Connect with us

Entertainment

How Employees Bypass Workplace Web Filters & How to Stop Them

Published

on

A web filter is a ubiquitous tool for protecting networks and preventing employees or students from accessing inappropriate content. Shockingly the 2020 Insider Threat Intelligence Report from Dtex found that 95% of enterprises caught their employees actively seeking ways to bypass corporate security protocols.

In this article I will outline the methods that employees use to bypass content filtering policies and provide you with tips to prevent them from happening.

Best Practices For Dissuading Users From Bypassing Web Filters

Why Is Bypassing Web Filters a Problem?

  • Security: When users bypass web filtering policies they increase the attack surface of the network by providing themselves the opportunity to stumble on malicious websites.

Avoid Giving Users Admin Privileges

Reducing the amount of admin accounts is a strongly recommended security practice. The proliferation of unnecessary admin privileges increases the likelihood that threat actors could gain access to the network through compromised high-privilege accounts.

Establish an Acceptable Use Policy

Your company policy needs to explicitly forbid attempts to bypass security measures. An acceptable use policy (AUP) complements your web filter by providing employees with clear guidelines for using technology in the workplace.

An AUP sets a precedent for corrective action should your users attempt to bypass organizational security controls. Once you discover evidence of such attempts you must address the user(s) responsible in a timely manner to dissuade future avoidance attempts.

Use Less Restrictive Filtering

What’s more important: productivity or security?

Distracting and unproductive websites are often blocked in the workplace. Here’s the thing: if your employees really want to use Facebook at work, they’ll find a way.

If you are using a web filter to prevent distractions, disgruntled users are more incentivized to bypass your web filter than they would if it was used solely for security and decency reasons.

From a network security perspective allowing your users to access social media is a lesser concern than incentivizing them to bypass corporate web filtering policies and potentially visit high-risk websites.

Alternatively you can schedule less restrictive web filtering policies during breaks to allow your employees or students to access distracting content at designated periods.

That’s not all, though…

There’s another reason that your employees or students want to get around your web filter. Sometimes it is simply that they want to gain access to content that they shouldn’t be accessing, but that is not always the case. Your web filter may actually be blocking access to legitimate research.

Your web filtering solution needs to be easy to manage. It should allow you to easily unblock websites that have been wrongfully blacklisted. Being able to effortlessly provide access to blocked websites will reduce the temptation for your users to seek out risky filter avoidance techniques.

How Employees Bypass Web Filters

1) DNS-Over-HTTPS

What is it?

How it’s used to bypass web filters

The very same encryption that hides DNS traffic from ISPs also hides the details that network-level web filters need to effectively block websites.

Employees and students can use web browsers that support DoH to bypass network-level web filtering policies. Some web browsers such as Firefox enable DoH by default, leading to security concerns in organizations that use web filters to protect their network against phishing attacks.

The solution

  • Productivity: Administrators will block social media, games sites, and other distracting websites to improve the productivity of their organization. Actively disengaged users may try to gain access to these platforms to waste time.
  • Decency: Web filters are used to block access to adult-oriented content and other websites that are considered inappropriate. This includes domains that host pornography, hateful, or otherwise crude content.
  • CIPA Compliance: For schools and libraries a web filter is a critical component of maintaining compliance with CIPA. These organizations need to maintain CIPA compliance to receive E-Rate funding for telecommunications, internet access, and broadband services.
    • Agent-Based Filter: Use an agent-based web filter such as BrowseControl that blocks websites at the browser-level rather than using a network-level DNS filter.

    2) Web and Application Proxies

    What is it?

    Proxies are websites and applications that act as a gateway between the user and the internet. Companies often use their own purpose-built proxy servers that act as a firewall and web filter but employees can also use third-party proxies to bypass internal content filtering measures.

    How it’s used to bypass web filters

    There are three key ways that proxies can be used to break through corporate web filters:

    The solution

    Effectively preventing the use of proxies requires a multi-pronged approach. You will need to combine web filtering, user permission restriction, USB access control, and application blocking to address all of the possible methods.

  • Canary Domain: Enterprises using DNS-based web filters with Firefox can add the canary domain use-application-dns.net to their DNS filter to prevent DoH from being used by default. Unfortunately Firefox may still honor user-level settings; if your user manually enables DoH they may retain the ability to bypass DNS web filters.
  • Block Web Browsers: Use an application blocker to prevent users from launching browsers that support DoH. The list of browsers that support DoH is steadily growing so this is likely to not be feasible for the long term.
  • Active Directory: Use a Group Policy Object in Active Directory to disable DoH
  • Your users can use third-party proxies to hide their traffic from your web filter and browse the internet freely. These proxies can be accessed through one of many dedicated proxy sites.
  • Your users can modify settings in their web browser to forward traffic to a proxy server that is not managed by your company.
  • They could download purpose-built proxy programs onto USB drives at home and bring these devices to school or work.
    • Web Filtering: Add the Proxy category to your Category Filtering list to proactively block all known proxy sites. Manually adding known proxy websites and applications to your content filter is a losing battle as new sites are being created on a regular basis.

    3) Virtual Private Networks

    What is it?

    A Virtual Private Network (VPN) creates a private encrypted network between two networks. These tools are often used to provide remote workers with access to software applications hosted on their employer’s network.

    How it’s used to bypass web filters

    A VPN bypasses web filters and tunnels through firewalls by masking the network traffic of the user. This makes it difficult to detect or decipher the websites they are visiting, forcing system administrators to block the VPN connection entirely if they want to prevent it from circumventing their filtering policies.

    The solution

    4) Using Cellular Data as a Wi-Fi Hotspot for Their Laptops

    What is it?

