URL Filtering Trends Offer Glimpse into Employee Web Use Habits
Posted on behalf of Dan Bleaken, Malware Data Analyst, Symantec Hosted Services
Symantec Hosted Web Security Service blocks millions of web requests every day to protect employees from content that is either against company policy or malicious. In a typical week MessageLabs Intelligence performs 50 million blocks on 10 million distinct URLs for several thousand clients. That’s tens of thousands of blocks per client per week.
99.95% of blocked URLs are policy based. Of these, by far the greatest proportion is for advertising, mostly pop-up ads or auto-forwarding to ads. MessageLabs Intelligence also blocks sites related to Games, Chat, Personals & Dating, Adult/Sexually Explicit material, Violence, Tasteless & Offensive material, Weapons, Criminal Activity, Gambling, Illegal Drugs and so on. Clients have full control over what they consider to be against company policy. Each day, roughly 39% of clients have URLs blocked as policy, and on average there are just over 6,000 policy blocks made for each of those clients. Over a period of one week, almost all clients would have had a URL blocked as policy at some point.
The remaining 0.05% of blocks are malicious (but that could still be several tens of thousands of blocks in a week). The malicious blocks are tiny in proportion to all blocks but very important, as they pose a great risk to the client. Malicious websites are not a matter of policy and they do not come under any particular category. In theory, almost any website is capable of serving up malware or forwarding to a site that does. Sites can be set up and hosted by criminals, or legitimate websites can be compromised. In fact, the vast majority (approximately 80%) of malicious blocks are for legitimate compromised sites. The proportion of blocks that are malicious has been steadily increasing in 2009, and MessageLabs Intelligence expects it to continue to increase in 2010, as the sheer number and variety of malicious web threats continue to expand.
MessageLabs Intelligence analyzed URLs blocked as policy (99.95% of all blocked URLs) across several thousand clients to explore the particular categories being blocked, and when they are being blocked.
Overall, ‘Advertisements and Popups’ account for almost two thirds of blocked sites. ‘Streaming Media’ accounts for about one eighth of blocks. Following that, ‘Games’, ‘Chat’, ‘Downloads’ and ‘Personals & Dating’ (equivalent to Social Networking) each account for between one and eight percent of blocks. ‘Adult/Sexually Explicit’ (porn, basically) accounts for 1.4 percent.
A deeper dive into the time of day the above blocks are made reveals that 87.4% of policy blocks are made during the working day, defined as between 8 a.m. and 6 p.m. This is not surprising, as Symantec Hosted Services clients are almost entirely businesses. By far the busiest time of day for blocks is the lunch hour, between noon and 2 p.m., when 32.6% of blocks are made. To summarize, one third of all blocks are made in a small window of time which accounts for just one fifth of the working day, or one twelfth of the whole day. Lunchtime is clearly a very popular time for employees to look at sites that the company doesn’t consider appropriate.
‘Chat’ is about four times more popular in the morning than in the afternoon, particularly in the late morning.
‘Weapons’, ‘Adult/Sexually Explicit’, ‘Hacking’, ‘Games’ and ‘Violence’ all have a relatively high number of blocks outside working hours, compared to other categories. For example, for ‘Adult/Sexually Explicit’, 68 percent of blocks are within working hours and 32 percent are outside of working hours. The other four are split similarly. Blocks on ‘Adult/Sexually Explicit’ peak at lunchtime, like most other categories, but also peak again from midnight to 2 a.m.
Interestingly, ‘Web-based email’ is remarkably flat. Employees visit web-based email consistently throughout the working day. The same applies to ‘Shopping’, which is fairly flat throughout the day, apart from a small uptick towards the end of the afternoon, between 3 p.m. and 6 p.m.
‘News’ sites show a tremendous burst at lunchtime, with little at other times. Fifty-two percent of all ‘News’ blocks are made during lunchtime. This shows that one of the most popular ways for employees to spend their lunch break is reading news stories. A number of categories are very popular during the lunch break, such as ‘News’, ‘Politics’, ‘Fashion’ and ‘Personals & Dating’ (includes Social Networking). Online banking is also very popular among employees. Accordingly, we see a peak in phishing/fraud blocks (44% of Phishing/Fraud blocks happen at lunchtime).
Businesses can configure Symantec Hosted Services Web policy blocking to be as relaxed or as strict as they wish. This includes opting in/out of the set of core policies discussed above, but also includes the ability to create custom policies that block/allow specific URLs in addition to, or as an exception to, the core policies. Also, clients can configure policies to be active or inactive at different times of the day, for example, allow social networking and web-based email at lunchtime, but don’t allow it at other times.