2. Protecting Organisations from Risk – How to Use Web 2.0 and Social Networking Sites Securely

Chapter 2. Protecting Organisations from Risk

The steps that organisations should take to ensure that both they and their employees using Web 2.0 sites are secure include:

  1. The use of ‘acceptable use’ policies.

  2. Staff awareness training.

  3. Filtering to control the risks linked to Web 2.0 technologies.

  4. Desktop security settings.

The introduction of comprehensive, up-to-date Internet acceptable use policies, combined with training and staff awareness, is essential if staff are to understand Web 2.0 risks and the associated preventative measures, and for them to be enforced. Filtering or similar technical controls are an additional and often appropriate safeguard that will automatically and systematically reduce and control risk where there is a potential for policies to be breached, or training and staff awareness to breakdown. The filtering technology used by each organisation will depend on their assessment of risk and what the organisation can afford. The negative aspect of any filtering software is that it may prevent staff from carrying out tasks that they need to do in order to do their jobs.

For these reasons, the respective mix of technical controls, policies and user awareness training needs to be decided by each organisation on an individual basis, depending on organisational size, requirements, risk analysis and level of funding available.

The starting point, as is usual for information security, should be a review of any existing risk assessment to identify vulnerabilities and threats to existing information assets that arise from exposure to Web 2.0 technologies. Websites and online communication channels and applications should be specifically subject to a risk assessment[43]. While a number of the risks are relatively easy to understand (e.g. data exposure, data loss, bandwidth usage), others are technically complex (e.g. variants on cross-site scripting attacks) and it may be appropriate to obtain specialist information[44] or assistance in relation to these.

Introducing policies and staff awareness training

Any existing Internet policies need to be updated to include the use of Web 2.0 tools and specific controls in relation to Web 2.0 threats. In addition, consistent and continuous adherence to these policies needs to be effected.

Employees need to be made aware of the importance of protecting company and personal data, and the risks of not doing so.

One of the greatest risks posed by Web 2.0 technologies and in particular social networking sites is the disclosure of private and sensitive personal information. This creates a risk to individuals and to companies of damage to reputation, financial loss and identity theft. It is essential that staff are aware of these risks and in particular:

  • The reasons why data needs to be kept private.

  • The types of risks associated with different types of data.

  • The privacy and security settings available with different applications and how to set these.

There is evidence which shows that many companies do not have an effective and enforceable policy covering data disclosure, or training in the secure use of Web 2.0 technologies. A survey carried out by IT Governance Ltd, May 2008 revealed that:

  • 35% of staff said that their organisation did not have a specific policy covering the private use of Web 2.0 sites.

  • 72% of staff said that their organisation had a policy which restricted the times that the sites could be used.

  • 28% had a policy which restricted the sites that could be used.

  • 22% said that when a policy is breached that ‘no one takes much notice’.

  • 6% said ‘We keep quiet and no one notices’.

  • 30% said that they ‘just get a warning’.

  • 15% said that they used the sites irrespective of employer’s policies.

  • 14% said that they felt that their employer was able to identify whether or not they were using Web 2.0 sites.

Respondents were asked how they would feel if their employer enforced the security policy through the deployment of technical controls. The results were as follows:

Source: IT Governance survey, May 2008

Figure 5. Technical control responses

Research by Forrester Research indicates that many organisations do not make the training of staff in the usage of Web 2.0 applications and user-contributed content a priority.

Source: Adapted from figures provided by Forrester Research, based on a survey of 153 senior IT and security professionals, September 2007

Figure 6. Types of training on the use of Web 2.0 technologies adopted by organisations, by percentage

Staff must also be trained on their information security responsibilities prior to being allowed access to computer systems. Thereafter, they should have regular training that covers information security risks so that they can be aware of and adequately informed about them. They will need to be able to recognise issues as they arise and know the procedures to follow and to be trained in actually using them. Social engineering attacks and many forms of e-mail-borne malware attacks – as well as targeting phishing attacks – all require a level of staff training and awareness if they are to be effectively countered. The incident reporting procedure itself requires a level of staff training and awareness just so that it can be deployed when required!

The quality of the training provided will be at least as important as the culture of the organisation and the attitude of the middle managers who will need to ensure that training is put into practice at an individual level. Managers who ‘talk the talk’ but don’t ‘walk the walk’ are ineffective at developing secure working environments.

