JIL Author

Oct 3, 2020 · 8 min

WEB 2.0

OVERVIEW

When Tim Berners-Lee conceived the web in 1989, its original design was an informational platform. It provided content to users; it was a one-way vehicle for obtaining information about companies, news, or people. The static-page environment evolved from a platform for obtaining information into a repository for submitting and storing users’ information. This transition opened the user experience to a world of data sharing, which started the era of Web 2.0. Tim O’Reilly coined the term Web 2.0 (1). There is no single agreed definition of the term, but the following one seems relevant:

“Web 2.0 is the network as platform, spanning all connected devices; Web 2.0 applications are those that make the most of the intrinsic advantages of that platform: delivering software as a continually-updated service that gets better the more people use it, consuming and remixing data from multiple sources, including individual users, while providing their data and services in a form that allows remixing by others, creating network effects through an ‘architecture of participation’, and going beyond the page metaphor of Web 1.0 to deliver rich user experiences (2)”.

The Web 2.0 world serves as a platform for people to create and share content, videos, and photos (3). This was a large leap from a read-only environment that only provided information. The interaction of pulling data from and pushing data to the web increased usage of the internet and also increased people’s competitive nature. Companies started to concentrate on how many people were hitting their pages, and bloggers received compensation when their blogs received a certain number of hits. Design became important once companies realized the correlation between interactive design and user experience. “By making this platform as user-friendly and accessible as possible, people were encouraged to visit, post, and view content (3)”, and, as stated in the definition quoted by Fuchs, it “gets better the more people use it”. The objective of Web 2.0 was to enhance user experience and engagement, which was accomplished through web design and user interaction.

DESIGN

The evolution of Web 2.0 changed how web pages were designed. Instead of displaying information, obtaining information became more relevant. Data became a commodity to companies once they were able to associate particular data with increased sales and tailored, customized products and services, which led companies to focus more on how pages were designed to promote user engagement. To maintain a continuous volume of traffic on a web page, developers were tasked with creating user-friendly pages that appealed not only to the expert user but to the novice one. On the client side, web pages transitioned from table layouts, hyperlinks, and plain text to interactive forms, drop-down menus, upload components, charts, and many more interactive features. On the server side, web pages transitioned from static pages, filesystem loads, frames, and table layouts to dynamic pages, relational database loads, and interactive component layouts. The most pertinent impact of Web 2.0 was user collaboration, the ability to share information among groups.

USER INTERACTION / COLLABORATION

The user-to-user experience was a new concept for web developers because users controlled the content they published. Not only did user collaboration allow users to control their content, but users also started to create communities among friends, family, and business associates. “Google now has a total database measured in hundreds of petabytes which is swelled each day by terabytes of new information, much of which is collected by users (4)”.

Advanced technology generated server-side algorithms that allowed companies to tailor products and services to a particular audience based on the user information collected. Similar technology on the client side became more user-friendly: people started to publish their websites with tools like WordPress, shared videos on YouTube, and published pictures on Myspace. User collaboration was responsible for making user input important. User interaction contributed to the social aspect of Web 2.0, which conceived social media. “Social media is understood as the different forms of online communication used by people to create networks, communities, and collectives to share information, ideas, messages, and other content, such as videos (5)”. User interaction not only gave Web 2.0 social media, but also shared content, advanced algorithms, and user content owners, which gave birth to the following web services and applications:

Social Media

· Facebook – Social Media & Networking

· Twitter – Social Networking

· LinkedIn – Business Networking

· Six Degrees – 1st Social Media site (5)

Shared Content

· Wikis – Data Sharing (files, video, projects)

· YouTube – Video Sharing

Advanced Algorithms

· SEO – Search Engine Optimization

User Content Owners

· WordPress – Blogs

· Wix – Website & Podcast

SECURITY THREATS

Web 2.0 evolved into a platform designed to promote user engagement; however, this new environment has also formed a new wave of criminals, called cyber-criminals. The innovation of Web 2.0 has formed communities, enhanced business operations, and profited not only companies but criminals. Based on the latest news reports, it appears that the more profitable a company, the higher the risk of attack. However, regardless of a company’s revenue, web “applications are highly accessible, viral, and dynamically generated, which makes them risky (6)”. Allowing users to create and host content for blogs, upload pictures, and share documents online has created more vulnerabilities and thereby more security risk. User collaboration on the web has caused “links to fraudulent websites, malicious code, and other security threats such as spyware (3)”.

There is no longer an implied trust between the user and the web page, due to security concerns. The “implied trust between a community of individual developers and the sites hosting content (3)” is a thing of the past. The information that companies obtained to better serve their customers is now at risk because hackers have found that data is an asset to them too.

Unfortunately, users are posting personal and sensitive information about themselves, which is valuable on the black market. Recall the public and costly incident Target encountered, which cost the company 18 million dollars in damages: the hackers intended to steal sensitive data, such as credit card information, to sell on the black market. Trust among social networks is a vulnerability because “information shared on these particular websites has been deemed as personal and users generally tend to trust the content posted by the community (6)”, but unfortunately hackers attempt to attack content shared in this environment. The advantage of users controlling their content and having the ability to upload content is also a disadvantage when it comes to security threats, because the data can be manipulated by hackers.

This vulnerability is not exclusive to the client-side environment; Web 2.0 technology used on the server side to enhance user interaction is also at risk. For instance, Ajax “fetches XML documents by making calls asynchronously to the server from which it was loaded without having to wait for pages to reload (6)”, and this becomes a vehicle for hackers to inject malicious code. The idea of fast and interactive pages has opened the door for hackers to alter content before the server can detect any suspicious activity, and it has handed them a key to sensitive data.
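The injection path described above is easiest to see on the client side, where the page takes what an asynchronous call returned and writes it into the document. The following JavaScript is an added example, not code from the original post: it uses a constructed response from a hypothetical /api/comments endpoint (the endpoint, the sample comments and the length limits are assumptions), checks the response has the expected shape before using it, and shows the same rendering step written the risky way (response text concatenated straight into markup) next to the escaped version.

```javascript
// Added example (not from the original post): handling an asynchronous
// (Ajax/fetch-style) response on the client without letting the
// server-supplied content be interpreted as markup.
//
// Assumptions (constructed for this example): the page loads comments from a
// hypothetical /api/comments endpoint that returns JSON like SAMPLE_RESPONSE.
// Plain JavaScript, so it runs in Node as well as in a browser.

// Constructed response standing in for what the asynchronous call returns.
// The second entry carries markup in a user-controlled field, which is what
// a user-collaboration site will eventually receive from someone.
const SAMPLE_RESPONSE = JSON.stringify({
  comments: [
    { user: "alice", text: "Great product, would buy again." },
    { user: "mallory", text: "<b>nice</b><script>alert(1)</script>" },
  ],
});

// Escape the characters that have meaning in HTML so data from the response
// is displayed as text rather than parsed as markup. '&' goes first so the
// other replacements are not double-escaped.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// Check that the decoded response has the shape the client expects before any
// of it is used. Unknown fields are dropped; non-string or oversized values
// are rejected, so a tampered or spoofed response fails closed.
function validateComments(json) {
  const parsed = JSON.parse(json);
  if (!parsed || !Array.isArray(parsed.comments)) {
    throw new Error("unexpected response shape");
  }
  return parsed.comments.map((c) => {
    if (typeof c.user !== "string" || typeof c.text !== "string") {
      throw new Error("comment fields must be strings");
    }
    if (c.user.length > 64 || c.text.length > 2000) {
      throw new Error("comment field too long");
    }
    return { user: c.user, text: c.text };
  });
}

// Risky rendering: response text is concatenated straight into HTML (the
// equivalent of assigning it to innerHTML), so the <script> in the second
// comment would be parsed as a script by every reader's browser.
function renderUnsafe(comments) {
  return comments.map((c) => `<li>${c.user}: ${c.text}</li>`).join("");
}

// Hardened rendering: the same template, but every dynamic value is escaped.
// In a real page, assigning element.textContent instead of innerHTML gives
// the same protection without manual escaping.
function renderSafe(comments) {
  return comments
    .map((c) => `<li>${escapeHtml(c.user)}: ${escapeHtml(c.text)}</li>`)
    .join("");
}

// Stand-alone demonstration.
const demoComments = validateComments(SAMPLE_RESPONSE);
console.log("unsafe:", renderUnsafe(demoComments));
console.log("safe:  ", renderSafe(demoComments));
```

The shape check matters as much as the escaping: an asynchronous response is data from the network, and a client that trusts whatever comes back is exposed to a spoofed or altered reply in exactly the way the paragraph above describes.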

Data leakage is an issue on both the client side and the server side of Web 2.0. Users are at risk not only of their content being leaked by a source they trusted, but also of spyware taking over their personal machine and exposing data from that point. Companies that have incorporated Web 2.0 technology into their business models are responsible for protecting the data, not just of one user but of a community of users, which requires them to incorporate several security tools. Certain companies are governed by agencies and are required to protect users’ information under regulations such as HIPAA and FERPA.

Unfortunately, the risk does not end with data leakage: “copyright issues related to videos, pictures, and other posted comments are prevalent (3)”. Recently there was a news report of a woman who posted a review of a particular hair product, and the company’s competitor hijacked the reviewer’s post and displayed it on their page as if the consumer were rating them. Users are “vulnerable to misinformation and anonymous authors could make malicious or unauthorized changes to information being published” to the web (3).

As security threats increase, IT professionals need to implement controls to reduce the vulnerabilities on their sites.

SECURITY CONTROLS

There are several security measures that IT professionals and users can implement to reduce risk. For this illustration, I have layered them into three categories: preventive, detective, and corrective measures.

Implementing proper controls is important to secure websites; however, some risk is unknown, so IT professionals must do their due diligence and monitor risk exposure frequently; at the bare minimum, an annual security audit should be performed. Other risks are known, and preventive controls can be implemented for them. In particular, “implementation of the proper authentication controls, input validation, error handling controls, and so on, is essential to avert threats that may result in an unauthorized intrusion (3)”. Authentication and authorization are two key controls that developers can integrate into their infrastructure, not only to confirm that users have access but also that they are authorized to view sensitive data. As learned in class, an authentication and authorization policy is not only a preventive measure for companies that implement the CIA model; these controls also serve its confidentiality aspect. A credential policy should include strong password rules, ensuring that the login name is not part of the password, and one rule that may not be common: preventing the username from visibly appearing on a web page login form. Automatically hiding the username should be part of the login credential policy, because once a hacker has a username, half of the login credentials have been obtained. Ensuring that only authorized users can view sensitive data helps prevent data leaks.

It is important that “possible leakage of sensitive or proprietary information (1)” is protected against. Web 2.0 programs should undergo rigorous vulnerability testing to identify loopholes and uncover any weaknesses, including command injection, cross-site scripting, and buffer overflow vulnerabilities. This measure helps ensure that data integrity is maintained and prevents “a hacker from adding malicious content to or exploit the vulnerability in web pages (6)”. It is important that data is not stolen, modified, or deleted, because the aftermath can be costly not only to the business, as in Target’s 18 million dollar security breach, but also in the time and money users lose if their identity is stolen. From a detective perspective, on the server side, anti-malware can be installed to protect against unknown threats or code injections. Web filtering can also be implemented to prevent users from accessing sites that execute malicious code, blocking websites that don’t meet certain security policies.

As a corrective measure, notifying agencies and users of data breaches and removing threats is a starting point for mitigating future attacks. Hackers’ goal is to breach a security policy, and they may have more time to attack than users have to protect themselves. Data breaches seem to be more common, so users are aware that this is a possibility; however, providing them with appropriate notification will allow them to take measures to prevent further security damage, so notification is an important measure.

Another corrective measure that follows the CIA triad is availability. On the server side, it is important that services are available and, when a security breach occurs, that the downtime is short. One of my clients experienced a data breach which prevented their client portal from being active for over a week; this was a costly lesson. However, they have implemented anti-malware that will alert them of an intrusion and, more importantly, they have made changes to their DR site, which will eliminate future downtime.

CONCLUSION

“Empirical analysis shows that, on the one hand, information provision is still the most important function of the web, but that, on the other hand, co-operative functions of the web (community building, data sharing, and collaborative information production) have become more important (2)”. As technology advances and data demands increase, so will these co-operative functions. There is more talk of Web 3.0, with more advanced application services. As user design and user interaction continue to be prevalent, so does data security risk. Identifying vulnerabilities and assessing threats will allow users on both the client side and the server side to be more vigilant in assessing and mitigating risk with Web 2.0.

WORKS CITED

1. O'Reilly, Tim. What Is Web 2.0: Design Patterns and Business Models for the Next Generation of Software. O'Reilly, 30 September 2005. [Online; cited November 16, 2019.] https://www.researchgate.net/deref/http%3A%2F%2Foreilly.com%2Fweb2%2Farchive%2Fwhat-is-web-20.html.

2. Fuchs, Christian. Web 2.0, Prosumption, and Surveillance. Surveillance & Society, p. 309.

3. The Government of the Hong Kong Special Administrative Region. Web 2.0 and Security. 2008, pp. 1-13.

4. Anderson, Paul. What Is Web 2.0? Ideas, Technologies, and Implications for Education. JISC Technology & Standards Watch, February 2007, p. 64.

5. Terrell, Keith. History Cooperative, June 06, 2016. [Online.] https://historycooperative.org/the-history-of-social-media/.

6. Chauhan, Ankur. Security Infrastructure for Web 2.0 and Social Networks. Security Systems, Fall 2009, p. 5.
