We have a number of employees who use Tor for legitimate business purposes, but it seems like it's increasingly...
under attack by black hats and the U.S. government. Does it still provide realistic anonymity, or is lack of Tor security making it easier for attackers and the NSA to access data?
Tor is one of those gray areas of IT and security where usage is questionable and security may or may not exist. Case in point: Kaspersky recently discovered hundreds of botnets and darknet markets within Tor, not to mention the involvement by the NSA and countless other government agencies. Given this fact alone, if I were a security manager, IT director or savvy executive who understands security, I'd have a big problem with my employees using such an environment.
Legitimate business purpose or not, from the network to the endpoints, it might be risky for your business to work in and around Tor. I suggest that you get together with some sharp minds in your business (i.e., your security committee) and ask the following questions:
- Who is using Tor?
- What's the legitimate business reasoning behind this usage?
- What policies and contracts are being violated and what business risks are being generated by doing so?
- How are your systems and sensitive information vulnerable due to this usage?
- What are your alternatives?
This can be a tough situation to handle. We honestly just don't know much about the deep Web. In the end, if there's a strong enough business case (i.e., for journalists who use Tor to protect their confidential sources, as recommended by the Electronic Frontier Foundation and ACLU), you might have trouble eliminating Tor usage in your organization. Perhaps you can find a happy medium and only allow Tor usage from certain systems (i.e. virtual machines) on certain network segments (i.e. non-production virtual LANs or guest networks) that are protected with effective antimalware software and closely monitored. For now, the most important thing you can do is inform management of the situation and let them make the final decision.
Ask the Expert!
SearchSecurity expert Kevin Beaver is ready to answer your enterprise security questions -- submit them now! (All questions are anonymous.)
Dig Deeper on Web application and API security best practices
Related Q&A from Kevin Beaver
Android Oreo replaced the allow unknown sources setting with a new feature that enables users to selectively install unknown apps. Kevin Beaver ...continue reading
Several vulnerabilities were recently discovered in Android bootloaders via the BootStomp tool. Kevin Beaver explains how they work and what risk ...continue reading
Equifax's Apache Struts vulnerability was an example of a scan not being read correctly. Kevin Beaver explains vulnerability scans and how issues can...continue reading
Have a question for an expert?
Please add a title for your question
Get answers from a TechTarget expert on whatever's puzzling you.