Why Enterprises Shouldn't Limit Web Traffic
NEWS ANALYSIS: The business world is deathly afraid of allowing workers to access any site on the Web. A new attack called Nine-Ball, which targets legitimate sites and then redirects users to malicious sites, is just the latest security issue that keeps IT administrators up at night. But in the long run, blocking employee access to Websites might be a mistake.
It's become commonplace in the business world to limit employee Web traffic. At many firms, regardless of their industry or size, IT managers are being asked to block access to some sites and, in some cases, limit the amount of time users spend on the Web. By doing so, they can limit the impact malware could have on the network as employees spend time surfing the Web. They also believe that the more employees visit their favorite sites and check their email, the less productive they are. And that translates to poorer business performance.
To some, that argument might make perfect sense. And it's only bolstered by the recent report that over 40,000 Websites have been compromised in a mass attack.
According to researchers at Websense, an attack called Nine-Ball has targeted legitimate sites and redirected users accessing those pages to a malicious site. The attack is the result of a Trojan that used FTP credentials to input automated bots on the sites. When a Web surfer visits a site that has been infected, they are brought to a page that contains the exploit code. The person is then pelted with drive-by attacks that attempt to exploit Microsoft, Adobe Reader, and QuickTime vulnerabilities. So far, Websense said the Trojan has a very low detection rate.
For some companies, that's all they need to know. There are real threats on the Web and if an employee makes even one mistake, they can be subject to malware that could put the entire network in danger. The end result could be lost, or worse, stolen data.
But perhaps that solution is nothing more than a quick fix to a much broader issue. The reality is this: more malware than ever is affecting company networks, even though the enterprise is doing everything it can to limit the amount of access employees have to the Web. Doesn't it stand to reason, then, that if blocking their access was such a smart move, it would actually work to limit company-wide outbreaks?
Companies don't need to limit the amount of access employees have to the Web -- they need to learn how to more effectively deal with the threats.
Nowhere is that more evident than in employee education. Simply blocking an employee's access to certain sites won't help the company stay safe. Malware is a real issue today because most people don't know what they have to do to keep themselves safe. Does a company's employee know not to open attachments from someone using an unknown e-mail address? Do they know not to visit untrustworthy pornographic sites? Do they know not to click on every link they see without making sure they're being redirected to the desired page? Do they know what phishing is and why it's such a major concern? Do they have apps installed on their computer that are designed to warn them about possibly malicious sites? And do they know how to react to those warnings?
These are some basic questions that most companies would probably answer "no" to. Most companies don't do enough to educate their employees. And in general, they simply look towards the easy solution -- blocking Web traffic -- instead of looking for the smart solution: educating employees on the perils of the Web. If employees don't know any better, how can they be expected to stay safe when faced with an attack like Nine-Ball? That Trojan uses trusted sites to gain access to a person's computer. Only education can stop it.