FaceBook, Hairy Bikers and Learning Lessons from the Anti-Virus Industry
I can’t help predicting futility when I see stories about companies blocking FaceBook. For a long time the anti-virus industry has been forced to find better ways to detect and protect from “variations on a theme”, yet inside sources who implement web filtering at some big banks tell me filter rules in products are updated and maintained very much like early anti-virus applications. In fact I am told some products implement general block rules so there is no chance of getting access to the excellent cooking program on the BBC “The Hairy Bikers” (great Vietnamese crispy beef last week BTW) but Jamie Oliver is OK.
The economic model alone for this strategy to be effective in a world where we have added 20.4 million new web sites this year alone doesn’t pass the sniff test. Google has added 592,000 sites in July 2007.
How effective are these web filtering tools?

July 29, 2007 at 3:59 am
Web filtering started primarily to address productivity concerns; later it added value by blocking malicious websites too. Obviously you can’t block them all but you can block the most popular ones. If 90% of people like to waste time on sites A and B then that means that 90% of your employees do too. Then there is always the knowledge that you are being watched when you try something non-work related and you get your acceptable use policy displayed instead. That works as a deterrent for future violations.
I don’t understand the argument that AV is useless, it’s not. It’s not perfect but it does considerably reduce your risks. If it’s useless why don’t we just turn it off?
As for web filtering and productivity, there are other ways to waste time, reading magazines, gossiping with colleagues, looking out of the window, talking on the phone, talking on the mobile phone etc.
Web filtering purely for productivity control is an excuse for bad managers. They just don’t have any insight if their subordinates are productive or not. You don’t need a web filtering software to tell you someone is not performing well.
July 29, 2007 at 8:22 am
Osama
I think you have misinterpreted some things. There was never an argument that AV was “useless”. The argument was being made that the web filtering vendors could learn a lesson from the early days of the AV industry and not try to write singular signatures when the web is growing at a rate that it has no hope of keeping up with.
July 29, 2007 at 4:02 pm
In my opinion, web filtering is useless. Productivity a concern? Get rid of employees that slack off all day and don’t get anything done. Institute a network monitoring policy that states your internet browsing habits are logged and regularly reviewed for high-risk sites.
At this time in the industry, security personnel don’t deal with virus infections — we let the helpdesk and level 1 techs fix it. What I would do is set up a proxy with web filtering enabled, but allow you to confirm yes/no if you still want to view the site. So if a user goes to a porn site, the web filter detects it is porn, you allow the user to click yes or no to continue and the action is logged.
What do you guys think?
July 29, 2007 at 4:09 pm
Marcin
Thanks for the comment. I def agree that many things have been and should be operationalized. Many things in security are just part of everyday life. Way back when (showing my age) I remember having really strong arguments with an old boss who wanted to keep securID and password resets within info sec. I argued it was futile and much like never trusting your kids to go out on their own. At that time it was common for infosec to do user admin and things like fw provisioning. Thank god things have changed.
I also think web filtering is futile. Cleaning the web pipe from trojans or whatever makes sense, but thinking that shutting off access to facebook will stop people going to facebook in work time is purely futile. 3G phones alone, 3G and GPRS cards etc are all so common that it is better to spend the time and effort on education and culture IMHO.
July 30, 2007 at 2:26 pm
Web filtering is a bit touchy to me, and I really agree with most of the points given above! Besides, if someone is going to goof off at work, they will do so even if you block the obvious sites and methods. It just doesn’t work to have blacklists, whether detailed or extremely vague. That’s like trying to shut out part of someone’s life and who they are, when they are at work. That makes for unhappy employees…
I think there are only four things that should be blocked and should push web filtering:
1- porn sites and other flatly inappropriate content
2- blocking of stuff that sucks away too much bandwidth (YouTube, GoogleVideo, popular web radio sites…) Obviously you can’t keep up, but your network will breathe a bit easier and your entire campus/site can be more productive (even if the single user won’t).
3- stopping web-borne malware (basically AV for the web pipe - better than nothing)
4- log the rest so you can track back any incidents or infractions; not necessarily for managers to have something to do by reviewing all the sites you go to at work (this can make for an extremely oppressive work environment which itself can drive down productivity); it really shouldn’t be waved in employee faces, and rather used as a support for IT just like any logging mechanism.
July 30, 2007 at 4:22 pm
What’s interesting to me is the different categories that most of the vendors have.
The obvious ones:
Pr0ns
spyware
spyware callback
phishing
spam image repositories
shock sites (goatse, tubgirl)
And then some that are judgement calls:
political parties
pro-gun
pro/con abortion
swimsuit/intimate apparel
hacker
automotive
finance and investing
filter evasion/proxies
blogs
social networking sites
zombies
flyfishing
And then the responses:
block
warn
log and get on with it
direct notification of the legbreaking squad
I like this approach because it lets you pick how “free-love” or “batten down the hatches” you want to be–think IT security consultancy v/s government network v/s church youth group. Most people/organizations would come in along the more liberal side of the spectrum.
Important thing to remember is that none of these solutions are 100%, but who really cares? You’re not spreading malware (with notable exceptions), you’re just telling people that they can’t do something on your time with your equipment.
July 30, 2007 at 5:50 pm
Kinda like making a personal phone call on company time with company equipment?
August 4, 2007 at 8:43 pm
You’re right, content filtering is something which can only really effectively be used for stopping things getting in, not people getting out. However, if people are going to use facebook, I’d rather they did it on their phones and not on the company pcs. As long as they understand they are doing something wrong, then there’s no confusion when they get reprimanded.
If they are looking at porn on company time, they should get a warning from the filter, have it logged, and if it happens repeatedly, a warning from the company should follow.
Content filters will not do your policy work for you, but they can certainly make the enforcement clear, and can help to spread the word. In my last company, as soon as you logged onto the web in the morning you had to click a button which said “I abide by company policy” with a “click here to read it” in case you needed reminding.
All the techies surfed through the unfiltered lab connection instead…