Protecting the Enterprise: On Appropriate Limitations of Employee Web Browsing Activities
February 23, 2009 | POSTED BY BRETT EDGAR IN UNCATEGORIZED
By now everyone who has data to protect and is aware that the Internet exists is using (at the very least) a basic firewall to protect the computers storing the data (and often client workstations, too) from unnecessary connections from the Internet. But most organizations, even large ones, have many or all of the following shortcomings in their firewall implementations:
There is no outbound filtering of traffic from client workstations
There is often minimal restrictions of outbound connections from servers storing the important data
The firewalls offer only partial mediation of connections ? a concept I will explain later in the article ? between what should logically be considered different segments of the internal network (many organization have some segmentation, but poor mediation of connections crossing the segment boundaries)
The firewalls don't protect mobile devices (off the corporate network communications)
Today I want to focus on one particular aspect of the first shortcoming from the above list. My colleagues and I receive many dozens of alerts each day from the Network Security Monitoring sensors deployed on the networks of customers subscribed to our NSM service. But the greatest number of alerts arrive as a result of poor traffic filtering on the part of the organizations, coupled with reckless web browsing habits by the employees of these organizations. Most of our NSM customers perform little or no useful outbound filtering of traffic from workstations. This is a major hole in corporate security posture.
All outbound traffic from workstations should be limited to only what is necessary and appropriate. For web traffic, the best way to accomplish this task is by installing a web proxy. Many organizations bristle at the thought of installing a web proxy for various reasons, but three of the more often cited objections are: "I don't want to spy on my users"; "it's too onerous to have to configure every workstation to use the proxy"; and, "if I limit my employees access to the Internet, they'll see me as Big Brother and I'll have less happy employees." There are three very good responses to each of these concerns.
As to the first objection: Do you really want to risk having sensitive data exfiltrated from your network? Many organizations have no qualms with installing a web application firewall (many do so to comply with Payment Card Industry (PCI) regulations) to protect their websites. Such a device is, in effect, spying on all visitors and customers who access those website(s). So why should an organization be nervous about appropriately monitoring its employees? The employees should have no expectations of privacy on the corporate network since all of the equipment was bought and paid for by the company. Is the risk associated with failing to monitor these web communications worth it?
For the second objection: There is an indispensible trick that can be applied to web proxying. Many web proxies can be installed in 'transparent' mode where all web traffic is directed through the proxy by either physical ("bump in the wire" setups) or technical (routing and firewall policy) means. The most popular open-source web proxy, Squid, can be installed in this way. For the cost of a small server with dual network cards and some setup time, you can have a completely free web proxy that requires no further configuration on your network.
And now to answer the final objection: Big Brother. Nobody wants to be Big Brother. Orwell's most famous book, 1984, has done a magnificent job in warding off this behavior. However, in the case of corporate oversight of employee communications on the Internet, the idea seems to have been over-applied. While I am a fan of complete mediation?the idea that all network communications should be strictly controlled and only the bare minimum allowed?there is no reason that it must (nor realistically could) be applied to review of employee web browsing activities. Indeed, if I were to try to review all the web connections that originate only from my computer in the course of a single day, I would overwhelm myself in the first few minutes. However, web proxies can perform some very useful amount of mediation automatically. There is little need for human intervention unless a particular computer is exhibiting a pattern of accesses that is reckless, malicious, or well-outside the realm of casual browsing on company time. When these patterns do occur, the web proxy software can usually automatically alert an administrator with enough information so that the administrator can quickly make a determination as to whether further escalation is useful or necessary. No Big Brother necessary.
Of the dozens of daily alerts related to reckless web-browsing behavior on customer networks, there are three major categories:
Malicious automated accesses due to spyware and/or malware (trojans, viruses, botnets)
Reckless manual accesses due to employees visiting websites controlled by questionable organization and serving up questionable or objectionable content
Porn (really, a subclass of #2)
Most web proxies coupled with a properly configured firewall that is regularly updated with one of the freely available 'known malicious' IP lists can eliminate the first class of alerts and notify administrators of the problem. The second and third classes of alerts can be minimized with a similar list of known malicious websites, URLs, and a wordlist to help gauge the amount of questionable terms in a particular webpage.
While I cannot gauge (or even guess) the damage caused to date by network infiltration and data exfiltration due to poorly mediated web surfing by employees, I can say that True has generated dozens of incident reports responding to these alerts. The aggregate cost due to response time required by our individual customers to appropriately respond to these incidents would have already been made up with the purchase and installation of a minimally invasive web proxy.
I cannot recommend strongly enough the use of a web proxy to filter, log, and alert on outbound web requests from your corporate network. It will save you time. It will save you the potential embarrassment of a data breach. It will save you potential legal trouble when an employee accesses objectionable content.
For questions and recommendations on web proxying, please do not hesitate to contact me or my colleagues at True Digital Security. We are more than happy to help you protect your corporate network!