By Kang Meng Chow

As the Web continues to evolve, the perpetrators of cybercrime have been equally skilled at capitalizing on any lack of security, and on opportunities to exploit vulnerabilities in the new interactive Web applications and in insecure client systems. One recent development in this area is a form of “spam 2.0” known as “splogging”, or spam blogs, in which the perpetrator sets up blogs that simultaneously link to the spammers’ content and to popular Web pages in order to raise their ranking in search engine indexes, a technique known as search engine poisoning. When a user searches for a keyword, the search engine’s results will include a number of spam blogs that have been indexed, which then serve as “doorways” to the spammers’ content [1].



In other online threads, discussions [2] of the risks of new scripting technologies such as Asynchronous JavaScript and XML (AJAX) and Rich Internet Application (RIA) clients are now frequent, including reports of a new generation of worms that exploit those weaknesses. Most of these new exploits share one characteristic: they are highly targeted and application-specific. For example, the Yamanner worm was designed specifically to exploit a weakness in a Web-based email application, and the Samy and Spaceflash worms were targeted at changing profiles on MySpace, the social-networking Web site.



While these attack techniques and exploits may appear innovative, many are reinventions of classic attack patterns, such as cross-site scripting, code injection, URL redirection, content modification, content and data type mismatch, misrouting, data tunneling, input parameter manipulation, and scanning and enumeration for service discovery. What is new is the piecing together of different attacks in an orchestrated manner for highly specific purposes, such as identity theft, information theft, malicious software download, installation of backdoor Trojans, and spamming. The new scripting languages, data syntaxes, and formats often provide another layer of obscurity to filtering systems and to developers who are not familiar with them.



When attacks are targeted, they are often more dangerous than the earlier incarnations we may have experienced. They typically result in much higher losses, both monetary and reputational, and are more difficult to recover from. Because such attacks are targeted, some managers may develop a feel-safe syndrome, holding the misconception that “it will not happen here” or “we have nothing interesting for the attackers to steal”. In the case of backdoor Trojan installation, insecure client machines become part of a larger botnet, or “army of zombies”, which the perpetrator can remotely control and manipulate for other targeted attacks, such as online denial of service (DoS) extortion and spamming.



Today, many organizations have yet to implement an information security management system (ISMS) to manage information security risks effectively. For example, in Singapore, even with a vibrant and mature IT industry, the number of organizations certified compliant with the ISO/IEC 27001 ISMS standard [1] is still fewer than 20. This figure is similarly very low across many countries in the Asia Pacific region, except for Japan, where an ISMS was recently mandated by the government as a basic security requirement for all providers of government IT services. When information security in an organization is not effectively managed, securing applications built with the new tools is often neglected. Without timely and adequate training of developers that focuses on the secure use of the new Web languages, capabilities, and functionalities, the problem of securing Web 2.0 is therefore compounded.



Such are the key risks in Web 2.0.





Figure 1: “For organizations where Web 2.0 applications are being developed, as part of ISMS, the risk relating to the development of such applications would need to be managed”



Back to the Basics



While technology evolves and Internet applications become more interactive and richer in content, the fundamental principles of information security have not changed. The basic approaches to information security remain relevant for addressing the security issues in Web 2.0 systems and environments. However, it is important to note that there is no “silver bullet” for any information security challenge. A holistic approach is needed to manage such evolving risks effectively and efficiently. The basic steps should include:




  • Implement an information security management system (ISMS), establishing security policies, roles and responsibilities, and developing and implementing an information security program
  • Enforce the practices of a security development lifecycle
  • Implement vulnerability management
  • Conduct ongoing training to improve security competencies and practices
  • Build defense-in-depth through the use of multi-tier security solutions at each infrastructure layer of the IT environment.

Information Security Management Systems (ISMS)



At the management level, a system for managing information security across the organization, including people, process, and technology, is fundamental. A reference standard for such a system is ISO/IEC 27001 [1]. An ISMS includes the establishment of an information security organization to develop and operate a Plan-Do-Check-Act (PDCA) cyclical process that addresses the ongoing information security requirements and expectations of the various stakeholders involved. “Plan” relates to establishing the context and conducting the risk assessment. “Do” refers to the design and implementation of the ISMS, including security policies, controls, processes, and procedures. “Check” involves continuous monitoring, review, and assessment of the implementation and operational status of security controls against the policies, objectives, and practical experience, with results reported to management for review and decision. “Act” refers to taking corrective or improvement actions to enhance the ISMS, based on the learning and decisions from the “Check” process.






Figure 2: ISMS Cycle: The Processes and Benefits



Ongoing iteration of the PDCA cycle ensures that the organization continues to manage existing, emerging, and new risk issues in the business and IT environment as they change and evolve over time. The outcome of each PDCA cycle is a managed information security environment in the organization. Such a system gives management a way to ensure adequate governance of information security in the organization. Information security requirements, expectations, and issues are then proactively identified and dealt with before they affect the continuity of the business. When an ISMS is in place, the security risks relating to the adoption and use of Web 2.0 technology by the business and its users are identified early in the adoption cycle, during the “Plan” phase of the ISMS. A proactive action plan to train developers, administrators, and users on the secure development, administration/operation, and use of the new technology is then possible through the “Do” phase, with assurance of compliance provided by the “Check” process and any necessary improvements made in the “Act” phase.



Establish a Secure Development Lifecycle Process



For organizations where Web 2.0 applications are being developed, the risk relating to the development of such applications needs to be managed as part of the ISMS. A system for secure software development is necessary, as specified in one of the control requirements of ISO/IEC 27002, the “Code of Practice for Information Security Management” standard, to manage such application development risks. While the control requirements are specified in the standard, the actual implementation may vary from organization to organization. For example, at Microsoft, the Trustworthy Computing Security Development Lifecycle (SDL) [2] was devised and adopted as part of the product development process to ensure the security quality of software products. Within the Microsoft IT environment, similar lifecycle processes are also adopted for the development and implementation of internal business applications.



An important component of the SDL is the development of threat models [3] for each component of a software product. The threat model captures the known and anticipated security threats that may affect the function, integrity, and availability of the software component, and hence the security of the overall system. The threat model goes beyond the identification of security threats: it forms the basis for the security design and subsequent development of each software component before it is accepted for review and integration into the overall secure system or software product. The threat model also provides a basis for development decisions and for designing security tests relating to the security functionality and composition of each software component and of the final system or product.



At implementation time, defensive coding practices [4, 6] such as mandatory input validation, buffer overflow checking enabled through a compiler switch (for example, /GS in Visual Studio), and the principle of least privilege should be enforced. Security checking and testing tools should be deployed to automate the discovery of security bugs and improve the security quality of the code base of each application or software product.
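The input validation practice above is the one that applies directly to the AJAX-style request handlers the article discusses. The following is an added example, not code from the article or from Microsoft's SDL, showing allowlist validation of request parameters: every accepted parameter is declared with its type, length limit, and permitted character set, and anything else is rejected before it reaches application logic. The parameter names, limits, and patterns are assumptions chosen for illustration.

```python
"""Added example (not from the article): allowlist input validation for an
AJAX-style request handler. Parameter names, limits and patterns are
assumptions chosen for illustration, not taken from any real application."""
import re

# Constructed schema: every accepted parameter is declared explicitly; anything
# not listed is rejected rather than passed through to the application.
SCHEMA = {
    "username": {"type": str, "max_len": 32,
                 "pattern": re.compile(r"^[A-Za-z0-9_]+$")},
    "page":     {"type": int, "min": 1, "max": 10_000},
    "query":    {"type": str, "max_len": 200,
                 "pattern": re.compile(r"^[\w \-.,]*$")},
}


class ValidationError(ValueError):
    """Raised for any request that does not match the schema."""


def validate_request(params: dict) -> dict:
    """Return a cleaned copy of params, or raise ValidationError.

    Rules: unknown keys are rejected; the type must match exactly (a bool is
    not accepted as an int); strings are length-capped and must match an
    allowlist pattern; integers must fall within their declared range.
    """
    unknown = set(params) - set(SCHEMA)
    if unknown:
        raise ValidationError(f"unexpected parameter(s): {sorted(unknown)}")
    cleaned = {}
    for name, rule in SCHEMA.items():
        if name not in params:
            continue  # all parameters are optional in this example
        value = params[name]
        if type(value) is not rule["type"]:
            raise ValidationError(f"{name}: expected {rule['type'].__name__}")
        if rule["type"] is str:
            if len(value) > rule["max_len"]:
                raise ValidationError(f"{name}: longer than {rule['max_len']}")
            if not rule["pattern"].fullmatch(value):
                raise ValidationError(f"{name}: contains disallowed characters")
        else:
            if not rule["min"] <= value <= rule["max"]:
                raise ValidationError(f"{name}: out of range")
        cleaned[name] = value
    return cleaned


def is_valid(params: dict) -> bool:
    """Convenience wrapper: True if validate_request accepts params."""
    try:
        validate_request(params)
        return True
    except ValidationError:
        return False
```

The important design choice is that the schema is an allowlist: the validator never tries to strip or escape bad input, it simply refuses it, which is what "mandatory input validation" means in practice and is far easier to reason about than a denylist of known-bad strings. Buffer overflow checks such as /GS are a separate, compile-time control and are not modelled here.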



Vulnerability Management



At the infrastructure level, vulnerability management is another critical function: it enables the swift testing and deployment of security updates to applications, platform systems, and network devices in a timely manner, according to their business criticality and priority. As in the ISMS cycle, vulnerability management is an ongoing cyclical process. An effective vulnerability update management process should include each of the following steps [5]:




  • Detect: use tools to scan the systems for missing security patches. The detection should be automated and will trigger the security update management process.
  • Assess: if necessary updates are not installed, determine the severity of the issue(s) addressed by the updates and the mitigating factors that may influence the decision. By balancing the severity of the issue and mitigating factors, determine if the vulnerabilities are a threat to the current environment.
  • Acquire: if the vulnerability is not addressed by the security measures already in place, download the security update for testing.
  • Test: install the security update on a test system to verify the ramifications of the update against the production configuration.
  • Deploy: deploy the patch to production computers. Make sure the applications are not affected. Employ the rollback or backup restore plan if needed.
  • Maintain: subscribe to notifications that alert the administrators to vulnerabilities as they are reported. Begin the vulnerability update management process again.
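As an added example (not from the article or from reference [5]), the following script carries out the Detect and Assess steps of the cycle above over a constructed inventory: it finds hosts whose installed versions are older than the fixed version of each update, then combines the update's severity with the mitigating factors the article mentions to decide how urgently the update should be scheduled. Host names, update identifiers, versions, and the scoring heuristic are all assumptions made for illustration.

```python
"""Added example (not from the article): the Detect and Assess steps of the
vulnerability update management cycle, run over a constructed inventory.
Host names, update identifiers, versions and the priority heuristic are
assumptions made for illustration."""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Update:
    update_id: str          # placeholder identifier such as "UPD-001"
    product: str
    severity: str           # "critical", "important", "moderate" or "low"
    fixed_version: str      # version at which the issue is fixed
    requires_network: bool  # is the issue exploitable over the network?


@dataclass
class Host:
    name: str
    zone: str               # "public", "dmz" or "internal"
    installed: dict         # product -> installed version string
    mitigations: set = field(default_factory=set)  # e.g. {"host_firewall"}


def version_tuple(version: str) -> tuple:
    """Turn "2.4.1" into (2, 4, 1) so versions compare numerically."""
    return tuple(int(part) for part in version.split("."))


def detect_missing(host: Host, updates: list) -> list:
    """Detect: updates whose fixed version is newer than what is installed."""
    missing = []
    for upd in updates:
        installed = host.installed.get(upd.product)
        if installed is None:
            continue  # product not present on this host; update not applicable
        if version_tuple(installed) < version_tuple(upd.fixed_version):
            missing.append(upd)
    return missing


SEVERITY_SCORE = {"critical": 4, "important": 3, "moderate": 2, "low": 1}


def assess(host: Host, upd: Update) -> str:
    """Assess: combine severity with mitigating factors into a priority.

    Heuristic (an assumption of this example): a network-exploitable issue on
    a public or DMZ host is raised one level; a host firewall that already
    blocks the affected service lowers it one level. The result is one of
    "emergency", "scheduled" or "routine".
    """
    score = SEVERITY_SCORE[upd.severity]
    if upd.requires_network and host.zone in ("public", "dmz"):
        score += 1
    if upd.requires_network and "host_firewall" in host.mitigations:
        score -= 1
    if score >= 4:
        return "emergency"
    if score >= 2:
        return "scheduled"
    return "routine"


def plan(hosts: list, updates: list) -> dict:
    """Run Detect then Assess for every host: {host: [(update_id, priority)]}."""
    return {h.name: [(u.update_id, assess(h, u)) for u in detect_missing(h, updates)]
            for h in hosts}


# Constructed sample data.
UPDATES = [
    Update("UPD-001", "webserver", "critical", "2.4.1", True),
    Update("UPD-002", "mailer", "moderate", "1.9.0", True),
    Update("UPD-003", "editor", "low", "3.2.0", False),
]
HOSTS = [
    Host("web01", "dmz", {"webserver": "2.4.0", "editor": "3.1.0"}),
    Host("mail01", "internal", {"mailer": "1.8.5", "webserver": "2.4.1"},
         {"host_firewall"}),
]

if __name__ == "__main__":
    for host, actions in plan(HOSTS, UPDATES).items():
        print(host, actions)
```

Running it shows the DMZ web server's critical, network-exploitable update classed as an emergency while the same severity on an internal host behind a host firewall would only be scheduled; the Acquire, Test, and Deploy steps then consume this list in priority order, and the Maintain step feeds new entries into UPDATES.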

By maintaining an updated infrastructure that is free from known vulnerabilities, the infrastructure is at least as secure as the updates have made it. In this regard, the administrator need only monitor for new updates and for attacks that have not previously been known or addressed. Such monitoring should be supported by an infrastructure architecture that allows other remediation actions, such as isolation and traffic redirection, to be activated when an attack exploiting a vulnerability that has yet to be patched emerges.



Education and Awareness



As part of the ISMS implementation, besides establishing the practice of secure application development and vulnerability management, an education, training, and awareness program is another basic ongoing requirement. This includes training designers, developers, testers, administrators, operators, managers, and end users on the security aspects of their respective roles and responsibilities. Such training may range from simple awareness programs that expose users to the security risks of their systems environment and the related secure practices, to specific, periodic, in-depth training and workshops covering the tools, processes, and procedures that individuals and groups need to master in order to perform their respective roles competently and securely.



Build Defense-in-depth



It is often said that security is only as strong as its weakest link. Building defense-in-depth is therefore an important principle for protecting against attacks on the weakest link. Briefly, this should include the following layers.



At the organization level, the network infrastructure should be designed as a tiered architecture comprising at least three tiers of access, namely public, semi-public (also known as the demilitarized zone, or DMZ), and private (or internal). Further segmentation may be architected within each of these tiers to segregate application traffic within a zone according to its sensitivity or classification. In addition, IP Security (IPsec) may be enabled on critical servers and client systems to ensure that only authenticated machines can communicate with each other.



At the platform level, individual servers, depending on their functionality, should be security hardened to expose only the services the application requires, and only on the network interfaces where access to the service is needed, not on all interfaces. Anti-malware, including anti-spam software, may also be installed, continuously updated, and run on servers where malicious code may be received, such as in emails, email attachments, and other forms of documents and executable objects. To ensure continuous security, intrusion detection and configuration change management technology may also be deployed to monitor and manage changes to critical platform systems.
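The hardening rule in the previous paragraph, expose only required services and only on the interfaces where they are needed, can be checked mechanically. The following is an added example, not from the article, of a small audit that compares a server's listening sockets against a per-service interface policy and reports every socket that is either not in the policy at all or bound more widely than the policy allows. The interface names, addresses (from the TEST-NET range), ports, and policy are constructed for illustration.

```python
"""Added example (not from the article): checking that a hardened server
exposes only application-required services, and only on the interfaces where
access is needed. Interface names, addresses, ports and the policy are
constructed for illustration."""

# Constructed listening-socket inventory, as a hardening audit might collect it.
# Each entry is (service, bind_address, port); "0.0.0.0" means every interface.
LISTENERS = [
    ("https", "0.0.0.0", 443),
    ("ssh", "10.0.0.5", 22),               # management interface only
    ("db", "0.0.0.0", 5432),               # wrongly exposed on all interfaces
    ("debug-console", "10.0.0.5", 8000),   # not in the policy at all
]

# Constructed interface map: name -> address (203.0.113.0/24 is TEST-NET-3).
INTERFACES = {"public": "203.0.113.10", "mgmt": "10.0.0.5"}

# Policy: service -> set of interfaces on which it may listen.
POLICY = {
    "https": {"public", "mgmt"},
    "ssh": {"mgmt"},
    "db": {"mgmt"},
}


def exposed_interfaces(bind_address: str) -> set:
    """Translate a bind address into the named interfaces it is reachable on."""
    if bind_address == "0.0.0.0":
        return set(INTERFACES)
    return {name for name, addr in INTERFACES.items() if addr == bind_address}


def audit(listeners=LISTENERS, policy=POLICY) -> list:
    """Return (service, port, problem) findings; an empty list means compliant."""
    findings = []
    for service, bind, port in listeners:
        allowed = policy.get(service)
        if allowed is None:
            findings.append((service, port,
                             "service not in policy: disable it or add it explicitly"))
            continue
        extra = exposed_interfaces(bind) - allowed
        if extra:
            findings.append((service, port,
                             f"exposed on {sorted(extra)}; bind to {sorted(allowed)} only"))
    return findings


if __name__ == "__main__":
    for service, port, problem in audit():
        print(f"{service}/{port}: {problem}")
```

Two findings come out of the sample inventory: the database listener is reachable on the public interface although the policy restricts it to the management network, and the debug console is not covered by the policy at all, so it should be disabled or explicitly justified. Run regularly, the same check doubles as the configuration change monitoring the paragraph mentions, since any newly opened port shows up as a finding.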



On client systems, a client firewall (such as Windows Firewall), Automatic Updates, and anti-spyware (such as Windows Defender) should be enabled and kept updated to protect the system from being infected or attacked by the various forms of malicious software. To protect against phishing attacks, use a secure browser such as Internet Explorer 7 with Protected Mode browsing and the Phishing Filter enabled. In the near future, where Windows Vista client systems have been deployed, the User Account Protection (UAP) capability may also be leveraged to minimize privilege exposure for non-administrative users in the environment, further reducing the risk of unauthorized code execution by malicious programs.



Across the enterprise, user and machine identity, security policy management, and enforcement should preferably be designed through the deployment of a single- or multi-domain directory structure, using Active Directory (AD) or similar technology. The use of AD provides the additional advantage of centralized security policy enforcement and management for all servers and client platforms requiring such controls.




Conclusion



Although Web 2.0 may create another wave of technology innovation and evolution on the Internet, introducing various forms of rich, interactive, Web-enabled and Web-services-oriented applications to enterprises and users, the fundamental principles and approaches for ensuring information security alongside such developments have not changed. What has changed is the security rigor and the timeliness of response necessary to ensure continuous improvement in security practices as those new technologies are introduced. This requires a solid foundation implemented in the organization’s ISMS. The ISMS should encompass the critical elements of security across infrastructure, processes, and people, built on the principle of defense-in-depth, with the capability to update technology systems, processes, and people’s knowledge and competency in a timely manner to manage the evolving security risks and challenges. This article has described the basic elements of the solid security foundation necessary for preparing for the future.



Additional references to support the implementation of the approach suggested above can be found in the bibliography.





Kang Meng Chow is Microsoft's Chief Security and Privacy Advisor.