Are Web 2.0 Applications Putting You at Risk? If you are relying on "yesterday's" technology alone, then yes, they are. Web 2.0 applications, such as online collaboration, social networking and "mashups," are designed for two-way interactions, and that very design means these applications bypass the traditional enterprise controls.
The risks are serious. Consider the MySpace hack from this past winter. Cybercriminals turned a compromised MySpace profile into a roosting site for the TFactory Trojan. It worked like this: Attackers sent out friend requests. People who responded encountered a download window that prompted them to install Microsoft's Windows Malicious Software Removal Tool -- a real tool released just a few months prior.
The update box, of course, had nothing to do with malicious software removal. Instead, the box was actually part of a larger corrupted image. When users clicked anywhere on that image, TFactory and its nasty payload of downloaders and backdoor connections loaded itself onto unpatched Windows machines (TFactory signatures had actually been around for a while before this exploit).
How does all of this relate to corporate IT? After all, most organizations don't want their employees trolling MySpace during work hours, anyway. And there is an easy solution: you can simply block Web 2.0 applications, right?
Blocking solves the security problem, but your employees will suffer. Substitute LinkedIn for MySpace, and now you have a real dilemma. You certainly want your sales and marketing staffs to have access to LinkedIn, and you'll accept the small risk that a profile could be compromised.
Blocking is also only a short-term solution. With all of the money pouring into Web 2.0, these applications are here to stay. Moreover, with most large technology companies out there singing the praises of Web 2.0 and Enterprise 2.0, it's clear that IT will have to come up with a security strategy soon.
It's a classic Catch-22: avoiding Web 2.0 could put you at a competitive disadvantage, but adopting it too soon and without proper planning will almost certainly compromise security.
To that end, I advise the following five steps to protect against Web 2.0 threats:
-- The first thing you should do to prepare for the onslaught of Web 2.0 applications is to devise a concrete plan. Ask questions before Web 2.0 adoption. What will your usage policies be? Who will have rights to what? How will you approve of and deploy these new applications? How will they be updated and patched?
-- Secondly, adopt new security technologies, including application firewalls, Web filters and data-leak prevention (DLP) solutions. In other words, don't fight today's threats with yesterday's security tools.
-- Next, monitor your online environment. Establish monitoring protocols, and be sure that you adopt appropriate technologies that can monitor Web 2.0 applications and traffic. Continue to monitor on a regular, ongoing basis.
-- Fourth, when you have a choice among similar Web 2.0 applications, choose the most secure ones. This may sound simplistic, but how often is security highlighted in the feature list of, say, a business-class social networking site? Security may be on the checklist, but too often it is an afterthought, not a central part of the design. When you drill down into the software specifics, that fact should be pretty obvious. A case in point is the browser. Firefox is perceived as more stable and secure than Explorer, but it has a fraction of the adoption rate in the enterprise. Why? Security isn't a front-of-mind consideration for browser selection, nor was it a focus when Explorer was designed. Firefox, however, probably wouldn't have the popularity that it does if it weren't designed as a secure alternative to Explorer.
-- Finally, push back on application vendors. When new updates come out, request security fixes. If vulnerabilities are published, find out what the vendor is doing about them -- and what they'll do to prevent future vulnerabilities. Ask about their design practices. Sure, everyone will claim that security is of paramount concern, even if it's not, but if those sales and customer service representatives keep fielding questions about security, smart vendors will eventually respond.
Web 2.0 Defense 101
1.) Establish monitoring protocols, and be sure that you adopt appropriate technologies that can monitor Web 2.0 applications and traffic. Continue to monitor on a regular, ongoing basis.
2.) Adopt new security technologies, including application firewalls, Web filters and data-leak prevention (DLP) solutions.
3.) Push back on application vendors; when new updates come out, request security fixes. If vulnerabilities are published, find out what the vendor is doing about them -- and what they'll do to prevent future vulnerabilities.
Michelle Drolet is founder and CEO of Towerwall (www.towerwall.com), an IT security services provider based in Framingham, Mass.