By Dan Bleaken, Senior Malware Data Analyst, Symantec Hosted Services
In the September MLI report we discussed that it is important for IT managers and HR managers to understand that there will always be a subset of employees that are likely to try and flout the rules when browsing the internet. This behaviour not only goes against company policy, but also wastes time, can be a serious drain on resources/bandwidth, and crucially increases the risk of infection by malware. Organisations can protect from this behaviour by using the MessageLabs Web Security Service (WSS).
Browsing safely and within company policy
When users are grouped together according to their browsing habits, we might expect some kind of “bell-curve” or normal distribution; at one end of the curve will be the obedient employees, who present a minimal risk to the organization, and in the middle will be the majority, who present a typical risk, some low-risk, some higher. Well, let’s have a look at that profile. For all employees browsing the web, what proportion of all requests made are blocked, either because the request is for a site against company policy, or because it is malicious? The average for an organisation is 18% of requests, or about 1 in 5 requests. But web browsing behaviour differs from employee to employee.
Figure 1. % of all web browsing requests, that are blocked. Based on 1 week of web browsing requests in September 2010. The green zone and the red zone will be discussed further below.
Figure 1 shows that employees browsing the web fall into 3 distinct groups:
- Approximately one third of users don't have any blocks among their requests, in other words all sites requested are within company policy and not malicious.
- Approximately one third of users have <10% of all requests blocked (marked green in Figure 1).
- The remaining third of users have quite a large proportion of blocks. About 20% of users have more requests blocked, than allowed! And a huge 14% of users have between 90-100% of all requests blocked (marked red in Figure 1). This represents behaviour that is firmly against company policy.
So we don't find a "bell curve". In fact we find more of a 'U' shape - employees are either very well behaved, or very badly behaved, from the point of view of their employer.
So let’s explore these groups of users a little bit deeper. All blocks made are against company policy, or malicious, but do users with a large proportion of blocks visit more sites, or worse sites, from the point of view of the employer? In many ways it’s not just about the number of blocks, but it’s also about the user’s intentions. For example, visits to social networking sites, webmail accounts, or news sites may be against company policy, but most employers perhaps wouldn’t consider it a serious issue, unless it was a serious drain on bandwidth or large amounts of time were wasted. But visits to sites containing tasteless or offensive material, or adult/sexually explicit material, would surely cause an employer great concern.
Comparing users that have 0-10% of requests blocked (the green zone in Figure 1) to users that have 90-100% of requests blocked (the red zone in Figure 1), we can compare the profile of those users. I'll refer to them simply as 'green users' and 'red users'.
Overall, the average number of blocks per user per week is 8 times higher for red users, than for green users. So not only do red users have a higher proportion of requests blocked, they have more requests blocked too.
In terms of category, almost all categories that employers choose to block as policy see a higher average number of blocks per user for red users, than for green. Red users make more attempts to visit sites against company policy. But is any particular category more likely between red and green users? The answer is, mostly no.
However, it's 5x more likely for red users to have blocks made of sites relating to 'Proxies & Translators'. This strongly suggests activity to circumvent company policy to gain access to sites.
Also, blocks of ‘Advertisements & Popups’, common with green users, are 2.6x more likely for red users. If a block is made under the ‘Advertisements & Popups’ category, the site itself hasn’t been blocked as policy, but an attempt to visit an advert on that site has. It is very common for malicious attacks to take place via advertisements (‘malvertisements’) served up on otherwise harmless sites. The increased likelihood that red users will encounter adverts is therefore of great concern.
Across all users we see an average of 0.05% of requests being blocked as malicious. That equates to an average approximately 1 malicious block per user per 10-days. That may not sound like a lot, but one visit to a malicious website by just one user within an organisation could be enough to cause serious inconvenience, damage, loss of reputation, and so on. We find that the proportion of all requests that are blocked as malicious is 7.6x higher for red users, than for green users, confirming that having a higher proportion of all requests blocked, goes hand in hand with those employees, and their employers, being more exposed to malware. It’s certain that the increased likelihood of encountering ‘Advertisements & Popups’, and therefore an increased likelihood of encountering malvertisments (discussed above), has a significant contribution to this.
