Re: Blocked URL Categories

[Adam Maynard <AMaynard () CLARKU EDU>]

The only URL categories we block are malware, command-and-control, and phishing. Anything else is a grey area of 
censorship. For instance, I visit hacking websites, not to become a black hat, but to educate myself on hacking TTP.

You get into 1st amendment arena if you decide to block others. If any illegal activity is happening, it’s likely 
occurring over encrypted channel or TOR. Everything else can be justified for research or educational purposes. If you 
blocked those other categories, it would be a burden to manage and process exception requests.

Unless there’s a plausible cause, how do you show they’re using it for illegal activity? You’d have to set up some kind 
of behavioral based monitoring.

Occasionally, sites get miscatorgorized as malware. Then I’ll have to look into it. Reputation databases are pretty 
helpful with that.


-Adam

From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Ronald 
King
Sent: Friday, October 27, 2017 12:57
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] Blocked URL Categories

Good afternoon,

We are a public institution in Maryland. We are being questioned by our state auditors as to why we permit access to 
the URL categories abused-drugs, extremism, hacking, and gambling when our AUP states IT resources are not to be used 
for illegal activities or "for commercial, religious, political (including activities supporting the nomination of any 
person for political office or attempting to influence the vote in any election or referendum), solicitation, or 
profit-making purposes."

Along with academic freedom, the perspective I have been arguing is one to permit access to the sites. The argument is, 
just because a student accesses a gambling website does not mean they are gambling.

So, my questions to the group are:

  *   Do you block these URL categories by default?
  *   If so, how do you address the request to research in areas that might require access to these URLs?
  *   How did you convince the auditors it was necessary to allow access to these categories?
As always, responses can be addressed directly to me or via the listserv.

Thank you for your input!
Ronald A. King, CISSP
Chief Information Security Officer
Morgan State University                                                                                           
Office: (443) 885-3372
1700 E. Cold Spring Ln.                                                                                           
Email:  ronald.king () morgan edu<mailto:ronald.king () morgan edu>
Baltimore, MD 21251                                                                                 URL:    
http://www.morgan.edu

                                                Growing the future ... Leading the 
world<http://www.morgan.edu/Documents/ABOUT/StrategicPlan/StrategicPlan2011-21_Final.pdf>