Organisations have long struggled with how they should, or should not, monitor their employees' use of the internet and, more specifically, the Web and Web 2.0 tools. The prevalence of social media platforms and applications has increased the risk of security breaches on the network and highlighted the need for closer management. Given the range of security threats that can originate from social media sites, organisations need to be extra careful about their employees' use of those sites in the workplace.
While traditional security tools, such as URL filtering, firewalls, and Intrusion Prevention Systems, continue to play an invaluable role in perimeter defences, they do not identify, secure, or manage these new, highly evasive applications. Designed specifically to communicate, these applications are capable of hopping from port to port, using encryption and non-standard protocols, and tunnelling over HTTP to ensure a seamless end user experience. As far back as 2007, Gartner was saying that secure Web gateways must, at a minimum, include URL filtering, malicious-code detection and filtering, and application controls for popular Web-based applications, such as instant messaging and Skype, yet many organisations still have little if any control over Web 2.0 apps.
First and foremost, organisations seeking to protect their users, data and networks from Web-based threats must establish policies about acceptable use of all of their online tools: email, instant messaging, Web 2.0 applications, collaboration tools, and the Web itself. Successfully addressing the problems associated with the Web must start with an acknowledgement of the threat landscape and corresponding policies about how tools will be used before technologies are deployed to address the problems.
Furthermore, there must be buy-in across the organisation in order for policies to be effective. For example, a blanket prohibition by IT on the use of Twitter or Facebook may seriously impact a marketing department's effectiveness at building the corporate brand. Similarly, disallowing the use of unauthorised file transfer tools may prevent users from sending large files to prospects or customers in a timely manner. URL filtering can be an effective technique to help an organisation reduce its exposure to Web-based threats.
For example, using URL filtering can minimise employee access to obviously dangerous websites that have no legitimate business value, such as those focused on gambling, adult entertainment, shopping and other largely consumer-focused content. However, URL filtering is limited in its ability to protect against Web-based malware and other exploits. Databases of inappropriate or suspect sites are continually out of date, resulting in potential access to malware-laden sites that are not in the database, or in false positives - an inability to access a legitimate site that is mistakenly identified as off limits.
URL filtering does not provide a real-time defence capability, since URL databases are updated only periodically. Many websites are mash-ups that present content from a variety of sources - a single component on an otherwise safe site can expose visitors to malware. Furthermore, URL filtering is largely incapable of protecting against exploits that may come through Web 2.0 applications or via short URLs. Most Web 2.0 applications circumvent URL filtering technology through a variety of means, from HTTP tunnelling to port hopping. Equally, Web 2.0 sites such as Facebook contain tens of thousands of applets that do not use the HTTP protocol and so avoid Web filtering controls.
Today a large proportion of organisations lock down employees' computers, preventing access to various applications, denying them the ability to install unauthorised applications, not allowing them to have administrator rights, or preventing them from changing firewall settings. In the BYOD world, this isn't possible.
The use of application controls is essential to ensure that Web 2.0 applications like Skype, Twitter, peer-to-peer file-sharing software, streaming media and the like cannot be used in violation of corporate policies or best practices. These application controls should be sufficiently granular so that individual users or groups can be given access to specific applications while other users are blocked from accessing them.
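The two weaknesses of URL filtering described above (short URLs and mash-up components that a filter never looks at) and the per-group application controls described here can be shown together in one small policy evaluator. This is an added illustration, not code from the article or from any gateway vendor; the category database, the short-link map and the group policy are all constructed for the example.

```python
from urllib.parse import urlparse

# Constructed category database, standing in for a vendor's URL list.
CATEGORY_DB = {
    "casino.example": "gambling",
    "shop.example": "shopping",
    "news.example": "news",
    "ads.example": "malware",  # constructed: a compromised ad network embedded by mash-ups
}
BLOCKED_CATEGORIES = {"gambling", "adult", "shopping", "malware"}

# Constructed redirect map, standing in for a lookup against a short-URL service.
SHORT_URL_MAP = {"https://sho.rt/a1b2": "https://casino.example/promo"}

def categorise(url):
    """Map a URL to a category; unknown hosts are 'uncategorised' (the out-of-date-database case)."""
    host = urlparse(url).hostname or ""
    return CATEGORY_DB.get(host, "uncategorised")

def expand_short_url(url):
    """Resolve a short link to its destination before categorising it."""
    return SHORT_URL_MAP.get(url, url)

def filter_url(url):
    """Naive URL filter: decides on the requested URL only, so short links slip through."""
    return categorise(url) not in BLOCKED_CATEGORIES

def filter_page(url, embedded_origins):
    """Stricter check: decide on the expanded landing URL and on every component the page loads.

    Returns (allowed, offending_url); offending_url is None when the page is allowed.
    """
    for candidate in [expand_short_url(url), *embedded_origins]:
        if categorise(candidate) in BLOCKED_CATEGORIES:
            return False, candidate
    return True, None

# Constructed application-control policy: application -> groups permitted to use it.
# An empty set means nobody may use it (e.g. peer-to-peer file sharing).
APP_POLICY = {
    "twitter": {"marketing"},
    "skype": {"sales", "marketing"},
    "bittorrent": set(),
}

def app_allowed(app, user_groups):
    """Granular control: allow an application only for users in a permitted group."""
    return bool(APP_POLICY.get(app, set()) & set(user_groups))
```

Comparing `filter_url` with `filter_page` on the same short link shows why the gateway must expand the link and inspect each embedded component rather than the landing URL alone.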
Web exploits are a serious issue for any organisation, and they are getting worse. Growing use of the Web and Web 2.0 applications, coupled with increasing corporate reliance on cloud-based systems that employees access via Web browsers and the adoption of BYOD, is making organisations more vulnerable to a variety of Web-focused exploits and attacks. The cost of doing nothing to address the issue is enormous. An organisation's losses from even a single Web exploit can be in the millions of pounds in hard costs, not to mention the ongoing costs of a damaged corporate reputation, lost business from existing customers that switch to a competitor, lost business from prospective customers that will no longer consider a firm that has been victimised, and the loss of the competitive advantage that comes from using Web 2.0 tools securely.
We are now at a stage where it makes perfect business sense for organisations of all sizes to deploy a secure Web gateway, from vendors such as Actiance, Bluecoat, Clearswift, McAfee, or Cisco, that will protect against Web exploits on the corporate network in real time. Solutions that use both cloud-based and local content analysis techniques will safeguard the network against current and future security risks, as well as providing granular policy management and application controls that integrate with messaging security capabilities, and support for users who access the Web and Web-based applications on mobile devices.