Finally, on average the red users have blocks for twice as many distinct domains, as the green users. Red users have 1.4 domains blocked per user per week compared to green users who have 0.7 domains blocked per user per week. Not only do red users have more blocks, and a higher proportion of requests blocked, than green users, but they also have blocks on a wider variety of websites, which again goes further against policy and presents additional risk for the employer in terms of malicious infections.
Roaming users can add risk
One of the greatest challenges for IT managers in recent years has been how to secure an increasingly mobile workforce. With many businesses finding themselves in a fiercely competitive market as the economy begins to recover, more workers are spending longer hours on the road, or perhaps working from home.
The September MessageLabs Intelligence report featured analysis of roaming user's web browsing habits. Let’s explore those browsing habits a bit further.
What if we compare the average browsing habits discussed above, to the habits of users that roam? By roaming users we mean users that use corporate property such as laptops or mobile devices, on networks other than the corporate network.
We separated out two more groups of users, from the main set of all users browsing the web:
- Those that only roam.
- Those that are both static and roam (in and out of the office).
Figure 2. % of all web browsing requests, that are blocked. Comparing all users, to those that only roam, and those that both roam and are static. Based on 1 week of web browsing requests in September 2010
Users that only roam actually have a slightly lower % of requests blocked, their behaviour is slightly better than the average for all users, so the 'U' shaped curve shifts to the left.
Users that both roam and are static have behaviour that is better than the average for all users, but slightly worse than users that only roam.
As suggested in the September MLI - we see those that only roam, actually exhibiting relatively good behaviour. It's the staff that browse both in and out of the office, that show worse behaviour when roaming - we found that 35% of users that are both static and roam, have a higher proportion of requests blocked when roaming, compared to when static.
Why this is we are not sure, but it’s possible that users roaming all the time, are more likely to behave in a manner that would be acceptable in the office; in a way their roaming status is the ‘norm’ for them. Whereas those that browse in the office, leave, and continue to browse outside of the office, may feel a slight sense of added freedom, and (consciously or subconsciously) loosen their browsing habits.
Worsening browsing behaviour not only goes further against company policy, but increases the risk of malicious infection, which could be brought back to, and further proliferate across, the corporate network.
Take a look at the examples in Figure 3a and 3b, below. These are two of many examples of users browsing behaviour worsening as they leave the corporate network, but continue to use corporate equipment. MessageLabs Web Security Service (WSS) meant that those users, despite trying, couldn’t access the sites requested.
These are the kind of users that come under the ‘35%’ figure quoted in the MLI report and above – they have a higher proportion of requests blocked when roaming, compared to when static, and in the case of these users the category of sites blocked would arguably be of great interest to their employers.
Figure 3a
Figure 3b
Figures 3a and 3b. Examples of user’s behaviour worsening as they leave the corporate network, but continue to use corporate equipment.
It’s a team effort!
Although technology plays a fundamental role in reducing risk from employee behaviour, equally important is end-user education. It is important that staff understand the importance of the organization’s security policies; individual employees need to understand that they also have a role to play in their company’s security. It is a three-pronged approach - leave any one of these elements out then the business may be vulnerable to exposure.
More information
For more information on roaming user’s browsing habits and all the latest threat intelligence, take a look at the September MessageLabs Intelligence Report: http://www.messagelabs.com/mlireport/MLI_2010_09_September_FINAL_EN.PDF.
For more information about malicious web threats, where they come from, and how they strike, take a look our recent whitepaper ‘Web Threats 2010: The Risks Mount Up’: http://downloads.messagelabs.com/dotcom/Whitepaper_web_threats_2010_EMEA_UK_June10.pdf.
For more information about the effects of employee browsing behaviour on bandwidth usage, see our recent whitepaper ‘Bandwidth Bandits’: http://downloads.messagelabs.com/dotcom/EMEA_UK_Bandwidth_Bandits_Apr10.pdf and a case study on requests for streaming media during this summer’s FIFA World Cup: http://www.symantec.com/connect/blogs/messagelabs-intelligence-finds-dramatic-increase-requests-streaming-media-during-world-cup.