The policies, training and staff awareness will need to include the following:

  1. The different types of personal and company data and the risks associated with their loss. This should include an understanding of the reasons why such data should be kept private. Staff should be trained to give away as little information as possible.

  2. The setting of privacy controls for each Web 2.0 technology including the default privacy settings for different Web 2.0 sites. Frequently, the default setting is for personal and sensitive data to be publicly available. The default profile security settings for social networking sites should ALWAYS be checked, as well as the method of changing these.

  3. The potential extent and length of time that personal and company data is shared on the Internet and the ramifications of this.

  4. The subsequent use of personal data posted to a website in ways which may not have previously been anticipated, and which may lead to false information or false allegations.

  5. Reputation considerations. Employees should be made aware of risks to reputation from content posted to a website.

  6. The risks from downloaded content. When users surf to a website, they should make sure that they are actually using the site that they think they are and that they haven’t been elsewhere. Alternative sites may want to retrieve personal or company data and have the opportunity to download something through the browser.

Protecting an organisation from reputational risk

The viral nature of Web 2.0 technologies, the philosophy of openness and sharing amongst ‘friends’ and the permanence of data stored on the Internet combine to create enhanced risks of personal and company reputational damage.

Users of Web 2.0 technologies need to be extremely careful of the content that they put onto a web page and at all times remember that anything put there can be spidered and that it is permanent.

Chris Head, from the UK public sector portal recommends that PR teams[45] ‘monitor social networking sites in addition to traditional media and respond positively, neither denying nor responding defensively to any thread critical of the organisation’s behaviour or services’. He says that ‘private sector experience shows that reputational risk is more likely to stem from not getting involved’.

Checking a commercial website’s credentials

The European Commission offers the following suggestions for recognising reputable commercial websites[46]:

  • Clear identification of company with name of the company, address, telephone number, contact person etc.

  • Terms of contract are easily accessible and transparent.

  • The product’s features and conditions of guarantee are clearly defined and easily accessible.

  • The product price includes all additional costs.

  • A secure payment method is offered.

  • Orders are confirmed with e-mail.

  • Consumers have a clearly defined right of withdrawal.

  • Time of delivery is specified.

  • In case of a problem, it tends to be easier to handle it with online shops located in the consumers’ country.

Privacy policies

Privacy policies should be looked for and read before any personal or company data is entered. This will enable the type of personal information being requested to be understood, as well as the reasons it is being requested and how it will be used. A website asking for personal information like social security numbers should only be requesting that information if it is essential to the transaction being conducted. Be cautious about doing business with sites that request personal data and do not post privacy policies.

Privacy seals

There are several privacy seals available which set standards for websites for the handling of customer data. These are not legal requirements, but rather private standards.

Depending on the requirements of individual privacy seal standards, privacy seals may show that privacy standards are maintained. However, care needs to be taken that the privacy seals are not being used merely as a marketing tool, rather than to protect a website from malware[47].

A privacy seal is the logo of a third party agency that sets the standards for the handling of customer data. Companies pay a fee to the agency. The agency also conducts audits to ensure that the privacy standards which it sets are maintained.

The privacy criteria that agencies look for includes:

  1. The presence of a privacy policy.

  2. The presence of security policies which meet the certifying body’s standards.

  3. The presence of special policies applicable to child users of the website.

Privacy seals include BBBOnLine, TRUSTe, Privacy Secure Inc., PrivacyBot.com, ESRB Privacy Online, and Guardian eCommerceclick from the US, and EuroPriSe from Europe.

Filtering

Filtering controls include web filtering, e-mail filtering and IM filtering. Filtering software which is relevant to threats resulting specifically from Web 2.0 technologies includes both web and IM filtering. Filter technologies enable all traffic to be scanned for malware, illegal or inappropriate use, and data leaks.

Filtering technologies can be used to ameliorate the risks of inward bound and outward bound threats of:

  • Data leakage

  • Malware

  • Phishing

  • Spyware

  • Lost productivity

  • Increased bandwidth usage.

There are now filtering technologies available on a ‘software as a service’ basis.

It is essential that any technical controls which are introduced include IM. Instant messaging is a prime area for data leakage, both deliberate and accidental, of critical data. Once staff have been authorised to use IM, it can be very difficult to ensure that any content communicated through this medium is controlled, without the use of an IM filter. However, whereas e-mail filtering can enable complex searching of messages such as specific search terms and credit card numbers, the nature of IM means that the same level of control is not available and the risk of data leakage is, therefore, greater.

