Justice, Commerce warn of Web 2.0'and 3.0'security risks
- By Dan Campbell
- Apr 03, 2008
Defense-in-depth protection for agency Web sites is the recommendation from Justice and Commerce department representatives who spoke during the FOSE 2008 Conference and Exposition about the dangers of targeted attacks.
'[The] Web is a collaboration method, but the benefits of collaboration will not be realized unless that collaboration is done securely,' said Michael Castagna, Commerce's chief information security officer.
'We must understand the promise and peril of technology,' he added. 'Criminal syndicates are targeting intellectual assets such as credit card data and personal information and then are selling that information.'
Web 2.0 is about the user experience, with an emphasis on user-contributed content. In Web 2.0, the Web has become the application, but in Web 3.0, the Web becomes a database. Castagna asserted that although Web 2.0 presents its own security risks, he is also looking ahead to Web 3.0 and the risks it might present. 'Web 3.0 will consist of a database of machine-to-machine content,' he said. 'Search moves from contextual to semantic where it is interactive and powerful and must be secured.'
Mischel Kwon, deputy director of IT security at Justice, spoke about the danger of the relatively new IFrame attacks.
An IFrame (short for inline frame) is an HTML element that makes it possible to embed another HTML source inside the main document. In an IFrame attack, malicious code is injected into Web pages that redirect visitors to third-party malware sites.
Despite the persistence of such attacks, Kwon acknowledged the power of Web applications. 'To be effectively used, Web applications require ease of access, connectivity to other applications and rich functionality,' she said. 'The last thing you want to do is inhibit it via security. You must balance security with mission necessity and do risk analysis to decide what risks we are willing to take to allow that rich functionality.'
Dan Campbell is a freelance writer with Government Computer News and the president of Millennia Systems Inc.