Does Web 2.0 Need Security 2.0?

Web 2.0 is a shift in the way people use and consume the internet
Workers are beginning to use social media platforms more than email in their working lives
Rebecca Steinberg Herson, Commtouch
Chris Wysopal, Veracode
Rashmi Tarbatt, RSA

Spam and malware attacks via social networking sites are on the up, and then some. Research from Sophos suggests a 70% rise last year in these threats from Facebook, Twitter and LinkedIn. Proofpoint also found that around 10% of workers in the UK were using social media platforms more than email in their working lives last year.

The most recent research into the business adoption of social media, which has only just been published, comes from Clearswift. It reveals that 60% of managers simply trust employees to use social media responsibly despite 25% of employees admitting to posting content they have later regretted. Worryingly, 51% of managers say that employees are oblivious to social media security concerns. Which leaves us pondering, does Web 2.0 urgently need security 2.0?

Vendor Considerations

There is no doubt that there has been a proliferation of Web 2.0 services, but have security vendors reconsidered their offerings to ensure these new technologies don’t also create new security holes?

To answer that, you first need to define Web 2.0 according to SecureWorks’ Randy Janinda, a senior application security consultant. “It’s not a technology, or even a group of technologies”, Janinda argues. “It’s a shift in the way people use and consume the internet”.

"Security controls for the Web 2.0 world will generally be extensions of the existing security solutions"
Taher Elgamal, Axway

The term is now commonly associated with web applications that facilitate interactive information sharing, interoperability, user-centered design, and collaboration. “This basis of Web 2.0 has exponentially increased the potential attack surface for web applications”, Janinda insists. Which, unsurprisingly, is not something that security vendors have failed to spot.

However, an increased attack surface does not mean an altogether new one, points out Taher Elgamal, chief security officer at Axway and inventor of SSL. “The important thing to notice first is that these Web 2.0 systems are based on the products and technologies that have already existed for a long time”, he says, adding “that means that the security controls for the Web 2.0 world will generally be extensions of the existing security solutions”.

Tools such as web application scanning, source code scanning, and continuous site monitoring all play their part in securing businesses against web-based threats, including Web 2.0-specific ones. Yet according to Michael Shema, a security research engineer with Qualys, none of these tools have any fundamental understanding of the types of information going in and out of a website.

“While the tools can be excellent at identifying potential attack vectors that a hacker might use to extract someone’s personal data”, Shema points out that “they are rarely able to place any value on the impact of an attack”. That blind spot is why hackers also look for ways to abuse legitimate web functionality, rather than exploit an obvious flaw, to harvest email addresses or private profile information.

"Many major players are slowly catching up with greater web application security features"
Garry Sidaway, Integralis

Could it be, then, that Web 2.0 isn’t necessarily accelerating the spread of online threats, but taking them into different and new directions? That’s the thinking of Paul Wood, a senior analyst at Symantec Hosted Services, who insists that “the use of Web 2.0 should not warrant additional security countermeasures aimed at Web 2.0 per se, but it should place a greater emphasis on the endpoint in terms of protection”. Which leads us nicely onto the next question: Does Web 2.0 need different security technology at all then?

Technically Speaking

Security guru and Veracode CTO Chris Wysopal is convinced of one thing: that the high interactivity of Web 2.0 requires more code running on the user’s browser, be it FLEX, CLI or JavaScript. “To make things even more interesting from a security perspective, this client side code often is pulled from multiple external sources and ‘mashed up’ in the web browser”, Wysopal states.

"Web 2.0 security should be standard to any offering that deals with web security, since users themselves do not differentiate"
Rebecca Steinberg Herson, Commtouch

Rashmi Tarbatt, chief security architect EMEA at RSA, agrees that Web 2.0 is unavoidably complex and suggests that the three main areas of risk that businesses need to consider are: information loss, malware infestation and workforce productivity loss.

“To mitigate these risks”, she says, “security vendors need to continually review their enterprise offerings”. Yet while data loss prevention technology is updated to prevent loss of specific types of information, DLP solutions can only stop accidental data loss. According to Tarbatt, “malicious intent is a whole other ball game”. So what Web 2.0-specific security products are out there to meet this need?

