Weekly Industry Round-up, Week of 5/31
Posted by hyperguard on June 4, 2010
Facebook Clickjacking Worm Infects Thousands
Last week we mentioned how clickjacking attacks use malicious iFrames inserted into a Web page to hijack a user’s Web session. Then, over the weekend, a Facebook clickjacking worm affected thousands of users, spreading malware and unwanted code onto users’ computers when they clicked a link that indicates they “like” the maliciously created Web page. Users have been encouraged to view recent activity on their Facebook news feed and delete entries related to the malicious links. They should also click on their Info tab on their personal profile and remove any of the links connecting to Web pages via their “likes and interests” section.
Enterprise Networking Planet…
Web Application Security: Are You Doing Enough?
This article by Paul Rubens discusses last month’s “State of Application Security ” survey carried out by the Ponemon Institute. Many organizations are leaving their data vulnerable to theft because they spend too much of their security budgets protecting their networks and too little securing their Web applications. Securing both network and Web applications should be key priorities so what this comes down to is a problem of resource allocation: if you spend too much of your security budget on your network, hackers will steal data via your Web applications, but if you spend too much on your Web applications, there won’t be enough of your budget left to prevent them stealing data by breaking in to your network. If companies decide to allocate more of the security budget to Web application security, Paul suggests performing regular scanning for known vulnerabilities and coding errors using a specialized Web vulnerability scanner, or even full scale penetration testing.
The Virtualization Practice…
Defining Tenants for Secure Multi-Tenancy for the Cloud
This post by Edward Haletky discusses that there is more to securing multi-tenancy (SMT) than one would imagine. So how would you define tenant when nearly everyone has their own definition of tenant for a multi-tenant solution? Attorney, David Snead, defined tenant as “whatever definition is used within the contract.” If there is no definition within your contract then assumptions are made, so I tend to fall back to the definition of tenant to be “the legal entity responsible for the data” so you need to read your contracts carefully. Edward believes that once we can define tenant appropriately, the provider needs to offer some level of security far above what any one tenant may desire, but can at some point in time acquire as necessary. After we define tenant satisfactorily, we should start to look at what we need from the provider and what is really left to the tenant to implement in other words: roles and responsibilities.