Amid The Rush To Web 2.0, Some Words Of Warning

As businesses rush to get involved in Web 2.0, they must think about the security implications of all those blogs, wikis, and social networks. They could be putting their networks, employees, and customers at risk.

"Web 2.0 is all about openness and freedom," says Kris Lamb, director of the IBM Internet Security Systems division's X-Force security research organization. "You're really tearing down the traditional barriers that have kept companies safe."

Business managers and marketing heads like the idea of customer-generated content. An automobile maker, for instance, might start a social network or blog, allowing customers to write about their experiences and post pictures and video.

But just look at some of Web 2.0's darlings to see what can go wrong. Hackers and spammers can create their own pages on MySpace and riddle them with malicious code to infect their social networking peers. One worm planted in a MySpace page infected more than 1 million users. And malware writers are beginning to target vulnerabilities in Ajax applications, which help make the Web 2.0 Web sites so dynamic.

"You have to remember that you're taking all this code from the back end and pulling it down to the client," says David Cole, director of Symantec Security Response. "If you have some goofy code in there, you could be exposing it with these technologies."

Web 2.0 technologies allow data to move in new ways at faster speeds, complicated by the fact that users are so much more involved. "You've got to make sure you're protecting users from each other," says Paul Judge, CTO at security vendor Secure Computing. "You have to have some containment and control."

IT managers need to make sure they take appropriate safeguards as their companies adopt Web 2.0 techniques and technologies. If a company is going to use third-party components or widgets, it should trust the source and audit the software, says Judge. Users shouldn't be allowed to use JavaScript, and IT administrators should assume spammers will find their sites, which means setting up protections and cautioning users against posting too much personally identifying information. He also recommends scanning company blogs to make sure no malicious code lies hidden within. When To Block Businesses and other organizations need to consider the implications of letting employees tap into Web 2.0 sites from work PCs. When the Defense Department recently banned its personnel from visiting social networking and entertainment sites such as MySpace, YouTube, and 11 others, it cited bandwidth constraints and security concerns.

Web-based content is generally blocked for three reasons: to avoid liability for any illegal activity involving workers, to reduce the risk of malware infections, and to prevent drop-offs in employee productivity.

Most companies are more concerned with blocking certain Web site categories—gambling and adult sites, for example—than with targeting individual Web sites like MySpace and YouTube, says Stephen Pao, VP of product management at Web filtering company Barracuda Networks.

Of course, social networking and other Web 2.0 sites may have value to workers beyond any distractions they might cause. Half of the 162 customers polled recently by security vendor Sophos say employees should be able to access MySpace. A quarter of respondents are opposed to blocking access to MySpace because the effort would be too complicated and time consuming, while the rest worry about employee backlash at having MySpace access taken away.