This video covers registering Vantage and the Web Module.

This video will cover the Organization section of the software, showing you how to import your users and groups from Active Directory / LDAP.

This video follows on from #3, and will cover the Profiles section of the software, and how to use site categorization.

In this video we’ll look at how to import some data into a storage, use the Summaries section, and start customizing Aliases.

This video will take you through the system requirements, and the installation of Vantage and the Web Module.

This video is a high level overview, giving you a general insight into the software and its different parts.

WARNING: With storage locking disabled, it is possible to import into a storage while running a report, and doing this may cause storage corruption. It is therefore very important if you decide to enable these features to ensure that a storage is not written to while running reports.

Due to the experimental nature of these features, they can only be enabled by including a config file next to Vantage’s executable. To enable multi-instance capabilities and disable storage locking:

1. Download the following config file:
   WebSpy.Vantage.exe.config
2. Close Vantage
3. Extract downloaded zip file into Vantage’s installation folder (usually c:\Program Files (x86)\WebSpy\Vantage <flavour> 2.2). If you already have a file of the same name in that location, make a backup of it before overwriting it with the  new file.
4. Run Vantage.

You can now run Vantage again to launch another instance of the application.

Be aware of:

Simultaneous reading and writing, and multiple writes

I just want to be very clear that if you run reports while importing, or import into the same storage simultaneously, storage corruption can occur. Storages are not designed to be unlocked for these reasons. The only reason we’ve provided this ability is so that you can READ from the a single storage  simultaneously (i.e. run two or more reports). Reading and writing, and multiple writing is NOT supported, but Vantage will attempt to do it if you ask it to, with undefined behavior.  Check your Tasks configuration and note when any import jobs are likely to occur to avoid running reports at these times.

Configuration Changes

When Vantage closes it writes all of it’s state to a series of files under c:\users\<user profile>\AppData\Roaming\WebSpy\Vantage <flavour> 2.2). When Vantage opens, it loads these files into memory. When  running multiple instances, these instances will be reading and writing the same files. So if you open two instances of Vantage, make a change to a report template in one instance, then close the application, the Vantage.Templates file will be updated. But when you close the second instance of the application, the Vantage.Templates file will be overwritten with a version that doesn’t include the change.

When making configuration changes (templates, tasks, aliases, organization etc), make sure only one instance is running (check Task Manager for the WebSpy.Vantage.exe process).

It’s Experimental!

There may be other undefined behaviors that we are yet unaware of, so we advise running this configuration in a test environment.

We’re providing these feature on an “as-is” basis, meaning we will not be providing technical support for issues that arise as a result. That said, we are certainly interested to hear about any issue to help us improve the feature.

Let us know how you go!

Of note, this release includes full support for Microsoft Exchange 2010 Tracking logs (previously supported with the Exchange 2007 loader, but missing a few fields), as well as JunOS (Juniper) Traffic Logs, IronPort Traffic Monitor Logs and Squid Syslog.

We’ve also included an experimental feature to allow multiple instances of WebSpy Vantage to run on the same operating system. The goal here is to run multiple reports at the same time using multiple instances of the application. To do this, we have also included a second experimental feature to disable storage locking. This allows multiple instances of Vantage to read from the same storage at once. These features can only be enabled by including a config file next to the Vantage’s executable. More on this feature here.

Here’s the full list of changes:

Application Changes

• New: Added suffix option to Import Windows Users wizard in Aliases.
• New: Date modifiers now supports h for hour and n for minute, e.g. %[-2h,yyyyMM - HH].
• New: Added tracing to storage publish task.
• Experimental: Multiple instances of Vantage can now be run simultaneously, by adding the multipleInstance key to the application config file.
• Experimental: Storage locking can be turned off to allow multiple instances of Vantage to run reports on a single storage simultaneously. This is done by adding the storageLocking key to the application config file.
• Fix: Import Organization merge options now appends attributes if keep existing user details is selected, and replaces attributes if update user details from the directory is selected.
• Fix: Import Organization merge no longer replaces user’s passwords.
• Fix: Fixed issue where no results were returned when filtering on time less than one day – such as past n hours.
• Fix: Storages are no longer duplicated in the Import new hits task dialog.
• Fix: Fixed issues where the Site Domain summary included sub-domains for European domains (.fr, .be etc).
• Fix: SQL server inputs now commit correctly if the user edits the input and only changes the port number.

Loader Changes

• New: IronPort Traffic Monitor Logs.
• New: Juniper JunOS Traffic Logs (SRX).
• New: Microsoft Exchange 2010.
• New: Squid Syslog.
• Improved: Astaro Security Gateway: Added support for an additional different syslog header.
• Improved: SonicWall: Split syslog format into Web and Firewall schemas, added support for User field, string-type Category field and split Protocol field.
• Fix: Microsoft FTMG: Changed type of Object Source field in from Int32 to String. Users will need to clear/field select/reload their storages before this change will apply.
• Fix: Astaro Mail Gateway: Improved format detection, fixed negative size issue, and Index out of bounds errors.
• Fix: IronPort WSA: Improved format detection.

How to update

To update your software, simply click Tools | Check for updates. Vantage Ultimate users will also need to update the Web Module in order to use the new loader formats that have been added. To update the Vantage Web Module, right-click the WebSpy system tray icon and select ‘Check for updates’. If you have issues with the Web Module update process, please see: http://www.webspy.com.au/forums/viewtopic.php?f=4&t=29

Let me know if you have any questions or issues!

This time around I thought I share some tips focusing on how individuals can ensure they’re being smart and safe when engaging in social networking activities. Hopefully these tips can assist you, or the people working in your organization, in avoiding being exposed to the dark side of social networking where hackers, identity thieves, fraudsters and stalkers are lurking in the shadows.

I’ve picked five tips I thought were quite helpful and perhaps not as obvious as not sharing personal information such as birth date and address, keeping passwords safe, be selective whose friendship requests you accept, use appropriate virus/phishing software etc.

1. Limit work history details on LinkedIn

Although tempting, it is not advisable to use LinkedIn as an online resume displaying all information about time and place with previous employers and educational institutions.

Too much personal information publicly available simply makes it too easy for identity thieves to use the information to fill out loan applications or guess password security questions. A hacker recently used social reverse engineering to find information, such as post code, home town, high school graduated from etc, in order to hack into VP candidate Sarah Palin’s web mail account.

If you really feel the detailed information will help you when looking for a new job then expand the details during the job hunting process and cut back later after you have a position.

LinkedIn also offers some capabilities to restrict information. You can close off access by others to your network of contacts, something you don’t have to share if you don’t want. This is a common practice by sales professionals and recruiters not wanting to expose their valuable network to others who might poach customers or prospects from them.

2. Avoid sharing location information

Hopefully you’re already aware that sharing phone and address details online is a very bad idea. You might also think twice before posting “Away for the weekend…returning on Monday” on public sites like Twitter and LinkedIn, to avoid attracting attention from potential stalkers or burglars.

What you might not have considered is that, over time, seemingly innocent and non-specific information can be pieced together, giving lurkers a much more complete and rich picture of you, your family, your habits and other personal information.

Software like Twitter and Foursquare are often used at conferences, parties and other social scenes where alcohol is consumed, increasing chances of personal and location information slipping out. Travel plans and experiences while on holiday is often communicated via Twitter, giving clue to others that you’re not at home, leaving your family or possessions at risk for intruders.

Your Foursquare check-ins to local restaurants and shops can also make it fairly simple to determine what area you live in and your habits. Something as innocent as a Foursquare airport check-in is a tell-tale sign you’ll be away from home for at least one night.

3. Search yourself

Sometimes referred to as vanity search, it is a very good idea to search your name on Google and check out your profile as others see it on social networking sites. Understand where you show up and what information is available about you, and then adjust your profile, settings and habits appropriately.

If you unexpectedly see your name in locations you don’t frequent, it could give you a heads up someone else is using your identity online. Set up a Google alert with your name. Google Alerts will email you weekly, daily or immediate notifications when the Google robots comes across your name online.

4. Setup an OpenID account

OpenID is an open source standard for creating a single sign-on to multiple online services and applications. With OpenID, your password is only given to your identity provider, and that provider then confirms your identity to the websites you visit. Other than your provider, no website ever sees your password, so you don’t need to worry about an unscrupulous or insecure website compromising your identity

As a framework, OpenID accounts are available from multiple providers. Companies like AOL, Microsoft, Sun, and Novell are beginning to accept and provide OpenIDs. It is estimated that there are over 160-million OpenID enabled URIs with nearly ten-thousand sites supporting OpenID logins.

OpenID is making inroads into the SaaS application market to better manage user accounts. We’re also likely to see OpenID used in online social networking sites to help verify users identities and reduce impersonators and false identities. If the social networking sites you frequent don’t use OpenID or a similar technology, e-mail the site creator and lobby for adding it.

5. Don’t violate your company’s social networking policies

As blogging and social networking sites enter the workplace corporate acceptable use policies (AUP) are being updated to define boundaries for employees, contractors and the company.

Data leakage incidents (loss of corporate, confidential or customer information), making inappropriate public statements about the company, using corporate resources for personal uses and harassing or inappropriate behavior toward another employee can all be grounds for reprimand or dismissal. Social networking sites are another way those things can happen and they create an easy digital paper trail to investigate.

Data leakage (or loss) prevention is currently one of the hottest areas in security. Companies are looking for ways to prevent company confidential and proprietary information from slipping through the firewall. Most incidents probably occur via email or file transfers but IM chat tools, blog posts, Twitter messages and even online resume content could disclose proprietary company information.

Even using social networking sites on company time or using company resources could be a violation of the company’s acceptable use policy. Before you become the corporate poster child for some publically humiliating episode from using social networks at work, check your corporate AUP to make sure you aren’t violating the policy.

Other Resources
http://www.microsoft.com/protect/parents/social/socialnet.aspx
http://www.networkworld.com/community/tips-for-safe-social-networking

You can also read through these steps on this page: Analyzing SonicWALL log files with WebSpy.

Creating and Importing SonicWALL log files

Analyzing SonicWALL log files

We intend to make some SonicWALL specific report templates available on our SonicWALL how to page soon.

Until then, feel free to create your own templates, or modify our existing web reports to include the extra goodies contained in the SonicWALL logs.

TIP: To modify an existing web report, right-click the report and choose ‘Duplicate template’. Then choose the “SonicWall Web” schema. You’ll then have a report template that you can modify to include all the SonicWALL summaries, such as Categories, and Source and Destination Interface.

If you need some assistance getting the report(s) you need, feel free to contact me, or support@webspy.com.

The next morning I woke to find several more messages from my VPS host, each with a higher and more significant excess transfer than the last. At this point it occurred to me that it was unusual for my VPS to reach its quota, let alone exceed it. The excess transfer was now enough that it was going to incur significant cost, so I set about investigating the cause.

I downloaded some firewall logs for the previous few days from the server and imported them into Vantage. The first place I looked was in an analysis at the “Source Address” summary, to see where the activity was coming from. What I found was a single host with a disproportionately larger amount of transferred data than the other addresses listed, so I drilled down to the “Destination Port” summary for this source address to see what services it was accessing. I found that all the traffic was going to port 53 – my DNS. More accurately, the large amount of data was going from my DNS to the source address. Drilling down to the “Individual records” view then showed that my server was providing a large response to a small DNS request from that source address – about 20 times per second.

Curious about why this single machine somewhere on the Internet was bombarding my server with small DNS requests at such a high rate, I set my server’s firewall to deny packets from that address and began searching around online for any information.

I quickly found out that I hadn’t configured my DNS properly, and it was set to allow recursive requests, meaning that if a request came in for a domain my server wasn’t authoritative for, it would then forward the request to another DNS that could answer, or given a blank request it would respond with the full list of root servers. Running tcpdump on the VPS revealed that every request coming in was blank, and my server was responding with the full list of root servers for each request.

It still seemed odd that a server would be constantly sending small requests to my server and receiving large responses. Then it dawned on me; I was looking at a Distributed Reflected Denial of Service (DRDoS) attack. The source address in all the requests I had looked at was forged by the attackers, so that my server – and many other servers out there also receiving the requests – would send their responses to the forged source address in an attempt to flood its connection. The source address in my firewall logs was the target of the attack. I found more information about this specific type of attack here.

Having disabled recursion on my DNS, my server’s contribution to the attack was significantly reduced. However, my server was now responding with a much smaller “request denied” packet for each incoming request. I wanted some way of preventing my DNS from responding at all, so again I headed out to the Internet to see what I could find.

I discovered a package called “fail2ban”, which dynamically updates your firewall rules to block addresses that are abusing your server’s services. I installed it using this guide, and immediately my bandwidth usage dropped off as it blocked further DNS requests. Even now the requests are still flooding in, but now my VPS contributes only a handful of packets towards the attack instead of the previous millions per day.

Take a look at our dedicated Astaro pages to get an idea of what can be achieved when analyzing Astaro Web Gateway log files with WebSpy Vantage.

I’ve created some quick videos to show you how to enable the correct logging options on the Astaro Security Gateway appliance, how to import these log files into Vantage, and analyze the data on the Summaries screen.

Configure Logging

The best way to configure logging is to setup a 3rd party syslog server (such as Kiwi Syslog) on a machine in your network, then configure the Astaro Security Gateway to send syslog messages to that server. The syslog server then creates log files that can be imported into WebSpy Vantage. This video takes you through that process.

Importing and Analyzing Astaro logs

Once you have successfully configured syslogging on your Astaro Security Gateway, you can import the log files into WebSpy Vantage and analyze activity on the Summaries screen. This video takes you through that process.

We intend to make some Astaro specific report templates available on our Astaro How To page soon.

Until then, feel free to create your own templates, or modify our existing web reports to include the extra goodies contained in the Astaro logs.

TIP: To modify an existing web report, right-click the report and choose ‘Duplicate template’. Then choose the “Astaro Security Gateway – Filter with category” schema. You’ll then have a report template that you can modify to include all the Astaro summaries, such as Actions and Categories.

If you need some assistance getting the report(s) you need, feel free to contact me, or support@webspy.com.

Even though the webinars are channel focused I thought I’d share the most recent one with all of you. It includes very interesting product demos from Mark Maciw, product manager at Clearswift, and Scott Glew, Product Operations Manager at WebSpy. By seeing the products in action you’ll get a greater understanding of their capabilities and complementing aspects and hopefully learn how to:

• Maximize Internet investment, employee productivity and enjoy the benefits of a web-enabled environment;
• Reduce security vulnerabilities, to successfully protect organizational assets and employees

Enjoy!

Download Clearswift’s Research Report: Web 2.0 in the Workplace Today

From not wanting to touch social media with a ten foot pole, employers are these days increasingly aware of the benefits of social media and web 2.0 in the workplace. Clearswift used an independent market research firm and interviewed approximately 250 online office workers and 150 managers across the UK, US, Australia and Germany.

Social Media and Web 2.0 Benefits According to Managers:

• More than half (52%) of managers think web collaboration is critical for the future success of the company.
• 91% believe it can help increase brand awareness.
• 89% believe it can help in generating new business.
• 88% believe it can help improving employee productivity.
• 47% of managers believe staff are ‘happier and more motivated’ as a result of using these tools in the workplace.

Web 2.0 and security: New approach needed?

It is naturally refreshing to see that organizations are realizing the benefits of web collaboration and social media tools. Filters and blocks are gradually removed, and the great organism that is the Internet is allowed to breath more freely. However, there’s always bad seeds, internally or externally, that will take advantage of this openness and use it to commit crimes, spread viruses, leak information and ultimately make it harder for organizations to embrace the splendor of web 2.0 and social media in it’s entirety.

According to Clearswift’s report:

• Security is the biggest Web 2.0 concern, with 61% of companies having voiced concerns about security as a
  result of social media.
• More than half (51%) of managers think employees are oblivious to security concerns when it comes to IT.
• 47% of companies have had at least one security incident as a result of internet application usage
• Only 64% have specific tools in place to secure Web 2.0 exchanges

Current popular approaches to Web 2.0 security issues typically involve “big brother” style monitoring and locking down social networking sites. Such approaches may serve to erode employment relationships and diminish business value to be gained from web collaboration. It is a positive sign, therefore, that 64% of companies recognize that a new approach to security is needed in this era of web collaboration.

A New Approach to Security

Clearswift SECURE Web Gateway and Clearswift SECURE Email Gateway are trusted by organizations globally to deliver internet security for business. They maintain productivity by enabling information to flow safely into and out of the workplace. Adding WebSpy reporting to the equation enables managers to provide employees with the Internet resources they need, while resting assured the resources are used as intended.

5 Tips for Effective Reporting while taking Workforce into Consideration

1. Allow employees to view their own Internet usage
   More often than not, employees tend to underestimate the time they spend browsing non-work related sites. Allowing employees to view, for example, their productive and non-productive activity can help foster and drive responsible Internet usage behavior.
2. Help employees sticking to the rules
   If you have set a limit of, for example, no more than 10 hours of recreational surfing per month, then ensure you alert employees when they are approaching that limit.
3. Distribute reports – distribute responsibility
   Frequently IT managers and administrators are given the ultimate responsibility of managing, enforcing and communicating acceptable Internet usage for an entire organization. Take some of the pressure off the IT department and distribute organizational Internet activity reports to responsible managers or department heads. This will enable them to see how Internet usage affects the security and performance of their own department and distributes the responsibility of enforcing acceptable usage with the managers themselves.
4. Protect employee privacy
   If distributing Internet usage reports across your organization it is important to protect employees’ personal data. Make sure you use reporting software designed to protect privacy rights by only allowing authorized users to see the employee’s identity. For instance, Network Administrators may need to investigate all traffic going to a particular site but should not need to know the user names – in this case
   user names should be anonymous for them but available for HR.
5. Automation
   Use a reporting solution that easily lets you customize and automate these guidelines for you

DOWNLOAD REPORT & RECOMMENDATIONS

Cyber bullying is legally defined as repeated harassment online, although in popular use, it can describe even a sharp-elbowed, unwarranted swipe online. We all know kids can be cruel because they often lack the maturity and empathy to understand the emotional ramifications their words or actions can have on others. Adding the anonymity of the Internet, cyber bullying can be more psychologically savage than schoolyard bullying. The Internet erases inhibitions and adolescents often take the bullying much further online than in person.

The article describes a number of bullying cases played out in the US over the last few years. It also goes into detail on how the bullies, victims, parents, schools, and the authority responded in each instance.

D.C. and the forged Facebook profile

The main story focus on Marie and her son D.C. The kids at school started to avoid D.C. as he allegedly was posting horrible comments about other kids on his Facebook profile. As a matter of fact D.C. didn’t even have a Facebook account and it turned out someone had forged his identity on Facebook, and was bullying others in his name. Marie was desperate to make it stop as the ongoing online bullying had detrimental effect on, not only her son, but also the kids targeted on D.C’s forged Facebook account.

When D.C’s mum contacted school officials to help track down the students who was making her son miserable she was told there was nothing they could do. It was an off-campus matter.

Finally, after months and months of continued harassment, the police was able to subpoena Facebook for the address of the computer linked to the forged profile and much later subpoena Comcast, the Internet service provider, for the home address of the computer’s owner. Three boys were identified to be behind the scheme.

