There may have been a time when blocking certain sites was acceptable in most office environments. But what was once considered off-limits is now essential in many organisations. Social media sites like Facebook are a major part of many companies' marketing strategy. Sites like YouTube present opportunities to share information about products or services visually. And IM and chat services like Gchat are free and efficient ways for employees to communicate.
"I think generally the business drives the policy," said Dave Torre, founder and Chief Technology Officer of IT consultancy Atomic Fission. "If you work at the Department of Defence, I don't think any time at a social networking site on a secure computer is acceptable. But if you work in a marketing department, 15 minutes a day isn't nearly enough. Obviously you have to use some common sense as an IT manager and say 'What does our organisation look like and how important are these tools on the internet for our users?'"
Still, there are sites that usually have no legitimate place in the office, like gambling sites, which often tend to be as sketchy as pornography sites, according to Torre. He said he often gets calls from clients seeking help after employees have accessed gaming sites, and have been hit with a drive-by malware download.
Unfortunately blocking certain sites, such as a gambling site, doesn't always work. Industrious employees can, and do, find ways around site restrictions at work, potentially putting your network, data and even intellectual property at risk, according to Hugh Thompson, Program Committee Chair of the RSA Conference and Chief Security Strategist at People Security.
"Some workarounds can be dangerous because they might create a channel that data can flow out through that is not managed or monitored. These types of bypasses might make defences like some data loss prevention systems less effective."
Here are five techniques, some simple, some more advanced, that your employees may be using to access the sites you don't want them to visit while on the job.
Workaround 1: Typing IP address instead of domain name
"In some cases, using the IP address of the blocked site can bypass checks that look for a domain name," said Thompson. "There are many websites that will give you the IP address for a favorite online destination."
As an example, check out the site baremetal.com where you can look up the IP address of just about any site. Plug that IP address into your browser, and it takes you there, bypassing the need to enter a domain name.
"The older style of approach here would be to use some sort of IP blacklist database," said Torre. "Many companies provide these. However, a better approach is to ignore the IP/URL altogether and examine the data on the web page itself. This is a little more resource intensive, but far more effective. It's much more accurate since a website such as Google or Yahoo can call data from other sites. The "parent" site would almost always be whitelisted, so any malicious or inappropriate content would also be trusted. Examining the content line by line regardless of where it comes from is recommended. "
Workaround 2: Finding a cached version
"You can also view the contents of many sites by accessing cached versions on search engines like Google," said Thompson. "Search providers, like Google, cache websites on a regular basis - which basically means that they save a version of the site on Google's servers. You can navigate to a cached site in Google by clicking the 'cached' button after the search result and you are still at an address run by Google that may be unblocked.
In other words, if an employee looks for a restricted site through a Google search, the search results will often offer a cached version of the site. Site restrictions can sometimes be bypassed by going to the cached version.
"From a security perspective, when a user surfs a web page from cache, the client workstation is actually talking to the cache holder rather than the original server," said Torre.
The strategy for the security department here is the same as with IP addresses: Disregard the URL and inspect the content itself, said Torre.