Workarounds: 5 ways employees try to access restricted sites
- 12 August, 2010 00:29
There may have been a time when blocking certain sites was acceptable in most office environments. But what was once considered off-limits is now essential in many organizations. Social media sites like Facebook are a major part of many companies' marketing strategy. Sites like YouTube present opportunities to share information about products or services visually. And IM and chat services like G-chat are free and efficient ways for employees to communicate.
"I think generally the business drives the policy," said Dave Torre, founder and Chief Technology Officer of IT consultancy Atomic Fission. "If you work at the Department of Defense, I don't think any time at a social networking site on a secure computer is acceptable. But if you work in a marketing department, 15 minutes a day isn't nearly enough. Obviously you have to use some common sense as an IT manager and say 'What does our organization look like and how important are these tools on the internet for our users?'"
Still, there are sites that usually have no legitimate place in the office, like gambling sites, which often tend to be as sketchy as pornography sites, according to Torre. He said he often gets calls from clients seeking help after employees have accessed gaming sites, and have been hit with a drive-by malware download.
Unfortunately, blocking a site such as a gambling site doesn't always work. Industrious employees can, and do, find ways around site restrictions at work, potentially putting your network, data and even intellectual property at risk, according to Hugh Thompson, Program Committee Chair of the RSA Conference and Chief Security Strategist at People Security. (Also see "Intellectual Property Protection: The Basics": http://www.csoonline.com/article/204600/intellectual-property-protection-the-basics.)
"Some workarounds can be dangerous because they might create a channel that data can flow out through that is not managed or monitored. These types of bypasses might make defenses like some data loss prevention systems less effective."
Here are five techniques--some simple, some more advanced--that your employees may be using to access the sites you don't want them to visit while on the job.
Workaround 1: Typing IP address instead of domain name
"In some cases, using the IP address of the blocked site can bypass checks that look for a domain name," said Thompson. "There are many websites that will give you the IP address for a favorite online destination."
As an example, check out the site baremetal.com, where you can look up the IP address of just about any site. Plug that IP address into your browser and it takes you there, bypassing the need to enter a domain name. (This only works when the server answers for its bare address; a shared host that selects the site from the HTTP Host header may return a different site or an error instead.)
"The older style of approach here would be to use some sort of IP blacklist database," said Torre. "Many companies provide these. However, a better approach is to ignore the IP/URL altogether and examine the data on the web page itself. This is a little more resource intensive, but far more effective. It's much more accurate since a web site such as Google or Yahoo can call data from other sites. The 'parent' site would almost always be white-listed, so any malicious or inappropriate content would also be trusted. Examining the content line by line regardless of where it comes from is recommended."
Workaround 2: Finding a cached version
"You can also view the contents of many sites by accessing cached versions on search engines like Google," said Thompson. "Search providers, like Google, cache websites on a regular basis, which basically means that they save a version of the site on Google's servers. You can navigate to a cached site in Google by clicking the 'cached' button after the search result, and you are still at an address run by Google that may be unblocked."
In other words, if an employee looks for a restricted site through a Google search, the search results will often offer a cached version of the site. Site restrictions can sometimes be bypassed by going to the cached version.
"From a security perspective, when a user surfs a web page from cache, the client workstation is actually talking to the cache holder rather than the original server," said Torre.
The strategy for the security department here is the same as with IP addresses: Disregard the URL and inspect the content itself, said Torre.
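As an added example that is not part of the original article, the following Python sketch shows what the URL-only filter defeated by Workarounds 1 and 2 actually misses, and how a filter can close both holes before falling back to the content inspection Torre recommends. The blocked domains, the FAKE_DNS table standing in for live resolution, and the Google cache URL form (http://webcache.googleusercontent.com/search?q=cache:<target>) are assumptions constructed for the demo.

```python
"""Added example (not from the article): why a hostname blocklist is bypassed by
an IP literal (Workaround 1) or a search-engine cache URL (Workaround 2), and a
filter that closes both holes before falling back to content inspection.

Everything here is constructed for the demo: the blocked domains, the FAKE_DNS
table standing in for live resolution, and the assumed Google cache URL form
http://webcache.googleusercontent.com/search?q=cache:<target>.
"""
import ipaddress
from typing import Dict, Optional, Set
from urllib.parse import parse_qs, urlsplit

BLOCKED_DOMAINS = {"casino.example", "bets.example"}

# Stand-in for DNS. A real filter resolves the blocklisted names itself and
# refreshes the set periodically, since the addresses behind a site change.
FAKE_DNS: Dict[str, Set[str]] = {
    "casino.example": {"192.0.2.10", "192.0.2.11"},
    "bets.example": {"198.51.100.7"},
}


def _hostname(url: str) -> str:
    return (urlsplit(url).hostname or "").lower()


def _matches_blocked_domain(host: str) -> bool:
    # Exact match or any subdomain of a blocked name.
    return host in BLOCKED_DOMAINS or any(
        host.endswith("." + d) for d in BLOCKED_DOMAINS
    )


def naive_is_blocked(url: str) -> bool:
    """The filter both workarounds defeat: it looks at the hostname only."""
    return _matches_blocked_domain(_hostname(url))


def unwrap_cache_url(url: str) -> Optional[str]:
    """Return the URL hidden inside a Google cache URL, or None if it is not one."""
    parts = urlsplit(url)
    if parts.hostname != "webcache.googleusercontent.com":
        return None
    q = parse_qs(parts.query).get("q", [""])[0]
    if not q.startswith("cache:"):
        return None
    target = q[len("cache:"):]
    # The cache: operator usually omits the scheme; normalise so urlsplit sees a host.
    return target if "://" in target else "http://" + target


def _is_ip_literal(host: str) -> bool:
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def hardened_is_blocked(url: str, dns: Dict[str, Set[str]] = FAKE_DNS) -> bool:
    """Unwrap cache URLs, then match either the name or the addresses it resolves to."""
    inner = unwrap_cache_url(url)
    if inner is not None:
        return hardened_is_blocked(inner, dns)
    host = _hostname(url)
    if _is_ip_literal(host):
        blocked_ips = set().union(*(dns.get(d, set()) for d in BLOCKED_DOMAINS))
        return host in blocked_ips
    return _matches_blocked_domain(host)
```

The naive filter passes both the IP literal and the cache URL; the hardened one unwraps the cache URL and compares an IP literal against the addresses the blocklisted names resolve to. That still covers only the names you already know about, which is why the advice in the article is to inspect the returned content regardless of URL.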
Workaround 3: Hiding behind encryption
Prefixing the web address with https:// instead of http:// will often reach the restricted site, sometimes as a stripped-down version of it, and can be used as another technique to gain verboten access: a filter that only inspects plaintext HTTP never sees the encrypted request.
"There is also SSH, encrypted SOCKS, all of these different alternative channels that masquerade as web traffic on not-so-intelligent network devices," said Torre. "They run on port 80 or port 443 and they run under the assumption that the network devices are going to assume it is web traffic and they have zero visibility into the channel. Once you have no visibility, you can do whatever you want."
"This has been a big challenge and was a hot topic at the last RSA Conference," said Thompson. "If the content is encrypted through a Secure Socket Layer (SSL) tunnel that begins at user machine A and continues to web server B, outside the company, it is very difficult to inspect."
Thompson said in response, many companies are now opting to implement web proxies and gateways that allow this type of content to be analyzed by creating a pit stop along the way. Torre offers similar advice.
(Also see "The 4 security rules employees love to break": http://www.csoonline.com/article/474078/the-4-security-rules-employees-love-to-break.)
"With the exception of an inline, or transparent, HTTPS proxy, you cannot sniff traffic inside of an encrypted session. It's just not possible," he said. "The only way around this is to put something in the middle that terminates your session and creates a new one."
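The "not-so-intelligent network device" Torre describes trusts the port number. As an added example (not from the article or either interviewee), this Python snippet classifies the first bytes a client sends on port 80 or 443 and flags flows that do not speak the protocol the port implies. The byte patterns come from the protocol specifications (the TLS record header, the SSH identification string, the SOCKS4/5 version bytes and the HTTP request methods); the flows in SAMPLE_FLOWS are constructed for the demo.

```python
"""Added example (not from the article): tell genuine TLS apart from SSH, SOCKS
or plaintext HTTP that a user has pointed at port 80 or 443 to slip past a
filter that trusts the port number. The byte patterns come from the protocol
specs (TLS record header, SSH identification string, SOCKS4/5 version bytes,
HTTP request methods); the flows in SAMPLE_FLOWS are constructed.
"""
from typing import Iterable, List, Tuple

HTTP_METHODS = (b"GET ", b"POST ", b"HEAD ", b"PUT ", b"DELETE ", b"OPTIONS ", b"CONNECT ")

# What a filter expects to see on each "web" port.
EXPECTED = {443: {"tls-client-hello", "tls-handshake"}, 80: {"http-plaintext"}}


def classify_first_bytes(data: bytes) -> str:
    """Classify the first bytes a client sends on a new connection."""
    if len(data) < 3:
        return "too-short"
    # TLS record: content type 0x16 (handshake), version 0x0300..0x0304.
    # TLS 1.3 still writes 0x0301 or 0x0303 in the record layer.
    if data[0] == 0x16 and data[1] == 0x03 and data[2] <= 0x04:
        # Byte 5 is the handshake message type; 0x01 is ClientHello.
        if len(data) >= 6 and data[5] == 0x01:
            return "tls-client-hello"
        return "tls-handshake"
    # SSH opens with a plaintext identification string, whatever the port.
    if data.startswith(b"SSH-"):
        return "ssh"
    # SOCKS5 greeting: version 0x05, method count, then that many method bytes.
    if data[0] == 0x05 and data[1] >= 1 and len(data) >= 2 + data[1]:
        return "socks5"
    # SOCKS4 request: version 0x04, command CONNECT (0x01) or BIND (0x02),
    # 2-byte port, 4-byte IPv4 address, NUL-terminated user id.
    if data[0] == 0x04 and data[1] in (0x01, 0x02) and len(data) >= 9:
        return "socks4"
    if data.startswith(HTTP_METHODS):
        return "http-plaintext"
    return "unknown"


def flag_masquerading(flows: Iterable[Tuple[str, int, bytes]]) -> List[Tuple[str, int, str]]:
    """Return (client, port, verdict) for flows whose payload does not fit the port."""
    alerts = []
    for client, port, first_bytes in flows:
        verdict = classify_first_bytes(first_bytes)
        allowed = EXPECTED.get(port)
        if allowed is not None and verdict not in allowed:
            alerts.append((client, port, verdict))
    return alerts


# Constructed flows: (client, destination port, first bytes sent by the client).
SAMPLE_FLOWS = [
    ("10.0.0.5", 443, b"\x16\x03\x01\x00\xa5\x01\x00\x00\xa1\x03\x03" + b"\x00" * 32),
    ("10.0.0.6", 443, b"SSH-2.0-OpenSSH_5.3\r\n"),
    ("10.0.0.7", 443, b"\x05\x02\x00\x02"),
    ("10.0.0.8", 80, b"GET / HTTP/1.1\r\nHost: www.example.com\r\n\r\n"),
    ("10.0.0.9", 80, b"\x04\x01\x01\xbb\xc0\x00\x02\x0a\x00"),
    ("10.0.0.10", 443, b"\x00\x00\x00\x0c\x06\x14\x00\x00\x00\x00"),
]

if __name__ == "__main__":
    for alert in flag_masquerading(SAMPLE_FLOWS):
        print("%s -> port %d carries %s, not what the port implies" % alert)
```

This catches tunnels that simply re-point SSH or a SOCKS proxy at port 443. A tunnel wrapped in a genuine TLS handshake classifies as TLS like any other HTTPS flow, which is exactly the case that needs the terminating proxy Torre describes.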
Workaround 4: Using proxy servers and other privacy-friendly tools
"Another bypass technique is to use proxy servers," said Thompson. "Employees can set up their browser so that their web queries go through an encrypted tunnel to an external server which may give them unrestricted online access."
GhostFox, a Firefox browser extension, has a privacy bar just below the URL bar where users can select a proxy that is privacy friendly. (Read more in "Anonymous proxy servers: Necessary or evil?".)
Torre said he has also seen an increase in the use of tools like Hamachi, a VPN tool for creating a direct tunnel to a server, and Tor, an 'onion router' that bounces Internet connections through a series of anonymous relays. While these tools were built with protecting privacy in mind, they are also being used by people who want to hide their internet activity from employers.
"It's a cat-and-mouse game. Whether you're talking about Hamachi or Tor, people are obscuring the traffic with encryption. A lot of enterprise-class filtering devices have very limited visibility into encrypted channels," Torre said.
"If the proxy server is unencrypted, then you can inspect the traffic and block either by blocking proxy connections at your firewall and/or by looking at web page content," said Torre.
If the traffic is encrypted with a tool like Tor, then blocking becomes difficult, if not impossible, said Torre.
"There may be ways to fingerprint Tor with something like an Intrusion Detection System," he said. "But remember that tools like Tor or Hamachi are highly decentralized and operate in a peer-to-peer fashion, which makes trying to keep track of IP blacklists an endless, uphill battle."
Workaround 5: Using smartphones
"The use of personal smart phones to stay connected to Twitter and Facebook is very common," said Thompson.
While using a personal smartphone isn't necessarily tampering with a company computer, it can still be a violation of policy if it is being used to access a blocked site. In some cases Facebook or YouTube may be blocked for productivity reasons. Accessing these sites on a smartphone while on the job is really no different from using the company's computer, because either way, company time is being wasted.
Options for security are limited here, unless the device is company issued.
"Devices such as Blackberries that are owned and managed by the business can be restricted through group policies and proxy servers, much the same way that laptops and desktops are," said Thompson. "For unmanaged and employee-owned devices there is little that can be done other than not allowing devices in the building. Ultimately, if a user wants to access the web from a personal device, there's not much that can be done to stop them."
"Smart phones or personal laptops that connect to sites via open Wi-Fi or cellular are very difficult to stop because the traffic is totally out of band and never touches your infrastructure," said Torre.
Torre said perhaps for some extremely secure organizations, such as a government agency dealing with very sensitive information, an RF firewall or something which blocks a signal might be considered. But that would be an expensive and extreme measure. For the most part, smartphone use is unstoppable unless well-meaning employees are willing to comply with a company rule not to use them.
"Workplace policies are your friend here," he said. (See "4 tips for writing a great social media security policy".)
And Thompson reminds us that employees' efforts to access blocked sites frequently aren't malicious at all.
"Ironically many employees are driven to bypass restrictions in order to do their jobs better," he noted. "It might be emailing a work document to a Gmail account to work on it from home, or using LinkedIn to stay in touch with potential clients. These productivity related bypasses are a clear sign that we need to do a better job at aligning corporate policy with employee needs."