The Common Thread

The lawlessness of the Internet, its potential for casual, breathtaking cruelty, and its capacity to cloak a bully’s identity all present slippery new challenges for kids and parents. This is a dark, vicious side of adolescence, enabled and magnified by technology.

The article covered a variety of online bullying scenarios and the common thread running through all of them is the parents’ helplessness and frustration about the school’s inability and reluctance to intervene and proactively protect the students.

Yes, a large chunk of the responsibility lies with the parents. It even starts outside the borders of technology by simply raising mindful and responsible children. However, even if parents got that part right, in addition to restricting, monitoring, discussing, and educating themselves and their children about safe and responsible Internet use, the schools also have responsibility to ensure their internet resources are not used for cyber bullying. The negligent approach of passing off D.C’s case as an off-campus matter is simply unacceptable. If even one of the malicious Facebook updates happened during school hours, on the schools network, identifying the culprits could have taken a few minutes, as opposed to months!

What the school should have done

Majority of schools require students to use individual login details to access the Internet. This means an IT administrator could have easily match students’ Facebook activity with the timing of the malicious Facebook updates on D.C’s public profile and quickly narrowed down the list of suspects. Even better, as Facebook generates a specific URL every time someone updates their Facebook profile, a report filtering out all other Facebook activity would have been an even more efficient option.

Here’s how you filter based on Facebook updates using Vantage:

Let’s say you want to track down the source of malicious Facebook updates made during a specific time period.

• Make sure you have access to the log files created during the period you which to investigate. You either need to import them to a new storage or apply a date filter when running a new analysis.
• In the ‘Summaries’ screen click ‘New Analysis’ and make sure your storage is selected.
• Click through the wizard and add a date filter if your storage include dates you are not interested in investigating.
• In the ‘Filters’ section click ‘Add’ and select ‘Field value filter’.
• In the ‘Summary’ drop down select ‘Site URL’.
• Click ‘Add’ and enter value: http://www.facebook.com/ajax/updatestatus.php (This is the URL recorded every time someone updates their facebook profile).

   

  

   

• Click OK in all wizard windows until the new analysis starts running.
• Once the new analysis has been completed click ‘Users’ and you will be able to see which users/student posted Facebook updates during your selected time period and drilldown (right click) into each user and select ‘Individual Record’ to get the exact time of the Facebook updates.

   

  

   

  

  Click to enlarge

• Alternatively you can start by looking at the dates in question, drilldown (right click) into each user for a specific date and drilldown again into ‘Individual Records’ for the exact time of the specific user’s update

Every organization is different with regards to the volume of logs it creates, but I’ve averaged three data sets submitted to us by customers to produce the following estimates.

You will create roughly 0.9 MB of IronPort WSA access logs per user per day.

Once imported into a WebSpy Storage, the Storage will be about 90% of your original log file size. If you apply NTFS compression to the storage folder, the actual size on disk of the WebSpy Storage will be about 30% of your original log data.

So an organization with 1000 users will produce about 900 MBs of access logs per day. The default WebSpy Storage  will be 810 MB, but with NTFS compression, the size on disk will around 270 MB.

As I said, this is a rough guide based on the average of three sets of sample logs we have in house, so please run your own tests and if you can, let us know your values in the comments below.

But there is another advantage to switching to text. They take up considerably less disk space. Here are some figures:

Number of Records in 235 MBs of log data:

235 MB of TMG’s W3C text logs contains 326,824 records. An SQL Express database of the same size (mdf and ldf files) contains only 40,308 records. In other words, w3C text logs can store over 8 times as much data in the same amount of disk space.

A rule of thumb:

By switching to W3C text logs, the disk space taken by your log files will be roughly 12% of the SQL Express or MSDE log files. This can be reduced even further by compressing your text logs.

• MSDE/SQL logs: budget for 5 KB per record
• W3C Text logs: budget for 0.71 KB per record

How many records your ISA or TMG server creates per day will depend on the number of users in your organization and how much traffic they generate, but about 16,000 records per user is a reasonable estimate.

A real world example

If you are hitting 500 GB of SQL Express/ MSDE logs per month (about 86,128,205 records), simply switching to W3C text logs will reduce this down to 61 GB.

Once imported into a WebSpy Storage, the storage size would be roughly 53 GB (87% of the original W3C text logs).

With NTFS compression applied to the Storage folder, the WebSpy Storage would be roughly 13.4 GB (22% of the original W3C text logs).

Applying NTFS compression to your WebSpy Storages folder is certainly a good idea. This does not impact performance. If anything, it may improve performance slightly as there is less disk fragmentation within the storage.

Disadvantages and Alternatives

Please be aware that by changing your logging to text, the default reporting functionality within TMG will no longer work. However, the reporting supplied by WebSpy Vantage should more than adequately replace this feature.

If you are still concerned about changing the logging method, you can utilize a script published by Microsoft to convert your SQL Express logs to W3C text.  You can then keep the text logs and set some more stringent data retention policies on the SQL Express logs, such as clearing logs every week. You can download this script as part of the Microsoft Forefront Threat Management Gateway (TMG) 2010 Tools & Software Development Kit.

Additional Resources

• Here’s a great article by Marc Grote at isaserver.org on the pros and cons of the different logging options in ISA and TMG. It also takes you through how to exclude fields to reduce the amount of data being logged:
  http://www.isaserver.org/tutorials/Microsoft-Forefront-TMG-Logging-options-Forefront-TMG.html
• Also take a look at Richard Hicks’ blog regarding MSDE performance with ISA Server 2006:
  http://tmgblog.richardhicks.com/2009/10/31/msde-performance-with-microsoft-isa-server-2006/
• Here’s another article on isaserver.org by Richard Hicks on the logging enhancements in TMG 2010
  http://www.isaserver.org/articles/Logging-Enhancement-Microsoft-Forefront-Threat-Management-Gateway-TMG-2010.html

The figures above were produced using some sample logs received from customers with similar (but not exactly the same) logging settings. If you have changed to text logging, I’d be very interested to hear the sort of disk savings you are seeing, and I’m sure others would to. So please leave a comment below.

The Claim

According to network security firm, Arbor Networks, traffic to Google sites broke a new record this month, and now accounts for 6.4% of all Internet traffic around the world.

The 6.4% includes all sites owned by Google, including Google’s search engine, YouTube, GMail, Google Maps, AdWords and Google’s office suite of products like Google Docs and Spreadsheets. The data was obtained through more than 110 ISPs in 17 countries.

Our Test

Using Vantage I ran an analysis on web proxy traffic for July – September 2010. I am aware the Google data is for September 2010 but wanted to test a larger set of data since I’m reporting on traffic from a smaller amount of users, compared to 110 ISPs in 17 countries.

How much of your traffic is going to Google sites?

To find out simply create an Alias and add all Google related sites.

• Click on the ‘Alias’ tab in Vantage.
• Double-click the ‘Web sites’ alias on the left-hand side and make sure ‘Use wildcard matching’ is selected. Click ‘OK’.
• Click ‘Add Group’ in the Groups task pad.
• Name the group something intuitive…I named mine ‘GOOGLE SITES’.
• Click ‘Add’ and type ‘*google*, youtube.com, ytimg.com, gmail.com and adwords.com’. The *google* will add all domains with the string google in it. ytimg.com is YouTube’s DNS and also needs to be added (see previous blog post for more information).
  
• Click ‘OK’
• Click on ‘Summaries’ tab
• Click ‘Site Domain’ to get a listing of sites
• Enable the ‘Web site’ Alias on the left hand side.
  
• Click the top of the column called ‘Size’ to sort domains in descending order
• Click the pie chart icon on your right-hand side
  
• Have a look at the pie chart to identify what percentage of your traffic is going to Google related sites.
  

  % of WebSpy traffic going to Google related sites

It is apparent that WebSpy traffic to Google sites makes up more than twice than the reported average. I’m also fortunate enough to have access to one of our larger client’s (approximately 25,000 users) most visited websites. The below pie chart is from one of their reports on site domain traffic for a random period in October.

% of traffic to Google sites from Enterprise size organization

How much of your traffic goes to Google websites?

We really encourage you to add a Google sites alias and have a look at your Google traffic. Please comment below on the percentage of your traffic going to Google sites, approximately how many users you are reporting on and the time period (about a month or more) you are reporting on.

Many thanks.

If you are, or considering, blocking Twitter at your workplace please have a look through these amazing numbers and think again. Seems like Twitter is here to stay doesn’t it? The distinction between personal and professional Twitter usage is diminishing as it is being adopted by the masses as an every day tool to communicate with friends, provide networking opportunities, locate critical contacts, leads and receive timely industry news. Blocking access to Twitter, or other social media sites, means blocking an online revolution and depriving the needs of a professional workforce. This in turn can cause resentment, increase costly turnovers and reduce productivity by complicating or delaying accomplishment of tasks.

Big thank you to the guys at www.website-monitoring.com for putting together this handy infographic. Website Monitoring monitors the availability of your site, not a WebSpy competitor .

After reading the article I continued with some quick and dirty research. It is pretty clear, and not very surprising, that only a minority of aged care facilities around the world offer Internet access to their residents. An even smaller minority actually promotes and educates their residents in the use of Internet and social media.

The article mentions that research, carried out in Melbourne, Australia, has shown that while there are many challenges, older people can learn how to use computers, email and social media, and derive huge benefits from doing so. The oldest participant in the research is a 99 year old man who is currently learning to Skype, to keep in touch with relatives in France.

Internet Use per Age Group

A study titled Generations Online in 2009, confirms that surfing the web is still primarily a young person’s game – 18 to 44 year olds accounting for 53% of the total number of users – but in recent years older generations have started closing the gap. The chart below that has been borrowed from the report shows the overall breakdown by age:

So, why is the Internet still a young person’s game? Dr Murnane, involved in recent Melbourne based study, says, “The way we talk about the internet, for example by referring to digital natives and immigrants, helps to build a culture of fear among the non-computer literate. We need to stop thinking about the internet as the preserve of the young; indeed, the way the World Wide Web enables us to explore, learn and communicate might have been especially designed for the elderly or disabled.”

According to Latest Research…

Sociologist Shelia Cotten, currently researching the ability of computer use and social media networking to enhance the quality of life of elderly, says “Many elderly are increasingly isolated and grapple with depression, loneliness and declines in physical health. With an increasing number of elderly living in long-term care facilities and declines in quality of life as people age, we need innovative ways to lessen these negative impacts and to enhance quality of life”

“Internet access provides an important opportunity for mental stimulation, which is closely tied to older people’s health,” said Dr Murnane. “It is also a liberating outlet for those confined to a single building on a day-to-day basis. Everyone living in retirement facilities deserves to experience these benefits.”

Within a few decades there will no doubt be a natural increase in pressure on aged care facilities to make internet easily accessible, as a growing number of computer-literate residents will move in. However, aged care facilities should not wait for residents to demand Internet usage but rather be proactive ensuring existing residents, that didn’t grow with computers and Internet as a part of their daily life, can access the many benefits the Internet provides.

Benefits for the Elderly

• Access to a wealth of knowledge:From health resources to breaking news to how-to-guides, the internet is a robust informational tool providing an important opportunity for mental stimulation, which is closely tied to older people’s health.
• Help decrease inequalities in access to health information due to age-related declines in mobility. An increasing amount of health information is available electronically, says Cotten. “Once older adults cross the digital divide, they can access health information much more easily using the Internet than they can go to the library or visit a health-care professional”
• Increased social opportunities: The Internet allows people worlds apart to communicate with ease through video conferencing, email, social networks, chat rooms, and discussion forums. Elderly can, with the use of the internet, easily connect with sources of social support, and stay in touch with family and friends regardless of their physical abilities.
• Improved mental health: The Phoenix Center, a non-profit organization that studies public-policy issues, found that “spending time online reduces depression by 20 percent in senior citizens” after examining survey responses from 7,000 retired Americans over the age of 55.
• Enhanced brain function: A study conducted at the Semel Institute for Neuroscience and Human Behavior at UCLA discovered that “surfing the web for only a week stimulated areas of the brain that control decision-making and complex reasoning in middle-aged and older adults with little internet experience.”
• Allow families to monitor their loved one’s health and quality of care through video conversations

You CAN Teach Old Dogs New Tricks

According to the National Institute of Aging, older age is not in itself a hindrance to computer or Internet use. However, older adults’ use of electronic technology may be affected by age-related changes in vision and in cognition—for example, the ability to remember, learn, think, and reason. Cognitive abilities that change with age and that are likely to affect computer use include working memory, perceptual speed, text comprehension, and spatial memory.

Saying that, recent research clearly disputes the widely-held beliefs that residents of aged care facilities and other elderly people are too old to learn to use the internet.

I know from personal experiences that someone who is a little bit older and completely technologically unequipped can, and want to, learn how to use new technology, especially when they can see the immense benefits that arise.

At a ripe age of 60 my dear mother is still far from an elderly person at an aged care facility. However, I’d say she started off on a very similar level including lack of basic technological understanding and even fear of this perceived complex and scary technological evolution. I am very proud to say that over the years, as I (her only daughter) have travelled and lived abroad, she has gone from making phone calls to sending emails, sending text messages, chatting on msn, talking on Skype and believe it or not, I recently convinced her to get an iPhone 4. Needless to say, she loves it! She is making Skype calls on her phone, downloading applications, taking and sharing photos and videos. She is amazed and ecstatic how technology can help her stay connected with dispersed family members and instantaneously share experiences with someone on the other side of the world.

To Sum Up…

We are the computer and Internet literate generation so it is our responsibility to make it available for those who grew up without the Internet as a part of their daily life. To sum up, there’s a few key things we can do to improve the life of elderly.

• Make Internet access mandatory at aged care facilities
• Take time to educate elderly in the use of Internet, email, social media and technologies that comes with it. This is everyone’s responsibility, children, grandchildren, aged care facilities, local governments; the list goes on and on.
• Keep the elderly in mind when developing websites and applications. I came across this great document (developed by National Institute on Aging and the National Library of Medicine) full of tips on making your website senior friendly

Other Resources

• www.holidaytouch.com
• National Institute of Aging

As the term ‘hit’ can sometimes be confusing, let’s start off by properly define hits.

What is a hit?

WebSpy classifies a hit as an individual file or item that has passed through your logging device and been recorded in a log file.

The actual content and size of a hit can vary widely. A hit may consist of a small picture or text file, a large zip file or executable, or any other individual file. A hit can be a file downloaded from an Internet site, an email that’s been sent or received, a file downloaded from an FTP site and so on.

When dealing with web log files, one web page can be made up of many hits – the main page, the pictures on the page, the files on the page and so on. In some situations, a user cannot control the content of the hits they access, such as in the case of advertising pop-up messages.

How many hits on one page?

Here’s just an example of number of hits when browsing to some of the more popular sites out there:

• facebook.com – 75 hits
• apple.com/iphone – 69 hits
• youtube.com – 29 hits
• google.com – 4 hits
• yahoo.com – 40 hits
• twitter.com – 67 hits

These hit counts are just from one user (me) visiting a few sites. Imagine the amount of hits/data you’ll get for an organization with 100, 1,000 or 10,000 users!

Also interesting is the fact that out of those hits, only a small proportion actually displays in your log files as a hit to facebook.com or youtube.com. I logged into my Facebook account and at the same time ran a Firefox add-on called Firebug. Firebug allows you to see all the resources on a specific page and how long they took to download. As you can see below only one of the hits are attributed to facebook.com. The rest are from fbcdn.net. The same test on a YouTube page also yielded one out of 29 hits attributed to youtube.com. The rest was from ytimg.com, doubleclick.net, googlesyndication.com and gstatic.com.

Click to Enlarge

Using Aliases to merge your hits

fbcdn.net and ytimg.com are Facebook’s and YouTube’s CDNs (Content Delivery Network). Basically a network of servers hosting images and resources, spread out across the globe, to enable local delivery and thus improve performance. Unfortunately it doesn’t improve the accuracy of your reports, but there’s an easy way to fix this using Vantage. Simply merge the hits from the main domain (facebook.com, youtube.com, or any other site) and their CDNs by creating an Alias in Vantage’s Summaries screen.

To do this simply:

• Click on the ‘Summaries” tab in Vantage
• Click ‘Site Domain’ to get a listing of sites
• Ctrl + click the sites you want to add to the Alias (in this case facebook.com and fbcdn.net), right click and click ‘Add to Alias”
  
  

  Click to Enlarge

   

• Pick the Alias called ‘Web sites’ and name it something intuitive…why not facebook.com

   

• Now enable the ‘Web site’ Alias on the left hand side

 

• You’re good to go, from now on all your Facebook traffic will be reported on more accurately by merging actual facebook.com hit with hits on Facebook’s CDN (fbcdn.net).

If you want to find out more about using Aliases you can read about it in our User Guide (starting at page 46).

What’s New?

Clearswift SECURE Web Gateway W3C

Clearswift have just released the latest version of their SECURE Web Gateway, which includes a transaction log export function. This enables you to send transaction logs in W3C format to an off-box FTP server for analysis. If you are updating to the latest Clearswift SECURE Web Gateway, make sure you update your Vantage software to 2.2.0.55 in order to import your W3C Transaction logs. More information on using WebSpy Vantage with Clearswift SECURE Web Gateway.

Cisco Firewall Bandwidth loader

We have also introduced a new Loader for Cisco ASA, PIX and IOS Firewall devices. This new loader imports TCP, UDP, ICMP and GRE ’session close’ events into one schema, allowing you to aggregate size values across these events. This loader is called Cisco Firewall (Bandwidth) and is now available on the Loader Selection page of the Import Wizard. Previously, these events were imported into separate schemas so there was no great way to determine total bandwidth from your Cisco syslog files (without using Netflow and WebSpy FlowMonitor).

Palo Alto Networks and WatchGuard XTM

We’re also very happy to welcome Palo Alto Networks to the WebSpy supported log file list. Vantage now supports both the CSV and syslog file formats from your PA Firewall.

Another new addition is support for the latest WatchGuard XTM devices running firmware version 11.

Full List of Changes

Here’s the full list of changes included in this update:

• New: Clearswift SECURE Web Gateway W3C.
• New: Palo Alto Networks Firewall (CSV/Syslog)
• New: Cisco Firewall (Bandwidth): This new Cisco loader imports TCP, UDP, ICMP and GRE events from ASA, PIX and IOS syslogs into one schema to aggregate size values across these events.
• New: Added WatchGuard XTM: Currently http-proxy, https-proxy, smtp-proxy and firewall lines are supported.
• Fixed: ISA Server: Fixed format detection issues, and issues importing hits with very large size values.
• Fixed: IronPort WSA: Fixed format detection issues, as well as the import issue “Invalid value for DVS Scan Code”
• Fixed: Sophos WSA: Fixed format detection issues and invalid line issues.

How to update

To update your software, simply click Tools | Check for updates. To update the Vantage Web Module, right-click the WebSpy system tray icon and select ‘Check for updates’. If you have issues with the Web Module update process, please see: http://www.webspy.com.au/forums/viewtopic.php?f=4&t=29

Let me know if you have any questions or issues!

Why are we removing it?

It’s pretty simple really. Analyzer has been around for a long time and provides great log file analysis and reporting features for email and web usage. Since Vantage’s release in 2006 the Vantage range has become increasingly popular and now we’ve come to a stage where we want to focus majority of development on one product range and thus provide our clients with one superior product guaranteed to meet their current and future needs.

