
Blocking Web Content

  • 30-09-2016 9:40am
    #1
    Registered Users Posts: 727 ✭✭✭


    Quick question aimed at getting an idea of what other organisations do in this area. We are a large company with 800 users, some of them quite tech-illiterate, and we block all the standard types of web sites using a web proxy. It works well generally.
    Recently, however, we are coming under pressure to allow Webex sessions, Dropbox and other business-related functions which are legitimately needed.

    Our main concern, and the reason for blocking these types of site in the first instance, is that we are trying to limit our exposure to malicious content on our network. We don't want someone syncing their Dropbox at home and then bringing that content in house. We also don't want individual users giving access into our network using GoTo, TeamViewer or similar.
    Do others allow this type of activity, and if so, do you rely purely on endpoint protection for detecting malicious files?

    Thanks


Comments

  • Registered Users, Registered Users 2 Posts: 3,809 ✭✭✭Speedwell


    I worked in the IT department of a multinational engineering corporation with more than 70K employees worldwide and a huge interest in patents and intellectual property. We also had to do some thinking about users sharing information over the Internet. Our feeling was that the Internet was an essential business tool, we set policy and treated users like adults, and if people were irresponsible with the rights we gave them, we dealt with it at a user training and user account policy level, not by hamstringing our "good" users. Reflect that no "foolproof" system survives the ingenuity of fools, and the only secure system is one that is completely disconnected from all other computers and has no means of input at all. If you have a problem with people misusing the system and refusing to adhere to policy, you have an HR and user account permissions administration problem, not a software or hardware issue.

    To me you are just infantilising your user base and being the productivity bottleneck.


  • Registered Users, Registered Users 2 Posts: 2,063 ✭✭✭ItHurtsWhenIP


    +1 on Speedwell's response. User training and ensuring compliance with HR policy is paramount.

    You should also consider, if you have some serious IP or sensitive data (PII) that you need to protect from being leaked, then you will need to look into a DLP solution.


  • Registered Users Posts: 727 ✭✭✭C.O.Y.B.I.B


    Speedwell wrote: »
    I worked in the IT department of a multinational engineering corporation with more than 70K employees worldwide and a huge interest in patents and intellectual property. We also had to do some thinking about users sharing information over the Internet. Our feeling was that the Internet was an essential business tool, we set policy and treated users like adults, and if people were irresponsible with the rights we gave them, we dealt with it at a user training and user account policy level, not by hamstringing our "good" users. Reflect that no "foolproof" system survives the ingenuity of fools, and the only secure system is one that is completely disconnected from all other computers and has no means of input at all. If you have a problem with people misusing the system and refusing to adhere to policy, you have an HR and user account permissions administration problem, not a software or hardware issue.

    To me you are just infantilising your user base and being the productivity bottleneck.

    I do agree with your point about the user base, and I have long been of the opinion that they should be treated like idiots until proven otherwise, but maybe that's an outdated opinion and, like the other poster says, better to work on training and developing robust policies with consequences.
    Thanks


  • Registered Users, Registered Users 2 Posts: 68,317 ✭✭✭✭seamus


    ^^
    I agree with Speedwell here.

    The attitude of "lock down everything" is old-fashioned at this stage, and most companies tend towards freer access to the internet that would have an early 2000s sysadmin screaming nowadays.

    Restricting web access is a "security through obscurity" technique. And it will fail. The more competent/inventive of your users will find ways around it, ways that get the job done for them and without any control on your part. Someone will find out some way to access an unsecured web portal running on an open AWS server that bounces an RDP-like session into their work computer and is 20 times less secure than just letting them use teamviewer.

    At the very minimum you should already have robust endpoint protection in place, along with well-defined access controls - software ones such as user permissions, as well as hardware ones such as firewalls to isolate server access from the general user population.

    Obviously some basic filtering needs to take place, such as removing access to outright porn, but to rely on it as a "job done" or front-line is to make assumptions about the security of your network that just aren't true.


  • Registered Users, Registered Users 2 Posts: 3,809 ✭✭✭Speedwell


    I do agree with your point about the user base, and I have long been of the opinion that they should be treated like idiots until proven otherwise, but maybe that's an outdated opinion and like the other poster says that work on training and developing robust policies with consequences.
    Thanks

    Well, I'm certifying in Salesforce administration at the moment so I have to put on hip waders before I get into the six plus levels of user security that Salesforce layer on top of each other like a Viennese torte :) Your approach is a bit outdated just because it seems from what you're saying that some users have too much access and some not enough to do their work. If you have a solution that uses account and object administration rules, you can fine-tune the access each person needs to each item, and be prepared to tell them "this is why your colleague has more rights than you do". The primary emphasis, in my opinion, is to prevent users from "social sharing" tactics like a senior engineer giving his secretary his user ID and password so she can do work for him while he's out of the office (we had to make this a potential firing offense!). Blanket policies that affect the entire user base with respect to an entire software package may be way too arbitrary for your needs.


