7th
Oct '08

Transparent web proxy, protecting assets through monitoring


October is National Cyber Security Awareness Month, as designated by the US Department of Homeland Security. As a result, I’ll be focusing my articles on protecting your users and your network.

If you haven’t seen my previous articles on phishing, you may want to check those out to help your users. Today, I’m going to be writing about protecting your users from themselves.

Unfortunately, in this day and age, many workers with desk jobs where Internet connectivity is readily available will be tempted to use the Internet for non-work related activities during work hours. Although this is or should be against policy at most organizations, our easily distracted work force is finding it easier and easier to get away with it.

Notifying Your Users

The first thing that I would recommend is notifying your users that their Internet use at work is being monitored. Although I’m not an attorney, and don’t know if this covers you legally, it is just common courtesy. If you let your users know what to expect, there won’t be any surprises.

Monitoring

The next step is likely to monitor your users’ Internet activities, to see if your organization has an obvious problem and to help form any new policy.

I would recommend setting up a transparent web proxy. A transparent proxy is set up by having your network firewall intercept all requests for web traffic, sending them through a proxy server that proxies all of the web requests and responses. Logging is then enabled on the URLs being visited, as well as the local network IP addresses that are visiting them.

Squid is a caching proxy that supports HTTP, HTTPS, and FTP. It is available as a package for most UNIX/Linux distributions, or can be built from source, which is readily available. There are also instructions available for configuring Squid as a transparent proxy.

Besides the Squid logs, you will also want to monitor and log any other Internet traffic. This will show everything that isn’t web traffic, including Internet applications other than web browsers such as instant messaging clients, as well as attempts to bypass your web proxy. You will want to enable this on your firewall itself. Simply log all other traffic leaving your network workstations that are destined for the Internet.
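To show what the proxy log gives you, here is an added example (not part of the original article) that summarizes a Squid access log by local IP address and destination host. It assumes Squid's default native access.log format; the sample lines are constructed and the function names are hypothetical.

```python
from collections import Counter, defaultdict
from urllib.parse import urlsplit

# Constructed sample lines in Squid's native access.log format:
# time elapsed client action/status bytes method URL ident hierarchy/peer type
SAMPLE_LOG = """\
1223380801.123    245 192.168.1.23 TCP_MISS/200 15342 GET http://www.example.com/index.html - DIRECT/192.0.2.10 text/html
1223380802.500     12 192.168.1.23 TCP_HIT/200 2048 GET http://www.example.com/logo.png - NONE/- image/png
1223380805.456   1200 192.168.1.40 TCP_MISS/200 4521 CONNECT mail.example.net:443 - DIRECT/198.51.100.7 -
1223380809.010    310 192.168.1.40 TCP_MISS/200 90211 GET http://videos.example.org/clip?id=7 - DIRECT/203.0.113.5 video/x-flv
this line is truncated
"""

def host_of(method, url):
    """Return the destination host for a logged request."""
    if method == "CONNECT":              # CONNECT logs "host:port", not a URL
        return url.rsplit(":", 1)[0].lower()
    return (urlsplit(url).hostname or url).lower()

def summarize(lines):
    """Return ({client IP: Counter({host: bytes})}, count of skipped lines)."""
    usage, skipped = defaultdict(Counter), 0
    for line in lines:
        fields = line.split()
        if len(fields) < 10 or not fields[4].isdigit():
            skipped += 1                 # malformed or truncated entry
            continue
        client, size, method, url = fields[2], int(fields[4]), fields[5], fields[6]
        usage[client][host_of(method, url)] += size
    return usage, skipped

def report(usage, top=3):
    """Return printable lines: each client's top destinations by bytes."""
    out = []
    for client in sorted(usage):
        for host, size in usage[client].most_common(top):
            out.append(f"{client}  {host}  {size} bytes")
    return out

if __name__ == "__main__":
    usage, skipped = summarize(SAMPLE_LOG.splitlines())
    print("\n".join(report(usage)))
    print(f"skipped {skipped} malformed line(s)")
```

To run it against a real log, pass the open file object to `summarize` in place of the sample lines.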

Policies and Enforcement

Coming up with an Internet usage policy is difficult for employee relations, but it can protect your organization’s assets from malware. If your users aren’t visiting non-work related web sites and aren’t checking their unprotected personal e-mail at work, they’re less prone to being infected by malware.

If you come up with a sensible policy, it can help your workers become more productive. Many organizations choose to allow their employees to use the Internet for non-work related things during their breaks. However, even this usage should be limited to paying bills and checking personal e-mail. I would recommend against allowing any file sharing, gaming, or instant messaging, especially.

One way to do this while still protecting your workstations and preventing workers from always being on break is to have one or two terminals in a common area available for non-work related use. The terminals can be running Windows under a non-administrative user, or the machines can simply be dumb terminals capable of running a web browser only. This will ensure that no workstations use the Internet for non-work related purposes. Additionally, it will be easy to see who is using the shared terminals the most, and the users will often police each other. It will also encourage your users to get up and leave their desk during their break.

Policy enforcement is also very difficult. Many organizations are short staffed, and typical punishments like unpaid time off are simply not an option. Many organizations choose to instead reward those who are following the policies; however, this likely is not an option when it comes to your organization’s information security. Information security policy violations should be stopped immediately, but this doesn’t necessarily require punishment. Try these steps:

  • Ask the employee why they broke the policy, and ensure that the policy is clear and can be easily followed.
  • Ask the employee what they need from you in order to follow the policy.
  • Offer alternatives that can help keep the employee from repeating the mistake.
  • Try retraining the employee and provide goals that must be reached before the training is complete.
  • Establish goals and consequences of failing to meet them, such as a deduction in pay, change of position or termination.

I will be going into more detail on computer usage and locking down your network in my next article.
