In an enterprise like Washington Group International Inc., which has 20,000 employees and locations across the globe, there's always the chance someone will try to visit Web sites or use programs that are forbidden by company policy.
Ed Biancarelli, senior IT security director for the Boise, Idaho-based engineering, construction and management firm, has strict Web-use policies banning peer-to-peer (P2P) programs as well as porn and gambling Web sites. He uses an intrusion prevention (IPS) appliance to block workers from violating that policy, but he's found that even the strongest of security tools can't keep everyone from doing what they shouldn't.
"We are not a high-tech company, so the threat of people circumventing the policies is not widespread," he said. "But we have had instances of uncovering P2P file sharing and there are people using IM and we don't allow that."
For Biancarelli and other IT pros, there's another problem: office Web surfers who may not be malicious, but think security blocking programs are a tool of Big Brother. Employees of this mindset are finding places in cyberspace where they can get help with circumventing corporate security measures, according to Joseph Cortale, senior VP of worldwide sales and marketing for Vericept Corp.
"Companies are trying to protect customer data and intellectual property, and they're concerned [because] so many breaches are perpetrated by people on the inside," said Cortale, whose Denver-based company helps Biancarelli monitor the content employees access online. "There's URL filtering technology that prevents employees from going to various sites," Cortale said, "but there are some Web sites that tell employees how to circumvent these programs."
"If your employer or corrupt, undemocratic, dictator-based government uses a filtering service … to block access to BoingBoing.net or anything else online," the blog said, there are a variety workarounds. One of which is a piece of proxy software called Circumventor, created by Peacefire; a group that represents "the interests of people under 18 in the debate over freedom of speech on the Internet," according to its Web site.
"Install this software on your home computer and allow others to use your proxy to access the Web," BoingBoing said, "or use your proxy from work or school to access any Web site."
The Peacefire Web site and mailing lists are managed by Bennett Haselton, a freelance programmer based in Seattle. In an e-mail interview, Haselton said his group's goal isn't to undermine information security. In fact, he said some of the sites enterprises choose to block are far from threatening.
"With regard to BoingBoing specifically, it's highly unlikely that they would knowingly link to something that could harm someone's computer, at least not without giving the user a warning of what could happen," he said. "And a URL linked from BoingBoing is probably less likely to be dangerous than a URL selected from the Web completely at random."
Besides, he said, even if an outside attacker were to use a malicious Web page to run an unauthorized program on someone's computer, nearly any corporate firewall would make that task almost impossible. Furthermore, he said, companies should have internal network restrictions in place so that even if one person's machine were compromised, "their user account should not be able to access sensitive information unless they've been specifically approved to access it."
He said people who have access to sensitive information should only be those educated enough to follow rules that protect them from things like spyware.
Haselton stressed that his group does not advocate circumventing enterprise security controls.
"Peacefire is mainly about fighting censorship aimed at young people or citizens of oppressed countries, in both cases because they're the ones who don't have a choice," he said. "If you choose to work for someone, on the other hand, you kind of have to play by their rules."
However, Cortale said, even when the intentions of a group like Peacefire or an organization's employees are good, there's always the risk that some company insider will take a tool meant for legitimate use and twist it for malicious purposes.
"Our customers recognize there are employees who will try stealing assets for monetary gain," Cortale said. For those in the workplace who feel they should be able to browse any Web site they want, he said, "That's what home computers are for."