Risks in a Web 2.0 World: Web 2.0, the Next Generation of Internet-Based Services That Emphasizes Social Interaction and User-Driven Content, Has Arrived. But like All Internet Tools, Web 2.0 Introduces New Risks That Require Unique Solutions

Article excerpt


Interaction, openness, knowledge-sharing and malleability are the new online currency.

The internet has always represented a security challenge, but with the emergence of Web 2.0's reliance on open-ended, user-generated content, things just got even more complicated.

The shift of consumer-oriented Web 2.0 tools to the corporate enterprise, including use of social networking sites such as Facebook, YouTube, Craigslist, Flickr and Wikipedia, as well as the proliferation of blogs, RSS feeds and other emerging technologies, introduces a whole new level of risk.

Ultimately, it is the social and interactive nature of Web 2.0 technologies that makes them inherently difficult to secure. Couple that with the speed with which new applications and widgets are created and launched, and you have a potential disaster in the making for the unprepared.

Ready or Not

In addition to using them for personal reasons, employees and businesses are increasingly adopting Web 2.0 tools as legitimate and useful business tools. Already the term Enterprise 2.0 has been coined, and terms such as "enterprise social computing" are being used to label the adoption of Web 2.0 by business.

According to Nemertes Research, 18% of companies currently use blogs, 32% use wikis (collections of web pages that anyone can modify or contribute to) and 23% use RSS feeds. These numbers are expected to grow rapidly, with leading analyst firms such as Gartner, the Radicati Group and Forrester Research predicting that enterprise spending on Web 2.0 business social software could reach up to $4.6 billion by 2013. The notoriously secretive CIA even recently launched an internal wiki called Intellipedia to capture intelligence gathered from its global network of field agents and internal researchers.

Web 2.0 holds the key to breaking down the barriers between siloed business groups and in making valuable corporate information and organizational intelligence more accessible, searchable and more easily shared. It is a primary reason why wikis currently are one of the most popular social media tools for enterprises.

Web 2.0, with its built-in collaboration, promises to help capture and derive value from institutional knowledge and know-how. The fact that information is no longer centrally controlled and that the abuse of publishing tools is very easy, however, is a justifiable reason for concern. So too is the untested nature of many Web 2.0 applications.

Regardless of which specific technologies are used, it is how Web 2.0 is implemented and how the associated risks are managed that will be most important. Even those organizations that are not using Web 2.0 themselves will need to take steps to secure users and their internal systems.

In some instances Web 2.0 tools and practices are being introduced on an ad hoc basis, without full knowledge or oversight by IT or management. Employees are simply taking the tools and running with them. Wikis, blogs, Flickr, social tagging, bookmarking and the like are all tools that can have a valuable role to play in business--that is, if the risks are understood and the necessary precautions and training are undertaken across the organization to reduce those risks.

The Risks Involved

As Web 2.0 solutions become more popular and more pervasive, security in the corporate enterprise will continue to be a major factor. As already outlined, the interactive nature of these applications creates new avenues for information leakage, and makes them inherently difficult to secure.

New technologies like RSS, Ajax and even instant messaging all introduce new vulnerabilities. The heavy use of Ajax (a web development technique used to create interactive web applications) and the move of processing from the almost exclusive domain of servers to client devices and handheld technologies heighten risks. Hackers can far more easily attack Web 2.0 sites with tactics such as cross-site scripting (XSS) simply because there are more opportunities ("attack surfaces," in techie parlance) than in traditional scenarios.

There are also social risks to consider. The essence of Web 2.0 is increased interactivity. The more people participate, the more likely it is that they could divulge proprietary information about themselves or their employers.

With the ability to post photos, video and audio recordings to sites, employees can inadvertently "leak" confidential company information and post inappropriate personal information that puts both the employee and the business at risk, from both reputational black eyes and litigation.

Authenticity and transparency are major issues. Malicious attacks (cyberbullying) via social networks by unscrupulous individuals posing under another identity have been well publicized. Many of the most active Web 2.0 sites are social networks such as MySpace and Facebook that, while initially identified with teenagers, are being rapidly adopted by the 35-and-over crowd as a business tool. The rapidly growing professional social network LinkedIn is being tapped as a job and talent search tool, and Twitter (a free social networking and microblogging service that uses instant messaging), Short Message Service (SMS) between mobile phones and RSS are also gaining traction.

