Is Anybody Watching?
Everybody knows that many of today's compromised devices result from end user visits to infected Web sites or downloads of unapproved applications; however, few organizations are taking the time to carefully monitor or police people's online hygiene.
While many companies are beginning to look at application white-listing technologies, and organizations in heavily regulated industries such as financial services have tightened the clamps on larger numbers of users and begun restricting access to more sites, in particular social media applications, many companies are still not looking closely enough at this critical stream of intelligence, which could help them improve their security quickly, proponents of monitoring technologies claim.
Among those evangelizing the increased use of traffic monitoring for security purposes are a number of network management tools providers, who for the most part maintain that along with helping organizations ensure matters of uptime and performance, their technologies should be used by customers to play a larger role in driving security programs.
One such company that will be showing off a free, browser-based traffic monitoring tool at this week's RSA Conference 2009 is Cymphonix, which hopes that its Revealer, offered to organizations at no charge for a 30-day trial, will open some people's eyes about why they might be handling so many infected endpoints.
"Internet traffic is increasing at a rapid rate and most organizations do not have full visibility into the types of Web traffic and applications running on their respective networks. In addition, most organizations agree that employee use of inappropriate and bandwidth intensive websites can negatively impact security and productivity," the company said in touting its capabilities. "As Internet content such as YouTube, Facebook and MySpace continues to evolve, such inappropriate use will become even more prevalent. The key to achieving control over these impending challenges lies in an organization's ability to achieve true visibility into users, applications and threats."
Once companies gain an idea of where infections are coming from, they can funnel problematic users into security training programs, or simply begin shutting off access to unapproved sites, or classes of programs, the philosophy goes.
At the SOURCE Boston 2009 conference last month, a panel of experts speaking in a session devoted to bridging the gaps between security strategists and their line-of-business counterparts devolved at times into debate over whether companies should begin preventing more of their workers from visiting non-work sites using their company-issued computing devices or over corporate networks.
The group, which included both security consultants and business technology executives, specifically found itself hotly debating the prospect of social networking sites, many of which have harbored malware attacks, and the ability of organizations to retain top quality workers if they choose to become more restrictive with their usage policies.
"It's a challenge, because to enable collaboration we have to use collaborative tools, but my advice is that companies restrict something like social networking based on the security implications," said Adriel Desautels, a senior partner and co-founder at security consulting specialists Netragard LLC. "To be most secure, companies need to try to lock down everything as best as they can; you can take things like chat and e-mail and other tools and keep them inside your networks, and that's just as effective as open tools like Facebook."
The expert also contends that organizations face major security risks by allowing their employees to advertise their place of work on sites like MySpace and Facebook, as they create an opportunity for targeted attacks that use information or trust relationships gleaned from the Web 2.0 sites to create more believable social engineering campaigns.
At the same time, even some leading security experts maintain that users must be presented with a model that allows them more freedom than Desautels suggested.
"Today's workers need to have these tools to develop and maintain closer relationships, and many companies need to employ the types of creative people who want to use these sites," said Adam Shostack, a well-known security researcher employed by Microsoft, who challenged the consultant from the audience, noting that some top workers might not want to work for companies that tightly restrict access, especially younger professionals who have become dependent on social applications.
"People need a security model that aligns with both sides of this challenge," he said.
Is anyone in your organization actively policing your web habits? Should they be?
No matter what you think about tighter restriction of Web access, the answer would seem pretty clear.
Matt Hines has been following the IT industry for over a decade as a reporter and blogger, and has been specifically focused on the security space since 2003, including a previous stint writing for eWeek and contributing to the Security Watch blog. Hines is currently employed as marketing communications manager at Core Security Technologies, a Boston-based maker of security testing software. The views expressed herein do not necessarily represent the views of Core Security, and neither the company, nor its products and services will be actively discussed in the blog. Please send news, research or tips to SecurityWatchBlog@gmail.com.