Category Archives: Security Threats

U.S. Department of Justice Monitors Web Use with Cyfin Reporter

The U.S. Department of Justice (DOJ) recently renewed Cyfin Reporter for the seventh consecutive year.  Cyfin Reporter enables the DOJ to conduct up to 100,000 employees’ Web usage simultaneously. The Department continues to use Cyfin Reporter because of its robust performance, accuracy and scalability and the many benefits it provides, i.e., improved productivity and decreases in bandwidth consumption, legal liability and security threats.

It’s important for employers to ensure that their employees are using the Internet in a productive manner and are not accessing sites that hurt productivity or degrade network performance.  Cyfin Reporter helps organizations do this by providing actionable and accurate employee Web-use investigations. Its features include automatic abuse detection, interactive drill-down, and a report scheduler that runs and distributes reports automatically.

Dennis McCabe, Vice President of Business Development at Wavecrest Computing, states, “the great thing about Cyfin Reporter is that it not only allows organizations to monitor ‘bad’ sites, but it also allows them to monitor those sites that employees should be utilizing on a regular basis, e.g., the company’s Web site or intranet.”  This is what makes Cyfin Reporter a truly effective tool for managing Web use.

For 12 years, Wavecrest Computing has been providing Internet filtering and monitoring solutions to business, government, and educational organizations worldwide.  Wavecrest’s customer base includes well-known names such as the Department of Veterans Affairs, Procter and Gamble, Burlington Northern Santa Fe Railway, Bridgestone, Mazda and many others.  Government agencies and educational institutions can purchase Wavecrest products through GSA’s Federal Supply Schedule at a substantial discount.

Are Some Web Domains More Dangerous Than Others?

The simple answer is “yes.”

A recent report published by McAfee showed that specific country domains and some generic domains are more dangerous than others. The most dangerous country domain is Hong Kong (.hk) with 19.2% of sites posing a security threat to visitors. Second to Hong Kong was China (.cn) with just over 11% of sites found to pose a security threat. The most dangerous generic domain is .info with 11.8% of sites posing a security threat, while government sites (.gov) still remain the safest domains.

The report also revealed that security threats from surfing the Web have increased 41.5% over 2007. So then the question becomes, “how can I protect my Internet users from accessing these sites that are prone to harboring spyware, adware, viruses, etc.?”

There are several steps you can take to help protect your network from a Web-use management perspective.

  1. If you have CyBlock, you can block access to those domains that are the most dangerous by using the wild card option in a custom category. Assuming that access to these domains in your workplace is not needed for the majority of Internet users, then simply blocking the domains is a good way to keep users from accessing them on purpose or on accident. Should a user ever have a need to access a legitimate site with that domain, then it can simply be added to an allow list in either a custom category or one of the other 69 predefined Wavecrest categories that you allow.
  2. If you are using Cyfin, while you can’t block sites with a particular domain, you can still track access to them by using a custom category and running a report against that category to see if there is any activity in those domains.
  3. Also be sure to monitor and/or block the existing Spyware/Malicious, Phishing/Fraud, Public Proxy, and Hacking categories to help protect your network.
  4. Finally, the most important step you can take to ensure that your Internet users are surfing safely is to make them aware of Web security threats and the type of sites that are more likely to harbor them.

Controlling Spyware with Cyfin and CyBlock

Introduction
Spyware – software that tracks Web surfers’ activity without their knowledge and sends the information back to a third party – is a growing concern for IT administrators. Spyware can compromise security, consume bandwidth and slow networks to a crawl. The good news is you can help protect your network from spyware with Cyfin and CyBlock software.

Spyware Problems
Spyware can get into your computer(s) very easily, and it can be extremely hard to detect. Most employees never realize their computers are infected, and those that do have no idea how it happened.

Because spyware enters a user’s system with “legitimate” traffic through an open Internet port, firewalls are not an adequate defense. Spyware remains undetected by firewalls designed to block suspicious inbound traffic rather than monitor the heavy outbound activity spyware generates. (Inbound spyware doesn’t look suspicious.)

Wavecrest Solutions
Your Cyfin web monitoring software or CyBlock web filtering software can help identify spyware and reduce your risk of downloading it in the future.

1) Use reporting tools to spot spyware activity with Cyfin or CyBlock.