Christian Harris[48] argues that, rather than blocking the use of IM, organisations should manage the risk by a combination of acceptable use policies and controls which monitor IM traffic. He says that many organisations block IM completely through fear of productivity loss and data loss. However, he points out that ‘tomorrow’s workforce’ is more used to IM rather than e-mail and so are likely to expect to be able to use this communication tool in the workplace. In addition, he says that

‘Blocking access completely means missing out on all the benefits that IM tools can bring. Simple features like presence monitoring, rapid file transfer, and the ability to get answers to questions very quickly can streamline the working day. Have a meeting with your IT bigwigs and agree on a single system to be used company-wide. Then set parameters around when employees can use the system for personal conversations. Ensure that staff know what appropriate use is and enforce policies with a monitoring system, the cost of which can be more than offset by the gains in productivity’.

Web filters can be used to discover, remove and terminate threats from spyware, adware and malware. Whether deliberately or inadvertently, users could also download malicious software directly from a website which, once installed on the network, corrupts existing data. Web filtering software can block access to known spyware, phishing and malicious software and can be customised to limit download bandwidth in such a way as to block the (sometimes unintentional) download of malicious applications, and to limit user web access to specified times (i.e. the workday) during which they are unlikely to attempt unauthorised web activity.

Jason Short, from Risk Management magazine, says that[49] domain name service (DNS) based filtering software enables requested user sites to be compared with a list of allowed or known malicious sites, preventing users from visiting the harmful sites. The ‘domain name service’ is the system which translates website domain names to numbered IP addresses.

Web filters can also help deal with internal and outgoing bandwidth availability issues through its precise bandwidth controls and bandwidth prioritisation features, its configurable time-based and time-volume rule applications and its music and video management functionality.

Policy driven web filters enable administrators to configure specific policies for different departments, user groups, individual users, time of day, destination websites and so on. For example, the level of access provided to a sales group may be different from that of an engineering group. A web filter is applied at the point that a local client is connected to the Internet. Inbound and outbound traffic is monitored. This traffic is analysed to determine whether it contains potentially damaging data or commands. Any damaging data will then be isolated and, depending on the type and user settings, either deleted straight away or set for manual review.

Web filtering can also be carried out according to ‘payload identification’. ‘Payload’, within the context of web filtering, is the amount of damaging material contained within a packet of data. Identifying web traffic and file payload provides the following benefits:

  • Organisations can set policies on the files that are or are not allowed to be received or sent by users, and to where.

  • Organisations can set policies on file transfers depending on the direction in which they are travelling. This is particularly important for office type documents being sent to WebMail sites.

  • Security controls are not fooled by false data types. One of the means by which malware and spyware can be downloaded is by masquerading as a different file type which is recognised as safe.

  • Determines content that breaches policy such as that containing the words ‘confidential’, project names, credit card numbers, personally identifiable information, DRM tags and watermarks.

Payload content analysis enables policies to be set on any traffic generated using files, blogs and IM between an individual browser and Web 2.0 applications.

Vulnerability management

The type of malware that makes it past the web filtering gateway may be of the ‘zero-day’ variety. These need to be tracked using behavioural or heuristics based detection. This type of detection is based on analysing data behaviour which is abnormal and probability analysis, rather than tracking known vulnerabilities.



[43] For more information on risk assessment, see Information Security Risk Assessment for ISO27001/ISO17799, by Alan Calder and Steve Watkins (ITGP, 2007).

[44] One source of information on application security is Application Security in the ISO27001 Environment, by Vinod Vasudevan and others (ITGP, 2008).

[45] ‘Web revolution heralds bright future’, Chris Head, The Information Portal for the Public Sector, October 2008, www.publicservice.co.uk/feature_story.asp?id=10653.

[46] ‘Safer Internet Programme: Safety Tips’, Europe’s Information Society Thematic Portal, http://ec.europa.eu/information_society/activities/sip/safety_tips/index_en.htm#5.2_trustworthy_websites.

[47] ‘Is a privacy seal useful for an ecommerce website?’, Joel Dubin, December 2006, http://searchsecurity.techtarget.com/expert/KnowledgebaseAnswer/0,289625,sid14_gci1242826,00.html#.

[48] ‘Should Instant Messaging Be A No-Go?’, Christian Harris, ZDNet, http://community.zdnet.co.uk/blog/0,1000000567,10007915o-2000537720b,00.htm.