Storm backers infected the web site for the Republican Party in Wisconsin. Fortunately, the site’s owners were able to remove the dangerous code within a few hours.

Security experts estimate that as many as two million machines are part of the Storm botnet – its tentacles could reach into the tens of millions with the move to the Web. Blanket blocking of legitimate sites isn’t the solution – arguably, some of these sites fulfil legitimate business functions for some users.

Secure Socket Layer (SSL)-encrypted websites also pose a threat. Most Internet security solutions don’t inspect the SSL tunnel, which carries the encrypted data point-to-point, making SSL an effective vector for stealing data. Attackers also set up SSL-enabled Web servers to appear legitimate to phishing victims. When the user receives an e-mail and clicks through to what he or she believes to be their banking site, the familiar lock within the Web browser offers a false sense of security.

Once a bot is installed, it forms botnets that use similar SSL sessions to leak sensitive data and other valuable content out of the corporate network. Most content filters and other security products fail to identify these attacks as they occur. As a result, these sessions are allowed in and out of the network.

Protecting the enterprise

What can security professionals do to protect their enterprises? First, they must have the ability to scan legitimate websites in real-time for executable viruses and other malware. Blanket blocking is not the answer. Many legitimate Web-based business applications use executables to enrich the user experience.

Security professionals must also be able to establish both broad and granular user-based policy controls over P2P applications such as IM and Skype, without hindering user productivity and application performance.

An understanding of today’s phishing techniques is also essential. Users should be blocked from posting data to high-risk sites (often defined to include sites previously unknown to block brand new phishing sites)

IT and security professionals should exercise broad protocol control over RTSP, MMS, IM, SSL and P2P applications. Some of the more comprehensive Web security solutions offer this level of functionality along with basic messaging, anti-virus and anti-spam filters.

Exit mobile version