I had an interesting discussion with my Associate Director and our Lead Forensics Analyst last week. I am responsible for the URL filtering solution for my employer, and once a year, we review the filtering categories provided by the vendor. The vendor sometimes splits an existing category into two or updates the definition of an existing one. We review these categories to ensure that we are restricting sites under the organization's policies and directives.
Some of the most apparent site categories are blocked: Pornography, Drugs, Criminal Skills, etc., and some not so obvious ones: Gambling, Provocative Attire (Victoria's Secret), Media Downloads and Streaming Media. We blocked Media Downloads (iTunes, Napster) and Streaming Media (YouTube, Google Video) because the fat pipe of the corporate network is just too tempting for some people.
One category that we have chosen to allow (after much heated discussion) is Hacking. The challenge with this category is that many excellent security analysis tools and techniques have been placed in it. That means that tools like SysInternals would be blocked. So we decided that the benefits of the tools outweighed the risks. The vendor must have received feedback on this issue: the new category list includes a new Information Security category. According to the definition:
This category includes URLs that have a legitimate purpose of providing information about data protection, but in doing so present a risk that the information provided may be exploited by users in order to breach security or commit unlawful acts. This applies to detailed information intended to safeguard business or personal data, intellectual property, privacy, and infrastructure on the Internet, private networks, or in other bandwidth services such as telecommunications.
I think we may decide to block Hacking and allow Information Security.
The one new category that got our attention and resulted in many discussions was Interactive Web Applications.
This category includes URLs that provide access to live or interactive Web applications such as browser-based office suites and Groupware. Interactive Web applications can present security risks such as leaking or loss of proprietary data. Sites categorized as Interactive Web Applications include those with business, academic, or individual focus. Sites providing access to interactive Web applications that do not take critical user data or offer security risks, i.e. Google Maps, are excluded.
So what are Interactive Web Applications? Applications such as Google Docs & Sheets (word-processing and spreadsheet), BasecampHQ (project management), and Salesforce.com (customer relationship management) would be included in this category.
The reason this category resulted in a lengthy discussion is the sentence "Interactive Web applications can present security risks such as leaking or loss of proprietary data." From my boss's and coworkers' point of view, these applications should not be used because the company already provides productivity tools (Microsoft Office, SAP, etc.). From my point of view, the business side of the company was already using these tools, and restricting access would be suicide. The genie was out of the bag, and all we could do was find ways to educate the business about the risk and about methods for mitigating those risks. They came around to my point of view; we will not be restricting access to this category.