By Dan Campbell
Special to GCN
Defense-in-depth protection for agency Web sites is the recommendation
from Justice and Commerce department representatives who spoke during
the FOSE 2008 Conference and Exposition about the dangers of targeted
.[The] Web is a collaboration method, but the benefits of collaboration
will not be realized unless that collaboration is done securely,. said
Michael Castagna, Commerce.s chief information security officer.
.We must understand the promise and peril of technology,. he added.
.Criminal syndicates are targeting intellectual assets such as credit
card data and personal information and then are selling that
Castagna also spoke about Web 2.0 risks. He described the three
components of Web 2.0 as service-oriented architecture, application
program interfaces, and rich Internet applications that use technologies
and Extensible Markup Language.
Web 2.0 is about the user experience, with an emphasis on
user-contributed content. In Web 2.0, the Web has become the
application, but in Web 3.0, the Web becomes a database. Castagna
asserted that although Web 2.0 presents its own security risks, he is
also looking ahead to Web 3.0 and the risks it might present. .Web 3.0
will consist of a database of machine-to-machine content,. he said.
.Search moves from contextual to semantic where it is interactive and
powerful and must be secured..
Mischel Kwon, deputy director of IT security at Justice, spoke about the
danger of the relatively new IFrame attacks.
An IFrame (short for inline frame) is an HTML element that makes it
possible to embed another HTML source inside the main document. In an
IFrame attack, malicious code is injected into Web pages that redirect
visitors to third-party malware sites.
Despite the persistence of such attacks, Kwon acknowledged the power of
Web applications. .To be effectively used, Web applications require ease
of access, connectivity to other applications and rich functionality,.
she said. .The last thing you want to do is inhibit it via security. You
must balance security with mission necessity and do risk analysis to
decide what risks we are willing to take to allow that rich
Subscribe to InfoSec News