Why Vantage?

• In addition to reporting on email and Internet traffic Vantage can report website visitor traffic, firewalls, instant messaging, event logs, routers, anti-virus and anti-spam applications.
• Superior support for major vendors such as IronPort, Microsoft Forefront TMG, Sophos and Clearswift
• Increase import & report speed with multi-processing technology
• Can run as a 64 bit process when installed on 64 bit operating systems. This enables Vantage to utilize more than 2 GB of RAM (a restriction that exists on 32 bit operating systems)
• Import user and department information from any LDAP compatible directory server using the ‘Import from LDAP’ wizard (including Microsoft® Active Directory and Novell® eDirectory).
• Securely distribute the right reports to the right people within your organization using Vantage Ultimate’s Web Module
• Collate existing reports into one overview report. A much faster way of generating reports and freeing up storage space. For example, you can create monthly Internet usage reports, and then combine all these reports to create a yearly report.
• Trend reporting to view usage and network trends over time and predict future values.
• Much more

What does this mean to Analyzer Users?

If you own a WebSpy Analyzer perpetual or subscription license there is no need to threat. It is yours to keep and we wouldn’t dream of forcing you to change license. You will be able to continue using your Analyzer product as you always have till the end of days and we will continue provide you with all the support you need. However, as there will be no major updates to the Analyzer Range and we have a product that is far superior with major updates on a regular basis, we do recommend all Analyzer users to start thinking about upgrading to our Vantage range.

To find out more about upgrading from Analyzer to Vantage contact your local WebSpy reseller or office.

The default LDAP query when you first run through the Import Organization wizard should filter these computers objects out. The query is:
(&(objectCategory=person)(objectClass=user))

In Active Directory, computers do not generally have an objectCategory equal to Person. Computers usually have the objectCategory ‘Computer’.

If by chance your computers are not being excluded by this filter, you could exclude all objects without an email address. This of course assumes that all users you want to import have an email address populated in Active Directory. To exclude objects without email addresses, the filter becomes:

(&(objectCategory=person)(mail=*)(objectClass=user))

Another useful addition to the query is to exclude users that have been disabled in Active Directory. You usually disable an account when a person leaves the organization, but you still need their user profile in Active Directory for whatever reason. This query is slightly less obvious:

(&(objectCategory=person)(mail=*)(objectClass=user)(!(userAccountControl:1.2.840.113556.1.4.803:=2)))

For information on what the numbers mean in the query above, see How to query Active Directory using a bitwise Filter

Another question I’m often asked is how to exclude specific OUs from a query. Unfortunately LDAP does not support this concept and the only way to do this is to run multiple queries on different root level DNs. This means running through the Import Organization wizard multiple times with a different Root Distinguished Name each time, and the ‘Merge’ options set to ‘Keep users that are no longer in the directory’ and ‘Keep existing user details’.

If you have other helpful LDAP queries, please leave a comment below.

Google states that the most obvious change is that you get to the right content much faster than before because you don’t have to finish typing your full search term, or even press “search.” Another alleged benefit is that seeing results as you type will help you formulate a better search term by providing instant feedback.

Google anticipates that Instant will not slow your Internet connection. Even though they are serving more results pages, the additional load this enhancement creates is very small when compared to other types of web services such as streaming video and online gaming. Google has also worked to minimize the amount of data that is sent and received during the search process. For example, when rendering new results as you type, Google only send the parts of the page that change, without updating the static elements, such as a the page frame around the results.

How will Google Instant affect your log files?

Google clearly anticipates that Instant will significantly affect user search behavior, but what effect will it have on the data in log files and accuracy of Internet usage reporting?

To test this I turned on Instant search and typed in “london population with instant search”, turned Instant search off and typed in “london population without instant search”. I made sure both searches were typed in during a similar time frame, approximately 10 seconds. I then ran a report in Vantage on site keywords and got below results:

Looking at the above hits and size results it is clear that Google Instant search will substantially decrease the number of hits generated during a typical Google search while increasing the amount of data downloaded.

Suite 14242, 2nd Floor
145-157 St John Street
London, EC1V 4PY
Find us on Google Maps

Phone: +44 (0) 208 133 9004
Fax: +44 (0) 1509 380 036
Email: Email: europesales@webspy.com

I wanted to share this clip with the rest of you to brighten up your day AND provide you with a short an unobtrusive break, enabling your mind to rest, leading to a higher total net concentration, and as a result, increased productivity.

After all, Dr Brent Coker, from the Department of Management and Marketing, says that workers who engage in ‘Workplace Internet Leisure Browsing’ (WILB) are more productive than those who don’t.

“People who do surf the Internet for fun at work – within a reasonable limit of less than 20% of their total time in the office – are more productive by about 9% than those who don’t,” he says.

“Firms spend millions on software to block their employees from watching videos on YouTube, using social networking sites like Facebook or shopping online under the pretense that it costs millions in lost productivity, however that’s not always the case.”

According to the study of 300 workers, 70% of people who use the Internet at work engage in WILB. Among the most popular WILB activities are searching for information about products, reading online news sites. Playing online games was the fifth most popular, while watching YouTube movies was seventh.

The attraction of WILB, according to Dr Coker, can be attributed to people’s imperfect concentration. “People need to zone out for a bit to get back their concentration. Think back to when you were in class listening to a lecture – after about 20 minutes your concentration probably went right down, yet after a break your concentration was restored.

Invitation to participate in Dr Brent Coker’s continued web usage study

We’ve just completed our ‘WebSpy Reporting for Cisco IronPort’ video. Although this video is aimed at the Cisco channel we’d thought we share it with the rest of the WebSpy community as it provides a great high level overview of Vantage Ultimate’s ability to, not only import and spit out reports, but to learn about an organization’s structure in order to securely deliver the right report to the right person at the right time.

Vantage Ultimate is structured in two parts. One windows application, that handles administration of importing log files, learning about your organizational structure, creating and running reports, and one web application (aka the web module) where users can securely log in to view the report that has been produced for them.

Have a look at the short video below to find out what WebSpy’s founder, Jack Andrys, and product operations manager, Scott Glew, have to say about WebSpy’s and IronPort’s compatibility, as well as a demo of Vantage Ultimate in action.

What’s the point with secure and easy report distribution you might ask? Well, among other things:

Distribute Information. Distribute Responsibility.

IT Managers are too often left with the responsibility of managing and enforcing acceptable Internet usage for the entire organization.

Using Vantage Ultimate administrators can distribute reports to managers or department heads that show the activity of their direct subordinates, placing the responsibility of enforcing acceptable usage with the managers themselves.

Empower Users. Full Disclosure.

You can use Vantage Ultimate to distribute reports to each member in your organization detailing their own personal Internet usage (sites visited, search terms used etc). This empowers users to modify their own behavior once they understand how much of their activity is productive or unproductive and what it costs the organization. It also serves as a gentle reminder to employees that their activities are being recorded and that they should keep their online behavior within the bounds of the organization’s acceptable use policy.

From a privacy point of view, Vantage Ultimate is an easy way to provide employees with full disclosure regarding the information recorded about them.

Self Serve, On-Demand Investigation.

You can also use Vantage Ultimate to distribute original data storages to any of your organization’s members, enabling them to conduct their own ad-hoc drilldowns on any information they require. For example, distribute storages to HR managers enabling them to investigate the activity of employees that have handed in their resignation notice, but still have access to confidential company resources.

Protect Employee Privacy.

By assigning permissions to each of your Vantage Ultimate users, you can ensure they can only view the reports they are allowed to view. However, some employees need to view the traffic of all users, but do not necessarily need to identify users. For example, a network administrator may need to view the amount of traffic downloaded from a particular site per user, but does not need to know which users where involved.

This is easily achieved using the ‘Identify users’ permission, which masks all usernames with a hash code.

For more information about WebSpy’s compatibility with Cisco IronPort and free 30 day trials, visit www.webspy.com/ironport

An issue was introduced in build 2.2.0.42 when a change was made to the underlying data type of the Url Category field in the Microsoft TMG Web Schema. Unfortunately this change resulted in nulls being imported into the Url Category summary when importing from TMG’s SQL log files. Fortunately, importing W3C text logs were unaffected by this change.

This issue has now been fixed and released as an auto-update. To update your software simply select Tools | Check for updates.

If you have existing storages that have not been importing the URL Category, go to the storages screen and click ‘Reload All’. This will re-import your log files and populate the Url Category summary.

For all the customers affected by this issue, thank you for your patience and understanding.

Level 5, 34A
25 Walters Drive
Osborne Park WA 6017
Find us on Google Maps

All other contact details remain unchanged:

Toll Free: 1800 801 121
Phone: +61 8 9321 3322
Fax: +61 8 9321 3377

Avnet Technology Solutions is a value-added distributor of computer products, software and services. Within the Networking and Security segment Avnet specializes in firewall solutions, perimeter security, virtual private networking (VPN), content security, antivirus and URL filtering. Avnet’s major Network and Security vendors include Juniper Networks, RSA, Check Point and Aladdin.

Avnet and WebSpy have been formulating this partnership for the past months. The interest originated after Avnet identified an increasing demand for advanced reporting from local organizations and resellers. WebSpy has had presence in the Netherlands for many years but are very excited about working with Avnet. We are confident that working with a distributor with solid expertise in the Dutch IT security market and established relationships with local resellers will enable us to grow and efficiently support the local market.

We’ve found that an increasing number of organizations across the Netherlands require more than the basic reporting provided by their security solutions. WebSpy provides a natural fit within Avnet’s product portfolio as the solutions complement, rather than compete, with their existing vendors. Not only will WebSpy add value to Avnet’s product portfolio but, as a vendor neutral log file analyzer, it will also add value to Avnet’s resellers’ extended portfolios and naturally the end-users network and security infrastructure.

In addition to complementing a large number of Avnet’s existing blocking and filtering solutions, the partnership has also given us incentive and resources to add support to new log file formats. We recently added support for the Juniper SA series and have further interesting additions in the pipeline. You’ll be able to find out more about Juniper SA support in upcoming blog from our development team.

We are happy to have Avnet Technology Solutions on board and look forward to our joint efforts in improving security and reporting capabilities in the Netherlands. The 3-4 of November 2010 WebSpy will join Avnet at the Infosecurity tradeshow in Utrecht, Netherlands.

Here’s the full list of changes:

• New: Juniper SA Series. Vantage can import and report on web traffic and VPN connections.
• New: Microsoft Forefront Protection for Exchange 2010 format.
• New: Avencis SSOx.
• Improved: IronPort WSA: Department and Message fields were sometimes returned as null. Fixed.
• Improved: Microsoft FTMG: Removed usage of deprecated “FilterInfo” field from W3C Web format.
• Improved: Microsoft IAS Radius: Added support for Source/Destination IP and port (field code 5000).

To update your Vantage application simply select Tools | Check for updates.

To update the Vantage Web Module, right-click the WebSpy icon in the Web Module server’s system tray, and select Check for updates. If you have any issues with the Web Module update process, please see my previous blog regarding Web Module Errors and Workarounds.

Event Log Management

Every event that occurs across a network can be recorded in an event log file. The list of events that are recorded by default can be modified to reflect the needs of the organizations system. Information stored in event log files is extremely useful to organizations as it provides real-time indications of network incidents as well as an audit trail of user activity. However extracting useful information can be challenging as it is very difficult to manage and filter the vast amount of data generated.

An organizations’ event log management is only as effective as the amount of data they are including from their networks activity. To be able to provide an accurate report on any particular part of the system, data needs to be generated for that part. For example, you cannot compile a report on who accessed a confidential file if you do not set up the file to raise an event (and have the event logged) when the file is accessed.

As the required level of monitoring depends on the organization and there are many event categories in security auditing, the first step is determining which event categories need to be audited. The following are a list of available categories:

• Account Logon Events
  Track users logon and logoff events.
• Account Management
  Tracks attempts to create users or groups, rename users or groups, enable user accounts, disable user accounts or change account passwords.
• Directory Service Access
  Used with auditing tasks on domain controllers.
• Logon Events
  Records creation and destruction of logon sessions (including remote sessions)
• Object Access
  Used to record user access of objects such as files.
• Policy Change
  Records changes to user rights assignment policies such as Windows Firewall Policy.
• Privilege Use
  Records when users exercise a user privilege.
• Process Tracking
  Tracks process information such as program activation/exit.
• System Events
  Records system events such as shutting down a computer.

Each of these categories contains many subcategories and events which can be used to create a complete audit trail of system activity. It is recommended that only essential events are setup for auditing as generating a large number of events can severely affect system performance.

To enable audit log and specify the files/folders to audit in your operating system please refer to http://support.microsoft.com/

Vantage and Event Logs

After file auditing settings have been implemented on the system, it is a simple process to start managing event logs and extracting information. Although the MS provided interface for event logging and tracing has improved dramatically from the original, Vantage simply does a much better job at it. Hey, don’t take my word for it. Try out both and see for yourself.

WebSpy Vantage’s ability to translate event log data into manageable information will, among other things, enable organizations to:

• Monitor failed authentication attempts
  Identify users trying to access files and folders they are not authorized to access, or the system failing to provide legitimate user access.
• Prevent data loss and leakage
  Identify the access, modification or printing of confidential files to prevent information leakage or identify the person behind accidental or deliberate data loss.
• Ensure employees adhere to specified work schedules
  Monitor event logs that record when an employee’s computer has been powered on or shut down.

Importing Event Logs into Vantage

The first step is to import Windows Event Logs into a storage in Vantage. This process can be added to run automatically at appropriate intervals using Tasks.

After creating a storage for Windows Event Logs, reports can be generated and analysis run. This will allow useful information to be extracted from Event Log data.

Vantage uses aliases for the creation of more meaningful information, for example, event ID’s are translated to an event category to enhance readability of generated reports and analysis. A list of event ID’s and their categories has been included at the bottom of this post for reference purposes.

Importing event logs into a storage:

1. Open Vantage and click the Storages tab
2. In the left pane, click Import Logs This will start the import dialog wizard
3. Enter a name for the storage in the Create a new storage dialog box, then click Next
4. Select the Windows Event Log radio button, then click Next
5. Select the Microsoft format (description: Windows Event Log), then click Next
6. Click Add, enter the name the computer in the Server dialog box, click OK and then click Next
7. Continue through the wizard and select any filter, field or partitioning options to include, then click OK The event log data will now be imported into the storage

Generating a Report

1. Click the Reports tab
2. Select the type of Report to generate Note: Vantage includes many default templates for Windows Event Logs such as Failed Events, Application Errors and Failure Audit Trends.
3. In the left pane, click Generate Report This will launch the Generate Report wizard
4. Select the storage to report on Note: This should be the storage created previously for Windows Event Logs
5. Select the document format(s) for the report
6. Enter the report name in the Document Name dialog box
7. Continue through the wizard and select any splitting, filtering or email options, then click OK The report will now be generated

Running an Analysis

1. Click the Summaries tab
2. In the left pane, click New Analysis This will launch the Create Analysis wizard
3. Enter a name for the analysis in the Name dialog box, select the storage, and check that the schema is set to All Windows Event Schemas, then click Next
4. Select the type of Analysis to run, then click Next
5. Continue through the wizard and select any filtering or summaries options, then click OK The summary will now be generated

The summary allows interactive drilldowns to any level for data mining and information exploration.

Also see previous blog ‘File Access Reporting – How to report on who accessed a file or a folder‘.

If you have any questions about reporting on event logs don’t hesitate to get in touch with our support team.

Event ID’s and Categories

This release will be welcomed with open arms by many customers for the following reasons:

• General usability improvements in the Web Module
  Multi-select / delete options, Ajax progress indicators to avoid page refreshes, export from Dynamics Report tab and more (see below)
• Fixes to the Microsoft Forefront TMG loader
  See my other post: Microsoft Forefront TMG logs size fields the wrong way around. Also fixed ‘value cannot be null’ error when importing SQL logs.
• Fixes to storage corruption issues
  This build should prevent ‘Normalization Index’ storage corruption issues from occurring. This often occurred after importing data, editing some log inputs and reimporting.
• New loaders and more fixes
  See below for the full list

To update your Vantage application, simply choose Tools | Check for updates. To update the Web Module, right-click the WebSpy icon in your system tray and select ‘Check for updates’. If you have any issues updating the Web Module, please see my previous post Web Module Update Errors and Workarounds.

Web Module Changes:

• New: Task progress is now updated without refreshing the page
• New: Added multi-select / delete functionality to Reports, Analyses and Storages tables.
• New: Added export functionality to Dynamic Reports view.
• New: Added Performance section on the Options tab to enabling multi-processing (improves Analysis speed)
• Fix: Dynamic Reports view now supports Trend reports.
• Fix: Organization selector on Dynamic Reports view now always reflects updated data under IE6/7/8.Fix: Fixed javascript errors in IE when expanding the organization filter.
• Fix: Report template names are no longer truncated on the Dynamic Reports view.
• Fix: Fixed errors that may occur when collating reports on the Dynamic Reports page.
• Fix: Authentication errors are now logged with stack trace.

Vantage Changes

• Fixed: ‘Normalization index’ storage corruption problems.
• Fix: Report collation: Added support for collation of Min/Max aggregates on DateTime columns (time of first hit etc). Also added support for arrayed fields (for example, category fields with a comma separated list of categories)
• Fix: Import windows wizard now remembers settings for Import all or selected users
• Fix: Organization: Filtered LDIFs may now be imported when references to some users are missing (for example, if a user’s manager does not exist in the LDIF)
• Fix: Improved connection and error handling between Vantage and the Web Module.

Loader Changes

• New: BlueReef Sonar Total Management Module
• New: Microsoft Sharepoint 2007
• New: SmoothWall Guardian 7.0 format
• New: Sun One Proxy (Supported under Sun One Webserver)
• Fixed: Astaro: Improved format detection
• Fixed: Cisco: Strings in the IP fields of 113019 lines are now imported
• Fixed: IronPort WSA: Improved log format detection
• Fixed: Microsoft Exchange 2007: No longer raises issues regarding total-bytes or internal-message-id fields
• Fixed: Micorosft FTMG (Web) SQL: No longer encounters value could not be null errors
• Fixed: Microsoft FTMG: Added option to reverse bytes received/sent fields. See Microsoft Forefront TMG logs size fields the wrong way around
• Fixed: Microsoft IIS W3C: Now imports cs-method and connection ID
• Fixed: Sophos Web Appliance: Switched the outgoing and ingoing sizes so that they are now the correct way around
• Fixed: Fixed import new hits issue associated with W3C formats. You must reload your logs before this change will take affect. Formats affected include: BlueCoat, Clearswift, Microsoft Exchange 2007, Microsoft FTMG, Microsoft Windows Media Services, WebSpy Live Tracking Log

Enjoy!

Microsoft TMG Log showing Bytes Sent consistently larger than Bytes Received

This issue has been confirmed by the Microsoft Forefront TMG team, and unfortunately there is no ETA for a fix.

We obviously don’t want our reports showing incorrect usage figures, so we’ve fixed our TMG loader so that it imports the ‘bytesrecvd’ field into the Bytes Sent aggregate, and the ‘bytessent’ field into the Byte Received aggregate.

But what if Microsoft release a fix? What we’ve done is implemented a loader property to allow you to turn off this behavior. This will allow you to import your old logs with the fields reversed, and your new logs with the fields the right way around.

