Analyze Your Encrypted Traffic With CyBlock SSL Inspection

In huge numbers, more and more organizations, particularly e-businesses, are using Web-enabled applications that involve the use of personal, private, and sensitive data. Banking, online shopping, and credit card transactions are good examples, but by no means the only ones. SSL encryption is being increasingly used to protect the confidentiality of this business and personal data on the Web. Surveys show 25%-35% of enterprise traffic is SSL-encrypted, and the number can be as high as 70% in specific industries. SSL encryption is the most cost-effective way of protecting the privacy of this traffic.

While SSL encryption solves many privacy-protection problems, it can allow traffic that poses security threats–both inbound and outbound–to pass through security protection measures uninspected and unchecked.

Inbound Problem.  SSL encryption creates security blind spots in incoming traffic. The traditional security infrastructure that protects an organization is blind to the threats in inbound SSL traffic and provides an easy vehicle for criminals and hackers to hide their cyber attacks.

Outbound Problem.  In addition to the risks of incoming threats hiding over SSL channels bypassing security protections, outbound enterprise traffic is now a growing problem. This is becoming quite a “hot button” for security applications (e.g., content filtering applications) that tackle data loss prevention (DLP), compliance reporting, and lawful intercept. In the past these solutions could see what was outgoing, but now they are suddenly “in the dark” when it comes to the data transferred over SSL.

From a security standpoint, most organizations already deploy an array of network and security appliances and programs to protect their enterprise, enforce internal corporate acceptable use policies, and satisfy external government regulation. Unfortunately, in many instances, they can only inspect plaintext traffic and are unable to inspect HTTPS communications for attack signatures. This makes it difficult or impossible for network administrators to enforce corporate acceptable use policies or ensure threats, such as viruses, spam, and malware, are stopped before they reach individual users.

In addition, without the ability to examine the contents of HTTPS communications, network administrators leave open the possibility for information to be accidentally leaked out of the enterprise or worse, stolen. Regulatory compliance requirements, including identifying accidental or intentional leakage of confidential information, are also virtually impossible to meet because of HTTPS encryption.

CyBlock SSL Inspection gives network administrators the ability to monitor this SSL-encrypted traffic and to identify and respond to any undesirable content. The total HTTPS inspection process decrypts, analyzes, categorizes, and then re-encrypts the traffic. If necessary, specific standard and/or custom URL categories can be exempted from the inspection process; this is known as “tunneling.” In addition, full URL information in a number of Wavecrest audit reports is available to network administrators.

To learn more about how CyBlock SSL Inspection can protect your sensitive data, please see our SSL Inspection Tech Brief or contact Technical Support at (321) 953-5351, Ext. 4 or support@wavecrest.net.

Source:  Examining SSL-Encrypted Communications – Netronome

Downloading Windows 8 Apps

Companies that filter and monitor Web traffic by user name do so in order to enforce their Acceptable Use Policy and for reporting purposes. In order to obtain user names for filtering and reporting purposes, they enable the authentication of all Web requests. An issue that arises with authentication is that there are some Web apps that do not respond to authentication requests.  This is the case with Windows 8 apps.

In order for the Windows 8 operating system to download apps through CyBlock Software or CyBlock Appliance, entries need to be made in the Authentication Manager. This work-around puts these apps in an authentication “Bypass” list where they are exempt from authentication. CyBlock will not require authentication for any URL/User-Agent combination established in the Bypass list. Any user name cached for this connection will be used. If none is cached, the activity will be logged with the user name of “bypass.” The steps below should be followed.

  1. Go to the Advanced Settings – Proxy Settings screen, and click the Authentication Managerlink.
  2. Under Display Selection, select Bypassed or All to display the Bypassed entries. Note that the All option will display the Pending Bypass entries also.
  3. Under Bypassed, click the Add new bypass entry link. A dialog box is displayed.
  4. Enter each of the following combinations of URL or Domain and User-Agent, and click Add after each entry.
URL or Domain User-Agent
*.apps.microsoft.com *
*ws.microsoft.com *
* MSappsHost/*

 

The entries on the screen should look like the following example.

CyBlock Authentication Bypassed Entries

 

For additional assistance, please contact Technical Support at (321) 953-5351, Ext. 4 or support@wavecrest.net.

