Re: Blocked URL Categories

["Bradley, Stephen" <bradlesw () MIAMIOH EDU>]

We block CnC, phishing and malware as well.  We also block P2P but that is
in our AUP policy and has been for 13 years now.

On the occasion we get a complaint we run it by our ISO and get the okay to
whitelist the URL and that is maybe twice per month.

steve

On Fri, Oct 27, 2017 at 1:23 PM, Adam Maynard <AMaynard () clarku edu> wrote:

> The only URL categories we block are malware, command-and-control, and
> phishing. Anything else is a grey area of censorship. For instance, I visit
> hacking websites, not to become a black hat, but to educate myself on
> hacking TTP.
>
>
>
> You get into 1st amendment arena if you decide to block others. If any
> illegal activity is happening, it’s likely occurring over encrypted channel
> or TOR. Everything else can be justified for research or educational
> purposes. If you blocked those other categories, it would be a burden to
> manage and process exception requests.
>
>
>
> Unless there’s a plausible cause, how do you show they’re using it for
> illegal activity? You’d have to set up some kind of behavioral based
> monitoring.
>
>
>
> Occasionally, sites get miscatorgorized as malware. Then I’ll have to look
> into it. Reputation databases are pretty helpful with that.
>
>
>
>
>
> -Adam
>
>
>
> *From:* The EDUCAUSE Security Constituent Group Listserv [mailto:
> SECURITY () LISTSERV EDUCAUSE EDU] *On Behalf Of *Ronald King
> *Sent:* Friday, October 27, 2017 12:57
> *To:* SECURITY () LISTSERV EDUCAUSE EDU
> *Subject:* [SECURITY] Blocked URL Categories
>
>
>
> Good afternoon,
>
>
>
> We are a public institution in Maryland. We are being questioned by our
> state auditors as to why we permit access to the URL categories
> abused-drugs, extremism, hacking, and gambling when our AUP states IT
> resources are not to be used for illegal activities or "for commercial,
> religious, political (including activities supporting the nomination of any
> person for political office or attempting to influence the vote in any
> election or referendum), solicitation, or profit-making purposes."
>
>
>
> Along with academic freedom, the perspective I have been arguing is one to
> permit access to the sites. The argument is, just because a student
> accesses a gambling website does not mean they are gambling.
>
>
>
> So, my questions to the group are:
>
>    - Do you block these URL categories by default?
>    - If so, how do you address the request to research in areas that
>    might require access to these URLs?
>    - How did you convince the auditors it was necessary to allow access
>    to these categories?
>
> As always, responses can be addressed directly to me or via the listserv.
>
>
>
> Thank you for your input!
>
> *Ronald A. King, CISSP*
>
> Chief Information Security Officer
>
> Morgan State University
>                                          Office: (443) 885-3372
>
> 1700 E. Cold Spring Ln
> <https://maps.google.com/?q=1700+E.+Cold+Spring+Ln&entry=gmail&source=g>.
>
>                                   Email:  ronald.king () morgan edu
>
> Baltimore, MD 21251
> URL:    http://www.morgan.edu
>
>
>
>                                                 *Growing the future ...
> Leading the world*
> <http://www.morgan.edu/Documents/ABOUT/StrategicPlan/StrategicPlan2011-21_Final.pdf>



-- 
Puppy---Monkey---Baby

Stephen W. Bradley CISSP GNFA GCFA GCIH GWAPT SSCP
Senior Security Engineer
Miami University
IT Services
bradlesw () miamioh edu
513-529-1809