The Perils of a Web 2.0 Transition on Your Business Processes

By Sonny Discini
February 8, 2010
Back in the roaring '90s, every company on the planet wanted a web presence, no matter whether it was a single page of HTML or a site that actually served a business purpose. In the race to get there, we saw the birth of web defacement and related hacks. Even so, senior management generally ignored, or was blind to, the far worse consequences waiting down the road. Once everyone had a web site, nobody considered that corporate data might be stolen, mistakenly released or lost outright because the business and security requirements for such a service had never been properly analyzed. Fast forward 10 years and you land in the mess we have today: web site attacks, back-end data loss and the tons of dollars that must be thrown at the problem. Sys admins are in the familiar position of going back to fix it later, which we all know isn't very productive. With new technologies permeating both personal and business computing, we're once again looking down the barrel of a loaded gun, blissfully ignorant of the hazards that come with adopting them.

Web 2.0. Yes! We need a Facebook page!

Many organizations have rushed to put up a Facebook page, much as they rushed to put up a web site back in the '90s. I have seen organizations create a Facebook page long before their own Internet use policy allowed employees to access Facebook. This flying-by-the-seat-of-your-pants approach should be a red flag that history is about to repeat itself.

What if this happened to your organization?

Similarly, many organizations have adopted smartphones for their road warriors, C-level execs and even regular staff. Given the huge number of mobile devices accessing Facebook via the AT&T network, suddenly a non-employee lands on your organization's Facebook page with access to all of its information and the ability to change, delete or steal all of it.
That's exactly what happened two weeks ago, when AT&T sent users to the wrong Facebook accounts via what it is calling a "routing" problem.

What likely happened here?

Back when mobile phones first started accessing sites like Facebook, they did not support cookies locally on the device. To get around this, carriers such as AT&T placed cookie support on a cookie-caching proxy, where the information could then be forwarded on to Web 2.0 sites like Facebook for authentication and authorization. As time went on, the solution was left in place even as smartphones began supporting cookies, Java and so on locally. This Band-Aid probably fell off the priority list over at AT&T. Given that proxying cookies is a complex game to begin with, the inevitable happened: users landed in the wrong accounts because the proxy lost track of who was who.

Nowadays, the phone call is one that no security engineer ever wants to receive: someone got onto your corporate Facebook page and removed all the data. Who is responsible? What is the mitigation plan? Even if you have a very diligent security team and they've come up with a strategy for something like this, how do you handle the legal and public relations end of the incident, especially when you don't have a contract with the carrier? The answer is that you will certainly face a legal and public relations nightmare.

This latest AT&T/Facebook incident was a shot across the bow for all of us. We're not going to stop baking things like Web 2.0 into our business processes. That means we must start aligning carefully with legal to prepare for events such as this. IT security is no longer about counting packets. As an IT security professional, you must start considering every last step and consequence of the rapid adoption of new technologies.

What next?

Along with Web 2.0 rushing to the front of the importance list, organizations are now concentrating on mobile app offerings.
This too will present the challenge of considering risks that fall outside the models currently in use. The bottom line is that when technology goes through a major phase change, as it is today, many things can and will go wrong. The trick is not to back off from moving ahead. Instead, begin thinking differently about risks: where they are high, what new mitigation strategies can be applied and, of course, the liabilities of operating your business with all the new technologies involved.
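To make the "lost track of who was who" failure in the cookie-caching proxy described above concrete, here is an added Python model (example code written for this edit, not from the column and not a description of AT&T's real system). It assumes, for illustration only, that the proxy keyed its cookie jars by the shared NAT address rather than by subscriber, and contrasts that with per-subscriber keying; all names and addresses are constructed.

```python
# Added example, not from the column: toy model of a carrier-side cookie-caching
# proxy. Handsets that cannot store cookies rely on the proxy to keep a cookie jar
# per user and replay it to the site. Isolation between users depends entirely on
# the key chosen for the jar; keying on the NAT address is an assumed failure mode
# for illustration, not a description of AT&T's real system.
from dataclasses import dataclass, field
from typing import Callable, Dict, Optional


@dataclass
class Request:
    subscriber_id: str                # unique per handset (e.g. the SIM identity)
    nat_ip: str                       # public address after carrier-grade NAT; shared
    host: str
    set_cookie: Optional[str] = None  # "name=value" the site set in its response


@dataclass
class CookieProxy:
    key_fn: Callable[[Request], str]
    jars: Dict[tuple, Dict[str, str]] = field(default_factory=dict)

    def forward(self, req: Request) -> Dict[str, str]:
        """Return the cookies attached to this request on the way out, then
        store any cookie the site set on the way back."""
        jar = self.jars.setdefault((self.key_fn(req), req.host), {})
        attached = dict(jar)
        if req.set_cookie:
            name, _, value = req.set_cookie.partition("=")
            jar[name] = value
        return attached


def key_by_nat_ip(req: Request) -> str:      # flawed: many handsets share one address
    return req.nat_ip


def key_by_subscriber(req: Request) -> str:  # correct: one jar per subscriber
    return req.subscriber_id


def simulate(key_fn: Callable[[Request], str]) -> Dict[str, str]:
    """Alice logs in; Bob, behind the same NAT address, then visits the same site.
    Returns the cookies the proxy attached to Bob's request (constructed data)."""
    proxy = CookieProxy(key_fn)
    proxy.forward(Request("alice-sim", "203.0.113.7", "facebook.com",
                          set_cookie="session=alice-token"))
    return proxy.forward(Request("bob-sim", "203.0.113.7", "facebook.com"))
```

With the NAT-address key, simulate(key_by_nat_ip) shows Bob's request leaving the proxy carrying Alice's session cookie; with the subscriber key, simulate(key_by_subscriber) returns an empty jar for Bob.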