
Web Content Filtering – The Time is Now

June 30, 2006

Background and Assumptions

There’s a standard consulting proverb that warns against celebrating after solving your number one problem, because at that very instant, number two gets promoted and you’re back where you started. Similarly, as network administrators we sometimes feel smug knowing we’ve implemented a solid firewall to fortify our network perimeter. But, once it is secured and outsiders are kept at bay, the next biggest threat, attacks coming from the inside, becomes the number one pervasive threat.
It’s not that your employees are suddenly all untrustworthy, only that a common behavior formerly considered benign is now highly risky. Surprisingly, that common act is simple internet web browsing.

What are the Risks?

Unrestricted web browsing brings with it some obvious problems: lost productivity, bandwidth hogging by streaming media (including internet radio and rich media advertisements), and the presence of content that may be construed as creating a hostile work environment.
Employees may also use web access to subvert corporate usage policies. For example, web-based mail permits access to personal email that may include attachments which are invisible to both the corporate and desktop anti-virus software.
It gets worse.
Just by browsing certain websites, malicious software (also known as “malware”) can be automatically downloaded and installed on an employee’s machine. This type of software includes adware, spyware, ActiveX components, and keystroke loggers. In their mildest form, they can take over a user’s home page and present a flurry of pop-up ads. More insidious software can capture keystrokes (logon credentials, passwords, social security numbers; anything!) and transmit that information outside your network to a third party.
Currently the most popular web browser in use is Microsoft’s Internet Explorer (IE). Some users are not even aware that there is a choice of web browsers, including Netscape, Firefox, Mozilla, and Opera. Among businesses, the use of IE is probably even higher than in the general population because many vendor partners require it in order to use their online applications. This popularity of IE is regrettable because its design makes it the most prone to rogue installation of malware.

How did we get here?

Microsoft integrated functions into IE that made it easier to install and run software from within it. This was done for competitive reasons but the net result was that this feature was to become its Achilles’ Heel. Virus & Trojan authors began to leverage some of this operating system integration to get their malware on users’ machines.
Other avenues of infection exploit bugs in IE such as the recent vulnerability which gets triggered by the display of photos on a web page. Users did not have to click anything; just browsing a site with hacked images could infect them.

Steps for Avoidance

In most cases, victims of these browser exploits could have saved themselves if they had simply stayed out of “bad neighborhoods” on the web. Some organizations have responded to this by configuring firewalls (or web proxies) to limit access to an explicit list of permissible sites. Whitelisting, as this practice is known, works but requires frequent updates and can often be an impediment to business when site access is necessary for a non-listed location.
A more flexible approach is the use of a web content filter (WCF) system. A WCF acts as a go-between for your browser and the web. When a user enters a web address, or clicks a link on a page, the request is sent to the WCF, which checks its internal database of websites to see whether the target site is permissible or not. Blocked requests are dropped, and the user is presented with a canned “Access Denied” page. WCF systems break the web down into categories (for example: Shopping, Games, Gambling, Sports, Adult, etc.), which permits administrators to granularly define categories to block. Further, job-role-based group policies can be created that allow, for example, staff to see one class of sites, and management another.
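The lookup described above can be sketched as a small decision function. This is an added example, not code from the article or from any WCF product; the database entries, the group names, and the "Web Mail", "Business" and "Uncategorized" categories are assumptions made for illustration.

```python
from urllib.parse import urlsplit

# Constructed category database: site -> category. A real WCF ships a
# vendor-maintained database; these entries are illustrative only.
CATEGORY_DB = {
    "shop.example": "Shopping",
    "casino.example": "Gambling",
    "scores.example": "Sports",
    "webmail.example": "Web Mail",
    "bank-partner.example": "Business",
}

# Hypothetical role-based group policies: categories each group may NOT visit.
GROUP_BLOCKS = {
    "staff": {"Shopping", "Gambling", "Sports", "Web Mail", "Uncategorized"},
    "management": {"Gambling", "Web Mail"},
}

# Whitelist-only groups ignore categories and may reach only the listed sites.
GROUP_WHITELIST = {"teller": {"bank-partner.example"}}


def categorize(host):
    """Match the host or any parent domain, label by label, against the database."""
    labels = host.lower().rstrip(".").split(".")
    for i in range(len(labels) - 1):
        candidate = ".".join(labels[i:])
        if candidate in CATEGORY_DB:
            return candidate, CATEGORY_DB[candidate]
    return None, "Uncategorized"


def decide(group, url):
    """Return (action, category) for a request made by a member of `group`."""
    host = urlsplit(url).hostname or ""
    site, category = categorize(host)
    if group in GROUP_WHITELIST:
        action = "ALLOW" if site in GROUP_WHITELIST[group] else "BLOCK"
    elif group not in GROUP_BLOCKS:
        action = "BLOCK"  # unknown group: fail closed
    else:
        action = "BLOCK" if category in GROUP_BLOCKS[group] else "ALLOW"
    return action, category
```

Matching whole domain labels rather than substrings keeps a look-alike host such as notcasino.example from inheriting the category of casino.example, and the treatment of uncategorized sites is a per-group policy choice.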

"We have met the enemy and he is us"
(Walt Kelly's Pogo)

In many organizations, it is often not the line employees who are bringing in malware, but managers themselves who are reluctant to restrict their own unfettered access to the internet. Your IT staff already knows this but they may be reluctant to confront you. Because infections can occur without any specific action on your part, you need to face the reality that your own web browsing needs to be reined in. Do recreational surfing at home; don’t introduce risk into your institution.

Recommendations for IT managers

  1. Create a strict Web Usage Policy to supplement your Acceptable Use Policy.
  2. If practical, consider an alternative to IE. Firefox is not immune to exploits, but historically, bugs have been acknowledged and fixed more quickly than those in IE.
  3. Restrict browsing by implementing a Web Content Filter; if reasonable, consider a whitelist only.
  4. Log all web usage. Reports can be used to discover violators both by content and volume. Documentation may also be legally required in some disciplinary situations.
  5. Implement an Intrusion Detection System (IDS) to catch malware as it arrives. Even known reputable websites can be hacked and caused to deliver an ugly payload. An IDS is the best method to detect the installation of rogue software giving you time to speedily contain any damage.
  6. When vendors or visitors must be provided with internet access, segregate this uncontrolled traffic by creating a DMZ on your firewall that will limit their ability to access your internal network.
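
Recommendation 4 calls for reports that surface violators by content and by volume. The following added example (not from the article or any product) builds such a report from filter log lines; the log format, user names, thresholds and the "StreamingMedia" category are assumptions, and the sample lines are constructed.

```python
from collections import Counter, defaultdict

# Constructed filter log lines in an assumed format (not a real product's):
# timestamp user action category bytes url
SAMPLE_LOG = """\
2006-06-30T09:01:12 alice ALLOW Business 18230 http://bank-partner.example/rates
2006-06-30T09:03:40 bob BLOCK Gambling 0 http://casino.example/slots
2006-06-30T09:04:02 bob BLOCK Gambling 0 http://casino.example/poker
2006-06-30T09:10:55 carol ALLOW StreamingMedia 48200311 http://radio.example/live
2006-06-30T09:11:07 bob BLOCK Adult 0 http://adult.example/
2006-06-30T09:15:30 carol ALLOW StreamingMedia 51077420 http://radio.example/live
2006-06-30T09:20:01 alice BLOCK Shopping 0 http://shop.example/cart
this line is malformed and must not stop the report
"""


def parse(line):
    """Return a record dict, or None for a line that does not fit the format."""
    parts = line.split(None, 5)
    if len(parts) != 6 or parts[2] not in ("ALLOW", "BLOCK") or not parts[4].isdigit():
        return None
    _ts, user, action, category, size, _url = parts
    return {"user": user, "action": action, "category": category, "bytes": int(size)}


def report(log_text, block_threshold=2, byte_threshold=50_000_000):
    """Summarise violators by content (blocked requests) and by volume (bytes)."""
    blocked = defaultdict(Counter)  # user -> category -> blocked request count
    volume = Counter()              # user -> bytes transferred
    skipped = 0                     # malformed lines, counted rather than dropped silently
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse(line)
        if rec is None:
            skipped += 1
            continue
        volume[rec["user"]] += rec["bytes"]
        if rec["action"] == "BLOCK":
            blocked[rec["user"]][rec["category"]] += 1
    by_content = {u: dict(c) for u, c in blocked.items()
                  if sum(c.values()) >= block_threshold}
    by_volume = {u: b for u, b in volume.items() if b >= byte_threshold}
    return by_content, by_volume, skipped
```

Counting unparseable lines instead of discarding them matters when the report may serve as documentation: a gap in the log should be visible in the output.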

For the safety and security of your organization, unrestricted use of the web must now come to an end.

Assurity River Group can help with Information Security Practices

Assurity River Group offers specific services to help you assess and improve your information security program:

  1. Our comprehensive Risk Assessment will provide you with detailed, practical findings.
  2. Assurity River Group’s Information Security Program Charter and policy architecture define a policy structure that starts with board approved policies and extends down to specific policies that protect all information assets.
  3. Our consultants can help you with mitigation projects that resolve numerous vulnerabilities with one effort, while improving your overall security stance on an ongoing basis.
  4. Assurity River Group offers Managed Security Services such as Web Content Filtering, and Intrusion Detection and Prevention that will aid in the protection of your computer network.

Assurity River Group’s consultants are available to assist you, regardless of where your institution is in the development of a complete and effective information security program.
Contact Jeff Olejnik (jolejnik@assurityriver.com) at 651.259.6888 for more information.