To access the loader property:

• On the import wizard, select the Microsoft FTMG format and click the Properties button on the toolbar
• Select Microsoft FTMG from the drop down list
• Notice the option to ‘Reverse Bytes Sent and Received to compensate for bug in TMG’s logging’. Leave this checked until Microsoft issue a fix.

Microsoft Forefront TMG Loader Option to Reverse Bytes Sent and Received

This fix is available in Vantage build 2.2.0.48 (and above) which has been released as an auto update. So simply select Tools | Check for updates to ensure you have this fix.

Richard has been working with Forefront Threat Management Gateway (TMG) 2010 and its predecessors for more than 12 years. He has designed and deployed network security solutions using TMG and ISA for SMB’s, military and defense organizations, and Fortune 500 companies around the world.

In addition to his isaserver.org blogs, Richard has his own ISA/TMG blog where he recently posted some useful tips on changing WebSpy Vantage’s scheduled task recurrence interval using the schtasks.exe command line tool. Adding more frequent import options (i.e. hourly) is on the product roadmap but until then, using the command line tool is a great alternative.

We do recommending visiting tmgblog.richardhicks.com – brimming with ISA Server and TMG information and tips, here’s just some of the latest blogs:

• Changing WebSpy Vantage Scheduled Task Recurrence Interval
• Websense Integration Support for Forefront Threat Management Gateway (TMG) 2010
• Load Balancing and Forefront TMG Firewall Clients
• How to Slipstream Service Pack 1 for TMG

So let’s use WebSpy Vantage to drill into that Anonymous user and find out what is going on.

One way to do this is to run an Ad-hoc analysis on the Summaries screen and drilldown into the Anonymous user to view all the information about that user. However, TMG and ISA tend to log a lot of information that may not be relevant to this particular investigation, so I’ve created some report templates (one for ISA and one for TMG) and a set of Aliases that pull out some relevant information.

Download our Anonymous Traffic Investigation Report

If you’re running WebSpy Vantage download the Anonymous Traffic Report Templates & Aliases

Then open the .Templates file on the Reports tab, and the .Aliases file on the Aliases tab. Once you have both files opened, go to the Reports tab and click either the ‘Anonymous Traffic Investigation (ISA)’ or the ‘Anonymous Traffic Investigation (TMG)’ report. Then click the ‘Generate report’ link and run the report template on your ISA or TMG storage.

The report gives you the ability to drill into the Allowed, Denied and Failed traffic to see a list of the unauthenticated IPs, Sites, Rules responsible for blocking or allowing the traffic, unauthenticated Applications and Result Codes.

Main causes of anonymous traffic

What you will probably find is that most of the Anonymous traffic is being denied by your TMG or ISA firewall. When a client first requests a web page, the proxy will challenge the client for authentication. These events are often logged with the result code 12209 meaning ‘authorization is required to fulfill the request’. These requests are therefore denied by the proxy until the client’s credentials are authenticated.

Have a look at the amount of traffic being denied and then checkout the Result Codes associated with the denied traffic. Chances are you’ll see ‘proxy authentication required’ appear predominantly.

If you also look at the Applications section you may also find that Windows Updates are sailing through your TMG or ISA firewall unauthenticated.

Filter out unauthenticated traffic from Reports

The most logical next step is to filter out the information you do not want in your reports. You’ll probably still want to include Windows Update traffic in your reports, but you’re probably not so interested in the ‘proxy authentication required’ information. So let’s filter that out.

To do this:

1. Go to the Reports tab and select the report you want to filter (such as your Organization report)
2. Click ‘Edit Template’, then click ‘Template Properties’.
3. In the filter section at the bottom of the dialog, click Add | Field value filter.
4. Select the ‘Result Code’ summary and select the Status Code Names (ISA-FTMG) alias.
5. On the toolbar, search for Authorization, and check the following two items:
   • The server requires authorization to fulfill the request. Access to the Web Proxy filter is denied.
   • The server requires authorization to fulfill the request. Access to the Web server is denied. Contact the server administrator.
6. Ensure the ‘Exclude’ radio button is selected and click OK.

If you decide that you don’t care about seeing ANY unauthenticated traffic in your reports, you can always simply filter out the Anonymous user from your reports.

To do this:

1. Go to the Reports tab and select the report you want to filter (such as your Organization report)
2. Click ‘Edit Template’, then click ‘Template Properties’.
3. In the filter section at the bottom of the dialog, click Add | Field value filter.
4. Select the ‘Username’ summary.
5. On the toolbar, click Add and type ‘anonymous’. Click OK.
6. Ensure the Exclude radio button is selected and click OK.

Hopefully this article improves your understanding of the ‘anonymous’ user, and gives you some actions to take for your specific reporting situation.

If you have any questions, please leave a comment below.

Trend Micro found that the use of social networking sites grew globally from 19% in 2008 to 24% in 2010.The fact that the use of social networks is growing, and will most likely continue to grow, probably doesn’t come as a surprise to anyone, but it is always interesting to attach real figures to this trend.

The report doesn’t imply whether this growth relates to the use of social networks in a productive manner to drive businesses, or employees wasting companies’ time and money. Regardless of the reasons behind the growth, Trend Micro warned that without proper oversight, the increased use merely makes organizations more viable as malware distribution points.

“Social networking is an extremely important tool both for personal and professional relationship building,” David Perry, global director of education at Trend Micro, said in a statement. “While most companies’ concerns around social networking in the office center around the loss of employee productivity, what they may not realize is that many social networking sites are built on interactive technologies that give cybercriminals endless opportunities to exploit end users, steal personal identities or business data and corrupt corporate networks with malware.”

Trend Micro are pretty clear (and we couldn’t agree more) that blocking social networking sites is not the solution. Not only is blocking counter-productive, cause employee resentment and can increase costly turnovers, the report also states that “Trying to just prevent users accessing social networks from work could potentially increase the risk to an organization as users look for ways around computer security, possibly increasing the chance of exposure to security threats”.

Damned if you Don’t, Damned if you Do

Many organizations are still fumbling in the dark when it comes to the best approach for handling, and effectively embracing, social networking. On the one hand, it is distracting for employees, productivity can definitely suffer from excessive usage and organizations become more vulnerable to cybercriminals, data leakage, malware etc. On the other hand, social networking is a great way to communicate with customers, generate leads, build brand reputation, increase SEO and can have beneficial impact on productivity if used in moderation.

Recommendations

Sadly there is no one-size-fits-all solution that can smoothly be implemented in every organization. According to a recent Symantec survey only 5% of organizations block social networking sites outright. One-third doesn’t block but do have policies stating that social networks can only be used for business purposes. Meanwhile, 42% of organizations have no policy or blocking whatsoever.

As with any other internet related issue, the high level social networking best practices should include:

1. Educating the whole organization about security threats related to social networking
2. Establishing (and communicating) social networking acceptable usage policy that is regularly updated to keep relevant
3. Monitor to ensure policy adherence
4. Re-educate

Please bear in mind that the monitoring aspect isn’t just to make sure employees spend no more than their acceptable time on social networking sites. The software also acts as a great tool to find out who in your organization may need additional assistance in identifying threats, such as phishing sites (read blog on how one of our clients used a phishing attack as an opportunity to educate the workforce), or simply to verify the configuration of the network’s firewall and other threat management systems.

Don’t hesitate to get in touch with any questions or comments.

Majority of security vendors will give you a high level overview of the categories, such as Sports, Shopping, Online Community, Streaming Media, Employment and Gambling, but rarely provides intuitive ways to further investigate the traffic going to the sites within these categories. The nifty thing about WebSpy’s solutions is that, as long as categories are logged, you can use WebSpy to analyze web browsing in relation to these categories and get a much clearer overview of your organization’s web usage.

Classify Productive & Unproductive Categories

Assessing productivity in relation to predefined categories is what I would like to focus on today. I have imported and run an analysis on TMG logs using WebSpy Vantage. As previously mentioned, you can import logs from any security device we support – if the information is in the log file WebSpy can report on it.

TMG logs contain information whether traffic has been ‘Allowed’, ‘Denied’ or ‘Failed’. Using WebSpy Vantage you can easily drill down further into this information. For example, let’s say I’m interested in having a look what categories have been allowed, i.e. not blocked, I simple expand the ‘Allowed’ node and click ‘URL category’.

Allowed Categories - Click to Enlarge

This information is great but it doesn’t tell us anything about productivity. WebSpy Vantage not only provides this assessment for your entire organization, specific department and individual users, but also gives you the ability to customize the categories that are deemed productive as this can vary wildly depending on the industry and organization.

How?

You use WebSpy’s Aliases feature to sort categories in relation to your organization’s view of their productiveness. Our software comes with a default list of aliases so you can either edit these or set up new aliases. I’ll take you through the process of setting up an Alias from scratch.

1. Creating a New Alias

• Click on the Alias tab and select ‘New Alias’ in the top left corner
• Name your Alias something appropriate and provide a short description. I’ll name mine ‘Productivity’.
• Make sure ‘Apply alias to selected summaries’ option is checked
• Click ‘Schema’ to specify the log file type and scroll down to the bottom of the list to locate and select ‘URL Category’.
• Tick the ‘Group unresolved into a single name’ box and name it something appropriate. Let’s go with ‘Uncertain’.

 

2. Add Alias Groups

Once an alias has been added, you need to add alias groups. You can have as many alias groups as you want but for this purpose it makes sense to have only two, ‘Productive’ and ‘Unproductive’. There might be certain categories, such as ‘Education/Reference’ or ‘Blogs/Wiki’, that might be difficult to correctly deem as productive or unproductive and you’d rather not specify. If this is the case you don’t need to add an alias group as it will automatically be created for any category that hasn’t been grouped under the other alias groups. Remember how we ticket ‘Group unresolved into a single name’ and called it ‘Uncertain’ before.

• Click the Add Group button in the Groups task pad.
• Enter the desired alias group name (Productive) in the ‘Key’ edit box and click OK. Repeat steps for the ‘Unproductive’ group.
• At this stage you could also add items (categories) to your group but I’m going to show you another way of adding categories.

   

  

3. Add Categories to your ‘Productive’ and ‘Unproductive’ Alias Groups

This is where customization really works its charm. What is deemed as unproductive at one company might be completely legit and considered productive at another. For example, in a recruitment company one could assume it would perfectly normal for employees to visit other employment sites but this could be considered personal and unproductive at a hospital or real estate agent.

There’s a few different ways of adding items to an Alias group. While still in the Alias screen you can click ‘Refresh Unassigned’ in the top right part of your screen. Because you haven’t assigned anything yet all categories will be displayed. From here you can simply highlight the category group, for example ‘Unproductive’ and Ctrl + click all categories you want to place in that group. Once you’ve selected your categories right click and select ‘Add to selected group’. Repeat the process to add categories to your ‘Productive’ group.

Alternatively, you can go back to the ‘URL Category’ listings in the ‘Summaries’ tab and Ctrl + click selected categories, right click and select ‘Add to alias’, select your ‘Productivity’ alias from the drop down menu and select the ‘Productive’ or ‘Unproductive’ group.

4. Assess Productivity

With aliases, groups and items set up you’re ready to assess productive and unproductive browsing. In the ‘Summaries’ screen, left hand side under ‘Aliases’, simple select your ‘Productivity’ alias and the URL categories will be sorted in accordance with your view of their productiveness.

Productive vs Unproductive Browsing - Click to Enlarge

You can also investigate further by, for example, drilling down to determine what unproductive categories are most popular, what are the most popular unproductive websites within those categories, what hours during the day majority of unproductive sites are accessed (you might have a policy that allows personal web browsing during lunch hours), and of course who spends the most time on unproductive websites within your organization.

Top Unproductive Websites - Click to Enlarge

The previous Soho Alpha version will stop working on the 30th of June 2010 – to continue testing you need to download the latest version.

If you haven’t downloaded WebSpy Soho Alpha before simply get the latest version and off you go. If you’re an Alpha tester you need to keep reading…

WINDOWS USERS:

Before installing the new build, Windows users must uninstall the previously installed version of Soho Alpha on every machine. Thanks to a bug in the previous version, you need to follow the two steps below to do this:

STEP 1 – UNINSTALL FROM START MENU

• Windows Vista/7 – Start | Control Panel | Programs and Features
• Windows XP – Start | Control Panel | Add/Remove Programs

STEP 2 – UNINSTALL MANUALLY

1. Open an administrative command line window
• Windows Vista/7: Go to Start | All Programs | Accessories, right-click on Command Prompt and select "Run as administrator".
• Windows XP: Go to Start | Run, type "cmd" and press OK
2. In the command line window that appears, type the following commands:
   • sc stop "WebSpy Soho Agent"
   • sc delete "WebSpy Soho Agent"
3. The service has now been removed from the system, and the new version may be installed without issue

MAC USERS

Simply launch the new install package and it will automatically overwrite the old one.

LATEST UPDATES:

• Now installs on Mac OS 10.5
• More stable – less crashing and freezing
• Plenty of work has been done based on your feedback. We’re hoping that the below issues are more or less fixed but would really appreciate if you could let us know if you’re still experiencing:
  • High CPU usage after sleep or hibernate
  • All computers disappearing from current activity chart except the local computer
  • Random traffic spikes

FEEDBACK

Thank you to everyone that has submitted feedback so far.

• Please let us know if your network card works or doesn’t work with Soho
• Have a feature suggestion or found a bug? Submit it and vote it up here
• Dedicated Soho Alpha Feedback thread in our forums

Thanks for being involved in our alpha testing phase. We hope you enjoy using the product and we look forward to your comments!

Here’s some news-worthy statistics you might have come across recently:

Employee Computer & Internet Abuse Statistics

• 30 to 40% of Internet use in the workplace is not related to business
• 64% of employees say they use the Internet for personal interest during
  working hours
• 70% of all Internet porn traffic occurs during the nine-to-five work day
• Internet abuse costs Irish SMBs €580 million per year
• The FIFA World cup will cost American companies about $121.7 million in lost productivity

Your Organizational Costs

So what does this mean to your organization? What percentage of the above costs does your company contribute? Quick, locate information on the number of companies in your country from the local bureau of statistics and divide it with the latest unproductive Internet usage costs …or… click link to nifty little ‘Annual Cost Calculator’ below.

Annual Cost Calculator for Unproductive Internet Usage

Annual Cost Calculator - Unproductive Internet Usage

How to use it

All you need to do is to:

• Click image link above to navigate to calculator
• Enter number of employees in your organization
• Enter average employee cost per hour
• Click ‘Calculate’

The calculator will work its magic and display an overview for different yearly cost scenarios depending on minutes of unproductive browsing per day and the percentage of employees engaging in unproductive Internet usage.

• Average Employee Cost per Hour: If you’re not sure about your average employee cost the US Department of Labor – Bureau of Labor Statistics estimated it to be approximately $29 per hour in March 2010 (including salary, overhead costs, benefits, payroll taxes, etc.).
• Percentage of Employees Engaging in Unproductive Internet Usage: Latest statistics estimates that approximately 64% of employees use the Internet for non-work related interest during work hours.
• Unproductive Usage – Minutes per day: Latest poll figures indicates at least 1-2 hours (60 – 120 minutes) per day.

Limitations

• You must navigate away from this page to be able to use it. Sorry, this a php blog platform, a language I am far from fluent in or would ever dream of trying to incorporate with JavaScript. I’m a marketing person for crying out loud – cut me some slack.
• It only takes unproductive costs into consideration. To get the true number you also need to consider bandwidth costs, legal liability costs (such as sexual harassment or hostile workplace law suits because you, as an employer, didn’t do anything to prevent inappropriate or illegal Internet usage), costs related to network disruptions or slowdowns because all your employees are streaming the World Cup, and so on.
• It doesn’t consider other human factors. It isn’t an artificially intelligent calculator that can simulate a real office environment and factor in variables such as motivation and how a certain amount of unproductive (or ‘Workplace Internet Leisure Browsing’ (WILB) as coined by Melbourne University study) can actually increase employee concentration levels and helps make a more productive workforce.

• How to import your log files and explore the information recorded by IronPort using the Summaries screen
• How to open the customized IronPort Report Templates and Aliases
• How to generate reports
• How to import your organizational structure and report on departments
• How to setup the Web Module and publish reports

PART 1: Importing log files & exploring your IronPort summaries

Once you have exported your IronPort access logs (see http://www.webspy.com.au/vendors/ironport/howto.aspx#ftp), this video takes you through importing your logs into WebSpy Vantage and analyzing data on the Summaries screen.

PART 2: Opening the customized IronPort Templates & Aliases, and running reports

This video takes you through opening the IronPort-specific report templates and aliases and generating a report that provides an overview of your organization’s Internet usage.

PART 3: Importing your Organization structure & generating department reports

This video shows you how to import your organizational structure into WebSpy Vantage from a directory server (such as Active Directory) using LDAP, and then generating a report that contains information on your newly imported departments.

PART 4: Using the Web Module.

This video takes you through configuring and using the WebSpy Vantage Web Module. Specifically, it takes you through the following tasks:

• Configuring the Web Module for Windows Authentication
• Adding a Web Module to Vantage
• Publishing reports to the Web Module
• Adding permissions for a user
• Synchronizing the Web Module
• Using the Dynamic Reports tab

PART 5: A quick word about tasks & conclusion

This video summarizes the actions taken in the previous four videos and also briefly discusses how to automate the reporting processing using scheduled tasks.

I hope this helps! Let me know if you have any questions by leaving a comment below.

The Australian Attorney-General’s Department recently confirmed ongoing discussions about implementing a data retention regime in Australia requiring ISPs to hold customers web browsing history and private emails and make both available on request from government agencies. Industry insiders said the regime being considered by the Australian Government could see data held for up to ten years, much longer than EU Directive time of 24 months.

While reading this, looming in the back of mind is the labour party’s proposed mandatory internet filtering policy. The proposed policy was originally aimed at keeping children safe online but in reality it involves blacklisting and blocking a plethora of online material deemed inappropriate by the government. Opponents of the policy don’t dispute the worth of providing tools to help parents protect their children, but take issue with the expense, side-effects and technical issues of this scheme. Find out more from Electronic Frontiers Australia’s filtering fact sheet.

Although using a slightly different approach, the ultimate goals behind the two regimes is making the internet a safer place, circumventing crimes and facilitating investigation of suspected criminals. But is snooping on individuals’ private browsing and controlling access to material really the way to go? Regardless of the questionable effectiveness and obvious drawbacks, such as costs, there are some major concerns regarding privacy and freedom. Do we really want the government to decide what we can view online and have the ability to access our own personal browsing history? I am aware the intentions are good but it does send chills down my spine.

In relation to the data retention scheme, Electronic Frontier Australia (EFA) chair Colin Jacobs said, “At some point data retention laws can be reasonable, but highly-personal information such as browsing history is a step too far”. Jacobs added, “You can’t treat everybody like a criminal. That would be like tapping people’s phones before they are suspected of doing any crime.”

Jacobs does raise valid concerns. Where do you draw the line? Is accepting government access to everyone’s browsing history a precursor to tapping people’s phones? Setting up surveillance cameras in everyone’s home? Thought police?

Extract from Orwell’s 1984:
“There was of course no way of knowing whether you were being watched at any given moment. How often, or on what system, the Thought Police plugged in on any individual wire was guesswork. It was even conceivable that they watched everybody all the time. But at any rate they could plug in your wire whenever they wanted to. You had to live—did live, from habit that became instinct—in the assumption that every sound you made was overheard, and, except in darkness, every movement scrutinized.”