  • Registered Users Posts: 727 ✭✭✭C.O.Y.B.I.B


    Speedwell wrote: »
    Well, I'm certifying in Salesforce administration at the moment so I have to put on hip waders before I get into the six plus levels of user security that Salesforce layer on top of each other like a Viennese torte :) Your approach is a bit outdated just because it seems from what you're saying that some users have too much access and some not enough to do their work. If you have a solution that uses account and object administration rules, you can fine-tune the access each person needs to each item, and be prepared to tell them "this is why your colleague has more rights than you do". The primary emphasis, in my opinion, is to prevent users from "social sharing" tactics like a senior engineer giving his secretary his user ID and password so she can do work for him while he's out of the office (we had to make this a potential firing offense!). Blanket policies that affect the entire user base with respect to an entire software package may be way too arbitrary for your needs.

    Thanks again, and to the other posters. I think it's time for a bit of a shakeup alright in relation to this. The tools and skills are there, but not the policies, so that's probably the starting point.
    Does anyone worry about malicious files coming onto the network through OneDrive/Dropbox etc., or is that the job of decent endpoint protection?


  • Registered Users, Registered Users 2 Posts: 68,317 ✭✭✭✭seamus


    My experience is that malware coming through cloud file services is relatively rare, since most people use them as file archives or file shares, so there's no reason for anyone to upload or run malware unless they expressly choose to. Ultimately email is still the primary vector here - hacked dropbox accounts sending "John has shared a file with you" emails.

    Malware simply sitting in a dropbox account won't do anything unless someone tries to run it. So your endpoint protection will quickly pick it up and delete (consequently deleting it from the user's home machine too).


  • Registered Users, Registered Users 2 Posts: 6,393 ✭✭✭AnCatDubh


    OP, if you have data which is sensitive or considered personal data then you may still have good reason to keep your tech in the age of central responsibility rather than the age of trust everyone.

    Don't get me wrong - when I first read your post I thought like others that policy was the cure for you, but by the end of reading everyone else's posts I think that only you may know the risk associated with the potential of data leakage from your organisation never mind malicious code.

    There may also be middle ground in the 'corporate' space. Dropbox will be quick to give you a call when they see x number of accounts assigned to your domain setup on free accounts, to encourage you to a dropbox enterprise edition account. This may be useful, as it gives what as a corporate body you need - that is visibility and manageability. Now that means that dropbox (and possibly others) are available for potential personal access and usage and this is where your organisation's policies (and might I add, more importantly the intent to use them), and continued education processes come into play.

    i.e. yes, of course you can use <our organisation's> Dropbox facilities, but policy will forbid the placing of certain data onto your personal Google account's Google Drive.

    We had something similar, and with similar concerns, and yes the temptation is to go back to the inkwell and quill and say no, but imho info security should be the enabler of getting business done and to do things efficiently. This has its compromises, costs, and consequences and it is important that your business understands what these compromises, costs, and consequences are.

    e.g. Compromise = allow use of any fileshare platform that you can get a free account on (sure it'll be grand lad, won't it?), Cost = free (woo hoo - the CFO will be pleased - I am a rockstar, maybe we can run our entire organisation from every staff member's bedroom), and potential Consequence is that oh f*ck, Johnny who left us in a sh*t storm has gigs of data gone into his personal Google account and we don't know what it is, whether it is important, who it affects, or if it causes us legal liability. Oh f*ck, the CEO ain't gonna like that one (I am no longer a rockstar but a washed-up has-been).

    Anyhow, you get the message.

    I don't disagree re: policy and I think policy is a good approach but responsibility is important too - both of your user base yes, but the corporate responsibility on your organisation too can't be ignored. If you are an organisation who doesn't have corporate responsibilities then maybe you don't have reason for concern.

    Like many things in the ICT world, info security may not be absolute but a considered exercise in risk management.


  • Registered Users, Registered Users 2 Posts: 134 ✭✭ishotjr2


    Yep, explain how much a sandboxing solution will cost possibly a SIEM also and then the overhead in support of managing DPI on SSL traffic and that any of these may not work at the end of the day.

    Look at using some kind of restricted cloud browser (e.g. https://www.authentic8.com/), I think may be a fair compromise, but not for file sharing.

    Like the other folks said, you're the only one who can do the risk analysis, and maybe there are other technologies that you can use to compromise.

