Study: Enterprise Filters Miss High-Risk Sites
Company filters are blocking sites based on mistaken assumptions that allow security risks to slip in, according to a new study
For most companies, blocking a cloud service such as Netflix is a no brainer, as it saps both bandwidth and productivity.
However, IT administrators need to think differently about cloud services to better secure their company and its data, Rajiv Gupta, co-founder and chief executive of cloud security firm Skyhigh Networks, told eWEEK.
In a study released last week, the company found that customers are more likely to block popular safe services than more risky services that could compromise security or cause data leaks.
The study, based on data from customers that use Skyhigh’s network monitoring service, found that 46 percent of firms blocked Netflix, 45 percent blocked Foursquare and 39 percent blocked Apple iCloud, but that no companies blocked MovShare, myCapture or FileFactory – all considered high-risk services by the firm.
“Companies are taking yesterday’s approach to blocking,” Gupta said. “IT is still taking a productivity and bandwidth based approach rather than risk-based approach to what they need to block.”
As a greater variety of cloud services appear, companies need a more risk-based strategy to determine which services employees can use, he said. With workers using an average of more than 500 different cloud services, the task is not an easy one.
Moreover, if employees are not educated about the reasons why certain services are blocked nor given alternatives, they will adapt as well, Gupta said. In one instance, a company blocked backup service Carbonite for fear that data would be leaked or exfiltrated using the service. Soon after, an employee started using another service known as Elephant Backup instead. Skyhigh rates Elephant as risky.
“What you find is that our IT organisation is so in the dark about what is risky that they are making the wrong decisions,” Gupta said.
Two big categories that are considered high risk are tracking services and development services, according to the report. Typical web tracking services, such as KISSmetrics and AddThis, do not deliver any value to a company but can offer attackers enough insight into employee habits to help target waterhole attacks. Such attacks find websites visited by company employees, attempt to compromise the sites and then deliver malicious code to employees through the sites.
Development services can be used as a way of exfiltrating data or as an infection vector. Even social media sites can be used to communicate data outside the company firewall, according to Gupta. One customer found a user who sent out a million tweets in a day, but in reality, their compromised systems was exporting data 140 characters at a time via the tweets.
“This is all about shedding light on shadow IT,” he said.
Are you a security pro? Try our quiz!