Web 2.0 and Information Security
All it takes is one person
As we lower the common denominator to make Web 2.0 appealing, we run the risk of more social engineering attacks. There is so much technology out there that trying to figure out how all of it works, and how all of it can be made to work safely, is an entire industry vertical for information security.
Web 2.0 is here, it is happening, and it is part of many businesses' desire to reach out and make web sites more accessible, more interesting and more entertaining for the end user. We have all those things we can do, from calendaring, social web sites, picture sharing, end user support, blogging, podcasts and vcasts to everything else in between. So what is a security engineer supposed to do to keep up with this?
Think in verticals, and understand the basic underpinnings behind each one.
Think evil, act good. Be the bad person when reviewing technology; be the good person when working with the basic underpinnings of the technology to make it safer, or simply to reduce its risk through sandboxing and other risk management approaches.
Think separation of territories: individual VLANs or LANs for the various technology systems, separation of the properties, and control over the communication paths and the entry and exit points. Know what is supposed to travel between VLANs/LANs, and monitor for the exception first. Then monitor everything else.
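One way to put "monitor for the exception first" into practice, as an added example that is not part of the original post: keep an allowlist of the flows that are supposed to cross between segments, and report anything that does not match it before looking at the rest. The segment ranges, tiers and flow records below are constructed for illustration.

```python
# Added example (not from the original post): triage inter-segment flows so that
# the ones outside the allowlist are reported first.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Rule:
    src: str    # source segment in CIDR notation
    dst: str    # destination segment in CIDR notation
    proto: str  # "tcp" or "udp"
    port: int   # destination port; 0 means any port


# Hypothetical allowlist: what is *supposed* to travel between segments.
ALLOWED = [
    Rule("10.10.0.0/24", "10.20.0.0/24", "tcp", 443),   # web tier -> app tier
    Rule("10.20.0.0/24", "10.30.0.0/24", "tcp", 5432),  # app tier -> db tier
    Rule("10.10.0.0/24", "10.10.0.0/24", "tcp", 0),     # inside the web tier, any port
]


def is_allowed(flow):
    """flow is (src_ip, dst_ip, proto, dst_port); True if some rule covers it."""
    src, dst, proto, port = flow
    for r in ALLOWED:
        if (ip_address(src) in ip_network(r.src)
                and ip_address(dst) in ip_network(r.dst)
                and proto == r.proto
                and (r.port == 0 or r.port == port)):
            return True
    return False


def triage(flows):
    """Return (exceptions, expected): unlisted flows first, as the post recommends."""
    exceptions = [f for f in flows if not is_allowed(f)]
    expected = [f for f in flows if is_allowed(f)]
    return exceptions, expected


# Constructed flow records: (src_ip, dst_ip, proto, dst_port)
SAMPLE_FLOWS = [
    ("10.10.0.5", "10.20.0.8", "tcp", 443),   # web -> app, expected
    ("10.20.0.8", "10.30.0.2", "tcp", 5432),  # app -> db, expected
    ("10.10.0.5", "10.30.0.2", "tcp", 5432),  # web straight to db: exception
    ("10.30.0.2", "10.10.0.5", "tcp", 22),    # db opening ssh to web: exception
]

if __name__ == "__main__":
    unexpected, _ = triage(SAMPLE_FLOWS)
    for f in unexpected:
        print("EXCEPTION:", f)
```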
We know that "all user input is not to be trusted", so work on your web application penetration skills. There are some interesting free tools out there, and some interesting demo tools that you can get keys for. Learn them, get the company to buy them, or find a company willing to do this for you before you go live with the web site. Make all the web sites, and the applications running on them, part of the annual third-party security pen test.
Keep up to date: if you know you run Drupal, Apache, IIS, Flash, LDAP or other technologies, pay attention to the patches, regression test them, and float them into production. It is something security folks still have to mention: patch management for applications (beyond the OS) is just as important as patch management for the OS.
Hack your UAT web sites, learn XSS, CSS and Ajax, see what cool things you can do with a web site, and grow your skills in the pre-prod environment. The reason for specifying pre-production is that it is the closest you are going to get to production quality, and testing production web sites usually annoys people unless it is part of an established audit cycle.
If you do not have an established network, OS and web application audit cycle, start one, and start it today. Your management might begrudge the time, but they will mind a major successful hack more.
Web 2.0 holds a lot of promise, and it is more real every day. Your developers are thinking about it, if they are not implementing widgets already. As the security person, stop by the developers' corner of the company, introduce yourself, and ask them to show you the latest cool thing they are building. Learn how it works so you can test it once it gets out of QA.
Get management to back you up on this one; you might even be able to work yourself into a promotion by being the "go-to security person for Web 2.0" in your company.