Web 2.0, social networking can endanger corporate security, analyst says

Computerworld - With the Web becoming central to the way companies do business, cybercriminals are taking increasing advantage of Web 2.0 and social networking sites to launch attacks, according to IDC analyst Christian Christiansen.

The Web isn't the benign resource for information that people once saw it as, said Christiansen, who spoke today at Kaspersky Lab Inc.'s Surviving CyberCrime conference in Waltham, Mass. "One of the things that's happened that's disconcerting -- and it's been growing over the last 10 years -- is the blending of people's private lives with their corporate lives," he said.

Employees' personal lives -- their online shopping habits and interactions with friends and families -- get intermingled with the interactions they have at work with customers, fellow employees, partners and suppliers, he said. "So that creates a perforated perimeter where there isn't a hard, fast separation between the corporate world and the personal world," he said.

The problem is that employees don't always follow their companies' security policies -- probably because they don't know what those policies are, just as they don't know what their companies' acceptable use policies are. The result: employees don't know what's allowed and what they're barred from doing. Sometimes, Christiansen said, the very people who set up the corporate policies don't even follow them.

Problems also occur when an IT department no longer controls the products being connected to the corporate network. That list could include everything from smart phones to new and untested laptop and desktop computers to various application environments, he said.

"We're seeing the realization that the internal security problem is growing -- the threats are coming from inside the network," he said.

The latest threats to network security now are coming from collaboration and Web 2.0 environments -- where employees casually click on links that could lead them to malware. And they're coming from the wide variety of devices that may be accessing private as well as corporate networks, he said.

"We're seeing a change in the threat environment," he said. "Instead of the threats -- the malicious code -- being distributed as e-mail attachments, we're seeing more and more that they're being embedded in Web 2.0 links," he said. "In the past, what you saw was an immediate effect. Now we're seeing much greater levels of subterfuge and much more sophisticated attacks."

To better avoid potential problems, IT departments need to control user behavior, the types of devices being used to access information, the applications being used and content contributions.

"Risk reduction requires policy managements and layered protection -- at the gateway to the Internet as well as at the endpoint [desktops, laptops and servers]," he said. "You need a whole series of checks and balances."