Data Sinks and Data Leakage – The Effect of Poisoned Links

Gone are the days of text user interfaces for exchanging data or email over the Internet. Now, users are hard pressed to exchange information without using HTML or any of the Web 2.0 features. When the WWW was in its infancy, our ability to share and download information propelled us from expensive snail-mail-based forms of communication to a method whereby the cost to share was minuscule.
 
Information was freely available to anybody who wanted to go to a corporate, government, or personal website. But the key was that the information initially traveled one way – from the server to the client. The WWW was a great source of information, from government reports, to company publications, to advertising. Just imagine the cost savings when companies realized they could share their end-of-year financial reports with their shareholders via the web instead of mailing out thousands of glossy, multi-color novelettes about what they did in the previous 12 months. This represented a huge savings for the company and data-on-demand capability for the shareholders. This was a win-win situation for everybody.
 
However, as the WWW has matured to Web 2.0, websites have begun to emerge that do not just provide information – they take it! These data “sinks” may appear innocent or helpful, but they are designed to encourage visitors to provide information – information about themselves, their accounts, their personally identifiable information, their friends, their customers, and their financial information. They are phishing sites, and criminals use tricks to get unwary users to visit these sites and respond to their solicitations. Unfortunately, Web 2.0 provides numerous ways for criminals to embed links to their sites in emails and on social networking sites that people inherently trust.
 
USA Today reported that some of the most popular websites today, Facebook and Twitter, are unable to prevent poisoned or malicious links (or advertising for that matter) from being embedded in posts. When users follow these links – links they trust because they are from an advertisement or post from a “friend” – they are taken down into the drain of criminal activity in much the same way that Alice was taken into the rabbit hole.
 
Computer network security is needed now more than ever to act as a guard against unintentional visits to phishing sites (by way of poisoned links or any other method). “Security in depth” is a mantra that reminds us that we cannot rely solely on software on PCs to protect us from visiting phishing sites, especially when we use smart pads and smartphones as often as we use our PCs – and what protection do we have on our smartphones?
 
When we look at defense in depth, we need to look not just at the PC, but more importantly, at the network. PCs, like users, can be fooled into visiting phishing sites. However, if your network is deployed using best practices and anti-phishing protection, it acts as another protective layer of your defense, and not just a conduit for surfing the web.
 
As valuable as your personal information is today, you want to ensure that the WWW is providing you with great sources of information and not taking your information from you. It is clear from the USA Today report that taking information from you is popular, and much easier to do with many of the Web 2.0 applications. Use your business's network to block access to these sites and stop the leaks.
