The new Web means new security threats – and new ways of dealing with them.
“Web 2.0 breaks what we know about traditional Web security,” said David Meizlik, product marketing manager for security solutions with Websense Inc. The company is pitching a new Web gateway appliance, the Websense V10000, aimed specifically at Web 2.0 security threats. The V10000 will ship later this month.
Ninety of the Top 100 sites on the Web contain user-generated content, Meizlik said. “That content is constantly changing,” he said, so traditional approaches to Web security aren’t adequate. Reputation-based services will examine the URL; others will white-list a site based on a scan that’s several hours old.
“You need an engine that can inspect that content in real time,” Meizlik said. “You’re talking about being inline with the content.”
In the case of mash-ups, some content on the page might be a security threat or simply inappropriate, while the rest of the page is not. Meizlik said the V10000 can block content elements individually, still allowing access to the page.
“It really opens up the Web in terms of where users can go and what content they can access,” he said.
David Senf, director of Canadian security and infrastructure software research for IDC Canada Ltd., said there’s not just more people creating malware, there’s a bigger “attack surface” for them to compromise.
“Attackers love more features because there’s more to exploit,” Senf said. As data travel among mashed up applications, it can be compromised at many points, and there isn’t an identity scheme that helps users determine a level of trust among sites, Senf said.
READ MORE: Websense offers to take fear out of Facebook, Web 2.0
And, he said, “There’s more social engineering going on than ever before.” He gives the example of layering one Flash application over another; on the surface, it’s a game where you have to click on a particular object, but doing so downloads spyware or a keystroke logger from the other application.
In a February report, Secure Enterprise 2.0 Forum identified specific Web 2.0 security vulnerabilities, including:
* Cross-site scripting, in which malicious content is sent to a system, then displayed to other users. Social networking sites are particularly vulnerable.
* Cross-site request forgery, which generates requests to other sites for which the user is authorized while he or she is browsing the page.
* Phishing through fraudulent widgets that redirect to a malicious Web site.
* Leakage of sensitive information through social networking sites that may seem trivial in isolation, but combined with other small data items can be unacceptable.
* Injection flaws; XML, XPath, JavaScript and JSON are all vulnerable.
The report cites a McKinsey & Co. survey that found 87 per cent of companies plan to use Web 2.0 technologies to reach customers; at the same time, 78 per cent are concerned about unsanctioned, employee-driven use of Web 2.0 tools.
“Business data and customer information can be proteced if IT departments recognize (the) associated risks and prepare accordingly,” wrote Ofer Sheza, author of the report.
Meizlik said the security appliance takes the analytics of Websense’s ThreatSeeker technology and embeds it in the device. It works hand-in-hand with the company’s cloud-based security technology.
“It doesn’t just rely on on-premise technology,” he said.
The appliance is also built to host other Websense security technologies, for example data loss prevention, Meizlik said.
