9 ways to use web proxies to limit Internet exposure

Connecting state and local government leaders

The Internet is a dangerous place. But there are concrete steps an organization can take to manage the risk while still allowing employees the access they need.

The web has been central to the information age over the past 26 years, fundamentally changing how billions of people around the world communicate. While web use and dependence on the Internet have continued to grow, adversaries have also increasingly leveraged the web for cybercrime, including espionage, fraud, intelligence gathering and a number of financial schemes. According to Menlo Security’s State of the Web 2015 report, more than 33 percent of the top 1 million Internet websites are considered “risky.”

The web is used in a variety of attacks, ranging from phishing messages with an embedded link to poisoned Internet search results. Also common are watering hole attacks, in which a valid website is leveraged to either compromise visitors directly or redirect users to another malicious website. Adversaries can easily create their own malicious site or compromise a legitimate site in order to exploit visiting users.

Even sites that are not directly compromised can be used to serve up malicious content to users in the form of advertisements. Malvertising has more than tripled over the past year, according to a recent study by Cyphort, and has continued to impact a number of high-traffic sites over the past several months, including Forbes, Realtor.com and Match.com.

Government agencies can protect their own systems, networks and data by reducing exposure to Internet resources. Leveraging the following web proxy and gateway technologies can limit exposure to potentially dangerous Internet resources while maintaining and enabling access to the content needed to support business processes.

1. Limit default Internet access

Full Internet access from government and corporate networks should be based on business requirements, not granted as a default privilege for every employee. While the majority of employees will likely have legitimate needs, there is no reason why security guards or mail clerks require the same level of access to web resources as IT specialists. Agencies should have processes and procedures in place to request and approve user access to web resources. In an Active Directory environment, this policy can be enforced by placing approved users in an "Internet" group and allowing only members of that group through the web proxy; this requires the proxy to authenticate users (for example with Kerberos or NTLM) rather than trusting source IP addresses, so that group membership can actually be evaluated per request. Isolated guest or public networks can also be set up to provide Internet access from employees' personal devices or on a temporary basis without impacting internal systems and networks.

2. Prevent access from privileged accounts

If a user browsing as an administrator visits a malicious site, successful exploitation hands the adversary the same full administrative access to the system. Accessing the same malicious site as a non-privileged user substantially limits the potential damage and may prevent successful exploitation entirely. Organizations should therefore never allow privileged accounts to reach Internet resources, and should enforce this at the web proxy rather than relying on policy alone; administrators should use a separate, unprivileged account for web access. In an Active Directory environment this can be accomplished by ensuring that only unprivileged accounts are placed in the "Internet" group that permits Internet access, and by periodically auditing that group against Domain Admins and other privileged groups.

3. Inspect SSL/TLS

Although encrypted SSL/TLS communications provide valuable data integrity and confidentiality, they also present a risk to organizations if not inspected: malicious downloads and command-and-control traffic inside TLS are invisible to a proxy that only sees the CONNECT tunnel. Most web proxy technologies can be configured to intercept encrypted web communications so that they can be inspected and monitored entering and leaving the enterprise. This requires deploying the proxy's signing certificate authority to every managed endpoint as a trusted root, and it will break applications that pin certificates; most deployments also bypass inspection for sensitive categories such as banking and health care. A recent GCN article titled "Removing the blindfold to inspect encrypted communications" provides additional recommendations for gaining the necessary visibility into SSL/TLS communications.

4. Restrict by categorization

Web proxy technologies have built-in or third-party URL categorization services that should be implemented to not only enforce organizational policies but also to prevent access to known malicious or other risky categories of content. In addition to static categorization of websites, some vendors offer dynamic categorization/classification services for URLs not previously assessed.

5. Implement dynamic/custom blocks

Vendor categorizations of URLs can prevent access to known risky content. However, URL categorization is a cat-and-mouse game with sophisticated adversaries that leverage new techniques and newly registered domains that have not yet been categorized. Because of this, agencies should also establish custom categories for organization-specific policies and override vendor categorizations when needed, both to block content the vendor rates as benign and to unblock a legitimate business site the vendor has miscategorized. Administrators can also develop regular expressions that match specific URL characteristics based on known indicators of compromise or patterns used by adversaries. Custom blocks should be evaluated before vendor categories so that an organization's own verdict always wins.
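The precedence described above (custom block patterns first, then custom category overrides, then the vendor's category, then a default verdict for uncategorized sites) is shown below as an added example that is not part of the original article. The vendor table, custom categories, regular expressions and hostnames are all constructed for illustration; the patterns are generic shapes (a bare IP address as the host, a document extension followed by an executable extension), not indicators from any real incident. Subdomains inherit the category of their parent domain, which is how most vendor feeds behave.

```python
import re
from urllib.parse import urlparse

# Added example: URL filtering where organization-specific rules take
# precedence over a vendor's category feed. Every table below is constructed
# for illustration; the hosts are reserved example names, not real sites.
VENDOR_CATEGORIES = {                 # stand-in for a vendor categorization feed
    "news.example.net": "news",
    "casino.example.net": "gambling",
    "tools.example.com": "malware",   # constructed false positive on a needed tool
}
BLOCKED_CATEGORIES = {"malware", "phishing", "gambling", "uncategorized"}

# Custom categories that override the vendor's verdict.
CUSTOM_CATEGORIES = {
    "tools.example.com": "approved-business",    # corrects the vendor miscategorization
    "partner.example.org": "approved-business",  # new partner site the feed has not assessed
}
# Regular expressions on URL characteristics. Generic illustrative patterns,
# not indicators taken from any real incident.
CUSTOM_BLOCK_PATTERNS = [
    ("bare IP address instead of a hostname",
     re.compile(r"^https?://\d{1,3}(?:\.\d{1,3}){3}(?::\d+)?(?:/|$)", re.I)),
    ("document extension followed by an executable extension",
     re.compile(r"\.(?:pdf|docx?|xlsx?|jpe?g|png)\.(?:exe|scr|js|vbs)(?:$|[?#])", re.I)),
]


def lookup_category(host, table):
    """Walk from the full host to its parent domains so subdomains inherit a category."""
    labels = host.lower().rstrip(".").split(".")
    for i in range(len(labels) - 1):          # stop before the bare TLD
        candidate = ".".join(labels[i:])
        if candidate in table:
            return table[candidate]
    return None


def evaluate_url(url):
    """Return ("allow"|"block", reason). Precedence: custom blocks, custom categories, vendor, default."""
    for description, pattern in CUSTOM_BLOCK_PATTERNS:
        if pattern.search(url):
            return ("block", "custom pattern: " + description)

    host = urlparse(url).hostname or ""
    custom = lookup_category(host, CUSTOM_CATEGORIES)
    if custom is not None:
        decision = "block" if custom in BLOCKED_CATEGORIES else "allow"
        return (decision, "custom category %s" % custom)

    # Sites the vendor has never assessed are treated as uncategorized and denied.
    vendor = lookup_category(host, VENDOR_CATEGORIES) or "uncategorized"
    decision = "block" if vendor in BLOCKED_CATEGORIES else "allow"
    return (decision, "vendor category %s" % vendor)


if __name__ == "__main__":
    for url in ["http://www.news.example.net/article",
                "http://tools.example.com/download",
                "http://203.0.113.5/login"]:
        print(url, evaluate_url(url))
```

Note the design choice that a custom block pattern wins even over a custom allow category: a double-extension download from an approved partner site is still denied. Whether uncategorized sites are denied by default, as here, is the single policy setting with the largest effect on both exposure and help-desk volume.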

6. Restrict by user agent

Internet browsers not maintained or supported by the enterprise, and other unauthorized client software, can be kept off the Internet by assessing the User-Agent header and allowing only values that are explicitly approved. The same approach can prevent exposure of unpatched, vulnerable software versions: requests from out-of-date Java versions can be blocked, not only to limit external exposure but also to present the user with instructions to upgrade. It is important to note that this is useful but not infallible on its own, because the User-Agent string is supplied by the client and can be set to anything; malware routinely impersonates the approved browser, so this control is about reducing accidental exposure rather than stopping a deliberate adversary.
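The check described above, as an added example that is not part of the original article: an allowlist of approved browsers with minimum major versions, plus a Java version floor. The browser names, version thresholds and Java baseline are constructed policy values chosen for illustration. The one detail worth copying is how Chrome is matched: Edge and Opera also advertise a Chrome/NN token, so a genuine Chrome user agent is recognized by its trailing Safari token rather than by the Chrome token alone.

```python
import re

# Added example: user-agent allowlisting with minimum-version enforcement.
# Browsers, versions and the Java baseline are constructed policy values.
APPROVED_BROWSERS = {"Firefox": 45, "Chrome": 49}   # minimum approved major version
MIN_JAVA = (8, 77)                                   # Java 8 update 77, as (feature, update)

_BROWSER_PATTERNS = {
    "Firefox": re.compile(r"\bFirefox/(\d+)"),
    # Edge and Opera also advertise "Chrome/NN"; a genuine Chrome UA ends with
    # the Safari token, so anchor on that to avoid approving other browsers.
    "Chrome": re.compile(r"\bChrome/(\d+)(?:\.\d+)*\s+Safari/[\d.]+$"),
}
# Java's HTTP client reports "Java/1.8.0_77" (Java 8 and earlier) or "Java/11.0.2" (Java 9+).
_JAVA_PATTERN = re.compile(r"\bJava/(\d+)(?:\.(\d+))?(?:\.\d+)?(?:_(\d+))?")


def parse_java_version(ua):
    """Return (feature, update) for a Java user agent, or None if the UA is not Java."""
    m = _JAVA_PATTERN.search(ua)
    if not m:
        return None
    major, minor, update = m.group(1), m.group(2), m.group(3)
    if major == "1":                      # legacy "1.x" scheme: 1.8.0_77 -> (8, 77)
        return (int(minor or 0), int(update or 0))
    return (int(major), 0)                # 9+ scheme: 11.0.2 -> (11, 0)


def evaluate_user_agent(ua):
    """Return ("allow", reason) or ("block", reason) for one User-Agent header value."""
    ua = (ua or "").strip()
    if not ua:
        return ("block", "missing user agent")

    java = parse_java_version(ua)
    if java is not None:
        if java < MIN_JAVA:
            return ("block", "outdated Java %d update %d; upgrade required" % java)
        return ("allow", "Java %d update %d meets baseline" % java)

    for name, pattern in _BROWSER_PATTERNS.items():
        m = pattern.search(ua)
        if m:
            major = int(m.group(1))
            if major < APPROVED_BROWSERS[name]:
                return ("block", "%s %d below minimum %d" % (name, major, APPROVED_BROWSERS[name]))
            return ("allow", "%s %d approved" % (name, major))

    # Anything not explicitly approved (curl, scripts, unmanaged browsers) is denied.
    return ("block", "user agent not on the approved list")


if __name__ == "__main__":
    for ua in [
        "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:45.0) Gecko/20100101 Firefox/45.0",
        "Mozilla/4.0 (Windows 7 6.1) Java/1.7.0_45",
        "curl/7.47.0",
    ]:
        print(evaluate_user_agent(ua))
```

In a real deployment the block reason is what the proxy renders on its block page, so the Java message should point at the upgrade procedure; the allowlist also needs a maintenance process, since every browser release moves the version floor.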

7. Restrict by media type

Over the past year, there have been a number of zero-day vulnerabilities exploited through Flash. Google and Apple have taken a firm stance against supporting Flash, and agencies can do so as well by restricting Flash and other risky media types at the proxy. Undesired content can be identified by the URL file extension, by the MIME type declared in the HTTP Content-Type header, and by inspecting the leading bytes of the response body with a file-identification library such as libmagic; the third check matters most, because the first two are under the control of the server delivering the content. The same technique can prevent the introduction of unapproved executable content from the web. If needed, exceptions can be granted for specific websites while preventing exposure to the Internet at large.
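The three checks just described, as an added example that is not part of the original article. The extension and Content-Type tables, the exception host and the sample responses are constructed for illustration; the file signatures (Flash FWS/CWS/ZWS, PE MZ, ELF, Java class, ZIP) are the real magic bytes libmagic also keys on. A body whose bytes identify as an executable while the declared type claims an image is reported as a mismatch rather than silently allowed.

```python
import os
from urllib.parse import urlparse

# Added example: identify risky content three ways (URL extension, declared
# Content-Type, leading bytes of the body) and block when any one of them, or a
# disagreement between them, indicates Flash or executable content.
# Policy tables and the exception host are constructed for illustration.
BLOCKED_EXTENSIONS = {".swf", ".exe", ".dll", ".scr", ".msi", ".jar", ".class"}
BLOCKED_CONTENT_TYPES = {
    "application/x-shockwave-flash",
    "application/x-msdownload",
    "application/x-msdos-program",
    "application/vnd.microsoft.portable-executable",
    "application/java-archive",
    "application/x-executable",
}
# Hypothetical site granted an exception for executable downloads.
EXECUTABLE_EXCEPTION_HOSTS = {"updates.example.com"}

# File signatures ("magic") at offset 0, the same idea libmagic applies.
MAGIC = [
    (b"FWS", "swf"), (b"CWS", "swf"), (b"ZWS", "swf"),   # Flash: raw, zlib, LZMA
    (b"MZ", "pe"),                                      # Windows PE (exe, dll, scr)
    (b"\x7fELF", "elf"),                                # Linux/Unix executable
    (b"\xca\xfe\xba\xbe", "java-class"),                # Java class (also Mach-O fat binary)
    (b"PK\x03\x04", "zip"),                             # ZIP container: JAR, but also docx/xlsx
]
RISKY_SNIFFED = {"swf", "pe", "elf", "java-class"}
BENIGN_TYPE_PREFIXES = ("image/", "text/", "video/", "audio/")


def sniff_type(body):
    """Return a coarse type label from the first bytes of the body, or None if unknown."""
    for magic, label in MAGIC:
        if body[:len(magic)] == magic:
            return label
    return None


def classify_response(url, content_type, body):
    """Return ("allow"|"block", reason) for one proxied response (body = first bytes)."""
    parsed = urlparse(url)
    host = (parsed.hostname or "").lower()
    ext = os.path.splitext(parsed.path)[1].lower()
    mime = (content_type or "").split(";")[0].strip().lower()   # drop "; charset=..."
    sniffed = sniff_type(body)

    if host in EXECUTABLE_EXCEPTION_HOSTS:
        return ("allow", "executable content permitted by exception for %s" % host)

    # The server controls the extension and the header; the body bytes are what
    # ultimately catch a payload disguised as something else.
    if ext in BLOCKED_EXTENSIONS:
        return ("block", "blocked extension %s" % ext)
    if mime in BLOCKED_CONTENT_TYPES:
        return ("block", "blocked content type %s" % mime)
    if sniffed in RISKY_SNIFFED:
        if mime.startswith(BENIGN_TYPE_PREFIXES):
            return ("block", "type mismatch: declared %s but body is %s" % (mime, sniffed))
        return ("block", "body identified as %s" % sniffed)
    return ("allow", "no risky media type detected")


if __name__ == "__main__":
    # Constructed sample responses.
    print(classify_response("http://cdn.example.net/ad/banner.swf",
                            "application/x-shockwave-flash", b"CWS\x0a\x00\x00"))
    print(classify_response("http://images.example.net/photo.jpg",
                            "image/jpeg", b"MZ\x90\x00\x03"))
```

Two caveats a deployment has to settle: the proxy must buffer at least the first few bytes of the body before releasing the response to the client, and a ZIP signature alone is not treated as risky here because Office documents are ZIP containers too, so a JAR with no extension and a generic Content-Type would pass this check unless the archive contents are inspected.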

8. Restrict by top-level domain

Unless there is a business need, exposure to significant portions of the Internet can be reduced by blocking top-level domains by default, which shrinks the attack surface considerably. Exceptions can be made where necessary, but default blocks can be implemented for many country code TLDs (e.g., .cm for Cameroon or .cn for China), the newer generic TLDs introduced under ICANN's expansion program (e.g., .review or .science) and internationalized TLDs, which appear on the wire in punycode form with an "xn--" prefix (e.g., TLDs written in Arabic or Chinese characters). As noted in a recent analysis and report from Blue Coat on "The Web's Shadiest Neighborhoods," there are TLDs in which over 95 percent of the websites observed were rated suspicious. Access to these and other risky TLDs should be restricted by default and permitted only in rare cases with a valid business need and an appropriate risk assessment.

9. Formalize granular exception process

To limit Internet exposure by default and permit required access by exception, organizations must have a formalized and robust exception process in place. If users do not know how to request an exception for a valid business need, or if requests are not processed promptly, they will resist or circumvent the policy. While there will be some organization-wide exceptions, the exception process should be as granular as practical to minimize exposure. For example, if an employee responsible for obtaining and testing new Oracle client software needs to download executable content that is blocked by default, the exception should allow access only for that individual and only to the specific domain, rather than granting the same access to all employees or permitting executable downloads from anywhere on the Internet. Exceptions for temporary needs should carry an expiration date so that access is withdrawn automatically instead of accumulating.

In closing, a combination of the aforementioned approaches may be used to limit Internet exposure while minimizing the impact to critical business capabilities. For example, instead of completely blocking access to a given foreign TLD, it may be acceptable to allow access to only a subset of the websites using that foreign domain, and only for users within a specific business unit working with companies in that country. Using this approach, new malicious websites not yet analyzed by the filtering services would not be accessible, while other legitimate categorized sites could be reached.
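The combination described in the closing paragraph, a default deny on top-level domains with narrowly scoped, expiring exceptions (sections 8 and 9), is shown below as an added example that is not part of the original article. The allowed-TLD set, the users, groups, hosts and expiry dates are all constructed. Hostnames are normalized to their punycode form before the TLD is read, so an internationalized TLD is evaluated as its "xn--" label, and a URL whose host is a bare IP address has no TLD and is denied outright.

```python
import ipaddress
from datetime import date
from urllib.parse import urlparse

# Added example: TLDs are denied unless allowed by default or covered by a
# granular exception scoped to a user or group, a host, and an expiry date.
# Policy values, users, groups and hosts are constructed for illustration.
ALLOWED_TLDS = {"gov", "mil", "us", "edu", "com", "net", "org"}

# Exceptions: who, which hosts, until when (ISO date string or None for open-ended).
# A host beginning with "." covers that domain and all of its subdomains.
EXCEPTIONS = [
    {"scope": ("group", "trade-office"), "host": ".example.cn", "expires": None},
    {"scope": ("user", "jdoe"), "host": "download.example.review", "expires": "2016-06-30"},
]


def normalize_host(url):
    """Lowercase, IDNA-encoded (punycode) host, or None for IP literals and invalid hosts."""
    host = urlparse(url).hostname
    if not host:
        return None
    try:
        ipaddress.ip_address(host)
        return None                          # bare IPv4/IPv6 address: no TLD to evaluate
    except ValueError:
        pass
    try:
        host = host.rstrip(".").encode("idna").decode("ascii")
    except UnicodeError:
        return None                          # label too long or otherwise invalid
    return host.lower()


def top_level_domain(host):
    return host.rsplit(".", 1)[-1]


def host_matches(host, rule_host):
    if rule_host.startswith("."):
        return host == rule_host[1:] or host.endswith(rule_host)
    return host == rule_host


def evaluate_request(url, user, groups, today):
    """Return ("allow"|"block", reason). `today` is an ISO date string such as "2016-05-01"."""
    host = normalize_host(url)
    if host is None:
        return ("block", "no evaluable hostname (IP literal or invalid host)")
    tld = top_level_domain(host)
    if tld in ALLOWED_TLDS:
        return ("allow", "TLD .%s allowed by default" % tld)

    for rule in EXCEPTIONS:
        kind, name = rule["scope"]
        in_scope = (kind == "user" and name == user) or (kind == "group" and name in groups)
        if not in_scope or not host_matches(host, rule["host"]):
            continue
        if rule["expires"] and date.fromisoformat(today) > date.fromisoformat(rule["expires"]):
            return ("block", "exception for %s expired on %s" % (rule["host"], rule["expires"]))
        return ("allow", "exception for %s %s covers %s" % (kind, name, host))

    label = "internationalized TLD" if tld.startswith("xn--") else "TLD"
    return ("block", "%s .%s not allowed by default" % (label, tld))


if __name__ == "__main__":
    print(evaluate_request("http://shop.example.cn/", "amy", ["trade-office"], "2016-05-01"))
    print(evaluate_request("http://例子.中国/", "amy", [], "2016-05-01"))
```

The exception table is the audit artifact: each row names the requester scope, the exact host or domain, and the date the access lapses, which is exactly what a reviewer needs to confirm that the granular process in section 9 is being followed rather than quietly widened.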

By using some or all of these techniques, web proxy and gateway technologies can significantly reduce the attack surface and limit an agency’s exposure to the “big bad Internet” while allowing access to the portions of the web required to support critical business functions.
