Workarounds: 5 Ways Employees Try to Access Restricted Sites
Company policy may forbid access to certain web sites, but some employees try creative techniques to view them anyway. Here are five common workarounds and what security can do about them.
Wed, August 11, 2010
CSO — There may have been a time when blocking certain sites was acceptable in most office environments. But what was once considered off-limits is now essential in many organizations. Social media sites like Facebook are a major part of many companies' marketing strategy. Sites like YouTube present opportunities to share information about products or services visually. And IM and chat services like G-chat are free and efficient ways for employees to communicate.
"I think generally the business drives the policy," said Dave Torre, founder and Chief Technology Officer of IT consultancy Atomic Fission. "If you work at the Department of Defense, I don't think any time at a social networking site on a secure computer is acceptable. But if you work in a marketing department, 15 minutes a day isn't nearly enough. Obviously you have to use some common sense as an IT manager and say 'What does our organization look like and how important are these tools on the internet for our users?'"
Still, there are sites that usually have no legitimate place in the office, like gambling sites, which often tend to be as sketchy as pornography sites, according to Torre. He said he often gets calls from clients seeking help after employees have accessed gaming sites, and have been hit with a drive-by malware download.
Unfortunately blocking certain sites, such as a gambling site, doesn't always work. Industrious employees can, and do, find ways around site restrictions at work, potentially putting your network, data and even intellectual property at risk, according to Hugh Thompson, Program Committee Chair of the RSA Conference and Chief Security Strategist at People Security.
"Some workarounds can be dangerous because they might create a channel that data can flow out through that is not managed or monitored. These types of bypasses might make defenses like some data loss prevention systems less effective."
Here are five techniques--some simple, some more advanced--that your employees may be using to access the sites you don't want them to visit while on the job.
Workaround 1: Typing IP address instead of domain name
"In some cases, using the IP address of the blocked site can bypass checks that look for a domain name," said Thompson. "There are many websites that will give you the IP address for a favorite online destination."
As an example, check out the site baremetal.com where you can look up the IP address of just about any site. Plug that IP address into your browser, and it takes you there, bypassing the need to enter a domain name.