Market Overview

Christopher Boyd, a senior threat researcher with Sunbelt Software, says that when it comes to the Web 2.0 security market, the industry has simply gone “from ‘block or allow’ specific 2.0 sites to ‘we need to tailor individual access to small chunks of those sites’ and it’s quite a challenge to work out how many pieces there are and what to do with them all”.

Which could be why the market isn’t exactly flooded with viable Web 2.0 security products right now. This is not to say there are none at all. Garry Sidaway, director of security strategy at Integralis, told us that “there are dedicated social networking security products from specialists such as Facetime, and next-generation web security products from general vendors including Palo Alto, Fortinet, Imperva etc”. He adds that “many major players are slowly catching up with greater web application security features”.

"The use of Web 2.0 should not warrant additional security countermeasures aimed at Web 2.0 per se, but it should place a greater emphasis on the endpoint in terms of protection"
Paul Wood, Symantec Hosted Services

So should Web 2.0 security simply be built into vendor offerings as standard then? Rebecca Steinberg Herson, vice president of marketing from Commtouch, argues exactly that. “Web 2.0 security should be standard to any offering that deals with web security, since users themselves do not differentiate”, she says.

Indeed, nobody uses the web in such a way that they decide to look at old-fashioned websites in the morning and Web 2.0 ones in the afternoon, so web security products need to protect across the board. But they need to do so effectively, and the Web 2.0 security market is not exactly mature right now.

Ronan Kavanagh, CEO of SpamTitan, argues that “simplicity and flexibility are still key with such offerings”, but Garry Sidaway reminds us that as most of these offerings are in their first or second generation that “granularity of control is generally weak”. Maybe then, there’s a real gap in the market here right now?

Watch the Gap

Meint Dijkstra, director of technical services at COMPUTERLINKS, wonders whether the window of opportunity has already passed for new entrants with Web 2.0-specific security solutions. “The entry bar is already quite high with mature, well-funded vendors on the case”, he says.

Christopher Boyd disagrees, and sees a definite gap in the market. “I think the industry is struggling to not only keep up with the fragmented nature of the technologies 2.0 sites offer”, he told us, “but also the many weird and wonderful ways those products and sites can be exploited to harm end users”.

However, he does warn that any product can only do so much when it comes to addressing the many and varied aspects of harm arising from Web 2.0 abuse, ranging from social engineering to data mining. What Ian Moyse, channel director EMEA for Webroot, sees is more of a functional gap than anything, with flexible protection at affordable prices being the key.

“The question is open as to whether the spend on this is high enough”, he says, arguing that just as the market spend in IM traffic protection never developed in its own right to create enough revenue for the IM filtering players (who ended up becoming general web filters or sold off to enhance bigger packages), “much the same is being seen of Web 2.0 at this time – a lot of talk but not a high spend to put the money where the mouth is yet”.

And, of course, ‘not high enough spend’ often equates to vendor repackaging of existing technologies as new solutions. Is that happening in the Web 2.0 security market?

Ed Rowley, product manager at M86 Security, agrees there has been a lot of hype, and there’s a degree of re-badging and repackaging going on, “but ultimately”, he warns, “if you can’t offer real-time inbound/outbound analysis, based on the way that web code is behaving, then your product is not going to do what it says on the tin”.

Indeed, this warning is echoed by Nick Billington, managing director of BitDefender UK, when he plainly states that “repackaging current technologies does not provide you with the same advantages as having a full Web 2.0 compatible solution”. It returns to what Billington calls “the challenge of protecting both computer and digital life” – namely that in the current climate there are clear risks in only protecting computers and not the behavior and lifestyle of those that use them.

In Conclusion

So, what to make of all this? As Steve Furnell, an IEEE member and professor of information systems security at the University of Plymouth, in the UK, points out, considering that a defining characteristic of Web 2.0 is the involvement of users as contributors, “one of the main risks comes from the information they share and with whom they share it”. Undoubtedly this means it requires a greater degree of information security but, Furnell warns, “we cannot rely upon vendors to provide a full solution”.

His argument is based on the premise that while technology can block access to dubious sites where users shouldn’t post data, less can be done to block the data itself. “As such”, Furnell concludes, “much of the solution lies with people rather than products”.

So what is needed then? Could it be that while Web 2.0 security will inevitably play its part, in the short term what’s needed is to raise awareness of the value of information and the ways it can be exploited? This would, as Furnell so sagely suggests, “help users make more informed decisions about what to share”.
