The Web 2.0 Threat

Leading-edge collaborative tools and interactive sites pose monitoring burden

As the Web 2.0 movement makes interactive applications and social networks such as Facebook ubiquitous on employees’ desktop computers, financial firms are facing the daunting task of monitoring these so-called greynets. Instant messaging security vendor FaceTime Communications estimates that there are more than 600 greynets worldwide, a number that will climb past 1,000 by the end of the year.

These networks are called greynets because the peer-to-peer applications they are composed of operate in the shadows, without company authorization, and are difficult to police. According to a recent survey by FaceTime’s Security Labs research unit, 90 percent of IT managers have experienced a greynet-related security incident in the last six months–despite deploying firewalls and intrusion prevention systems.

On average, IT managers spent $289,000 in 2007 to repair company computers infected by malware attacks over greynets, compared to $130,000 the previous year, according to the study. Greynet applications include IM as well as file-sharing, collaboration and other Web 2.0 tools. Some of the applications need to be downloaded; others load as a Web page, pop-up window or widget. Widgets–small interactive applications designed to perform a specific task–are becoming increasingly popular across the Internet, according to Chris Boyd, director of malware research at Belmont, Calif.-based FaceTime Security Labs.

“There’s a lot more widespread acceptance of them now,” he said. “A lot of these gadgets and applications could be incredibly useful, and only a small portion actually do some sort of harm. The problem is, as they becoming increasingly popular, more and more people will try to exploit them. Thankfully, it doesn’t seem to have hit just yet.”

Boyd noted that even sophisticated users are likely to download IM widgets that are part of social networking sites such as MySpace or Facebook or trusted research platforms like Google and Yahoo. “If the networking site is good, they think that all the applications associated with them are good as well,” he said. “A lot of people become too complacent with security in the workplace.”

Each widget has different characteristics, added Boyd, and some are not easy to identify and manage. “We can allow access to the MySpace Web page, but block the MySpace IM client–but some widgets are a different story,” said Frank Cabri, VP of marketing and product management at FaceTime. “That’s the whole challenge right now. There are all these third-party widgets that need to be researched, need to be understood.”

Site Blocking

As an example Cabri pointed to LinkedIn, a site used by many Wall Street executives for business networking and recruiting. FaceTime products, he said, can allow access to LinkedIn but not the messaging function.

“We can block individual sub-sites like the mail within LinkedIn,” he said. “But it’s tough for organizations to know all those details of all those different pages. What we see organizations doing is white-listing the places employees can go. Yes, it’s going to result in people making their voices heard to the IT team. But there’s thousands of sites and thousands of widgets.”

Web 2.0 pioneer Google has a customizable home page, iGoogle, that is made up of widgets. In addition to its Google Talk IM platform, Google offers a messaging system as part of the collaborative tools around its Google Spreadsheet product, which “allows people to simultaneously work on a common spreadsheet or document,” said Kevin McPartland, analyst at New York-based Tabb Group. “Pretty quickly, the major firms restricted access to many of these sites. Having a communications medium that is not trackable is risky.”

Google has an enterprise platform as well, noted McPartland, which might be attractive to smaller financial advisory firms or hedge funds, but the risks may outweigh the benefits.

It’s quickly implemented, “easily available, and it’s all for free,” he said. “But when it comes to analytics spreadsheets and tracking models, it’s still not robust enough. And there’s no guarantee that security is there for hedge funds.” Some online software vendors, like, are known for their enterprise-level security.

“I’m sure Google is quite secure, but they’re not geared toward securities firms,” McPartland said. Google and other Web 2.0 applications developers are putting another kind of pressure on IT departments–keeping pace with the available tools. “Everybody is always trying to keep up with Google, and financial technology is no exception to that,” said McPartland.

There is usually an equivalent, enterprise-caliber product available, he added. “All of these major firms have some form of collaboration.”

Reuters, whose Reuters Messaging has more than 100,000 users, plans to open up its platform to third-party tools.

“In the second half of this year, we are going to release the Reuters Messaging Application Platform,” said David Gurle, global head of Reuters Communication Services. About ten pilot customers are using the platform to deploy applications that run over the Reuters IM platform. These applications take the form of bots, or agents, Gurle said. An automated agent can, for instance, act as an online concierge, making dinner reservations for employees. Another agent can convert an IM into an SMS, or short message service, and deliver it to someone’s cell phone. Some applications are developed by firms and others by third-party vendors, he said. However, to ensure security, only trusted parties are allowed to deploy applications over the network, Gurle said, “and we run every application through a certification process.”

Key Behaviors

In addition to monitoring recognized IM networks, New York-based Orchestria Corp., a provider of compliance-policy management technology, tries to identify key behaviors, such as the point at which an application passes a message over the Internet.

“It’s not uncommon for someone to download a specific application to the desktop and start using it,” said Andrew Grygiel, SVP of global marketing at Orchestria. “We can certainly block or monitor that activity. For complete coverage, some major financial firms block Web 2.0-based Web sites. These sites don’t necessarily require an individual to download the interactive applications on his desktop; instead they run within online platforms like Facebook or Flickr.”

Grygiel said that Orchestria recommends a multi-level approach to security.

“One of the differentiators for us is that we have distributed, multi-agent capability architecture,” he said. “That means that there are agents that can reside on the desktop, and agents that can be placed on servers; we have an agent for Microsoft Exchange. In addition, we have network agents that sit out in the network boundary, which is the last protection point, and we can monitor anything on the client server or at the network to block any type of traffic.”

Orchestria’s distributed architecture analyzes the traffic coming across a network from Facebook or any other Web 2.0 platforms. The agents are able to detect the start and stop of the flow of information and can assemble it into a content set, according to Grygiel. At that point, the messages can be stored or checked for key words or other sensitive content, he said.

Mayur Pahilajani contributed to this report.

Article originally appeared in Securities Industry News, which has since closed.