Cyfin Release 8.8.1 and CyBlock Release 6.8.1 Now Available

We recently released new versions of Cyfin, CyBlock Software, and CyBlock Appliance. In this release, you will find several corrections as well as improvements to the Restore/Download feature and to access accounts. With the Restore/Download enhancement, you will be able to transfer all of your current configuration settings to another installation of the product. This will prove to be useful if you are transitioning to production mode or purchasing a new server. With access accounts, you can now confirm a password when creating or modifying an access account. The enhancements are described below.

  • Restore and Download.This includes the following changes:
    • The ability to transfer all configuration settings to another installation of the product has been added.
    • Transfers of configuration settings are only supported for the same product type, for example, CyBlock Software to CyBlock Software. Transfers across products are not allowed.
    • Transfers of configuration settings are only supported from this release and later. Previous restore points before this release are not transferable.
    • On the Administration – Restore – Restorescreen, the Choose Restore Type field has been added with Full and Configuration Only options.
      • The Full option allows you to transfer configuration settings from one product type to the same product type with the same restore point path on the same computer.
      • The Configuration Only option allows you to transfer configuration settings to a different restore point path on the same computer or to a different computer.
    • On the Administration – Restore – Download screen, the following has been added:
      • A Restore Point Settings section to allow you to edit or select the restore point path.
      • An Update button to reload the new restore point path.
      • A Create Restore Point section to allow you to create a new restore point using a Create button.
      • A Restore Point Filename field that displays the name of the .zip file in the format yyyymmdd+hhmmss.zip. Older restore points with file name ##.zip will still be displayed; however, they are not transferable and should not be used.
  • Access Accounts.This includes the following changes:
    • For Cyfin and CyBlock Software, the Enter Password and Confirm Password fields have been added to the following screens to allow you to enter and confirm a new password when creating or modifying an access account:
      • Administration – Access Accounts – Create
      • Administration – Access Accounts – Modify
    • For CyBlock Appliance, the Enter Password and Confirm Password fields have been added to the Administration – Access Accounts – Modify screen to allow you to enter and confirm a new password when modifying an administrator access account.
    • If the new and confirmable passwords do not match, a red x is displayed, and the Submit button is disabled.

To see the full release notes for your product, visit the Support Forum. You can download the latest release by going to the Administration – Product Update screen in your Cyfin or CyBlock product.

For additional assistance, please contact us.

Enhanced Malware Protection

Wavecrest Computing is pleased to announce an enhancement that delivers a tenfold increase in CyBlock’s ability to protect computer networks from malware and Cyfin’s ability to identify increasing security threats. Here is some background information.

Malware is the scourge of the Internet. The term “malware” includes computer viruses, worms, Trojan horses, spyware, adware, and other malicious programs that can disrupt computer operations, gather sensitive information, or gain access to private computer systems. For Wavecrest’s purposes, malware also includes Web sites that support hacking. Most malware originates and is spread from particular Web sites. Unfortunately, many thousands of such sites exist today, and to make matters worse, the number is growing steadily every day at distressingly fast rates.

The malware problem is not new to Wavecrest. For a number of years, companies have been using CyBlock and Cyfin products to protect against and identify automated invasions of malicious scripts and software, and unauthorized access to their internal networks–the two major problems caused by malware. CyBlock provided protection–under customer control–by blocking and reporting on employees’ attempts to visit sites in 3 of more than 70 URL List categories: Hacking, Phishing/Fraud, and Spyware/Malicious.

While this methodology was effective, it was not perfect. The difficulty lay in keeping the URL List up to date in the face of the relentless and rapid increase in the number of malware-spreading sites. This issue has been addressed with an enhancement that significantly improves the ability to keep the list current.

At the same time, three related categories, Hacking, Phishing/Fraud, and Spyware/Malicious, have been consolidated into one called Malware. This consolidation increases the ease of administration for customers.

This enhancement with its improved URL List is included in the latest release of CyBlock v.6.8.0 and Cyfin v.8.8.0. To realize its benefits as soon as possible, it is recommended that you upgrade your CyBlock or Cyfin product as soon as you can. Wavecrest will continue to update the enhanced list daily and make it available for download by customers. The download process remains unchanged.

You can schedule the list to be downloaded automatically every day, or you can download it manually at any time. In any case, as soon as it is downloaded, you will immediately begin to receive the added protection and see a significant reduction in the number of security threats to which you may be exposed.