Alright, I know we’re far from the dystopia described in Orwell’s 1984 but I can’t help drawing parallels between the personal privacy lost to the state. Orwell once explained that the scene of the book (1984) is laid in Britain in order to emphasize that the English-speaking races are not innately better than anyone else, and that totalitarianism, if not fought against, could triumph anywhere.

Side Note

WebSpy is pro-internet access and provide businesses, government departments and educational organizations an alternative to blocking and filtering software. We emphasizes that organizational internet usage should be managed using an honest and open monitoring approach where acceptable internet usage policies are clearly communicated to employees and students.

Employers need to ensure their internet resources are used in a productive, secure and legal manor. Private filtering and monitoring by a government is a completely different kettle of fish and we have deliberately refrained from public comments on Australia’s proposed filtering policy. However, with the new discussions on government access to private web browsing and email records we felt the need to at least raise a few concerns and if nothing else point out the difference between private and organizational internet reporting.

Whilst we do see benefits in families and individuals monitoring their own internet usage and bandwidth cost, as a company we do NOT support government legislation allowing national filtering or access to private browsing records.

What are your thoughts?

The log databases are stored in an SQL Express instance named MSFW. By default these databases cannot be accessed by a remote computer. I’d first like to say that we recommend changing TMG’s logging to W3C text files, as these logs are about 5-6 times faster to import, and you don’t need to worry about the steps below.

But if you need to stick with the SQL Express logging, here are the basic steps to enable access to the logs from a remote computer:

Enable TCP access to the MSFW instance

To do this:

1. Log into your Forefront TMG server using administrator credentials.
2. Select Start | All Programs | Microsoft SQL Server 2008 | Configuration Tools | SQL Server Configuration Manager.
3. Expand SQL Server Network Configuration and select Protocols for MSFW
4. Right-click TCP/IP and select Enable
5. Click OK on the Warning dialog informing you that “changes will not take effect until the service is stopped and restarted.”

Enabling TCP/IP on the MSFW instance

Set the listening Port on the MSFW instance

Once TCP/IP is enabled on the MSFW instance, you need to set it to listen on port 1433

1. Select Protocols for MSFW under SQL Server Network Configuration
2. Right-click TCP/IP and select Properties.
3. Click the IP Addresses tab and scroll to the IPAll section at the bottom of the list.
4. Change the TCP Port to 1433 and ensure nothing is entered in TCP Dynamic Ports (Delete the ‘0′ value  if present). Click OK and click OK on the Warning dialog.

Setting the Port on the MSFW instance

Change the listening port on the ISARS instance

The ISARS SQL instance also listens on port 1433 and this can cause connection issues. Change this instance to use port 1434:

1. Still in SQL Server Configuration Manager, select Protocols for ISARS under SQL Server Network Configuration
2. Right-click TCP/IP and select Properties.
3. Click the IP Addresses tab and scroll to the IPAll section at the bottom of the list.
4. Change the TCP Port to 1434 and ensure nothing is entered in TCP Dynamic Ports. Click OK and click OK on the Warning dialog.

Changing the port on the ISARS instance

Restart the Services

For the above changes to take effect, you need to restart the SQL Server (ISARS) and then the SQL Server (MSFW) services in that order.

1. Go to Start | Administrative Tools | Services
2. Right-click the SQL Server (ISARS) service and select Restart.
3. Right-click the SQL Server (MSFW) service and select Restart.

Test the connection from the WebSpy machine

You should now be able to connect to the MSFW databases from a remote computer. To test the connection, we recommend that you install SQL Management Studio on the machine running WebSpy and try to connect to <TMGservername>\MSFW, 1433 (replace <TMGservername> with your actual server name or IP address). For example TMGServer\MSFW, 1433 or 192.168.0.10\MSFW, 1433.

As long as you are logged into Windows with a user account that is a local administrator on the TMG server, you should be able to connect without issue.

Importing the TMG Log files into WebSpy Vantage

Once you have established a connection, you can import your logs using WebSpy Vantage like so:

Create a new Storage

Select Database Connection

Select the Microsoft FTMG Loader

Click Add

Enter TMGServer\MSFW and port 1433

Successfully Imported WebProxy Logs

The screenshots above also illustrate using a database mask of *WEB* to only import the WebProxy logs. If you only want to import the Firewall logs, set the database mask to *FWS*. If you want to import both the WebProxy and Firewall logs, leave the database and table masks set to *.

Now that you have your log files imported, you can run a quick ad-hoc analysis on the Summaries screen or generate any of Vantage’s default web of firewall reports. M

Make sure you also download our Forefront TMG specific Aliases and report template. For more information, see our Forefront TMG How To page.

If you have any questions or encounter any hurdles, please leave a comment below.

The meet-up attracted just under 20 attendees, making it the largest in Australia. A great mix of people showed up to present their business, ask questions, discuss ideas and simply interact.

Similar to the guests and callers for the TWIST podcast, majority of presentations and discussions focused on technology, innovations and start-up tips. It was a great pleasure being in a room brimming with entrepreneurship, ideas, business acumen, pizza and alcohol .

Some of the Presenters

• Madpilot
• Bonobo
• NearMap
• Digital Mapping Solutions
• Brown Beagle Software

Stuart (above), one of the partners from Bonobo, talked about their successful iPhone and iPad applications, including Yoink, iBoost (number 1 in Japan, top 5 in Australia, and top 20 in the US), as well as their iPad books and magazines.

Alex (above), JavaScript engineer at NearMap, an Australian PhotoMap media company that creates very clear, current and changing PhotoMaps and terrain data, capturing multiple views of the landscape at a fraction of the cost and time of traditional systems.

The Company’s world-leading technology enables PhotoMaps to be updated much more frequently than other providers (Google Maps!), which can be months, if not years out of date.

Matthew, from Digital Mapping Solutions (DMS) presented DMS’s local intelligence and GIS solutions. Matthew works 4 days a week to balance his day job with his own development projects including a ’self monitoring application’ that watches what programs and websites you use to stop you procrastinating. Among other things, the application minimizes the unproductive windows (as qualified by the person using the application) if left open for too long. Expected release is end of 2010.

For more information about upcoming Perth meet-ups follow WebSpy on Twitter.

Over 1,600 managers and staff were surveyed covering the UK, Australia, Germany, and the USA during the first two months of 2010. The major findings from the study, titled “Web 2.0 in the Workplace,” include:

• Over 79% of respondents said that the most important feature of a workplace for them, above job title and even pay, is to be trusted to organize their own work schedule and have free access to the Internet.
• 62% of workers thought it should be allowable to use social networking services from their desk for their own private purposes. Just 51% of management-level had the same viewpoint.

The report classifies this group of workers as “Generation Standby,” largely because they never seem to fully switch off from work or home. According to the report Generation Standby are so attuned to this way of working that even in these economically challenging times, one fifth (21%) would turn down a job that did not allow them access to social networking sites or personal email during work time.

The characteristics of this group is that they are regularly ‘home-ing’ from work due to the increased pressure to work longer hours, regularly carrying out social and private tasks at work. The trend is most pronounced amongst 25 – 34 year olds, with 57% undertaking personal tasks such as checking social networks, email, online shopping at work. Although 66% of all employees say they make up the time they spend using the internet for personal reasons by working later or through lunch.

The research includes evidence of positive steps by businesses to adopt social media across the global workplace with US companies leading the way, followed by Germany, the UK and Australia. More than half of managers surveyed believe that web collaboration technology is now ‘critical’ to the future success of their business.

Richard Turner, Clearswift’s Chief Executive, commented that, “Today’s research shows evidence of a change in attitude and confidence when it comes to Web 2.0 in the workplace – from the ‘stop and block’ mentality that many businesses adopted in previous years to an appreciation that Web 2.0 is good for business and should be implemented more fully.

Turner also added, “There is no business opportunity in stopping stuff. Businesses need to evolve their approach to security and it is clear from this new report they are starting to understand the issues that Web 2.0 creates. [...] Yes, there are security risks with these new services, but there are also tremendous benefits too. There is no black and white when it comes to business security, but companies are learning to adapt and embrace these new business technologies”.

DOWNLOAD REPORT

Recommended further readings:

• The Cost of Blocking Employee Internet Usage
• U.S Army End Ban on Social Media Sites
• Another Reason Organizations Should Avoid Excessive Internet Blocking
• Internet Monitoring Best Practices – 10 Valuable Tips

The official monthly Startup Meetup is hosted by This Week in Startups. At the time of writing there are 135 Startup Meetups scheduled to take place all over the world on the 8th of June. The purpose of the meet-ups is getting together with people sharing the entrepreneurial spirit and engaging in discussions concerning entrepreneurship, the technology industry and startup culture hosted by Jason Calacanis and the “This Week In” team.

The first meeting will take place at the WebSpy lair Level 3, 9 Colin Street, West Perth.

Register your interest or post comments

“I would like to know how much of my bandwidth is being eaten by each protocol. I will then use this information to determine if circuit may need to be increased due to increased traffic”.

This customer was collecting syslog messages from a Cisco Firewall, then using WebSpy Vantage to generate reports. In theory, this sounds like a fair plan. Unfortunately, the Cisco Firewall logs many different types of messages. Some to do with denied packets, some to do with authentication, some for vpn and so on. The information contained within each message changes. Some events include the size information that is required for any type of bandwidth assessment and some don’t. Correlating the required events to get any sort of accurate ‘bandwidth’ representation is a bit of a nightmare.

Fortunately, there’s a simpler method. If you search the Cisco website or the Internet for bandwidth utilization reporting, you’ll no doubt be pointed in the direction of NetFlow.

NetFlow is a network protocol developed by Cisco Systems to run on Cisco IOS-enabled equipment for collecting IP traffic information [Source Wikipedia http://en.wikipedia.org/wiki/Netflow]

There are a couple of commands to enter on your router to turn NetFlow on, and then you just need a NetFlow collector to receive the Netflow information and generate reports.

Fortunately WebSpy has developed a little tool called FlowMonitor that collects the Netflow information and writes a log file that can then be imported into WebSpy Vantage and reported on.

The FlowMonitor Management Console

Once your FlowMonitor logs are imported into WebSpy Vantage, you can run the default FlowMonitor report to see the size of traffic flowing between IP addresses, subnets, router interfaces or protocols. Alternatively you can create your own custom reports to see exactly what you want to see.

NetFlow doesn’t record usernames or URLs so it’s not great for reporting on the web sites your users are visiting, but it is great for network administration and trouble shooting. Identify chatty IP addresses, protocols that are chewing too much bandwidth, the times throughout the day when incoming or outgoing links become heavily utilized and so on.

For information on how to configure your router and deploy FlowMonitor, see the FlowMonitor Installation and User Guide. You can also download a free trial here.

FlowMonitor is a handy little tool. Ask your friendly WebSpy account manager about it today!

Vantage uses multiple threads to perform certain tasks. As general rule, the more threads being used simultaneously, the higher the CPU utilization. There are a few situations where Vantage uses multiple threads simultaneously:

CPU usage when importing log files

When importing more than one log file, each log will be imported with a separate thread. As CPU usage increases when more threads are used, importing a single log file won’t push your CPU, but importing a folder full of logs will.

CPU usage when generating reports

CPU performance can also be affected by the structure the report you are running. Report templates have what we call ‘Nodes’ in them. You can go into a report template, right-click | add node. Think of each node as an SQL query. When generating a report, each node gets processed in a separate thread, and if the nodes are ‘at the same level’ they get processed at the same time.  Here’s a screenshot showing what I mean by nodes at the same level.

A report template with two 'levels' of nodes

The three ‘red’ nodes will be processed at the same time, and then the three ‘green’ nodes will be processed at the same time. The green nodes won’t be processed until the red nodes have been processed. The more nodes being processed at the same time increases the number of simultaneous threads and the amount of CPU being used.

CPU usage when filtering reports

CPU usage is also affected by the number of records being processed from your storage. If you are running a report on your entire storage with no filters, then Vantage will be pushing all records in your storage through the reporting engine. If you run the same report but with a filter for a specific user, then Vantage will seek through the records in the storage until it finds a record for that user, then push that record through the reporting engine. This results in a ‘trickle’ of records being pushed through the reporting engine so it doesn’t get a chance to really push your CPUs.

A filter that excludes a lot of information that exists in your storage is the most common reason for low CPU utilization while running a report.

In Short

The number of logs, report template structure and filters can all have an effect on the way Vantage utilizes your CPUs.

We also have some exciting ideas on our roadmap to ensure Vantage utilizes as many CPUs as you can throw at it. Until then, I hope the above information helps you understand when and why your CPU usage will and won’t be pushed.

This is a great update for Vantage Ultimate users as we’ve introduced a new feature/tab into the Web Module called ‘Dynamic Reports’.

If you’re publishing the same report to the Web Module each day, you can use the Dynamic Reports tab to select a date range and a department (or whatever organizational groups you have defined) and the Web Module will collate all the daily reports that match that filter into one report. This allows you to report on entire week, month or year by simply ‘reporting on reports’, rather than reporting months of raw storage data.

Here’s the full list of changes since the last auto update (2.2.0.32 on the 14th April 2010).

Application Changes

• Added Dynamic Reports feature to the Web Module.
• Rewrote the Web Module transfer protocol. New protocol adds version checking, connection checking, and integrity checking for high latency environments.
• Purge data from storage task no longer prevents importing new hits when all data is removed from an input within a storage.
• IPv6 addresses now show IPv4-mapped addresses as plain IPv4 addresses in summaries.
• IPv6 and IPv4 addresses are now freely interchangable in filter expressions.
• Fixed IPv6 drilldowns on the Summaries screen
• SQL inputs can now be resumed from the previous position. Previously any input that was partially imported would be skipped when importing new hits.
• Template-based analysis has been fixed, no longer results in blank/non-existent analysis.
• Added new string manipulation functions to expression language; Contains, StartsWith, EndsWith, IndexOf.

Loader Changes

• Astaro: Now checks that the ID field is present in a line before attempting to read it.
• Barracuda Web Filter: Added this format to replace Spy Filter.
• BlueCoat Proxy SG W3C: Added support for gmttime, timestamp, x-bluecoat-surfcontrol-is-denied and x-bluecoat-transaction-id.
• ClearSwift: Added a new loader group for ClearSwift that includes the MimeSweeper loaders
• ClearSwift SECURE Web Gatway: Now supported with the Web Appliance loader
• Clearswift Web Appliance: User summary displays Source IP if Username is blank.
• IronPort WSA: Fixed memory usage issues.
• Microsoft FTMG: Added category name lookup to SQL loader.
• Microsoft FTMG: No longer fails to import lines where the rule field contains square brackets.
• Microsoft FTMG: URL Category field is now a string instead of an integer. Added URL Categorization Reason field.
• Microsoft FTMG: Fixed memory usage issues.
• Microsoft IIS W3C: No longer hangs or crashes when loading a file that isn’t IIS W3C.
• NetAsq: Added support for srcname field. The Username summary is populated with user first, and then srcname if user is blank. The User summary is also now populated with Source IPs if the Username summary is blank.

To update WebSpy Vantage, simple select Tools | Check for updates.

To update the Web Module, login to the Web Module server, right-click the WebSpy system tray icon, and select Check for updates.

As always, please contact us if you have any issues or questions.

A 16 year old teen was recently arrested for bringing a partially completed bomb to school. It is alleged that that the crude bomb was one out of four he planned to detonate at his high school in Florida.

The teen’s locker was searched after school administrators were alerted about his internet activity on the school’s computers. Investigators said the teen’s online search for “dry ice bombs”, “how to make a grenade” and subsequent bomb making websites triggered the school’s monitoring system and school officials acted quickly to get the police involved.

The teen was in possession of three out of four materials necessary to complete the bomb. The one missing element was gasoline, which was accessible in his second-period marine mechanics class. Police said he wrote out elaborate maps and locations on school grounds that would cause maximum damage to students and faculty. Watch police press conference

This case clearly highlights the importance of ad-hoc AND real-time internet reporting abilities. If you’re a WebSpy Live user you can set up customizable triggers to receive alerts on online behavior you deem inappropriate. Once a users does something online to activate a trigger you can use WebSpy Vantage or Analyzer to further investigate the user’s browsing behavior and search queries to determine if there is a genuine need to be concerned. Triggers can be set on anything from long browsing sessions, large downloads, large emails, certain file types and, in this case, based on website content.

Create an Alert Trigger in WebSpy Live based on Website Content

There’s two pretty straightforward ways to create triggers to alert on website content using WebSpy Live; setting up triggers based on ‘Keywords’ and setting up triggers based on ‘Profiles’. The main difference between the two is that ‘Profiles’ allows you to exclude certain keywords. For example, let’s say you want to be alerted on users visiting websites that contain keywords related to making bombs but not on keywords or URLs that simply include the the letter string bomb. Setting up a profile allows you to exclude these words, for example ‘bombastic’.

In addition, WebSpy Live already contains a default set of keywords and URLs relating to default ‘Profiles’ such as Adult, Gambling, Entertainment and Piracy.

(If you don’t have version of WebSpy Live you can download a free 14 day trial here. Please follow the instructions in the ‘Inputs’ view to specify the proxy server or gateway products you use to log traffic.)

Setting up Triggers based on Keywords

1. Open WebSpy Live
2. Click ‘Triggers’ view
3. Click ‘Add New Trigger
4. The ‘Triggar Wizard’ will appear, click ‘Next’
   

 

5. Tick ‘Single Hit Trigger’ and click ‘Next’
   

 

6. Tick ‘Keywords’ and click ‘Next’
   

 

7. Click ‘Add’ to enter each keyword followed by ‘OK’
   

 

8. Name your Trigger and give it a Low, Medium or High Priority
   

 

9. Specify email address(es) to send alert notifications to and click ‘Next’
   

 

10. Click ‘Finish’ and you’re done!

From now on, each time a user access any web resources containing the keywords you just specified an email will be sent out alerting you as it happens. Any alert triggers will also immediately be displayed on the WebSpy Live status display.

One of Forefront TMG’s major strengths is obviously its URL categorization and filtering abilities. Since TMG now takes care of the threat management aspects, clients converting from other solutions, such as ISA Server, no longer need a third party filtering solution and will most likely save a considerable amount of money.

However, the reporting functionality included in Forefront TMG are not much different from ISA Server 2006, i.e. very little flexibility or customization for those with reporting requirements beyond general overviews cluttered with irrelevant information.

We’ve blogged a lot about TMG reporting in the past and have now uploaded new and dedicated WebSpy Vantage and Microsoft Forefront TMG pages outlining:

• 10 Reasons to Use WebSpy Vantage to Report on Forefront TMG
• How to:
• Set-up TMG Logging for WebSpy
• Import TMG Logs into WebSpy Vantage
• Forefront TMG Report Templates and Aliases (created to make your life a lot easier)
• Run Reports
• Analyze and Drilldown into Data

Have a look at WebSpy Vantage and Microsoft Forefront TMG.

Hopefully it can assist you in your quest for sophisticated Forefront TMG reporting.

