Welcome to Volume 2, Issue 11 of The Internet Security Conference Newsletter, Insight. Insight provides commentaries and educational columns, authored by some of the best minds in the security community. Many of our columnists teach and speak at The Internet Security Conference. The editorial calendar at this time includes:
TISC is about sharing clue. So is the newsletter. We promise to provide something useful each issue. If we don't, flame me at mailto:dave@corecom.com.
Enjoy, and be safe,
Dave
In this issue, I'm including an editorial on content inspection. The column is neither intended as a promotion nor a disparagement of content inspection. It discusses what every organization should come to terms with when considering content inspection and security policy. This article was originally broadcast to WatchGuard LiveSecurity subscribers as one of a series of ongoing editorials Fred Avolio, Rik Farrow, and I publish monthly. Our thanks to WatchGuard for permission to redistribute this article.
In the beginning, content inspection programs were concentrated on discovering and eliminating viruses, worms, macros, malicious mobile code and other malware from files, mail, mail attachments, etc. These are worthy precautions and reason enough to implement content inspection. But it is "Cyber-slacking" -- employees spending a disproportionate time on-line in non-productive or irresponsible activities -- that has brought content inspection into the limelight. Whether the considerable hoopla over the purported dramatic rise is vendor push, yellow journalism, or an honest-to-goodness concern, cyber-slacking has become 'A Problem'. A Georgia Tech study reports that only 36% of the time employees spend on the Internet is work-related. In a 1999 CSI/FBI survey, 97% of companies reported employee abuse of Internet access. Some content inspection proponents claim that productivity loss associated with cyber-slacking is also measured in enterprise bandwidth that could have otherwise been put to better use. Think of large numbers of employees running streaming applications for Internet radio, stock and news tickers. It adds up.
This column is about what every organization should come to terms with when considering content inspection. This column is not intended as a promotion of content inspection. Organizations should evaluate for themselves whether recent studies are alarming or alarmist. If the decision is made to deploy content inspection, is the incentive to free bandwidth, protect information assets, or monitor acceptable use?
What is Content Inspection?
Content inspection is a form of network security where a program opens a transmitted packet to determine the nature of the content inside. Content inspection embraces a variety of content types, including mail messages and attachments, requested Web pages (URLs), downloadable executables, documents, presentations, spreadsheets and more.
The process of inspection includes automated and user-activated:
These functions are often accompanied by incident notification to the administrator and the user.
These and even more advanced context sensitive filtering techniques can be used to determine whether, by accessing or transmitting certain content, a user's behavior falls within acceptable use and non-disclosure policies (as configured into an inspection policy). "Web filters", for instance, can help protect an organization from liability when employees obtain illegal copies of software, MP3 audio files, etc. Take this seriously: the Business Software Alliance has filed suit against and earned substantial financial settlements from Temple University, America Life, and North End Composites for use of unlicensed software that may have been downloaded from the 'net (for details, visit http://www.nopiracy.com).
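As an added illustration of the inspection described above (not code from the newsletter or from any product), this Python example opens a constructed mail message, classifies each attachment by its leading bytes rather than its declared name, and applies an inspection policy. The policy table, rule-class names and sample message are assumptions made for the example.

```python
from email import message_from_bytes, policy
from email.message import EmailMessage

# Leading-byte signatures for a few content types (a small illustrative subset).
SIGNATURES = {b"MZ": "executable", b"ID3": "mp3-audio", b"%PDF": "pdf"}

# Hypothetical inspection policy: detected type -> (rule class, action).
# Security rules and acceptable-use rules are kept as distinct classes.
INSPECTION_POLICY = {
    "executable": ("security", "block"),
    "mp3-audio": ("acceptable-use", "report"),
}

def sniff(payload: bytes) -> str:
    """Classify content by its leading bytes, not the sender-chosen filename."""
    for magic, kind in SIGNATURES.items():
        if payload.startswith(magic):
            return kind
    return "unknown"

def inspect_message(raw: bytes) -> list:
    """Open a mail message; return one finding per attachment the policy covers."""
    msg = message_from_bytes(raw, policy=policy.default)
    findings = []
    for part in msg.iter_attachments():
        payload = part.get_payload(decode=True) or b""  # None for nested multiparts
        detected = sniff(payload)
        if detected not in INSPECTION_POLICY:
            continue
        rule_class, action = INSPECTION_POLICY[detected]
        findings.append({
            "filename": part.get_filename(),
            "declared": part.get_content_type(),
            "detected": detected,
            "rule_class": rule_class,
            "action": action,
            "notify": ["administrator", "user"],  # incident notification targets
        })
    return findings

def build_sample() -> bytes:
    """Constructed message: an executable named .pdf, an MP3, and a genuine PDF header."""
    m = EmailMessage()
    m["From"], m["To"], m["Subject"] = "user@example.com", "peer@example.net", "files"
    m.set_content("see attached")
    m.add_attachment(b"MZ\x90\x00" + bytes(16), maintype="application", subtype="pdf", filename="report.pdf")
    m.add_attachment(b"ID3\x03\x00" + bytes(16), maintype="audio", subtype="mpeg", filename="track.mp3")
    m.add_attachment(b"%PDF-1.4\n", maintype="application", subtype="pdf", filename="minutes.pdf")
    return m.as_bytes()
```

The attachment declared as `application/pdf` but carrying an executable header is reported under the security class, while the MP3 lands in the acceptable-use class, so the two kinds of finding can be handled under different rules.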
Appreciating the breadth of the problem
We live in an age where the Internet is fast becoming the de facto medium for publishing, collaboration, and information distribution -- whether in traditional on-screen data and print formats, or voice and video formats. This is likely to be a wonderful thing. "Everything over IP" is a decades-old mantra. When everything is over IP, "everything" will include phone and fax calls, video conferencing, broadcast television and radio.
For now, enterprises have the ungainly task of reconciling traditional and emerging policies across different media. Content inspection technology for packetized data is bleeding edge when compared to how we might go about monitoring telephone calls, fax transmissions, and snail-mail. This creates a conundrum: You can impose more stringent rules for appropriate use of one medium than for others, or you can strive for consistency in policy across all media. The real-time nature of Internet communications tempts organizations to impose stricter policies. In the long run, consistent policies will be easier to manage and enforce.
If you are not consistent, your employees will have a difficult time remembering what policy applies to what medium. They will also have a more arguable case should you attempt to take punitive action, to wit: "I'm allowed to bring Playboy magazine to my office, you even tolerated my posting of a centerfold behind my door, but you dismissed me for visiting http://www.playboy.com."
The need for consistency works both ways. Make sure your Internet use policy is as stringent as your other acceptable use policies, and consistent with federal, state, and local government guidelines.
Avoid throwing the baby out with the bath water
In developing your policies, consider employee benefits and entitlements. Internet access has become something most employees expect at work, as they do access to a phone. Before you tackle the non-trivial process of blocking sites, consider whether you would be as willing to manage your PBX such that only calls to business phone numbers can be placed. Think also about postal mail -- would you discard or return all non-business related mail?
Compare cyber-slacking against other idle time: Is it replacing it, or adding to it? Are employees decompressing on the 'net instead of in a lounge, or at an extended lunch?
My opinion? When you have an employee who is truly abusing Internet privileges, you have a problem that's not solved by a wholesale elimination of non-business use of the 'net. Your best bet? Let that employee surf freely at findaslackerajob.com and get him or her off your payroll.
A proposed "best practice" for applying content inspection
Separate proactive security countermeasures -- antivirus and malware scanning -- from appropriate use. Security countermeasures benefit everyone and are recommended whenever possible.
Don't develop your policy in a vacuum. Consider all the media your organization uses, and all existing policies. Define a single policy. Inform your employees that the policy applies to all media. Go so far as to enumerate the media. Obtain legal review, both to ensure you are within your rights to enforce your intended policy and to ensure you have protected your organization against criminal and civil liabilities. Then implement Internet content inspection in parallel with tools and practices appropriate to other media.
Wrapping your arms around the entire spectrum of appropriate use issues for all media before you apply content inspection on Internet access makes sense -- if for no other reason than the Internet may one day be your only medium.
About the Author:
David Piscitello is president and founder of Core Competence, Inc., and the founder of The Internet Security Conference. He is a member of the boards of advisors for Covad Communications, CoSine Communications, Villa Montage, and a member of the WatchGuard LiveSecurity Advisory team. David has been involved in the development of networking and internetworking technology for 25 years. He is a past Internet Area Director for the IESG and has written several Internet RFCs. He has authored books on internetworking and remote access, and publishes and speaks regularly on a variety of subjects including broadband local access, Internet security, Internet appliances, and virtual private networking.
© 1999-2006 Core Competence & Mactivity, Inc.