Web 2.0 : Criminals 2.0

It is fair to say that the use of Web 2.0 is exploding. However, its full
impact is still not well understood, and perhaps even the term itself is not
clear. So, before we go any further, let's define what it means. When I refer to
Web 2.0, I am primarily speaking about websites that allow user-generated

User-generated content changes everything on the web. Virtually
anyone, friend or foe, can create content, edit HTML directly, upload files, and
distribute content which could equally be of value or deliberately malicious in
nature. Blogging, commenting, social networking and similar methods of
information exchange collectively form a significant and widely used segment of
the Web 2.0 space and have many uses both socially and from a business point of

In the case of the Obama campaign site, the site was designed specifically
for voters and community organizers to spread the word and interact with more
potential voters and influencers. To do this, they allowed users to create blogs
that could have any content on them. There was nothing that could stop someone
from posting a comment in a blog that looked like it should be there (related
somehow to the blog post), yet linked to a site hosting malware. Websense found
that hackers did just this by creating blogs on this site specifically designed
to spread information-stealing malware.

In the past, we have also found malicious code on sites such as MySpace,
Facebook, and Google. We have even seen sites that use Google's DoubleClick ad
network hosting advertisements linking to malicious code. The key point I am
trying to make here is called web reputation. You would think that Facebook,
Google, and MyBarackObama.com all have good web reputations (scores that security
companies give to sites for being trusted), and you are right. The problem is
that a good reputation can go out of the window with just one piece of malicious
user-generated content or hidden code.

To look at an example closer to home, the official website of Rajshri
Productions, India, was recently compromised and began infecting the machines of
site visitors with malicious code. The malicious code was hidden on the main
page of the site and led to an Adobe Reader PDF exploit. The organization has
been an integral part of the Indian film industry, enjoying a unique and
respected position in the market, and yet their site was unwittingly used by
cyber criminals. Since many security solutions use web reputation as a basis for
either allowing or not allowing a user to get to the site, this is a serious

One can, therefore, say that user-generated content takes the web security
fight to a whole new level.

Seventy of the top hundred most popular websites either hosted malicious
content or contained a masked redirect to lure unsuspecting victims from
legitimate sites to malicious sites. This represents a 16% increase over the
last six-month period, according to new research released earlier this year
from Websense Security Labs. The top 100 most popular websites, many of which
are social networking, Web 2.0 and search sites, represent the majority of all
web page views and are the most popular target for attackers. People (and
security software) cannot rely on web reputation alone and web reputation is
outdated. In the second half of 2008, more than 77% of the websites classified
as malicious by Websense were actually sites with seemingly good reputations
that had been compromised by attackers. This percentage is up from 75% in the
first half of 2008.

The web is the number one attack vector for online criminals. The web
continues to be the most popular vector for data-stealing attacks. In the second
half of 2008, Websense Security Labs found that 57% of data-stealing attacks
are conducted over the web, representing a 24% increase over the six month

Challenging Times
All these points raise issues which evidently need addressing. The business
concerns around Web 2.0 directly mirror issues from the past, when Internet
access became widespread in the corporate world. However, in today's Web 2.0
world, these threats are accelerated and multiplied because web content is
constantly changing and new applications are evolving daily. The use of these
dynamically changing websites presents a challenge to defined web usage policy
as well as offering new ways for data to leave the organization. IT
professionals are left with the tremendous predicament of taking into account
several different business concerns at once.

The most obvious concern is that of security. Web-based threats and blended
threats with email are evolving rapidly and leveraging Web 2.0 technology such
as active scripting to bypass legacy AV and IPS systems. However, there is also
a privacy aspect to Web 2.0. Casual and rapid communication with wider groups of
people can easily expose, accidentally, personal or confidential business
information online. This in turn reminds us of the need for suitable Data Loss
Prevention techniques. Dozens of new communication methods such as blogs, social
networking sites and instant messenger, multiply the chances for accidental and
irreversible online data leaks that can spread to enormous proportions.

We also have the question of liability to take into consideration.
Organizations can no longer effectively enforce acceptable use policies based
on static lists of known bad URLs. Dynamic Web 2.0 content exposes
organizations to unprecedented exposure to inappropriate or legally dangerous

All this is before we have even touched on bandwidth. While bandwidth has
become less expensive in most parts of the world, new rich content, video,
streaming media, and large downloads can quickly bog down even the most robust
networks. And the question of productivity remains a concern for many managers.
Social networking and Web 2.0 applications such as Facebook or MySpace can be
incredibly enticing, and black holes for productivity if left unmanaged.

With IT professionals struggling to understand its impact and adopt
reasonable policy controls, usage of dynamic Web 2.0 websites and applications,
whether sanctioned by IT or not, is more than likely happening within any
organization. What can be done?

It is apparent that the sophistication of Internet security threats and
malicious attacks has only increased as technology advances. With the adoption
of dynamic capabilities within the most popular websites on the Internet,
hackers have seized the opportunity presented by these high traffic websites to
try and infect victims. Compromising these trusted websites increases the
chance of a successful infection, and therefore the potential loss of data.

The ability to detect and prevent these dynamic, embedded threats requires
two things: knowledge, and the ability to act on this knowledge in real time.

The ability to embed this knowledge and analysis within the product, and
to inspect the content, is then of key importance.

Despite the exposure to security risks, businesses understand that shutting
off Internet access is no longer a viable solution, as organizations need to
harness the benefits of the Web 2.0 world. In order to allow the safe and
productive use of new Web 2.0 technologies, while protecting essential
information, businesses need to deploy technologies that provide real-time
analysis and reputation management of the web.

For the most comprehensive protection, organizations should look for a
solution that integrates web security, email security, and data security to
protect essential information and enable productive, safe use of the Internet
platform. Technology that sets and enforces policy settings for web and data
use, combined with contextual understanding of data, is also a must. Knowing who
is sending information, what it is, where it is going and how it is getting
there is essential to defining if data is being used correctly or not.

By bringing together process and technology, organizations can be more secure
as well as harness the benefits of the Web 2.0 world. Websense combines web and
email intelligence with real-time analysis and data security, giving customers
the necessary context to implement informed, defined data protection strategies.
Pulling these elements together with training, processes and a data-centric
security strategy will protect an organization's essential information.

When your essential information is protected, you get to say Yes to a whole
new business environment.

Surendra Singh
The author is regional director, Saarc, Websense