A large chunk of our clients use WebSpy Vantage to report on a wide spectrum of devices (web proxy server, email server, firewalls, routers, switches etc) from more than 150 different vendors and not solely as a web analytics tool. Saying that, many WebSpy Vantage users do take advantage of its web server reporting abilities and have experienced first hand the benefits of log file analysis over GA’s JavaScript tagging. Clients generally like the way they can work with the data in GA, but not completely happy with the data GA provides and therefore use WebSpy Vantage to complement and provide detailed drilldowns into certain areas.

Log File Analysis vs. JavaScript tagging

In order to enable Google Analytics to report on incoming traffic you need to copy and paste a custom JavaScript to every page within your site or site template. Since Google Analytics is relying on JavaScript the following issues are very likely to affect the accuracy of your data:

• Not reporting on visitors who disable JavaScripts in their browsers
• Overestimating visitors who regularly clear their cookies
• Limited or no reporting for non-standard page extensions

Limited or No Reporting for Non-Standard Page Extensions

This is the area I want to expand on today. GA won’t give you any information on resources accessed within the site that is not an actual page containing the custom JavaScript. You won’t be able to see how many times visitors downloaded your documents, such as white paper, product catalog or PowerPoint presentation, in file types such as .doc, .pdf, .txt, .pps, .zip, .xls, etc.

Alright, I’m telling lies, there are roundabout ways of tracking these downloads but it includes tagging all document links with a _trackPageview() JavaScript. This piece of JavaScript assigns a pageview to any click on a tagged link. Not only does this involve a pretty cumbersome process of adding scripts to all your website document links, you also need to take into account the error in reported document downloads that will occur since you are not always in control, and can tag, all instances of your document links appearing on the inter-web. For example, if other websites are linking straight to your documents, or if people are arriving at those resources from other external sources (e.g., an email containing an url to the pdf).

Reporting on your web server log files is a much more reliable way of getting the accurate information you need. It’s pretty darn easy as well.

Using Vantage to Analyze Non-Standard Page Extensions

Below is just a brief example of how easy it is to use WebSpy Vantage to get the reliable information on different file type downloads.

After importing my web server logs, for a randomly selected period in April, into Vantage I can get an overview of all the different file types accessed by simply clicking ‘Site Extension’.

Let’s say I am curious to find out more about the .pdf documents accessed by visitors during this period. I click on the .pdf site extension and am immediately presented with a variety of options to further investigate .pdf downloads.

For example, I can drilldown into .pdf ‘Site Resource’ to get a list of all the pdf documents accessed. To locate the most popular pdf I simply sort the list by number of hits.

It seems like the most popular .pdf document on this particular day one was our ‘5 Reasons to recommend WebSpy Reporting with 44 hits. Again, I can now drilldown further into any site extension to find out relevant information on referring sites, search engines used, the keywords used search engines etc.

Referrer Keywords

Dr Brent Coker is seeking organizations who are interested in participating in a study to examine how WILB affects their employees’ productivity and loyalty. Initial evidence from Dr Coker’s research suggests certain levels of WILB can result in improved productivity.

This research is to be completely anonymous; data will be de-identified before analysis, and is subject to the privacy conditions provisioned in the University of Melbourne research statute. University of Melbourne ethics approval (#0828412.1) has been granted for this research.

We strongly encourage our clients to get involved in this unique opportunity to get a concrete insight into how WILB affects their organization’s operations and:

• Ensure your organization is successfully embracing technological developments while taking employees’ changing needs into account.
• Understand the extent to which your employee productivity is being affected by WILB.
• Understand your employee’s loyalty and motivation to excel in the workplace.
• Proactively take measures to create a more harmonious and productive working environment.
• Use Dr Coker’s expertise and findings to ensure your Internet investment is used to its full potential.

Research Methods

Dr Coker stipulates that the degree to which organizations participates is optional, but recommends a two pronged questionnaire approach to managers and subordinates using a modified version of the Endicott Workplace Productivity Scale (EWPS). EWPS is currently the best way to measure self-report worker productivity in this context. The subordinate questionnaire also includes a loyalty scale. Although never empirically tested, Dr Coker’s initial study indicated that freedom to surf is highly correlated with loyalty, through autonomy.

To find out more information or to register your interests to participate in the study please contact:

Dr Brent Coker
Department of Management and Marketing
Level 9, 198 Berkeley Street
The University of Melbourne Victoria 3010 Australia
Tel: +61-3-8344-1933
Fax: +61-3-9349-4293
Email: bcoker@unimelb.edu.au

Read “Freedom to Surf” media release from the University of Melbourne
Read WebSpy’s media release discussing findings from previous study

WebSpy’s Industry Fit

WebSpy is a global leader in reporting and analysis on Internet activity when used in partnership with security vendors such as Microsoft ISA Server, Microsoft Forefront TMG, Cisco IronPort, Blue Coat, Sophos, Astaro, Barracuda, Squid Proxy, and many more.

Below image neatly summarizes how WebSpy report on log files from vendor devices in the Unified Threat Management (UTM) and Secure Web Gateway (SWG) sectors, and specifically focus on reporting and analysis on Internet activity aspects within the SIEM sector.

THE REASONS

1. WebSpy Adds Value to Existing Product Portfolio

There’s a multitude of reputable, solid and reliable security vendors that frequently form a part of our resellers’ product portfolio. Their network and security devices do a great job providing network structure and actively protecting against security issues.

However, analysis and reporting is not their forte, not their core, and more often than not reporting is only a feature within their complete network and security solution.

Gartner’s latest Magic Quadrants on SWG and UTM vendors (or “SMB Multifunctional Firewalls” as labelled by Gartner) clearly highlights the security vendor’s weakness in reporting.

Straight from the horse’s mouth, here’s some vendor reporting issues as highlighted by Gartner:

• “Lacking enterprise-class administration and reporting capabilities.”
• “Advanced ad-hoc reporting features are lacking and custom reports are limited to filter settings on existing reports.”
• “Reports are very basic, and there are only a limited number of pre-developed reports.”
• “Per-user reports and forensic investigations are weak.”
• “On-box reporting is very basic and requires Windows and SQL database licenses for the reporting server.”
• “The number of canned reports is low and some reports do not have obvious features, such as pie graph options. Some customers complained about the scalability of the reporting interface.”
• “Users describe the vendor’s reporting and alerting as difficult to use.”
• “Although management is strong, users cite quality of reporting as a deficiency.”

With this information at hand it comes as no surprise that resellers want WebSpy’s reporting solutions to complement and add value to existing Internet security devices and provide their clients with valuable, advanced, customized and scalable reports on the exact use of web servers, web proxy, servers, email server, firewalls, switches, routers, and spam and virus application.

2. WebSpy Helps Generate and Facilitate SWG and UTM sales opportunities

You’ll be surprised by the amount of clients who base the decision of which Internet security device to purchase on reporting abilities.

WebSpy has a proven track record of assisting both Internet security vendors, such as IronPort, Microsoft ISA Server, Sophos, and their resellers in securing sales of their Internet security appliances. On numerous occasions our resellers have been able to secure deals, which could have been lost to a competing vendor/reseller, simply because they were able to throw advanced reporting into the mix.

3. WebSpy Substantially Increase Sales Revenue through Add-On Sales

Our resellers have found that recommending WebSpy reporting with every Internet security and network installation gives them the ability substantially increase add-on sales revenue with limited efforts involved.

The fact we offer competitive upgrade rebates if a reseller’s client have already invested time and money in a competing third-party reporting solution, or on-appliance reporting, naturally makes the transition to WebSpy even smoother.

Not convinced? Have a look at these:

• 10 Reasons to report on ISA Server using WebSpy
• 10 Reasons to report on IronPort using WebSpy
• 10 Reasons to report on Sophos using WebSpy
• 8 Reasons NOT to Use Microsoft Forefront TMG’s Reporting

Unfortunately there are two issues with the Web Module auto update process. Everyone on a 64 bit operating system will encounter issue #1 (Unable to locate installation location), and some of you may encounter issue #2 (System.IO.FileLoadException).

This article describes the errors and how to work around them to successfully update the Web Module.

Issue #1

The usual process to update your Web Module is to log into your Web Module server, right-click the WebSpy system tray icon and select ‘Check for updates’.

If you do this on a 64 bit operating system, you will receive the following error:

Web Module Updater error: Unable to locate installation location

You can fix this issue by clicking Yes, and specifying the Web Module’s installation location, which is usually somewhere under c:\inetpub\wwwroot (or just c:\inetpub\wwwroot if you didn’t specify a virtual directory when installing).

This will allow the updater to continue and you will be prompted to download and install the latest update.

Issue #2

Unfortunately, you may encounter another error during the update installation. The text of the error will be something along the lines of:

System.IO.FileLoadException: Could not load file or assembly ‘ICSharpCode.SharpZipLib, Version=0.84.0.0, Culture=neutral, PublicKeyToken=1b03e6acf1164f73′ or one of its dependencies. The located assembly’s manifest definition does not match the assembly reference. (Exception from HRESULT: 0×80131040)

Work Around

We are currently working on solutions to both of these issues. In the mean time, here is a work around to install the update. On the Web Module server:

1. Download this file:
   http://update.webspy.com/autoupdate/files/vantagewebmodule/vantagewebmodule2.2.0.18.zip
2. Stop IIS (See instructions below).
3. Right-click the WebSpy system tray icon and click Exit.
4. Backup your existing Web Module installation by copying everything in your Web Module’s installation folder (usually under c:\inetpub\wwwroot (or just c:\inetpub\wwwroot if you didn’t specify a virtual directory when installing) into a completely separate location (i.e. don’t keep it in a sub-folder).
5. Extract the downloaded zip file to your web module’s installation folder. Overwrite all the existing files.
6. Start IIS (see instructions below).

Your Web Module will now be updated to the latest version.

Stopping and Starting IIS

In IIS Manager (Start | Control Panel | Administrative Tools | Internet Information Services (IIS)) , right-click the site you want to start or stop, and click Start or Stop

We sincerely apologize for the inconvenience and will hopefully have a solution out soon. If you have any problems with the process above, please contact support at webspy dot com.

For those that don’t know what Soho is all about, check out this video:

Soho is a dashboard application that displays download and upload traffic statistics for each computer in your network. If you haven’t yet tried Soho, please give it a go and download it here.

It is our intention to keep our Alpha testers up to date with our ongoing development. Right now, I’d like to inform you about some issues experienced by a handful of testers and how to go about resolving them.

Learn to restart the Soho Agent

First of all, one of the handiest things we can tell you right now is how to restart the Soho Agent. This single step is resolves 99% of all Soho issues, at least temporarily. If these steps seem too complicated, rebooting your PC also has the same effect.

To restart the Soho Agent on Windows:

1. Launch the Services Console by going to Control Panel | Administrative Tools | Services. Or if you like handy short cuts, try Start | Search (or Run), Type ‘services.msc’ (without the quotes) and press enter.
2. Right-click the “WebSpy Soho Agent” service and select Restart. If you get a ‘time out’ error message or warning, ignore it and right-click the service again and select Start.

To restart the Soho Agent on Mac OS:

1. Open the terminal from /Applications/Utilities/Terminal
2. Type sudo launchctl stop “WebSpy Soho Agent”
3. Enter your user password if requested.
4. Wait about 5 seconds.
5. Type sudo launchctl start “WebSpy Soho Agent”
6. Again, enter your user password if requested

OK, now you have the skills, here are the issues and work-arounds:

100% CPU usage after sleep or hibernate

Some users reported Soho’s impressive ability to consume 100% of their CPU when their computer wakes from sleep or hibernation. A few users experienced a slow and sluggish PC, and uninstalled Soho immediately.

If you’re looking for the Soho process in Windows Task Manager you will not see it until you click the Show processes from all users button (or checkbox in XP). This is because the Soho Agent runs under the System user account in order for it to run, no matter who is logged onto the PC.

From here you can end the WebSpy.Soho.Agent.exe process and everything should return to normal. You can then restart the “WebSpy Soho Agent” to get Soho working again (see steps above).

We believe we have fixed this and are in the middle of some final testing. All going well, we should have a new build ready for you very soon. In the mean time, you may like to disable sleep and hibernation in your PC’s power options.

Soho doesn’t install on Mac OS 10.5??

Our first Alpha release did not install on Mac OS 10.5 (Leopard). This was due to a silly checkbox in our packaging system not being checked. We’ve checked the checkbox and uploaded a new build to our web site. You can download it from here:
http://www.webspy.com.au/products/soho/download.aspx

Note: Soho will only install on Mac OS 10.5 (Leopard) and 10.6 (Snow Leopard). Versions 10.4 (Tiger) and below are not supported.

All computers disappear from the Current Activity chart except the local computer

Sometimes all computers will disappear from the Current Activity chart leaving your local computer all by itself. This happens when the communication between Soho Agents becomes jammed. You can usually resolve the issue by restarting the Soho Agent on your local computer (see steps below). If this doesn’t work, restart the Agents on all other computers running Soho. We are currently working on a fix for this issue.

The Soho User Interface is completely blank

If there is no information in the Total, Current Activity or History chart, this is because the Soho Agent has stopped running. Reasons for this may vary, so please let us know if this is regularly occurring. Restarting your agent usually resolves the issue (see steps above).

Feedback

Thank you to everyone that has submitted feedback so far.

Just a reminder to please let us know if your network card works or doesn’t work with Soho on this page:
http://www.webspy.com.au/products/soho/supportednics.aspx

You may also like to review the current list of features and bugs and vote them up or down at:
http://webspysoho.uservoice.com/

There is also a dedicated Soho Alpha Feedback thread in our forums at:
http://www.webspy.com.au/forums/viewtopic.php?f=8&t=12

We will let you know when fixes are available to the above issues.

As the VM starts, it will present a boot prompt. At this prompt, type

boot> boot -c

This will boot you into  “User Kernel Config”. Once in there, type the following commands;

UKC> disable uhci
UKC> quit

This will exit User Kernel Config, and continue a normal boot. The “nvram: invalid checksum” error still appears, but the OpenBSD VM should now boot correctly. However, it will fail again on next reboot of the VM, so to make the change permanent, log in to the VM as root and enter the following commands;

# config -e -f /bsd
ukc> disable uhci
ukc> quit

Now the change is permanent, and the OpenBSD VM will boot correctly in future.

I posted this because I was unable to find any English information on how to fix this problem. I got the solution from an article written in Japanese.

When imported into WebSpy Vantage, the result is shown in a new summary called ‘Group’ which you can add to your reports.

We also added support for the custom fields Bytes Sent and Bytes Received. Due to the absence of a header in the IronPort access log, Bytes Received and Bytes Sent fields must both be present to be detected, and the Received field must precede the Sent field.

We also added support for the custom fields Request Body Size and Response Body Size. These fields can be included in your access log by adding %q (Request body size) and %b (Response body size) in the ‘Custom Fields’ edit box. Due to the absence of a header in the IronPort access log, Request Body Size and Response Body Size fields must both be present to be detected, and the Request field must precede the Response field.

We’ve also noticed that the values in the Bytes Sent and Bytes Received fields do not necessarily add up to the value logged for ‘Size’. We’re discussing this issue with our friends at IronPort and we will hopefully post a solution or explanation soon..
The information we first received about these fields indicated they represented Bytes Sent and Bytes Received. This is the way they are represented in the builds below (2.2.0.29). We will release a new build soon, with the field names changed to Request body size and Response body size. Body size is different to bytes sent/received as it does not include bytes from packet headers etc.

We’re yet to issue an automatic update for the Vantage applications, so in the mean time you can download the latest builds here:

Vantage Ultimate:
ftp://ftp.webspy.com/webspy/Builds/VantageUltimate2.2.0.29.zip

Vantage Web Module:
ftp://ftp.webspy.com/webspy/Builds/VantageWebModule2.2.0.8.exe

Vantage Giga:
ftp://ftp.webspy.com/webspy/Builds/VantageGiga2.2.0.29.zip

Vantage Premium:
ftp://ftp.webspy.com/webspy/Builds/VantagePremium2.2.0.29.zip

To apply the Vantage update, close Vantage and extract the downloaded file into Vantage’s installation folder (Usually c:\Program Files\WebSpy\Vantage <flavour> 2.2). Overwrite the existing files.

To apply the Web Module update, uninstall the Vantage Web Module from Add/Remove Programs (Programs and Features in Windows 7/Server 2008), then run the downloaded exe file, making sure you specify the same server, virtual directory and data location that your Web Module was previously using.

We will be releasing this as a public auto-update soon. Let us know if you have any issues.

Check your version in Help | About. If you are running 2.2.0.27 or above, then you already have this update. If not, make sure you update to your software by selecting Tools | Check for updates.

There’s TWO things you need to do to for the chance to win software and earphones:

1. Register your Interest in WebSpy Soho at www.webspy.com/soho
2. Tweet this message:

Register your interest in @WebSpy Soho & tweet this msg for a chance to win Bang & Olufsen Earphones & free software http://bit.ly/9xViFT

If you have already registered your interest in Soho simply tweet the above to be in the running.

Why the earphones you might wonder? We understand all previous WebSpy Soho winners are anxious to get their free version of the software and we are very busy perfecting it. To show you how much we appreciate your patience we want to provide yet another opportunity to win something of extremely high quality.

We will announce the winner of the earphones on Twitter and email the 100 additional winners of the one year subscription of WebSpy Soho before the 31st of March 2010. Probably a good idea to follow WebSpy on Twitter to make sure you don’t miss out on important announcements.

About WebSpy Soho

WebSpy Soho is our soon-to-be-launched dashboard application for anyone who wants to know the full story on their computer and network bandwidth usage and Internet connection speed. WebSpy Soho is perfect for small offices, home offices, families, shared student households and even a single computer home user.

No longer do you need to be a network administrator to monitor your computer or network, Soho makes it easy and user-friendly for everyone.

WebSpy Soho will help you answer some of these questions:

• How much is each computer on my network uploading and downloading?
• Which computer is slowing down my internet connection speed?
• Am I getting close to reach my ISP internet quota?
• Is Malware eating up large chunck of my bandwidth?
• Is someone freeloading on my wireless connection?

What makes WebSpy Soho so special?

There are already many of network and bandwidth monitor solutions out there, both free and paid versions. However, all of these seem to miss the mark when it comes to assisting the new generation of people who want to use them. Gone are the days when only Network Administrators wanted to monitor bandwidth usage and internet connection. Today every other household (and small office) has a network of computers. And guess what? Majority of these users are not Network Administrators or super technical. More often than not it is just your average person who wants to find out more about their network usage.

This is where WebSpy Soho comes in – WebSpy Soho has been specifically designed with these users in mind. Don’t get me wrong, a Network Administrator will be thrilled with WebSpy Soho’s functionalities as well. He/she just won’t have to use any technical skills to set up and use Soho.

WebSpy Soho is different from competing products because:

• WebSpy Soho lets you monitor 1- 15 computers on your network. Majority of free bandwidth monitoring solutions only lets you monitor your local computer.
• Compared to many paid network bandwidth monitoring software, WebSpy Soho is very easy to set up and start using.
• WebSpy Soho is interactive and customizable. You can view real time data as well as specify historical date ranges you want to investigate. WebSpy Soho also lets enter your ISP billing periods and quota allowance to easily keep track of your usage. Majority of other bandwidth monitoring software only gives you a static overview you cannot customize.
• WebSpy Soho distinguishes between internal and external network traffic. Soho will only display actual internet uploads and downloads to prevent skewing your result.
• WebSpy Soho provides you with alerts when your internet connection becomes overloaded, when you are approaching your ISP quota limit, and when an unknown machine is using your network.

