There are far too many numbers in this TechNewsWorld story, which reports results of a survey on Web 2.0 threats conducted by Forrester Research for Secure Computing. The survey, released in conjunction with the introduction of the vendor's Secure Web 2.0 Anti-Threat (SWAT) initiative, shows that IT folks are unaware, untrained and don't have consistent policies for this dangerous and increasingly popular way to use the Internet. SWAT aims to raise awareness of the issues, offer tips and in other ways help companies protect themselves.
The story quickly devolves into a sea of percentages. The saving grace is that the big picture is aptly summed up by Ken Rutsky, Secure's executive vice president of product marketing:
The report reveals a security blind spot. Some 90 percent of enterprise organizations are still deploying security measures designed for the last generation of attacks.
This Computerworld piece uses data -- thankfully, more selectively -- from what appears to be a different Forrester survey. The piece focuses on the initial reluctance, and now apparent grudging acceptance, of Web 2.0 by IT. As with wireless and other emerging technologies, IT ultimately must bend simply because the folks it serves are already using the new approach.
The piece features several short and interesting vignettes on different companies' approaches and offers eight steps for Web 2.0 proponents to take in order to implement a secure and beneficial platform. They should create awareness; find supporters in the company; get IT on their side and present a proposal to senior management. Web 2.0 fans also should work closely with business units; compile and distribute best practices; resist the urge to force adoption and be patient. IT, for its part, is well advised to seek and create alliances with Web 2.0 proponents who are wise enough to take up these procedures.
In a related story, Computerworld reports on comments by Christian Christiansen, an IDC analyst, at a recent Kaspersky Lab conference on cybercrime. Christiansen identifies two overlapping threats to corporate security. The line between employees' online personal and business lives is increasingly porous. At the same time, employees don't follow their employers' security policies -- probably because they don't know what they are. The bottom line is that all sorts of things people do at work and at home -- including the connection of untested devices and the use of possibly malevolent Web 2.0 sites -- can compromise security.
Those seeking more specifics about the threats -- the statement that "Web 2.0 is dangerous" is as nebulous as it is threatening -- should look at online video. vnunet.com says that Chris Rouland, the CTO of IBM's Internet Security Systems (ISS), made a presentation at the annual summit of the Georgia Tech Information Security Center in which he suggested that video may be the next big target.
More sophisticated Web 2.0 networks conceal less fully developed applications and devices that are latent or active threats to security, according to this piece at eChannelLine. The writer, using research from WatchGuard, maintains that placing servers running collaboration, VoIP and other advanced services in data centers heightens the risks. These servers run less mature software than older applications and are therefore more vulnerable to clever hackers. This, combined with the fact that the goal is to create more open and interactive networks, means there are more opportunities for hackers.
ZDNet Australia uses the subpoena of Facebook by the Attorney General of New York State for failing to adequately protect young subscribers as a jumping-off point for a look at consumer use of Web 2.0 applications. This is an important issue for IT security staffs because it is a given that employees will use consumer services for work purposes or, at least, on the same devices they use in their jobs.
These social sites often are free in exchange for permission to use tracking and data aggregation tools. The problem is a microcosm of Web 2.0 in general: What the site is trying to achieve involves actions or policies that are the exact opposite of good security practice.