Peter Schooff
Peter Twenty-Four Seven Security
Peter Schooff's blog is a daily look at what's going on in the world of computer security with an emphasis on how it affects businesses.


October 11, 2007
Security Rules for Web 2.0

As Web 2.0 sites are adopted by more and more employees, both for work and for extracurricular online activities, several rules of thumb are emerging.

Rule Number One: The more feature rich a social networking site is, the more risk you have going on it.

While using LinkedIn does carry risks, they do not come close to the risks of MySpace or Facebook. As Dark Reading relates, the risks of Facebook are more related to the information that just about anybody can easily pull off the site. "You can log onto LinkedIn without authentication and claim to be part of a group, and suddenly you have an organizational chart that is typically confidential information," says Tod Beardsley, lead counter-fraud engineer for TippingPoint.

That type of information is perfect for social-engineering email scams in which a hacker, using a LinkedIn email address, can pose as a headhunter, a friend of a friend, or any number of other ruses to trick someone in the organization into opening a malware-laden email.

Rule Number Two: With Web 2.0, all of your security systems must work well. The bottom line with Web 2.0 is that it opens the company up to attacks from almost every direction, a 360-degree attack vector. If a cybercriminal can't attack you via email, they can try a denial of service, a cross-site scripting attack, or an attempt to get onto the network and look for unprotected data. Simply hoping you won't be attacked is no longer a reliable form of security.

Rule Number Three: Be careful what data you give the various social networking sites. Facebook relies on third-party Java applications, so be careful about all the information you provide to Facebook, because you don't know who keeps it, how long they keep it, or even whether it's encrypted.

Everyone should have a Gmail/Hotmail/Yahoo-type account that they treat as disposable, and which can be used (and often abused) by social networking sites. When it comes to Web 2.0 and the information you give up, I am always reminded of the movie Reservoir Dogs, where Mr. White (Harvey Keitel) almost gives up his real name to Mr. Pink (Steve Buscemi), who screams, "NO NAMES," explaining, "the closer they get to you, the closer they get to me."

As far as Web 2.0 is concerned, have them call you Mr. Secure (or Mrs. Secure).

Posted by pschooff

Accountability: The opinions expressed in this blog are solely representative of the blog's author, and not of ebizQ.