Find out more and register your interest for the chance to win one year FREE subscription of WebSpy Soho at http://www.webspy.com/products/soho/default.aspx

LEGALLY

Every country has its own set of rules and regulations regarding invasion of privacy but the majority firmly holds that employees have no rights to privacy when using a company machine for private use.

If an employee feels that, for whatever reason, his/her privacy has been invaded two main aspects are important – The employee’s reasonable expectation of privacy, and the employer’s justification for taking the action.

In following hypothetical situations I think we can all agree that there is an existence of high expectation of privacy and very poor justifications.

Situation 1:
Your employer secretly installs hidden cameras in all bathrooms and changing areas at work. Your employer never informs anyone he/she is doing this as he/she is driven by control and slight perversion.

Situation 2:
After you have filled out latest health questionnaire your employer leaks the answers to your fellow co-workers and drug manufacturers. Why? Because he/she just doesn’t like you and want to earn some extra cash.

Let’s apply the two aspects to workplace internet and email monitoring.

Employees’ expectation of privacy

This day and age it is (or at least should be) common knowledge that employees cannot expect privacy at work whilst using their employers’ computers and online resources. Proactive employers ensure some form of Acceptable Usage Policies are communicated throughout the organization, and might even ask employees sign off on them, to officially ensure everyone is on the same page.

Employer’s justifications for taking the action

This list can be made very long but at a high level employers generally want to monitor employee internet usage to reduce liability and unproductive behavior.

Liability – Employer’s and Employee’s
As employee use of email and the Internet increases, so does the potential for the employer to be held liable for employee misconduct. For example, employers have been sued for copyright infringement when an employee downloaded copyrighted material from the Internet, for racial discrimination when employees circulated offensive emails, and for sexual harassment when employees posted harassing comments on an electronic bulletin board. It is also the employer’s responsibility to protect employees from getting themselves into sticky situations using the internet at work.

Productivity
Recent research suggests that the average U.S. employee spends approximately six hours a week searching the Internet for personal reasons while at work. At sixty-two percent of U.S. employers, employees surf for sexually explicit materials. The two most frequent search keywords on the Internet are “sex” and “pornography/porno.” Seventy percent of all Internet porn traffic occurs during working hours. It has recently been estimated that the cost to employers from this lack of productivity is $5.3 billion and the average employee wastes about 1.5 hours per day browsing the internet, using computers for personal use, Instant Messaging, social networking etc.

Considering the amount of time, money and potentially damage to reputation and overall work environment, I think we can all agree that employers have just cause AND responsibility to monitor employee internet usage.

PRACTICALLY

Hopefully we can all understand why an employer wants to monitor the use of online resources. We might not be thrilled about it, but can understand and respect it as much as we understand that we shouldn’t call geographically dispersed friends while at work just because we have access to a phone, or print thousands of leaflets for our weekly campaign against fur coats just because we have access to a printer. However, the way an employer goes about monitoring Internet activity will highly affect perception of invasion of privacy.

A bad way of going about it is not being open about monitoring, not explaining exactly what is allowed, when, for how long and what isn’t allowed, trying to catch employees out instead of trying to help them sticking to rules. Sadly this is the case at many organizations. Legally it cannot be classified as invasion of privacy but it will sure make employees feel like their privacy is compromised.

My previous blog on Internet Monitoring Best Practices covers 10 valuable tips of how to undertake effective internet monitoring without upsetting or alienating your employees.

Here’s a quick video outlining some of the differences between TMGs Reporting, and what can be achieved using WebSpy Vantage. The video does not illustrate all the limitations outlined below, so please read on.

Whats is in the Forefront TMG report?

The default TMG report contains the following sections

• Summary
• Web Usage
• Application Usage
• Traffic and Utilization
• Security
• Malware Protection
• URL Filtering
• Network Inspection System

Each section contains overviews such as ‘Top users’ and ‘Top Sites’.

If your reporting requirements can be satisfied with these overviews – that’s great! Unfortunately, when you start thinking about what system administrators and other people in your organization actually need to make informed decisions, this report is quite limiting.

The 8 Limitations of Microsoft Forefront TMG’s Reporting

Here is what I consider to be the 8 main limitations of Microsoft Forefront TMG’s reporting functionality.

1. No Drilldowns

Want to see the sites that the top 5 users accessed? Want to see the users that downloaded the most traffic from youtube? These are fairly standard reporting requirements that simply cannot be achieved using the inbuilt TMG reporting.

WebSpy Vantage lets you either interactively drilldown into a user or site, or produce a regular report that includes further details about what your top users have actually been up to.

2. No Filtering

When you generate a report in TMG, you can only filter the report by a date range. There is no way to filter out anonymous (unauthenticated) traffic or exclude traffic coming from advertising servers (such as doubleclick and 2mdn.net) that tend to dominate most of the top 10 sites.

This can easily be achieved using WebSpy’s software. Check out my video on how to remove clutter from your web reports.

3. No Customization

Customization of each overview in the TMG report is limited to the number of items to show (e.g. top 5 or top 50 users), and the sort order (Incoming Bytes, Outgoing Bytes, Requests and Total Bytes).

What about the time a user spent browsing the web, or the number of users that visited a specific site? There is no way to add custom columns such as total browsing time, average session time, or number of users/sites/IPs to the report tables.

Or say you simply want to change your top users chart from a bar to pie to easily see the percentage used. Nope sorry!

If you do make one of the two available customizations in a TMG report, you then get the annoying Apply / Discard message to save changes to the configuration database.

All of these customizations can be achieved using WebSpy Vantage, and it doesn’t touch your TMG server to apply a change to a report.

4. Limited Report Distribution

When you generate a report, you get the option to email it to a specific email address. What if you would like to create a report for every department, and then email it to the managers of each department? Or better yet, host the report on a secure web server where department managers can log in and view their reports?

WebSpy Vantage Ultimate comes with a secure ‘Web Module’ specifically for this purpose and managers still receive a link to the report via email.

5. Cluttered ‘Top Sites’ List

The ‘Top sites’ list can become particularly cluttered due to the inclusion of sub-domains. I don’t want to mentally add up the size values from farm1.static.flickr.com, farm2.static.flickr.com, and farm3.static.flicr.com – I just want to know how much was downloaded from flickr.com.

This is compounded by the inability to exclude sites that are merely placing advertising banners on the actual sites users are visiting (as mentioned in the ‘No Filtering’ limitation above).

WebSpy Vantage breaks URLs down into separate components and lets you analyze each part separately. Look at the Site Domains summary to remove sub-domains and see only flickr.com. Or perhaps you want to see the keywords a user entered into search engines like Google? Or perhaps the top pages accessed within a website? No problem. Just include the Site Keywords or Site Resource summaries in your Vantage reports.

6. No Grouping or Aliasing

There is no way to group users into departments or locations, or IP addresses into subnets, or extensions such as .html, .pdf or .exe into file types. The ability to group and represent raw log data in more meaningful ways, as offered by WebSpy Vantage, can increase the value of a report tremendously.

7. No Productivity Assessment

One of the major features introduced in TMG since ISA Server 2006 is the included URL categorization technology.

Although the TMG report gives you an overview of the categories that have been visited, the report does not use this information to display a productivity assessment for your users.

WebSpy Vantage not only provides this assessment, but also the ability to customize the categories that are deemed productive as this can vary wildly depending on the industry and organization.

8. Not browser independent

This is a minor limitation that can be a major annoyance. The report that TMG produces is a HTML report that only displays correctly in Internet Explorer. As Forefront TMG is a Microsoft product, this is not exactly surprising, but still very annoying if IE is not your default browser.

How to get awesome reports from Forefront TMG

If you have had personal experience with any of the above limitations, you’ve probably been hunting for an alternative solution. I strongly recommend checking out the WebSpy Vantage range of products, and if you would like secure report distribution via the ‘Web Module’, Vantage Ultimate is what you are after.

If you agree or disagree with anything in this article, I encourage you to leave your thoughts in the comments.

Cheers!

Scott

Macquarie issued a statement saying an internal review of the events of February 2 has been completed and that the employee will remain an employee. The statement also says, “Macquarie and the employee apologize for any offense that may have been caused.”

Regardless of the findings during the internal review I really do praise Macquarie Group for making this decision. Why? Well, this might seem like a bold statement but here goes:

In general, it is the employer’s fault when employees misuse the Internet or Email and NOT the other way around!

Having Acceptable Usage Policies doesn’t mean employers can wash their hands of the consequences that may arise when employees don’t stick to them.

Internet at Work = Dangerous Machinery at Work

The training and usage of internet at work should be as rigorous as the training, usage, continuous checks and risk assessment when operating dangerous machinery at work. In a sense it is the same thing. No, you won’t accidentally lose a finger if it gets stuck in the keyboard, but there is a real danger of losing your job, embarrassment, identify theft, developing internet addiction (suffered by between 5% and 10% of Web surfers) and heavy fines (or even jail) if downloading illegal or copyrighted material.

The Internet is an absolute necessity as well as an occupational hazard. We’ve said it before and we’ll say it again – No employee should be fired for misusing the internet. Hiring and firing should be based on if you have a good or bad employee. It is the employer’s responsibility to ensure Acceptable Internet Usage Policies are put in place AND adhered to. If clear rules are communicated and monitored no one should have to be sued or fired.

We are all well aware of the less desirable effects this behavior has on a business. Loss of productivity, wasting precious bandwidth and potential for sexual harassment law suits.

Now imagine that the financial advisor’s near-nude photo browsing is being captured and broadcasted live on one of Australia’s national news network for millions of people to see, and later watch on YouTube. Wait, you don’t have to imagine. This actually happened.

Another wealth advisor at the bank was being interviewed on the financial market’s reaction to the Australian Reserve Bank keeping interest rates on hold. However, I don’t think anyone paid attentions to the interest updates as all eyes were on fixed on the computer screen in the background.

Hopefully this will act as a a reminder to all organizations – No matter how strict your acceptable Internet/Email usage policy is, it is worthless if adherence to it is not properly monitored.

The 90 year old Winnipeg-based magazine, The Beaver: Canada’s History Magazine, boasts a subscriber base of 50,000 and an estimated total readership of more than 350,000. Starting April the Beaver will change name to plain old Canada’s History.

Deborah Morrison, president and CEO of Canada’s National History Society, which publishes The Beaver, said, “The innuendo of the old name was causing problems for the magazine online.” Morrison explains that during the last two years ‘Beaver’ has become one of those keywords increasingly blocked by web filters and that the magazine’s electronic newsletter often lands in spam filters instead of reaching subscribers.

You can’t help but sympathize with Canada’s National History Society. Even though a name change might have been on the cards in due course nonetheless, this story sheds yet another light on the inflexibility and rigidness of web filtering and blocking.

Unfortunately all magazines or associations do not have the ability to change name. I wonder how much of a pain web filtering has been for; Breast Cancer Associations, Tourist Bureaus in Essex, Sussex and Middlesex and MS-Exchange resellers?

Related Links and blogs

Article in Reuters
The Cost of Blocking Employee Internet Usage

But seriously…

If you always treat corporate communication as though the evil boss was listening in on the other end, at all times, you cannot go wrong. Personal correspondence with loved ones should be kept to decent content; employees have been fired, and reputations have been destroyed, over ignoring Acceptable Usage Guidelines. It is also doubtful whether the tone of the conversation would be so explicit if conducted, for instance, over the phone, where the entire open-plan office can eavesdrop, so bear this in mind when sending personal emails from work.

Spending time browsing for porn at work is also a bad idea, as not only does it put you at risk (sexual harassment suits have been started over nothing less), but you are also exposing your employer to further liabilities. In addition, not all pornographic web sites are “healthy”, and will often attempt to upload malicious software to your machine. Think of it as a new, 21st Century vector for the sexually transmitted disease…

The same is also true for most software and music download sites. More often than not, these are simply hotbeds of malware that will be disastrous for you, should it end up on your local machine. Having to petition your sysadmin to perform a complete reinstallation of your desktop because you were browsing unproductive sites at work is one of the fastest ways of irritating someone you should try to keep happy!

Gambling and games sites also occupy more time than we like to think – try not to let yourself get sucked into them and set your alarm if you know you are one of those who gets easily distracted.

Internet connectivity need not be a tool for wasting time

If you are responsible with your browsing habits, you should have no reason to ever be fired for them. Employers who wish to avoid the confrontations that are the end result of such reckless browsing habits should concentrate on training, motivating and retraining employees; keeping staff turnover low has the knock-on effect of creating a stable workplace environment where employees feel valued and want to stay on.

Why lose your most experienced and best workers simply because they do not understand the nature of consequence? Showing them their browsing habits encourages them to see their usage for themselves and its effects on the workplace, without the need for blocking, which can also be incredibly depressive for morale.

Internet connectivity need not be a tool for wasting time. Maintain an Acceptable Usage Internet Policy and monitor your usage wisely.

About WebSpy Soho

WebSpy Soho is our soon-to-be-launched dashboard application for anyone who wants to know the full story on their computer and network bandwidth usage and Internet connection speed. WebSpy Soho is perfect for small offices, home offices, families, shared student households and even a single computer home user.

No longer do you need to be a network administrator to monitor your computer or network, Soho makes it easy and user-friendly for everyone.

WebSpy Soho will help you answer some of these questions:

• How much is each computer on my network uploading and downloading?
• Which computer is slowing down my internet connection speed?
• Am I getting close to reach my ISP internet quota?
• Is Malware eating up large chunck of my bandwidth?
• Is someone freeloading on my wireless connection?

Jason Calacanis and Jack Andrys talking about Soho in TWiST ep #31

What makes WebSpy Soho so special?

There are already many of network and bandwidth monitor solutions out there, both free and paid versions. However, all of these seem to miss the mark when it comes to assisting the new generation of people who want to use them. Gone are the days when only Network Administrators wanted to monitor bandwidth usage and internet connection. Today every other household (and small office) has a network of computers. And guess what? Majority of these users are not Network Administrators or super technical. More often than not it is just your average person who wants to find out more about their network usage.

This is where WebSpy Soho comes in – WebSpy Soho has been specifically designed with these users in mind. Don’t get me wrong, a Network Administrator will be thrilled with WebSpy Soho’s functionalities as well. He/she just won’t have to use any technical skills to set up and use Soho.

WebSpy Soho is different from competing products because:

• WebSpy Soho lets you monitor 1- 15 computers on your network. Majority of free bandwidth monitoring solutions only lets you monitor your local computer.
• Compared to many paid network bandwidth monitoring software, WebSpy Soho is very easy to set up and start using.
• WebSpy Soho is interactive and customizable. You can view real time data as well as specify historical date ranges you want to investigate. WebSpy Soho also lets enter your ISP billing periods and quota allowance to easily keep track of your usage. Majority of other bandwidth monitoring software only gives you a static overview you cannot customize.
• WebSpy Soho distinguishes between internal and external network traffic. Soho will only display actual internet uploads and downloads to prevent skewing your result.
• WebSpy Soho provides you with alerts when your internet connection becomes overloaded, when you are approaching your ISP quota limit, and when an unknown machine is using your network.

Find out more and register your interest for the chance to win one year FREE subscription of WebSpy Soho at http://www.webspy.com/products/soho/default.aspx

This concern was also raised in our recent “Notes on E-Security Development” blog.

Majority of schools and educational institutions in developed countries are investing in sophisticated security solutions to help protect their internet resources. However, by using public proxy sites students are able to bypass security solutions and disguise their inappropriate activity from being detected.

When a proxy server is used a student will appear to be visiting only one site, the proxy itself, and not the blocked or banned target site. Any internet surfing they do after that is effectively invisible.

IBT also states that the number of public proxy sites has increased dramatically over the past few years. In 2006 M86 Security estimated the number of proxy sites to be 7,111. By 2009 the new estimate had risen to an amazing 91,490.

Using proxy sites to access blocked sites puts both the schools and the students at risk. The schools are at risk because the virus ridden proxy sites can contaminate their entire network and enables students to access the blocked sites already deemed as high risk. Students (and teachers for that matter) can personally suffer if a proxy site hosts malware, such as a trojan. Once a trojan has spread to computers, hackers can access them remotely and steal data, log keystrokes, and thus easily grab personal passwords and credit card numbers.

So what to do then? A spokesman for JANET, which carries data traffic between many local school networks in the United Kingdom, said: “I would agree that using proxy servers to get around security systems is indeed a problem. Technical solutions need to be used as one aspect of a wider approach to protecting users, including educating children, teachers, and parents in how to use the web safely.”

Education is certainly the key but it is also important to make the most out of security and monitoring solutions. Yes, it is impossible to effectively identify and manage all the 91,490 proxy sites out there. However, you might find that out of those 91,490 around 20-40 are commonly used and shared among the students at a specific school. Many public proxies use IP addresses (as opposed to site names) to avoid easy detection, so a spike in a certain IP address could be an indication that it is a popular proxy site.

Read our “How to Improve Public Proxy Management and Control” blog for tips on detecting public proxy usage.

We take great pride in this versatility and the fact that our software is virtually vendor neutral, or universal. At the time of writing our software support 128 different vendors, and more than 250 log file formats. But what does all this actually mean? What’s all this log file format gibberish and why is better to use a universal log file analyzer than a reporting solution that can only analyze a limited set of log files?

Let’s break it down…

What is a Log File?

A log file is a set of data that is automatically created and maintained by a security or network device of activity performed by it.

Web proxy servers maintain log files listing details on every request, from outgoing traffic, made to the proxy server – who is accessing external sites, what sites are being accessed, when the sites were accessed, what page or search phrase referred the user to the sites, and the type and size of data downloaded from the sites. Email servers store log files containing data about the sender, the receiver, timing of delivery or receipt, subject line, and size of attachment. Firewalls, and other security devices, normally contain data about network activity and the external and internal traffic that has been blocked or filtered.

Log files contains bundles of information and are usually not very structured or easy to decipher. Here’s what a  log file can look like:

Can you see the need for a log file analyzer?

Who are the Network and Security Device Vendors?

There’s a bunch of them to say the least. A recent WebSpy customer survey showed that Microsoft, Novell, Squid, IronPort, Blue Coat and CheckPoint were the top vendors whose products our clients wanted to analyze.

Checkout the whole list (128) of vendors we support at http://www.webspy.com.au/resources/logformats.aspx

What is a Log File Format?

When we state we can analyze more than 250 different log file formats we take into account the different log files formats produced depending on the vendors’ product, product version and log type

For example: Microsoft develops products such as Exchange, IIS, Proxy Server and ISA Server. ISA Server comes in different versions (2000, 2004 and 2006). Each version can log and store different types of log files (file, MSDE Database and SQL Database). So, ISA Server MSDE Database 2004 is one log file format we support, ISA Server file 2000 is another.

Benefits of a Universal Log Analyzer

The 250 something log file formats WebSpy analyze and report on are simply the most common ones. It is very rare that we come across a client who need to analyze a log file that is not already on our list of supported log files. On the odd occasion this does occur, the client can simply request support for their specific log file format, our developers work their magic and wham – we support one more log file format.

Most competing log file analyzers are hard-coded to analyze a particular log file type. When this is the case their clients will need a different log analyzer to achieve each individual reporting requirement, increasing the time and costs involved to produce all the required reports.