A. Look for unusual patterns of Web activity. Run a Site Analysis report at least once a week and be alert to changes in the volume and pattern of outbound Web activity. For example, if a single user is suddenly logging thousands of visits a day, chances are it’s a spyware issue. That’s because “human” activity is usually more random than spyware activity. Here’s another clue. If you notice that every morning at 3 a.m. a user appears to be accessing the same Web site repeatedly, most likely the activity is being automatically triggered by a spyware program.

B. Watch the IP Address category. High activity in this reporting category should raise a red flag for administrators. Most spyware programs send information back to an IP address, while actual user activity is almost always driven by a domain name. Wavecrest software will categorize all IP Address activity automatically. High traffic volume here warrants further investigation.

C. Identify the source of the problem. Dig deeper by running a Category Audit Detail report to uncover both the spyware site and the affected user. If your Category Audit Detail report shows an unusual number of hits to a specific Web site, that site is most likely the source.

2) Use CyBlock’s filtering tools to control surfing.

A. Create a strict “allow” list. One way to prevent spyware is to strictly control employee Internet access. With CyBlock, you can limit online access to only the Web sites you know to be trustworthy and automatically block access to any Web site not on your “allow” list.

B. Block access to social networks high-risk sites. Another less restrictive way to minimize exposure to spyware is to block user access to high-risk site categories. These include spyware/malicious, hacking, phishing/fraud, music downloads, download sites, social networks, games, chat and pornography.

3) Update your Web-use management tools.

A. Update your Acceptable Use Policy. Employees need to understand the risks of Web surfing. Minimize risks of Internet abuse by implementing a policy to curtail at-work surfing and communicate it clearly to employees.

B. Update your Wavecrest list. The Wavecrest control list is updated daily, adding Web sites known to host spyware. We recommend downloading your Wavecrest control list daily to minimize the number of visits categorized as “Other” and ensure the best coverage possible. You can set Cyfin and CyBlock to do this automatically on the Administration – URL List – Schedule screen.

(Note: If you spot a Web site you suspect may be spyware, email it to us at sites@wavecrest.net. Our OtherWise research team will review the site and categorize it appropriately.)

C. Update your operating system. Download updates to your operating system on a regular basis. Spyware multiplies on your network by exploiting weaknesses in OS software. Frequent updates will help plug these holes and minimize the damage if you become infected.

4) Work with your employees.

Counsel employees about the dangers of spyware. Brief your employees on the dangers and detrimental effects of malicious software, and tell them about the actions you’re taking as well as the actions they should take and the sites they should avoid.

The Dangers of Public Proxies

Introduction.
Public proxies are often used by employees or students who want to get around Web filters and/or avoid being identified by Internet logging. In other words, public proxies allow individuals to surf the Web “anonymously.”

The way public proxies work is by making the requested Web site appear to be going to a Web address other than the address of the site actually being requested. They act like a “middle man.” When a Web site is requested, the request is sent to the public proxy, which forwards the request to the original destination, and then returns the site that was requested.

Problems with Public Proxies.
The claim that a public proxy hides a user’s identity may sound safe, but the fact is that public proxies that are used to get around filters can be very dangerous to the user and his/her company or school.

Many public proxies promote spyware or malware activity. They are created to gather user information, or even worse, company information on an employee’s computer. They often log an individual’s online browsing, emails, and chat sessions to gather user names, passwords, credit card or banking information. Some of the information gained, e.g., email addresses, is often used to sell to other companies for marketing purposes.

Solutions.
An enormous and fast-growing number of dangerous public proxy sites exist around the world with new ones popping up every day. Many of them even change their IP addresses at frequent intervals. For these reasons, it is totally impossible to completely solve the problem with technical approaches alone.

Instead, there are several steps you can take to prevent or identify the use of public proxies. The first is to make sure your company or school’s acceptable use policy and consequences of breaking that policy are clearly communicated.

Secondly, back up your AUP by filtering and/or monitoring employees and students’ Web access. Many public proxies use IP addresses to avoid easy detection, so a spike in IP address visits could be an indication that an employee or student may be using one. Wavecrest Computing’s CyBlock and Cyfin Internet filtering and monitoring software have categories for both public proxies and IP addresses.

Finally, make sure that your employees or students are aware of the security dangers associated with public proxies. Many are not aware of the security risk associated with public proxies and may be less inclined to use one if they are educated on the dangers they pose to the user and his/her company or school.