Two recent incidents demonstrate the threats to corporate and individual security and privacy, and show why companies should be concerned. These threats, and others like them, have led some companies to consider curtailing employee access to social networks altogether.

In January 2008, a social networking attack called "Secret Crush" duped Facebook users into inviting friends to join them in downloading the "crush calculator." This catchy application turned out to be a malicious "social worm" widget that downloaded adware without the user's knowledge. According to web security company Fortinet, which discovered the problem, the widget spread as a social worm. It was being used by more than one million unsuspecting Facebook users, who "freely" chose to install the widget at the cost of disclosing their personal information.

Even more recently, ExxonMobil was snared by a case of online impersonation involving someone posing as a company employee on Twitter. While the comments made by "Janet at ExxonMobilCorp" were largely positive, they were nonetheless unauthorized by the company. According to Jeremiah Owyang, a senior analyst at Forrester Research, this was a case of "brand-jacking," an increasingly common tactic in which people falsely adopt the identity of another person or company on the web.

Another mainstream communications tool subject to many of the same security concerns as social networking is blogging. A number of popular free blogging platforms in use by millions of individuals and businesses contain vulnerabilities that make them subject to hacking. Likewise, a study by SPI Dynamics, a web application security assessment company, noted that RSS content feeds may be used as a means to exploit vulnerabilities in newsreader clients.

Equally troubling to business are the actions and behavior of their employees online. A growing number of companies are considering or developing policy guidelines or codes of practice governing safe and appropriate conduct, as a way to limit the risk of inadvertent disclosure of company secrets and risk to the company's reputation.

We have all read of instances where an overzealous employee posted a derogatory comment about a competitor on a blog, forcing senior executives to apologize and backtrack. Thus, most companies that are blogging today moderate all corporate posts prior to publication. They also append language to their blog's comment area, dictating the tone of the blog and warning that inappropriate comments will be removed.

Publicly traded companies have another level of concern and must consider applicable regulations, especially given the recent SEC announcement that companies can now use corporate blogs for public disclosures. Under certain circumstances, companies will now be able to rely on their websites and blogs to meet the public disclosure requirements under Regulation FD (Fair Disclosure). Notably, the SEC outlines boundaries for sharing information as well as holding companies and their employees liable for the information they post on blogs and discussion forums.

Balancing Risk with Flexibility

The challenge for businesses in a Web 2.0 world is how to make use of these technologies while ensuring that they do not open themselves up to any new threats. Despite the fact that we are in an era in which more and more applications are moving to the web, a large number of websites still have vulnerabilities, so visitors' information, despite privacy settings, remains susceptible to security exploits. Applying content-control mechanisms to protect networks from malicious activity and maintain maximum organizational productivity is vital.

A website security audit should be a first step to determine vulnerabilities. Security software and web security appliances that scan the actual content of web traffic coming in and out of the network for malware, spyware, viruses, worms and Trojan horses should also be considered.

DNS (domain name system, the system that translates domain names to numbered IP addresses for routing through the internet) web filtering software for the enterprise and managed web and content filtering services (particularly for small and medium businesses that may not have significant internal IT support) provide another security tool to help mitigate internet risks and keep employees away from potentially harmful sites altogether.

URL and content filtering technology continuously crawls the internet and scans both new and existing domains. New domains are detected and classified, and updates are pushed out on a near real-time basis to provide web filtering. Requested sites are compared against lists of allowed or known-safe sites and of blocked or known-malicious sites, and users are either allowed to continue to the internet or denied access. The process is fast and transparent to the user and complements any secure firewall to help eliminate the threat of known malicious websites by preventing customers, employees and other users from gaining access to them.

Like any emerging technology, Web 2.0 applications can offer a wide range of benefits to modern businesses, but greater interconnectivity can also expose a company to unanticipated risks. Companies must remain vigilant in order to meet these challenges and avoid becoming casualties of the digital age.