To download the latest release, go to the Administration – Product Update screen in your CyBlock or Cyfin product. For additional assistance, please contact Technical Support at (321) 953-5351, Ext. 4 or support@wavecrest.net.

Cyfin Release 8.8.0 and CyBlock Release 6.8.0 Now Available

We are excited to announce the release of two major enhancements in the new version of Cyfin and CyBlock. The first major enhancement is the new SSL Inspection feature that allows our CyBlock products to decrypt, analyze, and fully inspect all HTTPS traffic. In order to defeat security threats facing companies today, SSL Inspection is essential. The second major enhancement is an innovative technique for protection against automated invasion of malicious scripts and software and/or unauthorized access to internal networks. Enhanced Malware Protection automates the process of identifying large numbers of new malware-spreading sites daily. To facilitate identifying and blocking malware traffic, three security threat categories have been consolidated into a new Malware category.

Other enhancements in this release include the rebranding of our products, new product icons displayed after installation, and new product Help. We also have a number of corrections in this release. The details of the enhancements include the following:

  • Product Rebranding.The Wavecrest products have been rebranded as follows:
    • The products offered are CyBlock and Cyfin (formerly Cyfin Reporter).
    • Three deployment options are available for CyBlock:
      • CyBlock Software (formerly CyBlock Proxy)
      • CyBlock Appliance
      • CyBlock ISA/TMG
    • These changes are reflected on the Wavecrest Web site and the Forum. They will eventually transition to the products and associated documentation.
  • SSL Inspection.This includes the following changes:
    • Ability to view the full URL including path, embedded URLs, and parameters.
    • Domain, path, and parameter matching.
    • Ability to filter detailed HTTPS traffic by Web categories and Web content types and display blocking messages for both.
    • Safe Search blocking (where applicable).
    • Ability to view full URLs in the Real-Time Web Monitor.
    • Ability to view full URLs in the following reports (where applicable), not just domains:
      • Category Audit Detail
      • Category Audit Summary
      • Site Audit Detail
      • User Audit Detail
      • User Audit Summary
    • A new SSL Inspection screen that allows you to select groups and/or IDs and standard and custom categories to be inspected. To access this screen, go to Advanced Settings – Proxy Settings – SSL Inspection. For inspection to occur, you must select a group and/or an ID, and set a category to Inspected. The Financial category is set to Tunneled by default for privacy reasons, but this can be changed to Inspected.

Note:  Before using SSL Inspection, the Wavecrest Certificate must be installed. Refer to the Wavecrest Certificate Installation Guide for instructions on how to install/distribute the certificate. For more information on this enhancement, see the SSL Inspection Tech Brief.

  • Enhanced Malware Protection in URL List.This includes the following changes:
    • Extensive malware site additions were made to the URL List. You will receive the enhanced protection when the list is downloaded manually or automatically.
    • The Hacking, Phishing/Fraud, and Spyware/Malicious categories were consolidated into a new Malware category.
    • Custom URL entries categorized as Hacking, Phishing/Fraud, and Spyware/Malicious are now categorized as Malware.
    • The Hacking, Phishing/Fraud, and Spyware/Malicious categories were replaced by the new Malware category on appropriate screens and in all category drop-down boxes.
    • For CyBlock, on the Block Web Categories screen, the Malware category is set to “Block” in the Default policy in new installations by default. In existing installations, previous settings will not change when the product is upgraded, that is, the Malware category will be set to the previous Spyware/Malicious category setting.
    • The Malware category is displayed on the Help – Reporting – Check URL screen under URL Category Match when there is a category match.
    • Scheduled reports now report on the Malware category if they were set up to report on the Hacking, Phishing/Fraud, and Spyware/Malicious categories.
  • Product Icons. The Wavecrest product icon has been replaced with new CyBlock and Cyfin product icons on the Start menu and on the browser tab (favicon).
  • Product Help. The QR pages in the product have been replaced by a new searchable Help system. The Help system has a similar TOC as the product manual, but also includes an Index and a Search box. If a search result indicates “Web site,” you can right-click the entry to open the page in a new tab or window. You can also print a displayed Help topic by clicking the Print button.

To see the full release notes for your product, visit the Support Forum. You can download the latest release by going to the Administration – Product Update screen in your Cyfin or CyBlock product.

For additional assistance, please contact us.

March Madness

Wavecrest Computing has heard about it every year for 15 years–companies complaining that their bandwidth is slow and their overall productivity is down, all during March and early April! What is going on? Madness, they say…March Madness!

