Security, Compliance & Awareness
Web Content Filtering – Where To Draw The Line?
An increasingly large number of organisations now have web content filtering tools in place as a part of their information security regime. Of course, in addition to being part of a “defence in depth” approach to security, these tools will also usually support an additional “management” agenda of increased productivity (i.e. less work time spent by staff surfing the net in pursuit of activities that have nothing to do with their jobs). They will also potentially reduce the risk of the organisation suffering legal problems as a result of illegal activities being carried out by their staff using the company’s IT infrastructure to – for example – download pirated videos in breach of copyright laws, or publish defamatory material on Internet bulletin boards.
Web content filtering systems control access to websites by users, and provide the organisation with an automated method of preventing its users from accessing websites that the organisation regards as “inappropriate”. They typically work by classifying websites (or, more accurately, URLs) into categories. The organisation decides which categories of site its users may or may not access, and the system then automatically applies the “allow” or “deny” rule whenever a user attempts to access a particular site.
The implementation of these controls needs to be approached with some sensitivity. Internet access at work is now regarded as a basic “right” - particularly by “Generation X” employees - and any attempt to significantly curb this “right” will be viewed with scepticism and concern by some sectors of the employee population. Users expect to have a reasonable level of freedom to use the Internet for non work related activities, and resent the implication of a lack of trust that an overly authoritarian stance by their employer can convey.
So basically it’s a question of “where do you draw the line?”
When it comes to making decisions based on grounds other than security, views on this will vary from organisation to organisation depending on the “culture” that is in place. Just as you can walk into some car workshops and find the walls decorated with racy pictures of women, it would be unlikely that you would find the same phenomenon in an international law firm’s office (unless, perhaps, they were original Rubens’ art works…): in the same way, different types of organisations will take different views as to what kind of Internet content should be off limits on the basis that it is “inappropriate” (a word that crops up in a lot of Acceptable Use Agreements).
However, when it comes to deciding which categories of URLs to deny on the basis of potential compromise of information security, there is significantly less scope for debate. Allowing users access to web services that enable them to send or receive attachments bypassing perimeter controls that have been carefully put in place clearly results in an increased security risk - irrespective of where one stands on such questions as whether web sites falling into the “Provocative Attire” category should be on or off limits within the work environment on the grounds of “appropriateness”.
Of course, even where there is an undeniable increased security risk associated with allowing access to a particular type of site, there is still a judgement call to be made from an overall risk management perspective as to whether the increased security risk is overridden by some other factor which supports allowing access to that kind of site or service – user convenience, staff morale etc. However, that judgement call (it is recommended) should ultimately be taken outside of the IT / information security function, as it is a decision about what level of business risk the organisation’s senior management team collectively wishes to accept. In that scenario, the role of the IT / information security function is to ensure that the final decision is an informed decision, based on a real understanding of the increased security risk that an “allow” decision would bring.
Security Driven Recommendations
One of our clients recently asked us to create a policy document containing a set of detailed recommendations (and justifications) for the implementation of their web content filtering system – what categories of sites should be allowed, and which should be denied. The company was implementing this type of control for the first time and, anticipating resistance from the user community, the company’s senior management team wanted to satisfy themselves that the right balance was being struck between protecting the organisation and not being unnecessarily repressive. They also felt that if a policy document was published demonstrating that care had been taken in setting the restrictions based on a clear set of objective criteria, there would be a greater likelihood of acceptance of new restrictions by users.
Our brief was actually broader than looking at this purely from the information security angle – we were also asked to take into account legal issues and “management issues” (productivity etc.). However, given that this is a Safecoms Newsletter article we will focus on the conclusions that were reached on the basis of information security issues.
The starting point was to establish some basic criteria to determine whether a particular category of URL could potentially cause an increased security risk (other criteria were also established from the legal and management perspectives, but they are outside the scope of this article). These were as follows:
• Types of sites / services that could increase the threat of the introduction of Malware (including viruses, spyware or any other dangerous code) into the organisation’s systems
• Types of sites / services that could increase the risk of unauthorised disclosure of any data (other than that intended for the public domain)
• Types of sites / services that could provide the user with information or tools which may be directly or indirectly used to compromise the security of the organisation’s computer systems
• Types of sites / services that could result in existing security controls being bypassed
Applying these criteria, our recommendations were that the following categories of sites / services should (subject to any contrary overriding business criteria) receive a “deny” rating:
• Anonymisers - used to support hacking activities, and could result in other existing software control functions being bypassed
• Chat rooms - users can upload, download and share files bypassing normal controls
• Forums / Bulletin Boards (excluding legitimate technical / business forums) – significantly increases the risk of confidential documents and other data being uploaded to the Internet (and therefore entering the public domain) either intentionally or accidentally (we recently saw a spectacular example of this where a multi-tasking user inadvertently posted a highly sensitive corporate report on an Internet general news forum visited by millions daily – and once published, it could not be retrieved)
• Gambling sites – this category of site has a tendency towards harbouring malicious software which the user can inadvertently download
• Games sites – again, significantly increased risk of contact with malware
• Hacking sites – users can download tools such as password cracking or packet sniffing software
• Instant Messaging services - users can upload, download and share files bypassing normal controls
• Known Malicious sites – obviously
• Personal Network Storage / Personal Pages – users can upload sensitive documents or download illegal or banned material in an uncontrolled way
• Phishing sites – obviously
• Remote access sites (other than those services specifically set up for specified users) – potentially giving unauthorised “backdoor” access
• Shareware / freeware sites - again, significantly increased risk of contact with malware
• Web Mail services - users can upload, download and share files bypassing normal controls
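As an added illustration of the category-based allow/deny model described above (this is not code from the article, from the client engagement, or from any filtering product), the following Python sketch applies the recommended deny list to URLs. The category database, hostnames and exceptions list are constructed for the example; in a real deployment the categories come from the vendor’s URL database and the exceptions from the business overrides the article mentions (legitimate technical forums, remote access services set up for specified users). It also shows the one policy decision the article does not settle, namely what to do with a host the database has never categorised:

```python
"""Minimal category-based URL filter: classify a URL by host, apply the
deny-by-category rule, honour recorded business exceptions.
Added example; all hostnames, categories and exceptions are constructed."""
from dataclasses import dataclass
from urllib.parse import urlsplit

# Categories the article recommends denying on information-security grounds.
DENY_CATEGORIES = {
    "anonymisers", "chat", "forums", "gambling", "games", "hacking",
    "instant-messaging", "malicious", "personal-storage", "phishing",
    "remote-access", "shareware", "webmail",
}

# Constructed category database (hostname -> category). Vendor databases are
# keyed by URL and often classify at path level; a host map keeps this short.
CATEGORY_DB = {
    "mail.example-webmail.test": "webmail",
    "forum.example-news.test": "forums",
    "devforum.example-vendor.test": "forums",
    "remote.example-saas.test": "remote-access",
    "www.example-casino.test": "gambling",
    "intranet.example-corp.test": "business",
}

# "Contrary overriding business criteria": hosts allowed despite a denied
# category, with the justification recorded so the exception is auditable.
EXCEPTIONS = {
    "devforum.example-vendor.test": "legitimate technical forum",
    "remote.example-saas.test": "remote access service set up for specified users",
}


@dataclass
class Decision:
    action: str      # "allow" or "deny"
    category: str
    reason: str


def lookup(host: str):
    """Return (matched_host, category). Parent domains are checked so that a
    subdomain inherits its parent's category; unknown hosts are 'uncategorised'."""
    labels = host.split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in CATEGORY_DB:
            return candidate, CATEGORY_DB[candidate]
    return host, "uncategorised"


def decide(url: str, block_uncategorised: bool = False) -> Decision:
    """Apply the policy to one URL. block_uncategorised selects the stance on
    hosts the database has never seen (the article leaves this to the business)."""
    if "://" not in url:
        url = "http://" + url          # proxies usually see a bare host:port
    host = (urlsplit(url).hostname or "").lower()
    if not host:
        return Decision("deny", "invalid", "URL has no hostname")
    matched, category = lookup(host)
    if category == "uncategorised":
        if block_uncategorised:
            return Decision("deny", category, "unknown host; policy denies uncategorised sites")
        return Decision("allow", category, "unknown host; policy allows uncategorised sites")
    if category in DENY_CATEGORIES:
        if host in EXCEPTIONS:
            return Decision("allow", category, "business exception: " + EXCEPTIONS[host])
        return Decision("deny", category, "category is denied on security grounds")
    return Decision("allow", category, "category is permitted")


if __name__ == "__main__":
    # Constructed sample of requests as a proxy log would present them.
    for u in ("https://mail.example-webmail.test/inbox",
              "https://login.mail.example-webmail.test/",
              "http://devforum.example-vendor.test/t/123",
              "http://forum.example-news.test/post",
              "https://www.unknown-site.test/"):
        d = decide(u)
        print(f"{d.action:5} {d.category:14} {u}  ({d.reason})")
```

The exceptions table is deliberately separate from the category database: the category is a statement about the site, the exception is a business decision about this organisation, and keeping the reason beside the host is what lets the policy document show that each override was considered rather than quietly added.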
Other categories were denied as a result of the application of legal or “management” criteria (e.g. sex sites, sites dedicated to promoting criminal skills etc.).
Based on our experience of rolling out web content filtering policies, the recommendation that usually causes the biggest stir is the denial of web mail services. In addition to their “work” email account, most users also have a “private” web mail account (e.g. Hotmail) for mailing with their friends and family and for other non work related activities, and they expect to be able to access this on a regular basis during working hours. Indeed, it is not uncommon to find IT departments who rely on web mail services as a backup in case of emergency if their mail server goes down. However, the increased security threat – in terms of bypassing the established controls for mail (particularly attachments) coming through the organisation’s email system – is significant. This may well be an instance where an overall risk management judgement call needs to be made outside of the IT / information security function – but with a strong recommendation coming from that function.
Conclusions
New rules and restrictions are nearly always unpopular in the workplace. However, Safecoms’ experience has been that if a policy document is published explaining the underlying rationale for the restrictions and also demonstrating that there has been a carefully considered exercise based on the consistent implementation of objective criteria, the majority of people will come onside. This approach is particularly important in specialist areas like information security, where most users have very little awareness of the underlying issues (for example, it would be surprising if more than 10% of a typical user community had any idea that web gambling sites were notorious for harbouring malware).
It is also important that the implementation of these kinds of controls is demonstrably driven by the senior management team collectively, rather than by the IT department – particularly where a “deny” decision is based on legal or management criteria as opposed to pure information security considerations. Ultimately this type of control is all about managing the risks of the organisation in the broadest sense and – particularly if the new regime is likely to be perceived initially as restrictive or authoritarian – it is important that the management team collectively should stand up and argue the case, rather than ducking the issue saying “don’t ask me, it’s an IT thing…”
InfoAware
InfoAware is our training solution for User Awareness, IT Staff Awareness and Information Governance. Covering all the relevant topics required by international standards such as ISO 17799, it comprises a multimedia Video/DVD and Learning Management System. InfoAware is easy to deploy over the Intranet and can be used for induction and refresher training courses. InfoAware takes users through a multi-choice question and answer session on each topic and allows organisations to deploy additional training material and policy documents to all staff.
More details can be found at www.infoaware.com
Contact
Safecoms has operations in the UK and Australia, with representatives in the USA, Asia and the West of Scotland. If you would like someone from Safecoms to contact you please email us at info@safecoms.co.uk