Targeting next generation users on social networks

by Derek Manky
June 18, 2009 at 10:05 am

While the next generation of tech has arguably arrived, it is simply a fact now that social networking sites and the blogosphere have become an integrated part of many people's lives – some may even call them home (at least to their browsers). In 2008, we predicted the wave of spam that would hit these “Web 2.0” platforms, as they were a natural target for spam to migrate to after years of living inside mass mailers. Indeed, throughout 2008 we witnessed a barrage of attacks on these sites: malicious social applications, “Spam 2.0”, worms such as Koobface, XSS exploits, and various phishing campaigns. Here we are, a year and a half later, and the spam attacks not surprisingly continue.

Amongst all of this activity, more platforms with further complexity continue to arise and gain popularity, such as the micro-blogging site Twitter. Naturally, some of the same attacks have followed. One of the mechanisms that makes next-generation worms so effective at traversing linked accounts on social networking sites is that malicious links are sent from one connected contact to another. Since most of these contacts presumably know each other, there is a higher level of trust – and a tendency for the recipient to let their guard down when clicking on these links. Most threat activity we have seen on social networking sites comes from harvested accounts, taken over by worms like Koobface and by phishing campaigns. These accounts are typically used in an ad-hoc fashion to blast out messages or invites to their contacts. Mass mailers, now typically hosted on botnets, follow the same pattern: they harvest accounts and send spam to as many contacts as possible – and have been doing so for a very long time. Enter targeted attacks.

There has been an increasing trend of targeted attacks: premeditated attacks delivered to only a handful of recipients, if not just one. These are often delivered as poisoned documents that trigger exploits and drop malware such as keylogger trojans. For a detailed investigation, you may read further here. In parallel with the increase in targeted attacks, we have witnessed an increase in document exploit activity. Figure 1 below shows a six-month window of detected activity for commonly exploited document formats: XLS, DOC, and PDF:

[Figure 1: detected exploit activity over a six-month window for the XLS, DOC and PDF document formats]

With the number of attacks circulating on next generation platforms, “Web 2.0”, whatever you want to call it – it is only a matter of time until cyber criminals become more aggressive and innovative with their methods. They have already started this transition and are in full swing with targeted attacks through traditional e-mail, so it is likely that they will follow suit and expand their horizons to new channels. Harvested accounts from social networks are primed for targeted attacks, and in theory would be even more effective than the already dangerous targeted attacks through traditional e-mail. This is because of several factors:

  1. Social networks host a wealth of information that would assist in social engineering hooks (think personal information and profiles, messages archived / posted, etc.)
  2. User bases have exploded on popular social network sites, and everybody is participating: end users, celebrities / officials and enterprise (marketing, PR, executives, the list goes on)
  3. Next generation platforms not only support the basic attack vectors that e-mail does (files and malicious links), but offer many more opportunities for attack, innovation and expansion
  4. As I already pointed out, social networking rings / established contacts already have a high degree of trust

The framework to siphon account credentials with ease is already in place, as we have witnessed over the last year. With favored targeted attack methods quite active (Figure 1 – poisoned documents) and ample opportunity on the horizon, suffice it to say that the Internet is indeed a scary and hostile place. Always try to validate the identity of any contact, especially when file attachments or links are involved.

Author bio: Derek Manky contributes to security research and development while acting as a bridge to the public forum on results and findings. He coordinates research team efforts and manages responsible disclosure efforts between Fortinet and other vendors.

SaaS and security compete for business priority

by Anthony James
March 31, 2009 at 9:44 am

Web 2.0 and SaaS providers have finally fulfilled the promise that ASPs made a decade ago – widespread business adoption of “applications for hire.” These providers' success rests on several things that appeared unattainable in the original ASP attempt. How is this possible? Quite simply, advances in browser technology and simplified Web-based application development using a lightweight client approach provide a universal enablement platform. The second significant piece of the puzzle is the ever-needed “eye candy” and customization that were previously unavailable in the limited “agentless” Web-based applications of the time. Finally, simplified deployment also aids in the success. Given the power of these applications, the increasing need for focused tools and stretched IT resources, it is no wonder that many companies are seeking hosted, turn-key solutions.

So, the fundamental questions surrounding adoption of this technology are, “How does this comply with security policies?” and, more importantly, “Do IT managers need to adjust security tools and safeguards so that department managers can use these tools?” The answer is an overwhelming “Yes!” Adopting hosted applications will have an impact on security that can vary from minimal to significant.

Intellectual property leakage is a definite concern. If your engineering, finance, operations, management or other departments are seeking hosted tools, what kind of confidential information is being held outside of the corporation's boundaries (in this case, IT's boundaries)? It could be anything from product plans, financial statements, HR records, product shipments…and the list goes on. If this information is highly critical to the business, is it acceptable to host it external to the company? Chances are the answer is no, so what can you do to prevent this type of policy violation?

This is where an integrated network-based DLP technology can provide the appropriate protection. By keying on some aspect of the data (a keyword within the contents, a watermark applied to corporate documents, etc.), the DLP technology can trigger an appropriate action to prevent the leak. To truly enforce the policy, the DLP solution needs to detect the content in transit and act on it before it leaves the corporate boundary, which means inspecting multiple protocols, applications and traffic types – especially as users try to circumvent these safeguards.
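As an added example (not Fortinet's product, and not code from the original post), the following Python sketch shows the decision a network DLP engine makes on an outbound payload: recover the text the payload carries (raw bytes, URL-decoded form fields, and any base64-encoded attachment, the last being a common way to slip a document past a filter that only greps the wire bytes), match the configured keywords and corporate watermark, and return an action. The keyword list, watermark string, threshold and sample payloads are all constructed for illustration.

```python
"""Minimal network DLP content matcher (added example with constructed policy and samples)."""
import base64
import binascii
import re
from urllib.parse import unquote_plus

# Constructed policy: classification keywords and the watermark string that
# sensitive corporate documents are assumed to carry.
KEYWORDS = ("CONFIDENTIAL", "INTERNAL ONLY", "Q3 FINANCIALS")
WATERMARK = "ACME-CORP-DOC-WM"
BLOCK_THRESHOLD = 2  # two or more keyword hits -> block; one -> alert

# A run long enough to be an encoded attachment rather than an ordinary token.
B64_RUN = re.compile(rb"[A-Za-z0-9+/]{40,}={0,2}")


def decode_layers(payload: bytes) -> list[str]:
    """Return every textual view of the payload worth inspecting: the raw bytes,
    the URL-decoded form, and every base64 run decoded. Inspecting only the raw
    bytes misses a document that has simply been base64-wrapped."""
    raw = payload.decode("utf-8", errors="replace")
    views = [raw, unquote_plus(raw)]
    for m in B64_RUN.finditer(payload):
        try:
            decoded = base64.b64decode(m.group(0), validate=True)
        except binascii.Error:
            continue  # long token or hex string, not base64
        views.append(decoded.decode("utf-8", errors="replace"))
    return views


def find_hits(payload: bytes) -> set[str]:
    """Collect the policy indicators present in any decoded view of the payload."""
    hits = set()
    for text in decode_layers(payload):
        upper = text.upper()
        hits.update(kw for kw in KEYWORDS if kw in upper)
        if WATERMARK in text:
            hits.add("WATERMARK")
    return hits


def decide(payload: bytes) -> str:
    """Policy decision: a watermarked document never leaves; repeated keyword
    hits are blocked; a single hit is allowed through but alerted on for review."""
    hits = find_hits(payload)
    if "WATERMARK" in hits or len(hits) >= BLOCK_THRESHOLD:
        return "block"
    if hits:
        return "alert"
    return "allow"


# Constructed sample payloads, shaped like HTTP form post bodies.
ALLOW_SAMPLE = b"title=Weekly+update&body=Lunch+menu+attached"
ALERT_SAMPLE = b"title=Board+deck&body=Confidential+-+do+not+forward"
SECRET_DOC = b"ACME-CORP-DOC-WM Q3 FINANCIALS draft - INTERNAL ONLY"
# The watermark and keywords are invisible on the wire until the attachment is decoded.
BLOCK_SAMPLE = b"subject=deck&attachment=" + base64.b64encode(SECRET_DOC)

if __name__ == "__main__":
    for sample in (ALLOW_SAMPLE, ALERT_SAMPLE, BLOCK_SAMPLE):
        print(decide(sample), sorted(find_hits(sample)))
```

The point of `decode_layers` is the one the paragraph makes about circumvention: the same policy terms must be matched against each encoding the traffic can carry, not just the bytes as they appear on the wire. A production engine adds more layers (compressed archives, office file containers, other protocols), but the decision structure is the same.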

Now, suppose your policy does accommodate SaaS for some corporate confidential / proprietary information, minimizing (but not eliminating) the need for DLP: some information may be OK to be SaaS'd, while other information should never be. If some SaaS is acceptable, are there other concerns to consider? Again, yes. Consider a user base that includes remote users (obviously one of the attractions of SaaS): can you be 100 percent sure that their systems are free of any compromise (trojans, viruses, spyware, etc.)? If these users upload collaborative documents, they become a threat the moment a corporate user opens a compromised document. This is again a concern for the corporation and highlights the need for a solution that can detect malicious code injected into documents / files.

Unless your SaaS vendor provides real-time document scanning for these types of threats, you will need to deploy a solution that inspects the data / documents transferred to and from these Web 2.0 sites, ensuring trouble-free content collaboration.
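As an added example (not from the original post and not Fortinet's product), here is a Python heuristic scanner for PDFs exchanged through a collaboration site, the kind of inbound check the poisoned-document trend in the first post above and the compromised-upload concern here both call for. It flags the PDF features exploit documents most often rely on (script wired to an open action, launch actions, embedded files) and handles two evasions a naive keyword grep misses: #xx escapes in name tokens (/J#61vaScript is /JavaScript) and keywords stored inside FlateDecode streams. The risky-name list, the verdict rules and the two sample files are constructed for illustration; the samples contain no exploit.

```python
"""Heuristic PDF scanner for uploaded documents (added example, constructed samples)."""
import re
import zlib

# Risky PDF name tokens and why they matter (list constructed for this example).
RISKY_NAMES = {
    b"/JavaScript": "script embedded in the document",
    b"/JS": "script embedded in the document",
    b"/OpenAction": "action executed when the file is opened",
    b"/AA": "additional (automatic) actions",
    b"/Launch": "launches an external program",
    b"/EmbeddedFile": "carries an embedded file",
    b"/RichMedia": "embedded Flash or other media",
}

# PDF names may escape any character as #xx, e.g. /J#61vaScript for /JavaScript.
NAME_ESCAPE = re.compile(rb"#([0-9A-Fa-f]{2})")
# A stream dictionary with a direct /Length, followed by the stream keyword.
# Indirect lengths (/Length 5 0 R) are not resolved here; such streams are skipped.
STREAM_HEADER = re.compile(rb"/Length\s+(\d+)[^>]*>>\s*stream\r?\n", re.DOTALL)


def inflate_streams(data: bytes) -> bytes:
    """Append the inflated body of every stream that decompresses as zlib (FlateDecode)."""
    inflated = []
    for m in STREAM_HEADER.finditer(data):
        body = data[m.end(): m.end() + int(m.group(1))]
        try:
            inflated.append(zlib.decompress(body))
        except zlib.error:
            continue  # uncompressed, another filter, or damaged: keep what we have
    return data + b"\n" + b"\n".join(inflated)


def normalize_names(data: bytes) -> bytes:
    """Resolve #xx escapes so obfuscated name tokens compare equal to their plain form."""
    return NAME_ESCAPE.sub(lambda m: bytes([int(m.group(1), 16)]), data)


def scan_pdf(data: bytes) -> dict[str, int]:
    """Count each risky name after inflating streams and normalizing names.
    Inflate first: rewriting escapes inside compressed bytes would corrupt them."""
    text = normalize_names(inflate_streams(data))
    counts = {}
    for name in RISKY_NAMES:
        # A name token ends at whitespace or a delimiter; the lookahead stops
        # /JS from matching the start of a longer name.
        n = len(re.findall(re.escape(name) + rb"(?![A-Za-z0-9])", text))
        if n:
            counts[name.decode()] = n
    return counts


def verdict(data: bytes) -> str:
    """Script that fires automatically on open, or a Launch action, is quarantined;
    any other risky feature is held for review; nothing found is clean."""
    counts = scan_pdf(data)
    script = "/JavaScript" in counts or "/JS" in counts
    auto = "/OpenAction" in counts or "/AA" in counts
    if (script and auto) or "/Launch" in counts:
        return "quarantine"
    if counts:
        return "review"
    return "clean"


# Constructed samples (no exploit code): a benign file, and one that hides
# /JavaScript behind a #xx escape and keeps its script in a Flate stream.
CLEAN_PDF = (
    b"%PDF-1.4\n"
    b"1 0 obj\n<< /Type /Catalog /Pages 2 0 R >>\nendobj\n"
    b"2 0 obj\n<< /Type /Pages /Kids [] /Count 0 >>\nendobj\n"
    b"trailer\n<< /Root 1 0 R >>\n%%EOF\n"
)

_SCRIPT_STREAM = zlib.compress(b"app.alert('constructed sample script');")
EVASIVE_PDF = (
    b"%PDF-1.4\n"
    b"1 0 obj\n<< /Type /Catalog /Pages 2 0 R /OpenAction 3 0 R >>\nendobj\n"
    b"2 0 obj\n<< /Type /Pages /Kids [] /Count 0 >>\nendobj\n"
    b"3 0 obj\n<< /S /J#61vaScript /JS 4 0 R >>\nendobj\n"
    b"4 0 obj\n<< /Length " + str(len(_SCRIPT_STREAM)).encode()
    + b" /Filter /FlateDecode >>\nstream\n" + _SCRIPT_STREAM + b"\nendstream\nendobj\n"
    b"trailer\n<< /Root 1 0 R >>\n%%EOF\n"
)

if __name__ == "__main__":
    for label, pdf in (("clean", CLEAN_PDF), ("evasive", EVASIVE_PDF)):
        print(label, verdict(pdf), scan_pdf(pdf))
```

A plain `grep /JavaScript` over EVASIVE_PDF finds nothing; the scanner finds it only because it normalizes the escaped name first. The same two steps (decode the container, then match) are what makes such a check worth placing at the boundary rather than trusting the file as uploaded.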

Author bio: Anthony James is Fortinet's vice president of products.