The bandwidth strain can be a big problem. According to a recent survey, 66 percent of workers say they’ll follow the games during work hours, with 20 percent expecting to spend one to two hours following games, 14 percent spending three to four hours, and 16 percent saying they will spend five hours or more watching games instead of working.*

How do you control this type of bandwidth usage? While you may or may not allow your employees to follow the games at work, you will want to ensure that it doesn’t interfere with your network. Wavecrest Computing offers Internet filtering by category or site, white list filtering, real-time Web monitoring, and detailed Web-use reports on a particular category or site and bandwidth usage. Some of the many Wavecrest CyBlock features that monitor bandwidth or access to sports sites are:

  • Real-Time Bandwidth Monitor
  • Top Sites Bandwidth Chart
  • Top Groups Bandwidth Chart

For more information on CyBlock and a free trial download, see CyBlock Core Features.

* March Madness – Challenger, Gray and Christmas, Inc. 3/13/2013

Are the URLs in Your Categories Set Correctly?

If you are upgrading your CyBlock or Cyfin product, you will be using the Wavecrest URL List 7. List 7 supports wildcard entries in domain, path, and parameter matching in URLs. In List 6, wildcard entries were possible, but limited, and thus, the URL matching was slightly different. Therefore, we recommend that you recheck and reset the URLs that were added to your standard and custom categories.

To do this, go to the Advanced Settings – Category Setup – Edit URLs screen and select the category you want to change. In the Supplemental URLs or Custom URLs box, modify your URLs according to the List 7 rules. List 7 allows you to use the following wildcard rules to add multiple URLs simultaneously.

  1. Wildcards With Domain Matching.This URL matching method categorizes Web sites whose pages all contain the same type (category) of content, e.g., Shopping, News, and Sports. In these relatively simple cases, one category applies to the entire site. Under this method, if the Web log entries are in any of the following formats, and the URL List contains a matching URL, the product will categorize the visit on the basis of the domain name.
    • www.mydomain.com
    • *.mydomain.com
    • www.mydomain.*
    • *.mydomain.*


    Note:
     For this method to work, and as reflected in the examples, the entry in the URL List must contain a complete domain name element. That is, the domain name between the periods (dots) must be complete and must not be augmented with an asterisk or any other character. For example, the list must not contain mydomain*.com or *mydomain.com.

  2. Wildcards With Domain and Path Matching.This URL matching method categorizes Web site visit-attempts at the path level. This method enables individual pages to be categorized. If the URLs visited (as documented in the Web logs) are in any of the following formats and there is a corresponding entry in the URL List, the product will categorize the visit on the basis of the domain name and path.
    • www.mydomain.com/path/*
    • www.mydomain.com/*/path/*
    • *.mydomain.com/*/path/*
    • *.mydomain.com/path/

    Notes: For this method to work, the entry in the URL List must contain a complete path element. That is, the path element between the forward slashes must be complete and must not be augmented with an asterisk or any other character. For example, the list must not contain /path*/. As indicated at the end of the fourth example above, the asterisk is not always required, i.e., an exact path can be entered. However, as indicated in all four examples, forward slashes are always required.

  3. Wildcards With Parameter Matching.This method adds parameter matching to the two methods defined above (domain alone and domain-plus-path). It focuses more on syntax found in URL parameters than on content of the site being evaluated by the product. The parameter method works as follows. If the Web log entries are in any of the formats listed below, the product will categorize the visit on the basis of (a) the domain name plus the parameter, or (b) domain name plus path and parameter. Note that the first three bullets are examples of the former (no path included).
    • www.mydomain.com/*?keyword=value
    • www.mydomain.com/?keyword=value
    • www.mydomain.com/?id=*
    • www.mydomain.com/?id=*&sr=* (example of multiple pairs)
    • *mydomain.com/*/path/*?id=*

    Notes:  Parameter matching always requires the use of “?”. If a question mark is placed at the end of the domain or the path, the URL List will perform this matching method.The “/” is also required for this method. However the “&” is optional and is only needed when more than one “keyword=value” pairing is involved (as indicated above). Note that the “&” is added between pairs, and the pairs do not have to be in any particular order.

For additional assistance, please contact Technical Support at (321) 953-5351, ext. 4 or support@wavecrest.net.

