03.28.07
Web 2.0: Broad Risk Categories
By Dan Morrill
There are two broad categories of risk with Web 2.0: social engineering and flaws in developers' code. For people working in Web 2.0, having a risk table and mitigation standards for these two categories will help define policy and guidance when something bad happens.
Social engineering, whether it is pretexting, phishing, or any other means of getting people to give up information, is not a new thing. But social networks make it all the more possible to influence people over a period of time into giving up useful information about their accounts, what they do, where they live, when they will be home, what they buy, how lonely they are, and any other human condition that a bad actor can get a hook into. This is not a Web 2.0-only issue; it has been with us for a very long time. Web 2.0 amplifies it, though, because we interlink ourselves with each other. If I get a good deal, I want to share it with my "friends".
Web sites like eBay have been dealing with various levels of fraud since almost day one. eBay has put a number of technological and oversight controls into the process to develop a community of buyers and sellers with a high level of trust. However, there will always be people who try to abuse or otherwise misuse that trust environment to steal from others.
MySpace has also been dealing with the growing pains of having a highly interconnected group of people who interact, often without any form of oversight. Since anyone can do (relatively) anything on MySpace, it has had to put technology and people in place to solve the problems that come with a highly connected group of people who might just not all like each other, or who will use the social space to lure or attract victims.
Xbox, HP, Verizon, and a host of other companies have also learned that the person on the other end of the phone, even if they have all the right answers to the secret questions, the home address, and the last four digits of the Social Security number, may not actually be the customer who is requesting information or changing service and billing. Knowledge-based verification only proves that the caller knows the answers, not that the caller is the customer, and those answers are exactly the kind of information social networks help an attacker collect.
Important intellectual property or private corporate data accidentally or intentionally released on the network via blogs or other vehicles is also something that many companies, from Google to HP to Dell, have experienced. These unintentional releases of internal information have a major impact on a business. People are always interested in what a big company is doing, and any leverage helps an investor or rival learn about the company, what its products are, or whether it has a resource or other constraint issue.
About the Author:
Dan Morrill has been in the information security field for 18 years, both civilian and military, and is currently working on his Doctor of Management. He shares his insights on today's important security issues through his blog, Managing Intellectual Property & IT Security, and is an active participant in the ITtoolbox blogging community.