Welcome to the Proxy Update, your source of news and information on Proxies and their role in network security.

Wednesday, October 27, 2010

Multiple Category Ratings

While a blended defense remains critical for the Secure Web Gateway, today we're going to focus on the URL rating technology used by most proxies. It's one component of the many defenses offered by proxy vendors, and probably the basis for most proxy vendors' security solutions. The reason for this is that a URL database of category ratings can be stored on-box, offering quick access to a rating for a specific web site. (When a URL isn't in the on-box database, the vendor has to go to a real-time rating system and an anti-malware scanning engine, both of which can cause increased latency or delays for loading a web page.)

With today's increasingly complex web pages, it's getting harder to rate a web page into a single category, so it's important for the secure web gateway to recognize multiple categories for a single URL. A great example of this is Facebook. While the base Facebook URL (www.facebook.com) is recognized as a Social Networking site, pages within Facebook may need to be categorized as both Social Networking and a second, third or even fourth different category. For example, the many games available in Facebook, such as Farmville and Mafia Wars, should be rated as both Social Networking and Games. A dual rating lets an IT administrator allow the Social Networking category while blocking Games to prevent wasted time at work, and still allow the use of Social Media in promoting a company's products and services.

Unfortunately not all proxy vendors have this capability to support Web 2.0 sites, so be sure to check with your vendor to make sure they offer this important basic tool to help secure your web access.

Monday, October 25, 2010

Is Facebook Really a Threat?

In interesting news today, Palo Alto reported that among corporate users who have access to Facebook, 88 percent are "lurkers", meaning they only watch what's going on and what their friends are posting, as opposed to posting stuff themselves or playing games on Facebook. In fact the study found that only 5 percent of users played games and only 1.4 percent actively posted updates or comments on Facebook while at work.

It's an interesting observation that we are voyeurs, and one that matters for companies that plan on blocking or already block Facebook. The real risks that come from Facebook are loss of productivity and the possibility of clicking on malware. If users are really just voyeurs and not actively posting their own updates, there may be some loss of productivity, but probably not as much as employers may fear. The threat of malware should be alleviated by making sure their secure web gateway (proxy) has the latest anti-malware and URL filtering software.

The other alternative is of course to allow Facebook browsing, but only during off hours, and to place a coaching page that alerts the end-user that they should be doing so only on their own time, during breaks for example.

Wednesday, October 20, 2010

The None Category

I had an interesting weekend discussion with an end-user of web filtering products, whose company takes the approach that anything that ends up in the category "None" needs to be blocked. Unfortunately for end-users, that means new websites and websites that aren't visited frequently are the ones most likely to have that rating. The end-user also mentioned to me that it frequently prevented him from finishing the project or job he was working on, leading to a ticket submission to the IT helpdesk to get access to those sites, a process that usually took at least a week. A week in which he was unproductive.

It got me thinking about the "None" category, and what you can do about it as an IT administrator. There are two obvious choices: first, block it as this company did, causing a reduction in productivity when websites that are required for work end up in this category; or the opposite, which is to allow "None" and risk letting malware, phishing attacks, and prohibited websites into the corporate network.

There is a third option of course, one that it seems not enough companies take advantage of, and that's the coaching page. When a website turns up with a rating of "None", instead of blocking or allowing the page, throw up a coaching page that explains the website was found to have no rating, and as such could be a dangerous site carrying a new threat that hasn't yet been discovered. Allow the user to click through if they are certain the website poses no risk to them and they agree they have a business purpose for visiting that website, and at the same time alert the end-user that their identity and the fact they visited the site are being recorded for accountability.

With a coaching page, most users who really have no business going to the new site will be wary of visiting it, and will only go if they have a business purpose. It should offload much of the hassle of creating custom exception lists for end-users when their requests get blocked, and leave accountability in the hands of the end-user. Make sure, of course, that your proxy can create an exception page and will indeed log the user's identity and the site they attempt to visit.
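As an added example (not code from the Proxy Update blog or from any proxy vendor), here is a small policy evaluator in Python that puts the two ideas from the "Multiple Category Ratings" and "The None Category" posts together: a URL can carry several categories and a blocked category wins even when the same page also carries an allowed one, while an unrated ("None") site gets a coaching page and the click-through is recorded with the user's identity. The rating table, the category names other than those mentioned in the posts, and the URLs are constructed sample data.

```python
from dataclasses import dataclass

# Constructed sample rating database; a URL can carry more than one category.
# An empty set stands for the "None" (unrated) category.
RATINGS = {
    "www.facebook.com": {"Social Networking"},
    "apps.facebook.com/farmville": {"Social Networking", "Games"},
    "www.example-news.test": {"News/Media"},
    "www.brand-new-site.test": set(),
}

# Categories the administrator has chosen to block outright (constructed policy).
BLOCKED_CATEGORIES = {"Games", "Spyware/Malware Sources"}


@dataclass(frozen=True)
class Decision:
    action: str          # "allow", "block" or "coach"
    reason: str
    audit: tuple = ()    # accountability records to hand to the proxy log


def categories_for(url: str) -> set:
    """Look up every category for a URL; unknown URLs rate as None (empty set)."""
    host_path = url.split("://", 1)[-1].rstrip("/")
    return RATINGS.get(host_path, set())


def evaluate(user: str, url: str, acknowledged: bool = False) -> Decision:
    """Apply the policy: any blocked category wins over an allowed one on the
    same page (Facebook + Games), unrated sites get a coaching page, and a
    click-through past the coaching page is logged with the user's identity."""
    cats = categories_for(url)
    hits = cats & BLOCKED_CATEGORIES
    if hits:
        return Decision("block", f"category {sorted(hits)[0]} is blocked")
    if not cats:
        if acknowledged:
            record = f"{user} clicked through coaching page to unrated site {url}"
            return Decision("allow", "user accepted the coaching page", (record,))
        return Decision("coach", "site has no rating; show coaching page")
    return Decision("allow", f"categories {sorted(cats)} are permitted")
```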

Wednesday, October 13, 2010

Spyware Effects

In reviewing the categories that Blue Coat offers in its URL database, one of the categories looked to be unique to Blue Coat, and has a name that might be a little confusing if you don't know what it means. Blue Coat has a category called "Spyware Effects/Privacy Concerns". It's not triggered, as you might imagine, when an end-user tries to go to a site that contains spyware or malware (instead, "Spyware/Malware Sources" is used for that).

"Spyware Effects" refers to when a workstation or PC attempts to go to a site that is known for collecting personal and private information or a site known for sending out instructions to a botnet. The purpose of this category is to alert the IT admin to the possible existence of infected workstations or PCs that have spyware, malware and may have been compromised and are now part of a botnet/zombie net.

It also allows the IT admin to set policy to prevent the compromised PC or workstation from sending possibly private or confidential information out of the network, as well as preventing the PC or workstation from performing possibly illegal operations.

This is a unique and valuable category and one I'm surprised that I've only found in one proxy vendor's offering.

Tuesday, October 12, 2010

Free Public Wifi

If you ever wondered about the "Free Public Wifi" SSID being broadcast in many public locations like airports, NPR recently took the time to explain the plethora of wifi hot spots sporting this name. As I'm sure you already suspected, these aren't legitimate wifi hotspots; they are instead PCs that have been infected with a virus and are acting like zombies, broadcasting an "ad hoc" network (rather than an infrastructure network). If you were to connect to the network, you'd be connecting your computer directly to the infected PC (and not a wifi hotspot), and of course infecting your PC in the process.

It turns out there's an easy solution for most PCs running Windows XP to prevent yourself from becoming part of this zombie network. According to Microsoft, upgrading to Windows XP Service Pack 3 should solve the problem and prevent you from being affected by this virus. So if you haven't done it yet, there's now a good reason to upgrade your PC.

Thursday, October 7, 2010

Cisco adds Web Filtering to VPN Client

In news that might have been hidden by their Security Appliance announcement, Cisco also announced that their VPN Client, now called "AnyConnect", is adding services from ScanSafe, their cloud service that offers web filtering.

It's an interesting development and a timely one given yesterday's discussion on Mac vulnerability. It provides another avenue for those users who are browsing without the advantage of a Secure Web Gateway to get protection from malicious websites, malware and spyware.

If you're not using the Cisco VPN client, you can also still get this protection on a corporate basis using clients offered by web security companies like Blue Coat and Websense, both of whom offer clients for remote workers surfing the web from hotels and other web access points.

Wednesday, October 6, 2010

Macs are vulnerable to spyware too!

This morning on Facebook, my cousin posted that his Gmail account had gotten hacked (the IP traced to one in China), and that bogus emails were sent to everyone in his address book. The bogus emails included a link to a malicious website. I felt pretty confident in clicking on the link, since I was using Blue Coat's free web filtering program K9, and sure enough, it blocked me from getting to the URL, claiming the site was "Illegal/Questionable".

In the comments to my cousin's post on Facebook, I mentioned to him he should scan his computer for spyware, as that was likely the culprit that caused his Gmail account to get compromised. His response? "Impossible, I'm using a Mac". I think his response is a classic one that many Mac users give when discussing spyware, malware, viruses and trojans. A basic "it can't happen to me" attitude. Unfortunately, it can happen on Macs; spyware and even malware exist on Macs. Spyware is easier to implement since it can just be embedded into JavaScript on a website, and the browser makes you vulnerable.

Consider this post a friendly reminder, that just because you're using a Mac doesn't make you immune to spyware, malware and viruses. If you're not browsing behind a proxy that's protecting you with anti-malware and URL filtering, consider installing a free web filtering program like K9 (www.getk9.com).