What employers need to know about online holiday shopping

It’s that time of year again. Christmas is coming, and it’s time to find the best deals and research the best products. And where does everyone go these days to find the deals and do their product research?  You guessed it. The Internet.  Should employers be concerned with this? Absolutely!  Online shopping results in significant productivity losses, excessive bandwidth usage and serious threats to cybersecurity.

Lost productivity can mean big bucks for your company. A recent study by Comscore found that 50% of all online holiday purchases occur during working hours. For the companies in the study, the typical productivity loss during the short holiday season averages $15,000.

Adding insult to injury, the additional traffic will lead to network slowdowns due to significant increases in bandwidth usage. Just as they did in previous years, online retailers are now preparing bandwidth-hogging promotional videos to help sell their products. Remember last year?  On Cyber Monday 2011, video views increased by 897 percent over the previous year. And now the number of views this coming Cyber Monday are expected to exceed last year’s. So, it is critical to prevent vital bandwidth from being consumed by non-productive Web-use.

Contributing to the danger, hackers and identity thieves are very aware of these online shopping patterns. They are fully prepared to deceive online holiday shoppers with very appealing schemes – “deals” that require them to click a link to special discount or filling in personal information before they can get the deal. These acts can lead to malware infection or pose significant risks to your organization’s network and sensitive data.

The peak period for all these holiday-related problems is coming soon. The Comscore study tells us that 80% of all annual online purchases occur between Nov 26th (CyBer Monday) and Dec 14th.  So now is a good time to remind your employees of your organization’s Web-use policy and make sure you have the right protections in place.

Dennis McCabe, President of Wavecrest Computing, recommends that companies monitor and/or filter employee Web-use to better protect themselves from lost productivity, excessive bandwidth usage and security threats. His company is ready to help them do this.  Easy to use and priced to fit any budget, Wavecrest products are tailored to address all aspects of Web-use management reliably and cost-effectively.

About Wavecrest

Since 1996, Wavecrest Computing has developed, marketed, and supported a spectrum of innovative Internet usage monitoring, analysis, filtering, and reporting solutions. Their products help all types of organizations manage employees’ online activities, ensure compliance with acceptable use policies, preclude legal liability and prevent bandwidth abuse. Founded 15 years ago, their client base has grown to more than 3,000 organizations, including many prominent Fortune 500 companies and high-profile government agencies.

Navigating the User Guide

With the new release of Cyfin 8.7.2 and CyBlock 6.7.2, we are pleased to provide enhanced user guides with improved readability and navigation. Some of the changes include a hyperlinked table of contents, additional hyperlinks in the chapters, and color-coded chapter and section headings, notes, cautions, and important information. Here are some tips on navigating the user guides in the browser.

Locating the User Guide. The user guide can be accessed through our Web site www.wavecrest.net. On the Home page, click the Support link on the left. The CyBlock and Cyfin products will be listed. Click the product name and then click Documentation. The Documentation page will be displayed with the different versions of the product manuals. Select the latest version.

The user guide can also be accessed through any of the Cyfin or CyBlock products. In the product, from the Help menu, select Documentation and then click the Product Manual link. The latest version will be displayed in your browser.

Viewing the PDF Layout. When you open the user guide in your browser, you will see the Bookmarks panel on the left, and the user guide in the middle of the screen. The page layout is set to show two pages side-by-side. Maximize the window by double-clicking the title bar of the window.

Adding Toolbar Tools. Take advantage of the page navigation and page display tools in the Acrobat toolbar available with the Adobe PDF 10.x add-on. Right-click the toolbar, select Page Navigation, and then select Show All Page Navigation Tools.

 

Again, right-click the toolbar, select Page Display, and then select Two Page View.

Finding Information. There are many ways to find information in the user guide. You can use the bookmarks in the Bookmark panel, the hyperlinked table of contents, and the hyperlinks within the chapters. Remember to use the page navigation tools on the toolbar also. The Previous View tool is a handy one.

To search for specific words, press Ctrl+F on your keyboard. In the Find toolbar, type your search term, and click the arrows to locate each occurrence of the term or press Enter.

 

Another way to search is by using the Search panel. In the browser, click the binoculars icon on the left, type your search term, and click Search or press Enter.

Printing the User Guide. If you want to print the user guide, it is formatted to be printed double-sided.

For additional assistance, please contact Technical Support at (321) 953-5351, ext. 4 or support@wavecrest.net.