Re: And yet another one from the mind of Lohkee!

From: Lohkee (Lohkee@worldnet.att.net)
Date: 01/19/03


From: "Lohkee" <Lohkee@worldnet.att.net>
Date: Sat, 18 Jan 2003 23:24:53 GMT


"Karl Levinson [x y] mvp" <jamescagney90210@excite.com> wrote in message
news:uwooRyzvCHA.1624@TK2MSFTNGP10...
> That's an interesting idea, and it might be very effective for some...
> though I would think it would take a LOT of work to set it up, whether
> you're a large corporation, government entity or a home user. Plus it would
> be very frustrating, because when you do say a www.google.com search to find
> information that you need to do your job, you can bet the sites that come up
> won't be pre-approved, and you might have to go through 10 or 20 before you
> find the answer.

If you review and categorize, say, six months' worth of server audit logs, you
will find that most of the sites visited are not work-related. Those that
are turn out to be very few and far between. Granted, there will always be
exceptions to the rule, however, experience has taught me that for the
average business (including some very large organizations), this is, in
fact, extremely rare. This is one of the myths of the Internet. Most
people DO NOT need it to do their jobs effectively. For those who do, it is
often a matter of allowing access to one or two very specific sites.
Because of this, setting up a rule base is not as labor intensive as one
might think, about a week or so, on average. Everyone talks about critical
business need, but most audit trails simply do not support this.

>
> Web browsing is permitted at companies because it has become an essential
> tool for many people's jobs. Removing that tool would be about as effective
> as trying to remove everyone's email software, e.g. not very.

See above.

>
> The fact that web sites on the internet are constantly changing and
> appearing is one reason why the current negative databases don't work, but
> it's also a reason why a positive database like you propose would often
> require a fair bit of work to maintain.

You lost me on this one. Negative databases require constant updating
(albeit by the vendor - who doesn't do it for free). After the initial
setup, positive databases require very little work. Not many employees
submit requests for inappropriate material when they know it is routed
through their manager for review. In fact, you would be surprised how many
people no longer seem to care about the Internet at all.

>
> One big benefit of paying for third party content filtering is that they've
> already done the work of setting up the database. Of course, if customers
> wanted the option of choosing a positive database, those third party
> products could easily be rewritten to do this.

I disagree. Where is the benefit of paying someone to do the work when the
final product is of such poor quality? In testing some of these products I
was able to google "XXX" and get to many of the sites returned by the
search. I see no benefit in spending thousands for a product that does not
solve the problem for which I bought it in the first place (I'm sorta
funny that way). I'm not sure vendors would support the alternative
because there is no money in it - they essentially put themselves out of a
job - not something any vendor that I know of would volunteer for.

Lohkee!

>
>
> "Lohkee" <Lohkee@worldnet.att.net> wrote in message
> news:nohW9.1662$zF6.138164@bgtnsc04-news.ops.worldnet.att.net...
> > Here is another one of my ramblings for your amusement. I am, as always,
> > very interested in (and appreciative of) feedback. The rules are the same
> > as before, i.e., I will only respond to serious comment on the paper:
> > questions/clarification regarding a particular point, technical
> > inaccuracies, things that should be added, things that should be deleted,
> > etc. (just don't have the time to indulge the trolls these days - sorry
> > losers).
> >
> >
> > Internet Content Blocking Software (DRAFT FOR COMMENT)
> > Copyright (C) by Lohkee
> > All Rights Reserved
> >
> >
> > Just fifteen minutes of recreational surfing per day can cost a company
> > with five hundred employees ($25.00/hour/employee) over $800,000 per year
> > in lost productivity. Some organizations that allow employees to surf the
> > net have learned the hard way that doing so greatly increases the risk of
> > unfavorable litigation (hostile work environment, various types of
> > discrimination, sexual harassment, etc.). Others have discovered how much
> > bandwidth can be diverted from critical business needs by just a few
> > employees downloading their favorite MP3 files. Some have even seen their
> > networks crash as a result of an employee downloading hostile code and
> > running it on their workstation. And the list goes on. Personal use of the
> > Internet creates numerous very serious problems for an organization. One
> > of the more popular solutions within the professional security community
> > is the use of content filtering software.
> >
> > Content filtering software attempts to block access to inappropriate
> > websites by matching the address of the website requested by a user
> > against a database of websites that have been categorized by type of the
> > content they offer. Some add a dynamic component that attempts to
> > categorize requests "on the fly" in an effort to compensate for the
> > dynamic nature of the Internet, i.e., the requested website has not yet
> > been categorized and put into the database. Like many other so-called
> > "state of the art" solutions offered by the professional security
> > community that do not really solve a problem, this is another idea that
> > sounds fairly reasonable (the absolutely ridiculous price of these
> > products notwithstanding) until you start taking it apart.
> >
> > Content filtering software is generally based on a negative database
> > model; if the web site requested by a user is not in the product's
> > database of prohibited destinations the filtering software has no choice
> > but to pass it through. Obviously then, the accuracy of the monitoring
> > database is paramount to the quality of the product. There is nothing
> > wrong with negative databases, per se, however they do not work at all
> > well in dynamic environments, particularly in those that are as fluid as
> > the Internet. It is virtually impossible to maintain any semblance of an
> > accurate database when the data involved is subject to rapid and constant
> > change. There are three reasons for this. The first involves the sheer
> > volume of data and is self-explanatory. The second is that you have to
> > first know about the existence of a web site before you can categorize it.
> > The third is that, once categorized, a given web site must continue to
> > exist and remain constant in terms of content to be relevant, i.e., a
> > database of web sites that no longer exist is pretty much worthless.
> >
> > One of the more expensive products on the market claims to have
> > categorized more than 900 million web pages. This sounds pretty impressive
> > until you compare the size of the filter's monitoring database to the size
> > of the Internet which has been estimated by researchers to contain over
> > 550 billion pages with 7.5 million new ones being added each day (no one
> > really knows how many web sites change their names or are taken down each
> > day). Essentially, this product has categorized less than two tenths of
> > one percent of the content freely available to anyone on the Internet and
> > there is no guarantee that all of the web sites in their monitoring
> > database even still exist. With 99.8% of Internet content still available
> > to the employee it is a pretty safe bet that you have not solved, or even
> > addressed in any meaningful way, any of the problems enumerated in the
> > first paragraph. Not bad for a product that can easily cost the
> > organization over $25,000! And this is a good deal?
> >
> > In addition to not working well in dynamic environments, negative models
> > are more difficult to defend in terms of adverse actions for inappropriate
> > conduct. The organization blocks access to inappropriate sites, therefore,
> > if a given site is not blocked it is reasonable to conclude that access is
> > permitted. Any other line of reasoning burdens the employee with the
> > impossible task of being able to read management's mind at any given point
> > in time with regard to a particular web site. This problem is further
> > compounded by a rather interesting conundrum inherent to the use of a
> > negative database; how can you hold someone accountable for attempting to
> > access a prohibited web site when they have no way of knowing that it is
> > prohibited until after the fact? The typical response to this question
> > (albeit simple minded and technologically ignorant) is that the employee
> > should know a given site is inappropriate by its very name. Unfortunately,
> > in many cases the content of a website is not readily apparent by its URL
> > (name), for example: www.whitehouse.com is a very well known porn site,
> > whereas, www.whitehouse.gov is the home page for the United States
> > government. Another closely related issue is that web sites often mix
> > content, for example: The Register (www.theregister.co.uk) is an excellent
> > source of industry related information that often also contains material
> > many would consider to be inappropriate. Let us not forget that
> > pornographers are famous for hijacking links to popular mainstream web
> > sites. The user clicks on what he thinks is a "legitimate" website and
> > then, without warning, twenty windows appear on his screen displaying
> > porn! Unfortunately, the system's audit trail will show that the user
> > attempted to access each of these sites. Perhaps the pertinent question is
> > not whether you can make an adverse action stick, but how much it will
> > have cost by the time your attorney advises you to settle out of court
> > because you have inadvertently accused an innocent person. While we are on
> > the subject of being sued, how much will it cost you to settle a
> > discrimination suit if you allow employees to access Christian web pages
> > but prohibit access to Wiccan web pages? Both are, after all, legitimate
> > established religions in the United States.
> >
> > Connecting mission critical production systems to the Internet is a very
> > bad idea. Allowing employees to surf the net at work is even worse. The
> > risks are great with no tangible return on investment. That being said,
> > the above issues can be easily addressed without spending a fortune, by
> > simply reversing the paradigm and using a positive database. This approach
> > works by allowing only those requests that have been pre-authorized and is
> > therefore extremely effective in highly fluid environments such as the
> > Internet. Best of all, it is essentially FREE! Most firewalls, and many
> > operating systems, have the ability to block outbound traffic based on
> > predefined rules. Non-business (work-related) sites, such as banks, etc.,
> > could be added to the "approved" list by request after they have been
> > reviewed for content thus enabling employees to conduct personal business
> > such as banking, filling prescriptions, etc., while at work. This process
> > is not as labor intensive as it might first appear, even for very large
> > organizations. Suppose, for example, that you want employees to have
> > access to the daily news. You do not have to make a rule for every news
> > site on the web. Simply make a rule for a few of the major networks such
> > as ABC, NBC, CBS, CNN, etc. People will squawk and some will try to argue
> > that they might be missing "critical" information when searching the net.
> > As a general rule this is simply not true. One does not need access to
> > every site dealing with a particular subject when access to one or two of
> > the major subject matter sites will suffice. There will also be the few
> > who need access to some obscure web site. No problem, have them submit the
> > site's address to the administrator through their manager. The point here
> > is not to deny access to information, rather to ensure that the
> > information is appropriate and does not put the organization at risk.
> > True, employees will no longer be able to "surf at will" but so what?
> > Contrary to popular opinion, Internet access at work is a privilege, not a
> > right. Protecting your business, on the other hand, is! One method of
> > making the transition relatively painless is to analyze your audit trails
> > and build a list of approved sites. Do not automatically add every site
> > you find. Categorize them by content and then add only the major
> > providers. When the rules go into effect many, particularly those who do
> > not abuse the Internet, will never notice the difference. The initial
> > setup will take about two weeks, however, that cost pales in comparison to
> > spending several thousand dollars for products that will never work well
> > (and take about a week to install). You will be surprised how small your
> > database of approved sites is. Even in very large organizations it is
> > unlikely to exceed fifteen hundred items and can easily be less than one
> > hundred.
> >
> >
> > Comparing the two methods side by side is a real eye-opener:
> >
> > Negative: Very expensive.
> > Positive: Essentially FREE
> >
> > Negative: Mandatory long term relationship with the vendor.
> > Positive: No external relationship required.
> >
> > Negative: Frequent updates to very large database.
> > Positive: Infrequent updates to a very small database.
> >
> > Negative: Low coverage, inherently inaccurate.
> > Positive: Complete coverage, extremely accurate.
> >
> > Negative: Does not save bandwidth.
> > Positive: Does save bandwidth.
> >
> > Negative: Inherently discriminatory.
> > Positive: Not discriminatory.
> >
> > Negative: Not effective in reducing lost productivity.
> > Positive: Enhances productivity.
> >
> > Negative: Creates enforcement problems.
> > Positive: Eliminates enforcement problems.
> >
> > Negative: Threat is not appreciably reduced.
> > Positive: Threat is greatly reduced.
> >
> > Negative: Method inconsistent with principle of "least privilege".
> > Positive: Method consistent with principle of "least privilege".
> >
> > Negative: Often requires additional hardware.
> > Positive: Does not require additional hardware.
> >
> > Negative: Does not promote security.
> > Positive: Promotes security.
> >
> > You can pay thousands of dollars for a so-called "solution" that does not
> > really solve a problem, or you can save your money and implement one that
> > does. The choice is yours.
> >
> > Lohkee!
> >
> >
> >
>
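
The positive-database approach described in the quoted paper (seed an approved list from audit logs, then refuse everything not on it), as an added Python example that is not part of the original posts. The "<user> <url>" log format, the example.test host and the approved list are constructed assumptions.

```python
from collections import Counter
from urllib.parse import urlsplit

# Constructed sample audit-log lines: "<user> <url>" (format is an assumption).
SAMPLE_LOG = """\
alice http://www.cnn.com/world
bob http://www.cnn.com/business
carol https://www.whitehouse.gov/briefings
bob http://www.whitehouse.com/
alice http://mp3.example.test/top40
bob http://mp3.example.test/new
dave http://WWW.CNN.COM./tech
""".splitlines()

def host_of(url):
    """Lower-cased hostname without a trailing dot, or None if unparseable."""
    try:
        host = urlsplit(url).hostname
    except ValueError:
        return None
    return host.rstrip(".").lower() if host else None

def tally_hosts(lines):
    """Count requests per host so a reviewer can categorize the busiest ones."""
    counts = Counter()
    for line in lines:
        parts = line.split()
        if len(parts) == 2 and host_of(parts[1]):
            counts[host_of(parts[1])] += 1
    return counts

def is_allowed(url, approved):
    """Default deny: pass only if the host equals an approved domain or is a
    subdomain of one, compared on whole labels (so 'notcnn.com' != 'cnn.com')."""
    host = host_of(url)
    if host is None:
        return False
    labels = host.split(".")
    return any(".".join(labels[i:]) in approved for i in range(len(labels)))

# Reviewed, approved list (constructed); everything else is refused.
APPROVED = {"cnn.com", "whitehouse.gov"}

if __name__ == "__main__":
    for host, n in tally_hosts(SAMPLE_LOG).most_common():
        verdict = "approved" if is_allowed("http://" + host, APPROVED) else "review"
        print(f"{n:3d}  {host}  {verdict}")
```

Matching on whole DNS labels is what keeps the paper's www.whitehouse.com and www.whitehouse.gov pair apart, and it also refuses look-alike names that merely end in an approved string.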


