
The Benefits and Security Risks of Web-based Applications for Business. Trend Report PDF

15 Pages·2013·0.373 MB·English

Preview The Benefits and Security Risks of Web-based Applications for Business. Trend Report

The Benefits and Security Risks of Web-Based Applications for Business
Trend Report
Kathleen Kotwica

Elsevier, The Boulevard, Langford Lane, Kidlington, Oxford, OX5 1GB, UK; 225 Wyman Street, Waltham, MA 02451, USA

First published 2013

Copyright © 2013 The Security Executive Council. Published by Elsevier Inc. All rights reserved.

No part of this publication may be reproduced or transmitted in any form or by any means, electronic or mechanical, including photocopying, recording, or any information storage and retrieval system, without permission in writing from the publisher. Details on how to seek permission, further information about the Publisher’s permissions policies and our arrangement with organizations such as the Copyright Clearance Center and the Copyright Licensing Agency, can be found at our website: www.elsevier.com/permissions

This book and the individual contributions contained in it are protected under copyright by the Publisher (other than as may be noted herein).

Notices

Knowledge and best practice in this field are constantly changing. As new research and experience broaden our understanding, changes in research methods, professional practices, or medical treatment may become necessary.

Practitioners and researchers must always rely on their own experience and knowledge in evaluating and using any information, methods, compounds, or experiments described herein. In using such information or methods they should be mindful of their own safety and the safety of others, including parties for whom they have a professional responsibility.

To the fullest extent of the law, neither the Publisher nor the authors, contributors, or editors, assume any liability for any injury and/or damage to persons or property as a matter of products liability, negligence or otherwise, or from any use or operation of any methods, products, instructions, or ideas contained in the material herein.

British Library Cataloguing in Publication Data
A catalogue record for this book is available from the British Library

Library of Congress Cataloging-in-Publication Data
A catalog record for this book is available from the Library of Congress

ISBN: 978-0-12-417001-8

For more publications in the Elsevier Risk Management and Security Collection, visit our website at store.elsevier.com/SecurityExecutiveCouncil.

EXECUTIVE SUMMARY

Web-based applications provide more information and greater interconnectivity, and many businesses see value in the ability to increase market reach or collaboration at a lower cost. But can these applications be misused? In The Benefits and Security Risks of Web-Based Applications for Business, current thinking and research on this topic are explored. Included is an overview of the evolution of web-based applications, as well as statistics on the corporate adoption of these technologies. The specific threats to corporate security that come from the use of web-based applications are also described. This report is a valuable resource to any security professional whose company does, or will in the future, endorse employee use of web-based applications in the workplace.

WHAT IS A TREND REPORT?

A trend report is a document that highlights emerging and fast-growing trends with significant impact for corporate security and risk management. Based on first reports from initial responders to the issue and confirmed by research, these reports help industry leaders and practitioners learn the key elements of an important topic, and provide insight, guidance, and options for applying what has been gleaned from a real-world environment. These reports can be utilized by mid- to upper-level security managers, instructors at institutions of higher education, or by human resources professionals in training sessions.

INTRODUCTION

WHAT IS WEB 2.0?

The introduction of web-based applications to the business world began nearly a decade ago with the concept of Web 2.0.
Web 2.0 doesn’t encompass a set of new technologies, but is simply a revolution in the way existing technologies are used: It is a philosophy of open online communication that is often interactive and user-driven. According to founder and CEO of O’Reilly Media, Inc., Tim O’Reilly, who is credited with coining the term Web 2.0 in 2004, Web 2.0 is a category of applications that meet the following seven criteria:

1. They use the web as a platform;
2. They harness collective intelligence (they include content from users and other sites through tagging, permalinks, RSS, etc.);
3. They are backed by specialized databases (such as Google’s web crawl and Amazon’s product database);
4. They are delivered as services, not products;
5. They support lightweight programming models;
6. They are not limited to use on a single device;
7. They offer rich user experiences.[1]

According to this definition, then, wikis, blogs, mashups, online document creation and collaboration, social media, and video and photo sharing are all considered Web 2.0 technologies. The features of Web 2.0 are exemplified in sites such as Google, Amazon, YouTube, and Wikipedia, and are now inseparable from all web-based applications available today.

MILLENNIAL WORKERS

One of the greatest driving forces of the adoption of web-based applications in the workplace is the influx of a new generation of workers, frequently referred to as the Millennial generation.* In June 2008, Accenture sent a survey to 400 Millennial generation students and employees to explore what they expect from an employer in regards to personal technology preferences.[2] Key findings showed:

• Employer-provided technologies do not meet the expectations of twenty percent of the respondents
• Thirty-two percent expect to use the computer of their choice
• Thirty-four percent expect to access the technology applications of their choice once in the workforce
• Sixty percent of Millennials are unaware of IT policies or are not inclined to follow them

The findings of the Accenture survey suggest that significant challenges for security professionals are coming, and coming fast. In particular, it appears that security historically has not adequately communicated the importance of protecting company information and assets to younger workers. Compounding this issue, security professionals are now facing a growing population of workers that have certain expectations about technology in the workplace. According to a 2013 report from Forbes,[3] by 2014 “[Millennials] are expected to comprise 36 percent of the U.S. workforce, and by 2020, Millennials will be nearly half of all workers.” This dramatic change in workplace demographic will result in the need for improved information technology security policies—a shift security needs to be prepared for.

* The Millennial generation is commonly defined as individuals born between 1977 and 1997.
RESEARCH FINDINGS

THE BENEFITS OF WEB-BASED APPLICATIONS AND CURRENT ADOPTION RATES
THE RISKS OF WEB-BASED APPLICATIONS IN THE WORKPLACE
SUMMARY
ADDITIONAL RESOURCES

THE BENEFITS OF WEB-BASED APPLICATIONS AND CURRENT ADOPTION RATES

Companies adopt web-based applications to improve communication and workflow within their businesses and improve their relationships with clients. A June 2012 McKinsey global survey of over 3,500 executives showed that 83 percent had adopted at least one social technology, with 90 percent of those respondents reporting “measurable benefits” from the use of those technologies.[4] Established resources, such as the E2 Conference, are available to help companies leverage the benefits of new technology in their businesses (www.e2conf.com).

When the Web 2.0 concept really began to take hold in 2006 and 2007, corporations tentatively dipped their toes into the social media sphere by instituting company blogs to help them communicate with customers and employees. Early adopters included Wells Fargo,[5] GM, and Sun Microsystems.[6] Blogs provided the sense of a more direct line of communication with corporate executives, adding to perceptions of customer service and employee care. They also gave companies a new method of collecting and responding to valuable customer and employee feedback, as well as a way to share information from the top down.

Then arrived the behemoths: Facebook and Twitter. These two social media platforms in particular have revolutionized social media, quickly surpassing the use of blogs. According to the Center for Marketing Research at the University of Massachusetts Dartmouth, which conducts an annual survey[7] on the adoption of social media across Fortune 500 companies, 28 percent of companies surveyed in 2012 maintained a corporate blog. In comparison, 73 percent of Fortune 500 companies had a corporate Twitter account, and 66 percent had a company Facebook page. More recently, the same researchers have found that among Inc. 500 companies (the fastest-growing private companies in America, defined annually by Inc. magazine), 81 percent were using LinkedIn in 2012—exceeding both Facebook and Twitter use.[8]

One of the first collaborative creation tools to emerge was the wiki. According to Bill Ives, Novell first used wikis for team collaboration in projects like requirements generation, documentation, and bug fixes.[9] Wikis allow employees to collaboratively edit documents and processes in real time, without the bother of emailing, uploading, or downloading previous versions. Similarly, Google apps such as Gmail, Calendar, and Drive allow business users to easily collaborate, communicate, and stay organized. As Inc. magazine reported, “the applications that Google has built for business productivity make folders and filing no longer an important part of business. It’s all part of doing business on the cloud.”[10]

THE RISKS OF WEB-BASED APPLICATIONS IN THE WORKPLACE

In 2009, the Security Executive Council conducted a survey about evolving attitudes toward web-based applications. Although 86 percent responded that web-based applications were allowed within their organizations, access ran the gamut from no restrictions, to access approved case-by-case depending on business need, to completely blocked access.
As one survey respondent explained:

[Adoption of web-based applications] is very limited right now; however, there is a cross-functional collaboration team (including security) exploring different technologies to understand the business benefits, risks, mitigating controls, bandwidth considerations, HR implications, etc.

The cross-functional collaboration approach described above should be considered by any business that employs web-based applications. This may be easier said than done. Even Wikipedia, one of the most recognized sites to emerge since the Web 2.0 revolution, has fallen victim to a common breach—a fraudulent link once led users to a fake page where they were fooled into downloading a bypass for anti-spam software.[11]

Because web-based applications are interactive, more data is exchanged than in traditional web transactions. The client’s computer plays a bigger role, opening up more vulnerabilities—though not always new ones. As many observers have pointed out, the web has never been secure. Web-based applications suffer the same problems the Internet has always faced, such as cross-site scripting, phishing, and malware, but they’re more dangerous because of the way they are now used. When the web is the platform, more users are at risk.

Traditionally, web transactions involved two trusted parties, but with web-based applications, one site may incorporate content from any number of sources—other users and other sites—not all of which are trustworthy. If one of these sources is compromised or malicious, it could easily and quickly compromise or infect the whole range of visitors. One mashup site may, for instance, use RSS to import compromised information from a previously trusted site, giving the malicious source access to a whole new set of victims and the host of the mashup.

What are the most malicious and looming threats for 2013? According to a press release for the annual cyber threats report from the Georgia Tech Information Security Center (GTISC) and the Georgia Tech Research Institute (GTRI), 2013 “will feature new and increasingly sophisticated means to capture and exploit user data, escalating battles over the control of online information and continuous threats to the U.S. supply chain from global sources.”[12] Some of the specific threats projected for the year include:

• Information manipulation—attackers capitalize on the same tools search engines use to provide personalized search results in order to control the kind of information that reaches the user; search history may also become a target.
• Mobile malware—with the rise of mobile device usage in both the home and business environments comes an increased opportunity for attackers. The number of malicious apps in the Android operating system, for example, grew exponentially over the course of 2012.
• Cloud security failures—as more and more companies turn to the cloud for data storage, the threat of cloud security breach is more present than ever. It is particularly problematic for cloud service providers to ensure the integrity of account authorizations.

While the threats described above come from outsider attacks, insiders may also generate risks. Internal company wikis and blogs may contain sensitive information on product development or corporate news that should not be shared with the public. Shared links could expose such information to competitors. Outsiders hacking into an inadequately secured intranet could result in exposure as well.

SUMMARY

The use of web-based applications in the business setting—despite the security risks outlined in this report—is not going away. Security professionals must learn to play an enabling, yet protective, role in helping their organizations utilize these applications.
A thorough risk assessment is the first step in determining how to mitigate risk to any organization. How is the organization using web-based applications? What are its assets? What are the threats to these assets? How can these threats be prioritized? The answers to these questions will help security decide which steps to take to mitigate risk, and which risks to mitigate. Some risk mitigation strategies that businesses should implement when using web-based applications in the workplace include:

• Avoid using web-based applications for sites that will handle sensitive transactions
• Examine online traffic, both outgoing and incoming
• Deploy strong, layered network security applications
• Create a policy for network use and information protection that addresses web-based application vulnerabilities
• Educate employees on the use of internal and external web-based applications
• Purchase web-based applications with security features
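The mashup scenario in the research findings (a host site importing RSS from a previously trusted, now compromised source) comes down to where the trust boundary sits. The following added example, not from the report, shows a small Python aggregator that treats every feed as untrusted: feed text is escaped before it reaches visitors' browsers, links are restricted to http(s), and a broken feed cannot take the whole mashup down. The feed XML, the partner.example and evil.example hosts, and the function names are constructed for this example.

```python
# Added example (not from the report): an RSS mashup that treats every
# upstream feed as untrusted.  Feed XML and host names are constructed.
import html
import xml.etree.ElementTree as ET
from typing import Optional
from urllib.parse import urlparse

# Constructed feed: item 2 is what a compromised upstream might serve.
SAMPLE_FEED = """<?xml version="1.0"?>
<rss version="2.0"><channel><title>Partner News</title>
<item><title>Quarterly update</title><link>https://partner.example/q3</link>
<description>Results are &lt;b&gt;up&lt;/b&gt; this quarter.</description></item>
<item><title>Login required</title><link>javascript:alert(1)</link>
<description>&lt;script src="https://evil.example/x.js"&gt;&lt;/script&gt;Re-enter your password</description></item>
</channel></rss>"""

def safe_link(url: str) -> Optional[str]:
    """Accept only absolute http(s) links; any other scheme is dropped."""
    parts = urlparse(url.strip())
    if parts.scheme.lower() in ("http", "https") and parts.netloc:
        return url.strip()
    return None

def render_items(feed_xml: str, max_items: int = 20) -> list:
    """HTML fragments safe to embed: feed text is escaped, links scheme-checked."""
    root = ET.fromstring(feed_xml)
    fragments = []
    for item in list(root.iter("item"))[:max_items]:
        title = html.escape((item.findtext("title") or "").strip())
        desc = html.escape((item.findtext("description") or "").strip())
        link = safe_link(item.findtext("link") or "")
        if link is None:                       # keep the item, drop the link
            fragments.append(f"<li>{title}: {desc}</li>")
        else:
            href = html.escape(link, quote=True)
            fragments.append(f'<li><a href="{href}" rel="noopener noreferrer">'
                             f'{title}</a>: {desc}</li>')
    return fragments

def aggregate(feeds: dict) -> str:
    """Combine several feeds; one broken or hostile feed must not take the
    whole mashup down, so a parse error becomes a plain-text line."""
    out = []
    for name, xml_text in feeds.items():
        try:
            out.extend(render_items(xml_text))
        except ET.ParseError:
            out.append(f"<li>{html.escape(name)}: feed unavailable</li>")
    return "<ul>\n" + "\n".join(out) + "\n</ul>"
```

Calling `aggregate({"partner": SAMPLE_FEED, "broken": "<rss><channel>"})` renders the injected script tag as visible text, drops the javascript: link, and lists the malformed feed as unavailable.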
