Caught in the Social Web
The rise of Web 2.0 is assisting computer crime in a multitude of ways. User-contributed content is a major source of malware. IBM ISS reported late in 2009 that more malware was found on legitimate sites (like PlayStation.com) than on suspicious sites. Free blogging services are being used to host porn links that direct users to drive-by downloads of malware. Social networking sites such as Facebook and Twitter create a false sense of trust between users and provide excellent vectors of attack. The explosion of useless toys called apps on Facebook, Google and the iPhone greatly contributes to users violating their own security. Bit.ly and TinyURL.com are not only convenient but also do a great job of obfuscating the real URL and making it difficult for human and machine alike to judge the safety of a link.HTML5 is right around the corner and will bring with it a whole new series of attacks. Once the distinction between Web applications and desktop applications fades, attackers will move right in and take advantage of the situation. Corporate security leaders should deeply evaluate HTML5 and the next Google Chrome OS to determine whether the rewards outweigh the risks. Early on this transparent merging of local and Internet resources will not hold many rewards and companies will be cautious, but then there will be some silly consumer app that your CEO orders you to support, so your security, desktop and Web development teams must prepare.The other side of the coin is the need to protect your own Web 2.0 servers. Not only could you suffer from an attack, but so could your employees, customers and business partners. Every company has a responsibility to Internet society to protect its servers from being used to attack others. Build security checks into your site design and quality assurance process. Run a Web application firewall and an IPS (intrusion prevention system). Vulnerabilities to look for include cross-site scripting, improper iFrames and poor validation of forms resulting in SQL injection attacks. Today's threats aren't terribly different from those of yesterday; they're just becoming easier for criminals to exploit. And at the same time, companies are doing everything they can to control security costs. The upshot is that the only way to keep corporate networks and data safe is through well-planned security initiatives and strong lines of communication between business and security leaders.