Web 2.0 technologies, with their ability to let users create communities, work collaboratively and interact in various online settings, are powerful tools. Some businesses can't get enough of them for interaction with consumers, networking, marketing, training and project management.
Unfortunately, in the rush to create these powerful tools, security was an afterthought. Some of the more notable Web 2.0 attacks were the Twitter Trojan, the Facebook worm, and the Samy worm and Spaceflash attacks on MySpace, in which cross-site scripting was used to change users' profiles. The German version of Wikipedia was used to spread links to malicious sites, and one of the most popular blog platforms, Blogger.com, was used to set up blogs that injected malicious links into legitimate blogs in the form of comments. Right now, as you're reading this, the Koobface worm is wreaking havoc on Facebook users and their contacts.
The fact is that users like the interactive capabilities of social networking sites like Twitter, Facebook and LinkedIn, and they will continue to use these sites regardless of security concerns. Security professionals play an important role by educating users on the potential risks of Web 2.0 tools and how to avoid them. They can also decrease the chances of their organization having a problem by developing security policies for the Web 2.0 world. These policies should include:
- Implementation of data protection controls.
- Implementation of an acceptable use policy to limit who can use these tools.
- Blocking unacceptable sites.
- Monitoring content.
- Reviewing potential vulnerabilities on a weekly basis.
- Using a firewall between the Web 2.0 tool and the rest of the network (if hosted in-house).
- Conducting regular penetration tests to check for vulnerabilities.