I never cease to be amazed at the number of organizations that have no filter on their web content. I find myself pondering the reasons behind this—certainly some businesses have valid reasons for not filtering web content, but there are more than a few businesses that are simply unaware of the dangers posed to their IT environment by leaving known malicious websites open for access by their employees. Worse yet, some businesses know of the dangers and still take the gamble of leaving malicious sites unfiltered.
Securing your business’s IT environment from malicious web content begins with taking a basic, commonsense approach to reducing your risk of exposure to viruses, spyware and other forms of malicious software and/or malicious code.
A number of business leaders I speak with are surprised to learn that the sources of viruses and spyware can often be traced back to poorly defined outgoing firewall rulesets. One of the most important pieces of your firewall administration is the firewall ruleset. These rules define what kind of traffic comes in and goes out of your network; few things are more important to the security of your IT environment than your firewall and firewall administration.
So what’s the real risk of unfiltered, potentially dangerous web content? A ruleset that allows an employee to download music, play games online, and/or view websites in a category with a known high level of risk can lead to that employee’s computer, and other computers on the same network, becoming infected. Rulesets that define which sites employees can and can’t visit greatly reduce the risk of infecting your business’s whole network.
The greater challenge for most businesses is determining which sites are potentially malicious and which are generally safe. There are millions of websites on the internet, and several million of those websites contain malicious software or malicious code. So how do you reduce the risk of spam, adware, spyware, viruses and other malware on your organization’s network? The easiest way to protect your network from unsafe web browsing is to filter web content by category (rather than by individual sites).
Most firewalls have add-ons which allow for web filtering; however, on most firewalls, one must manually add each site to be blocked. At NetStandard, we typically recommend using a web filter device, such as Barracuda, because it has many more filtering categories, better reporting and much more flexibility with web filtering, which saves hours otherwise spent discovering and adding individual sites to be filtered.
If your business has not already done so, it should seriously consider blacklisting website categories for which there is no real business purpose. If your business has already limited its web content, then take some time to review what is blocked, determine if there are any gaps in what should be blocked, and then take the necessary actions to eliminate those gaps. According to a study conducted by OpenDNS, the top ten blocked categories on firewalls are as follows:
1) Pornography – 85%
2) Sexuality – 80.1%
3) Tasteless – 77.3%
4) Proxy/Anonymizer* – 76.2%
5) Adware – 69%
6) Nudity – 67.2%
7) Hate/Discrimination – 58.7%
8) Lingerie/Bikini – 58.5%
9) Gambling – 58%
10) Drugs – 57.3%
* Websites that allow users to hide their identity or circumvent the web content filtering set up on their networks.
Blacklisting these categories, and categories like these, on your firewall will not only help reduce the risk of your network being infected by malware, but it could also help improve productivity and lead to an overall healthier work environment.
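To make the category-based approach concrete, here is an added example (written for this post, not the author's code and not any vendor's product) of how a web filter decides requests by category rather than by individual site. The category database, the hostnames (all under the reserved .test domain) and the proxy log lines are constructed sample data; a real filter ships a vendor-maintained database. The blocked set is the top-ten list above, and the optional strict mode denies anything the database has not categorized.

```python
"""Category-based web filter: allow/deny decisions for outbound web requests.

Added example for this post, not the author's or any vendor's code. The
category database, the request log and the hostnames are constructed
sample data; a real filter ships a vendor-maintained category database.
"""
from dataclasses import dataclass
from urllib.parse import urlsplit

# Constructed sample category database: hostname -> category.
# The .test TLD is reserved for examples and never resolves on the internet.
CATEGORY_DB = {
    "example-casino.test": "Gambling",
    "free-proxy.test": "Proxy/Anonymizer",
    "adware-downloads.test": "Adware",
    "intranet.corp.test": "Business",
    "payroll-provider.test": "Finance",
}

# Categories blocked by policy: the top-ten blocked categories listed above.
BLOCKED_CATEGORIES = frozenset({
    "Pornography", "Sexuality", "Tasteless", "Proxy/Anonymizer", "Adware",
    "Nudity", "Hate/Discrimination", "Lingerie/Bikini", "Gambling", "Drugs",
})


@dataclass(frozen=True)
class Decision:
    allowed: bool
    category: str
    reason: str


def categorize(hostname: str) -> str:
    """Return the category of a host, walking up parent domains so that
    'www.example-casino.test' inherits the entry for 'example-casino.test'.
    Hosts absent from the database are reported as 'Uncategorized'."""
    labels = hostname.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        category = CATEGORY_DB.get(".".join(labels[i:]))
        if category is not None:
            return category
    return "Uncategorized"


def filter_url(url: str, block_uncategorized: bool = False) -> Decision:
    """Decide whether a request may leave the network.

    Blocking by category means a newly registered gambling or proxy site
    is denied as soon as the category database knows about it, with no
    per-site rule to add. block_uncategorized=True is the stricter
    'deny unless known-good' posture some regulated environments prefer."""
    host = urlsplit(url).hostname or ""
    if not host:
        return Decision(False, "Invalid", "request has no parseable hostname")
    category = categorize(host)
    if category in BLOCKED_CATEGORIES:
        return Decision(False, category, f"category '{category}' is blocked by policy")
    if category == "Uncategorized" and block_uncategorized:
        return Decision(False, category, "uncategorized site denied (strict mode)")
    return Decision(True, category, "allowed")


# Constructed proxy log: "<client-ip> <requested-url>", one request per line.
SAMPLE_PROXY_LOG = [
    "10.0.0.5 https://www.example-casino.test/play",
    "10.0.0.7 https://intranet.corp.test/home",
    "10.0.0.5 https://cdn.free-proxy.test/connect",
    "10.0.0.9 http://adware-downloads.test/setup.exe",
    "10.0.0.7 https://payroll-provider.test/login",
]


def blocked_report(log_lines):
    """Summarize denied requests as category -> list of client IPs, the kind
    of report used to spot which workstations keep hitting blocked categories."""
    report: dict[str, list[str]] = {}
    for line in log_lines:
        client, url = line.split(maxsplit=1)
        decision = filter_url(url)
        if not decision.allowed:
            report.setdefault(decision.category, []).append(client)
    return report


if __name__ == "__main__":
    for category, clients in blocked_report(SAMPLE_PROXY_LOG).items():
        print(f"{category}: {len(clients)} blocked request(s) from {sorted(set(clients))}")
```

Running the block prints one line per blocked category with the clients that triggered it; the same `blocked_report` output is what a reviewer would use when checking for gaps in what is blocked, since a category that never appears in the denied report may simply not be on the list yet.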
For some organizations, such as financial institutions, the standard for firewall rulesets is even higher. For example, in the FFIEC IT examination procedures, examiners for FFIEC-covered financial organizations are to “confirm that the [firewall] ruleset is based on the premise that all traffic that is not expressly allowed is denied.” Simply stated, deny everything except that which is needed to function. This is a fairly extreme practice for most organizations, but it’s certainly a point worth considering if your company stores personal and/or financial information. If your organization is regulated, then you will want to ensure your firewall practices are in accordance with the regulator’s guidelines.
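The difference between a blocklist ruleset and the "everything not expressly allowed is denied" posture quoted above is easiest to see by evaluating the same outbound traffic against both. The following is an added example written for this post, not the author's code, any firewall vendor's syntax or FFIEC material; the rules, the addresses (RFC 5737 documentation ranges) and the sample flows are constructed. Each ruleset is evaluated first-match, and the only real difference is what happens to traffic no rule mentions.

```python
"""Egress ruleset evaluation: permissive blocklist versus default-deny allowlist.

Added example for this post, not the author's code or any firewall vendor's
syntax. The rules, addresses (RFC 5737 documentation ranges) and flows are
constructed sample data.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Rule:
    action: str           # "allow" or "deny"
    proto: str            # "tcp", "udp" or "any"
    dst_net: str          # destination CIDR
    dst_ports: frozenset  # empty set means any port
    comment: str


@dataclass(frozen=True)
class Flow:
    proto: str
    dst_ip: str
    dst_port: int


def rule_matches(rule: Rule, flow: Flow) -> bool:
    if rule.proto != "any" and rule.proto != flow.proto:
        return False
    if ip_address(flow.dst_ip) not in ip_network(rule.dst_net):
        return False
    if rule.dst_ports and flow.dst_port not in rule.dst_ports:
        return False
    return True


def evaluate_flow(rules, flow: Flow, default: str) -> tuple[str, str]:
    """First-match evaluation. The 'default' is what happens to traffic no
    rule mentions; 'deny' is the posture the FFIEC procedure asks for."""
    for rule in rules:
        if rule_matches(rule, flow):
            return rule.action, rule.comment
    return default, f"implicit {default}: no rule matched"


# Permissive posture: block a known-bad range, let everything else out.
BLOCKLIST_RULESET = [
    Rule("deny", "any", "203.0.113.0/24", frozenset(), "constructed 'known malicious' range"),
]

# Default-deny posture: only services the business needs are expressly allowed.
ALLOWLIST_RULESET = [
    Rule("allow", "udp", "192.0.2.53/32", frozenset({53}), "internal DNS resolver"),
    Rule("allow", "tcp", "192.0.2.80/32", frozenset({3128}), "web proxy running the category filter"),
    Rule("allow", "tcp", "192.0.2.25/32", frozenset({25, 587}), "outbound mail relay"),
]

# Constructed outbound flows from workstations.
SAMPLE_FLOWS = [
    Flow("udp", "192.0.2.53", 53),        # DNS via the approved resolver
    Flow("tcp", "192.0.2.80", 3128),      # web browsing via the filtering proxy
    Flow("tcp", "198.51.100.10", 443),    # direct HTTPS, bypassing the proxy
    Flow("tcp", "203.0.113.5", 80),       # HTTP to the known-bad range
    Flow("tcp", "198.51.100.20", 6667),   # IRC-style port, no business purpose
]


def compare_postures(flows):
    """Return {flow: (blocklist_action, allowlist_action)} to show what each
    posture lets out of the network."""
    results = {}
    for flow in flows:
        permissive, _ = evaluate_flow(BLOCKLIST_RULESET, flow, default="allow")
        strict, _ = evaluate_flow(ALLOWLIST_RULESET, flow, default="deny")
        results[flow] = (permissive, strict)
    return results


if __name__ == "__main__":
    for flow, (permissive, strict) in compare_postures(SAMPLE_FLOWS).items():
        print(f"{flow.proto}/{flow.dst_ip}:{flow.dst_port:<5} blocklist={permissive:<5} default-deny={strict}")
```

Under the blocklist only the one range the administrator already knew about is stopped; the direct HTTPS connection that bypasses the filtering proxy and the traffic on an unexpected port both leave the network. Under default-deny those flows are dropped without anyone having to anticipate them, which is the point of the "not expressly allowed is denied" premise: the ruleset documents what the business needs, and everything else, including sites nobody has categorized yet, fails closed.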
Taking the simple step of limiting what is allowed to come in and out of your network via firewall rulesets is an easy way to reduce the risk of having your network compromised, and doing so just might save your organization the headache of having to deal with unnecessary network disruptions, loss of data, loss of money and the loss of your organization’s good reputation with the public. What Benjamin Franklin said in 1735 still holds true today: “An ounce of prevention is worth a pound of cure.”