    Smartphones include a feature known as “tethering”, which lets you use your phone’s mobile data to create a private Wi-Fi hotspot. This hotspot can be used to connect another phone, tablet, or computer to the internet.

    How it’s used to bypass web filters

    If you are filtering websites at the network level with a DNS filter or firewall your employees can bypass your web filter by disconnecting their work laptop from your filtered network and connecting to their cell phone’s private Wi-Fi hotspot.

    The solution

    An agent-based web filter that blocks websites at the device level cannot be bypassed using this method. The software agent will cache web filtering policies locally, allowing the last known blacklist to be enforced even when your employees connect to an outside network.

    5) Launching a Web Browser from USB

    What is it?

    Your users can use services such as PortableApps.com to install portable web browsers on a USB flash drive. This method is more difficult to detect than the other methods as the browsers can be launched directly from the removable media device without the need to visit a website or install a program on their computer.

    How it’s used to bypass web filters

    These USB-based web browsers are configured to route their internet traffic through a proxy address that bypasses the internet filtering policies of your network.

    The solution

  • Employee Monitoring: Monitor employee search engine activity for queries that indicate they are trying to find unblocked proxy sites. You can also track the applications used and URLs visited in your network and check if employees are using unblocked proxy sites and applications.
  • Policy Restrictions: Use a Group Policy Object in Active Directory Prevent to prevent users from making changes to browser settings. You should also block employees from using USB devices – if this is too restrictive for your organization you can whitelist company-provided devices and have your users keep them on-site.
  • Block VPN Ports: If you do not need VPNs in your organization you can simply block them altogether. To do this, block any network ports that support VPN connections. The exact ports used vary by the VPN, with the most common ports being 443 (TCP), 500 (UDP), 1194 (TCP/UDP),1701 (TCP), 1723 (TCP), 4500 (UDP), and 10000 (TCP/UDP).
  • Block VPN Extensions: Prevent your users from installing VPN browser plugins.
  • Block Apps: Use an application blocker to block your users from using app-based VPNs. You can also restrict privileges on employee/student accounts to prevent them from installing software without an admin password.
    • Block USBs: Block USB devices or provide users with Read-only permissions. If USB devices are critical an admin can whitelist a manageable selection of approved devices.

    Conclusion

    Web filters are excellent tools for preventing employees and students from accessing high-risk and inappropriate websites. Over time tech-savvy users have discovered increasingly complex and creative ways to bypass local security policies.

    To protect against this trend, restriction-based policies must be combined with computer monitoring and administrative safeguards. Network administrators can further bolster the integrity of their filtering policies by including the use of agent-based web filters that enforce website blacklists when users are off the main network.

    Read More

    Continue Reading

    Entertainment

    Radhika Apte reveals real reason why she got married

    Published

    on

    By

    Radhika Apte needs no introduction to Kollywood fans after her appearance as Superstar Rajinikanth’s wife in ‘Kabali’ directed by Pa Ranjith.  The intense actress impressed with her performance of a meek girl to a mother of a grown-up and especially her reunion scene with Rajini took the audience on an emotional ride.

    Radhika is happily married to her British boyfriend Benedict Taylor who is a singer and she shuttles between Mumbai and London to balance her personal and professional life.

    Radhika Apte in her most recent interaction with Vikranth Massey on social media from London has admitted that she does not believe in the institution of marriage.  When asked why she got married the talented performer replied that it is easier for married people to get a British visa and that’s why she and her man opted for it in 2012.

    Radhika is currently chilling with Taylor in their London home during the lockdown and will soon start filming her next English film ‘Noor Inayat Khan’ in which she plays a spy based on a true story.

    Read More

    Continue Reading

    Entertainment

    Jacqueline Fernandez shares picture of her being in ‘happy place’

    Published

    on

    By

    Actor Jacqueline Fernandez is working on a secret project where she found herself in a ‘happy place’. Taking it to Instagram on Sunday, the 35-year-old actor shared a picture dressed up like a traffic police officer as she is seen laughing her heart out.

    “How was everyone’s Sunday?? Fun project coming up soon! #myhappyplace,” wrote Fernandez along with a picture where she is also seen holding a coffee mug. The ‘Kick’ actor also shared a few Instagram stories of her getting ready for the upcoming project.

    Recently, the actor extended gratitude to her fans after the number of Instagram followers hit the 46 million mark.

    Keep scrolling to read more news

    Read More

    Continue Reading

    Entertainment

    Why an ‘active’ approach to risk modelling is key to navigating markets today

    Published

    on

    By

    Whether investors are aiming for a cautious approach or a riskier investment profile with the potential for higher returns, Architas’ Blended Fund range is designed to match a range of investor risk appetites. And like many asset managers, Architas predominantly uses two approaches to define asset allocation within the five risk bands used in the Blended Range – strategic and tactical.

    Whilst risk model provider EValue’s quantitative approach to asset allocation takes into account the long-term performance of different asset classes and the likely future performance given current valuations, along with long-term measures of volatility and correlations with other asset classes. Yet as with most systems of its kinds, EValue focuses on the long term; it is unable to analyse short-term market movements and fluctuations. So whilst it would have seen that in Q1 2020 markets fell by a record percentage before rebounding, it will not be able to factor in the cost of the coronavirus and lockdown and its impact on markets. Similarly, it is not able to consider ongoing Brexit woes, geo-political trade wars or the outcome of the US election in 2020.

    Click here for the full article and to access more about the flexibility of the Architas Blended Range by clicking on the box below.

    Read Guide Here

    Read More

    Continue Reading

    Hot Stories