WebSpy’s clients, on the other hand, reap the rewards of using one application to achieve all their reporting requirements, spending less on software maintenance, hardware and administration.

We have now decided on the future look of our upcoming software and would like to thank all of you who took the time to vote. We were pleasantly surprised by the amount of votes coming in.

Soho Logo

When asking for our audience’s opinion we had narrowed the selection of logos down to three.

We thought all three logos did a pretty good job of representing WebSpy Soho’s key elements; innovativeness, ease of use and kick-all-other-home-and-small-office-internet-monitoring-applications-ass-out-of-the-ballpark. However, as any Highlander fan knows too well – There can be only one! After plenty deliberation and mock-up testing we had two internal favorites. Our audience, you guys, shared the same favorites but in the end logo #2 received the majority of your votes.

We asked for your opinion and, as you would expect, highly value it. We are more than happy to let our audience have the last say in the look of our new software. Thanks again to everyone who submitted their votes, here is your favorite logo – WebSpy Soho’s new logo:

About WebSpy Soho

WebSpy Soho is our soon-to-be-launched dashboard application for anyone who wants to know the full story on their computer and network bandwidth usage and Internet connection speed.

We have combined all our resources and expertise in developing innovative B2B solutions to develop WebSpy Soho – Finally making it easy for home users and small offices to achieve network transparency.

WebSpy Soho is perfect for small offices, home offices, families, shared student households and even a single computer home user. Soho will be FREE for those of you who want to monitor a single computer. If you want to monitor a small network (up to 15 computers), the full version of Soho will be available at a small charge.

Find out more about this amazing application and register your interest to receive exciting Soho updates as we are getting closer and closer to launch date at www.webspy.com/soho

TMG or UAG? What is the difference?

TMG is an outgoing proxy that protects your internal users from malware, viruses and the like. TMG generates some great web proxy log files to import into WebSpy Vantage allowing you to monitor where your users are going on the Internet, how much they’re downloading etc.  TMG, unlike ISA, now has deep packet inspection for HTTPS traffic, plus a bunch of other new features.

UAG is an incoming proxy that provides employees, partners and vendors secure remote access to corporate resources such as Outlook Web Access (OWA) and Sharepoint (MOSS). It utilizes the TMG engine, but this is mainly just to protect the UAG server (more on this topic here http://technet.microsoft.com/en-us/library/ee522953.aspx).

TMG can also publish your OWA and MOSS sites, but this is no longer recommended by Microsoft. They recommend using a dedicated UAG server to perform this function.

Upgrading to TMG

If you’re thinking about migrating your ISA server (2004 or 2006) to TMG, you may like to check out this migration guidance video with Mohit Saxena (Senior Technical Lead) and Jim Harrison (Program Manager). http://edge.technet.com/Media/ISA-to-TMG-Migration-Guidance/

Microsoft Forefront TMG Migration Video

Reporting on TMG

If you’re using TMG at the moment, we invite you to analyze your web proxy and/or firewall logs using WebSpy Vantage and tell us what you think!  Download your copy of WebSpy Vantage here, and import your logs using the Microsoft FTMG format:

Microsoft Forefront Threat Management Gateway

TWiST features entrepreneur Jason Calacanis and a rotating group of guest experts who bring you a weekly take on the best, worst, most outrageous and interesting from the world of Web companies.

The entire episode is well worth watching. Jason chats to Jack about his background, WebSpy, internet monitoring, and gives his inventive start-up insights and opinions during the “Ask Jason”, “Shark Tank”, “Dead Pool” and “News with Lon” segments. Due the length of the episode (2h 40min) I’d thought I’ll provide you with a short summary and selected clips of WebSpy’s and Jack’s golden TWiST nuggets.

Selected Clips & Short Summary

Talking about Monitoring

Jason starts of chatting about his own experiences when it comes to Internet monitoring, or should I say the lack thereof. Jason’s acquaintance was running a start-up and one of the employees was downloading copyrighted materials to his work computer. Lo and behold, one day a letter from a large entertainment conglomerate arrives holding the start-up company responsible of stealing.

Jack also recollects an incident where a large number of government employees were let go because they had been doing inappropriate things on the internet during a six month period. Jack clearly states his, and WebSpy’s, view: No employee should be fired for misusing the internet. It is tragic when this happens, and it is not the reason to get rid of people, hiring and firing should be based on if you have a good or bad employee. It is the employer’s responsibility to ensure Acceptable Internet Usage Policies are put in place and adhered to. If clear rules are communicated and monitored no one should have to be sued or fired.

Jason enquires about the best way for an employer to implement a monitoring solution without seeming like a draconian maniac boss. Jack highlights that all the information (logs) of what internet and email are being used for are already there. WebSpy simply make sense out of the vast amount of raw data and turn it into clear, searchable, categorized reports. Jack says that using monitoring solutions makes you less of a draconian boss. You are opening up what is already there while taking control of the valuable information.

Although blocking is a way some companies are trying to control their employee’s internet usage both Jason and Jack agrees that blocking is ineffective, gets in the way, and it is not what the internet is about. The internet is there to be used and by monitoring employers help employees to use it productively.

WebSpy Soho

Jack officially announces the upcoming launch of WebSpy Soho – WebSpy’s brand new home and small office dashboard application. Soho is designed for small offices, home offices, families, shared student households and even a single computer home user. It will display download and upload activity and history for all computers on your network and alert you when the network load is high, and which computer is causing the overload. Soho will also alert you when an unknown machine is using your network, which is great if you use an open wireless connection.

I will blog MUCH more about Soho over the next few weeks. For now, though, please register your interest in the product at www.webspy.com/soho for the chance to get a free copy of the full version AND vote for you favorite Soho logo (before the 11th of December).

If you get a chance I do recommend you watch the full episode (below). You can also download the video and/or audio version free from iTunes.

Watch the full TWiST episode

Marketboomer provides supply chain management software to help businesses (such as InterContinental Hotel Group, Emirates Airline Catering, Hyatt and more) take cost out of their supply chain. The solution enables businesses to trade with each other more effectively using the Internet, allowing purchasers to buy from suppliers at the best possible price at a given point in time, and by improving processes. Marketboomer typically reduces clients’ procurements costs by between 8 and 20%, and additionally creates process savings and efficiencies of 20% or more within the procurement function.

The completed acquisition is great news for all stakeholders and will provide significant synergy benefits and strategic expansion opportunities. Marketboomer’s software is highly complementary to WebSpy’s, in the areas of cost management and productivity improvement, and its customer base represents a strategic and natural market for WebSpy’s software. Both WebSpy and Marketboomer products are B2B, based around Internet and large data manipulation, and can be applied to any industry sector and any size business.

The acquisition will also enable WebSpy to gain additional operational and development capability in Europe, the Middle East, China and South East Asia. The Marketboomer Group has established marketing presence in Australia, Ireland, China, Indonesia, Thailand, Saudi Arabia, the UAE and Singapore. These additional marketing centers will strengthen WebSpy’s own marketing resources. WebSpy on the other hand has been operating in the United States for nearly 10 years and will be able to assist Marketboomer’s entry into the region.

ASX Announcement – Marketboomer Acquisition Completed
ASX Announcement – Details of Proposed Acquisition

In the mean time, you can do it by editing an XML file manually.

If you go to the Web Module’s data folder you will find a file called “Vantage Web Module.Reports”.  If you open this in Notepad, you’ll notice chunks of xml for each report:

<WebReport>
<Guid>89208266-42e5-44bc-baa2-157c404c9688</Guid>
<Title>Business Unit Report</Title>
<Date>633945813293343143</Date>
<Type>Analysis</Type>
<Access>
<Everybody>False</Everybody>
<Attributed>True</Attributed>
<Specific>True</Specific>
<SpecificEntities>
<item>person:CN=Luke,OU=Users,OU=Australia,OU=Webspy,DC=wsy,DC=com</item>
</SpecificEntities>
<Managers>True</Managers>
<ManagerLevelRestriction>3</ManagerLevelRestriction>
</Access>
<Attribution>person:CN=Scott,OU=Users,OU=Australia,OU=Webspy,DC=wsy,DC=com
</Attribution>
</WebReport>


Depending on how you published your reports, the unique ID of the person that currently has access to the reports will be mentioned in either the ‘SpecificEntities’ or ‘Attribution’ section.

You just need to find/replace this with the unique ID of the person you would like to transfer these reports to. You can find the unique ID of a person on the Organization screen in Vantage.  It’s called ‘Distinguished Name’:

Finding a user's unique ID in Vantage

A few more things:

• Make a backup of your original “Vantage Web Module.Reports” file before making any change.
• As you can see above, people need to be entered into this XML file using the syntax
  “person:<uniqueID>“
• You will also need to stop IIS before making any change as the web module caches this data in its memory while running.

As mentioned, creating a user interface to do this is a planned feature so follow us on Twitter, or subscribe to our RSS feed for updates!

These courageous words were uttered by Richard Schaeffer, information assurance director at the NSA. He also added that simply focusing on adhering to common best practices would substantially raise the bar.

Wired reports that the Senate Judiciary Subcommittee on Terrorism, Technology and Homeland Security recently heard from a number of experts offering commentary on how the government should best tackle securing government and private-sector critical infrastructure networks.

Larry Clinton, president of the Internet Security Alliance, declared that public indifference and unawareness played as much a role in the current state of cyber security as the unwillingness of corporate entities to take responsibility for securing the public’s data.

Clinton, whose group represent banks, telecoms, defense, technology companies and other industries that rely on the internet, said that corporate and government entities that collect and store the public data “do not understand themselves to be responsible for the defense of the data.“ He added that, “The marketing department has data, the finance department has data, etc, but they think the security of the data is the responsibility of the IT guys at the end of the hall.”

Clinton does not believe federally mandated cyber security standards are the answer as they can be seriously counterproductive to national economic and security interests. To improve cyber security, the public sector would have to institute sufficient market incentives to motivate companies to protect the public’s interests. His group plans to release a proposal next month laying out some recommendations.

What do we think?

Although Schaeffer and Clinton are discussing cyber attacks and security on a national level they make it painstakingly obvious that solving the problem requires joint efforts from the government, the public, network administrators and ALL OTHER members of an organization.

At WebSpy we continuously preach that Internet and Network monitoring should not just be the network administrators’ responsibility. In fact, Vantage Ultimate was developed exclusively to increase the effectiveness of IT policy adherence while taking the pressure off the IT department. Vantage Ultimate enables secure distribution of organizational Internet and network reports across an entire organization, whilst protecting employee privacy. Why does this matter? Because distributing the responsibility for IT security starts by efficiently distributing IT security information.

Find out more about Vantage Ultimate

Related Links:
Wired Article
NSA
Internet Security Alliance

In the mean time, I thought I’d share a way to re-brand the main elements in the Web Module by editing a few files and replacing a few images.

The only issue with this technique is that any future auto-updates for the Web Module will overwrite your edited files, so you just need to keep a copy of your customized files, so that you can restore them again after the auto-update.

Before you begin

In order to edit anything, you first need to know where your Web Module is located on your web server’s hard drive. This can be found by opening IIS Manager (Start | Control Panel | Administrative Tools | Internet Information Services (IIS) Manager) expanding the left hand server/site tree to find your Web Module.

• In IIS7, select the Web Module and click Basic Settings… in the right hand ‘Actions’ panel. The location is specified in ‘Physical Path’.
  

  Finding the Web Module's physical path in IIS7

• In IIS6, right-click the Web Module and select Properties… then go to the Home Directory tab. The location is specified in ‘Local Path’.

Windows may also prevent you from editing these files directly due to permissions issues. I’ve found a good technique is to copy the files you want to edit to your desktop, edit them, and then copy them back into the Web Module’s physical path. Windows will then prompt you to elevate to administrator and the copy/replace will succeed.

Ready To Go…

There are a few places where the WebSpy logo and WebSpy Text is presented.

• The login page
• The header bar
• The welcome Page
• Report cover pages

The Login page

The logo displayed on the login page can be found at /images/logo.png. Replace this image with your own logo. Then open Default.aspx in the Web Module’s root folder in a text editor such as notepad, and replace the following line

<img runat=”server” alt=”WebSpy” src=”~/Images/Get.ashx?image=Logo” />

with

<img runat=”server” alt=”WebSpy” src=”~/Images/logo.png” />

Before

Web Module's Login Page Before logo.png Change

After

Web Module Login Page After logo.png change

The header bar

The header bar utilizes the image located a /Images/bauble.png. Replace this image with your own custom image.

Then open Navigation.Master in the Web Module’s root folder in a text editor such as notepad, and replace the following line

Also look for the text:

Before

Web Module's Header Bar Before Bauble.png and Text Changes

After

Web Module's Header Bar After Bauble.png and Text Change

The Welcome Page

When you first login to the Web Module, you are presented with a Welcome Page. The first line on this page reads “Welcome to the WebSpy Vantage Web Module. You can change this by editing the first line in the Welcome.aspx file located in the Web Module’s root folder. Edit the section in bold below:
<%@ Page Language=”C#” MasterPageFile=”~/Navigation.Master” AutoEventWireup=”true” CodeBehind=”Welcome.aspx.cs” Inherits=”WebSpy.Vantage.WebModule.Welcome” Title=”Insert Custom Text Here” %>

Before

Web Module's Welcome Page Before Text Change

After

Web Module's Welcome Page After Text Change

The Report Cover Pages

The Image used on the cover page of reports is much easier to change.

1. Login to the Web Module as Administrator
2. Go to the Options Tab
3. Click ‘Report Logo’ under Web Module Options
4. Click Choose File, and select the image or logo you would like displayed on your report cover page
5. Click Upload

Before

Web Module's Report Cover Page Before Report Logo Change

After

Web Module's Report Cover Page After Report Logo Change

Summary

The changes above cover a majority of the areas your users will come into contact with in the Web Module. There may be a few more instances of the word “WebSpy” but for the most part, it should just be a matter of opening the relevant .aspx file and editing the html.

As I mentioned, if you auto-update the Web Module (via the system tray icon on the Web Module server), your edited files will be overwritten. I recommend keeping a copy of your edited files in a safe place outside the Web Module’s physical folder, so that you can copy them back in after the update. If the only changes you make are the ones above, then you’ll need to keep a copy of:

• /Navigation.Master
• /Default.aspx
• /Welcome.aspx
• /Images/logo.png
• /Images/bauble.png

We will also be adding the functionality to make these changes ‘properly’ in a future build, so follow us on Twitter, or subscribe to our RSS feed for updates!

Cheers!

Most frequently suggested bypass methods includes the use of public proxies, circumventors and http tunneling. I don’t wish to go into details on any of these methods as their use is NOT recommended. However, it does prove a point: The main reasons organizations block certain websites is to prevent security risks and unproductive internet usage. Although, it is an indisputable fact that employees’ use of virus ridden public proxies, and other elaborate methods, to overcome blocking efforts can in fact increase security risks and unproductive behavior – making matters even worse.

Obviously all employees do not take these measures, but isn’t it enough that some do? Yes, the same high risk and time consuming bypassing “techniques” could be used when trying to stay anonymous from internet monitoring software. However, there are two main differences:

1. Using internet monitoring software reduces the need to block. Employees will be able to access the legitimate sites that often end up blocked thanks to a “block worthy” word in a corporate blog, or something of similar virtuousness. Not blocking means less time and effort spent trying to bypass blocking solution. After all, my mailbox is not full of alerts on how to bypass internet monitoring software.
2. Using internet monitoring software will allow employers to detect who is up to no good trying to bypass blocking rules or browse anonymously. For example, if an employee continuously use public proxies or tunneling, an internet monitoring solution (or at least a good internet monitoring solution) can assist the employer in tracking down the offender. (Please have a look at “How to Improve Public Proxy Management” blog for more info.)

This blog simply adds to the convincing case against organizations’ excessive use of blocking and filtering solutions. Porn sites, known malicious virus and phishing sites – by all means, block the living daylight out of them. But as for the rest, as for news site, online shopping sites, social networking and general interest sites – Don’t block, monitor.

I want to avoid repeating myself so please have a look at previous blog for the full story on “The Cost of Blocking Employee Internet Usage”

Gallup has reported that Christmas spending intentions are currently down, compared to last year. Americans are planning to spend an average of $740 on gifts this year; somewhat less than the $801 recorded the same time last year.

Despite this monetary shopping decrease there are no sign that there will be a decrease in the amount of time spent shopping online. According to ISACA, a non-profit association of 86,000 IT professionals, employees plan to spend nearly two full working days (14.4 hours) on average shopping online from a work computer this holiday season.

Ho, Ho, How will this affect your workplace?

ISACA reports, “The potential danger of shopping online is that it can open the door to viruses, spam and phishing attacks that invade the workplace and cost enterprises thousands per employee in lost productivity and potentially millions in destruction or compromise of corporate data.”

Lost Productivity

This almost goes without saying – 14.4 hours spend online shopping means 14.4 hours being unproductive. The survey estimates that employers lost $580 million in lost productivity on Cyber Monday (Nov. 30) in 2008. This year, Cyber Monday is anticipated to be the number one online shopping day. The busiest hours are from 2pm to 4pm, while people are supposed to be working.

Increased Vulnerability

ISACA reports that “employees who shop online using a work computer are also likely to engage in other high-risk behaviors. Survey participants also bank online (51%), click on e-mail links redirecting them to shopping sites (40%) and click on links from social network sites (15%). Yet nearly one in five says they are not concerned that their online shopping habits may affect the safety of their organization’s IT infrastructure. “

Recommendations:

• Monitor – Don’t Block

Don’t start blocking online shopping sites in an attempt to circumvent the problem. Depriving the internet needs of a professional workforce can cause resentment and increase costly turnovers. Blocking Internet access also has potential to reduce productivity by complicating or delaying accomplishment of tasks. In addition, blocking sites may also encourage employees to seek out less secure ways to access block sites.

• Monitor Employee Internet Usage Openly and Respectfully

It is not 1984, overly intrusive practices can easily create the negative perception that Big Brother is watching and make employees feel frustrated and uncomfortable. The effectiveness of Internet monitoring directly relates to employees’ awareness of the content of the policy, their perception of its fairness, and corresponding breach consequences. Please have a look at previous blog “Internet Monitoring Best Practices – 10 Valuable Tips” for a complete list of best practices.

• Educate, Update, Iterate

Educate employees about the risks of online shopping in relation to viruses, malware, spam and phishing attacks. The online threat is constantly changing so ensure your online safety training and education is up to date. Iterate to ensure employees always have internet security at the top of their minds.

If you are using WebSpy’s software you can easily see who may be in need of further online safety training by viewing who is clicking on phishing links and who is trying to access unsafe websites blocked by your organization. Read recent user case: “How to Educate your Workforce and Strengthen Security with Internet Monitoring“.

• Join the Spirit of Christmas

It is Christmas after all. Being more lenient with your Acceptable Internet Usage Policies during the holiday season, as long as work related expectations are met, can significantly assist your employees during this busy time of year. This day and age many employees are working longer hours and have less time for personal tasks, such as holiday shopping. Increasing their online shopping allowance can save employees’ time and let them achieve a better work-life balance.

Related Links:

ISACA
Gallup

Unfortunately, the WebSpy Twitter account fell victim to a phishing scam, and as a result sent phishing spam to all our Twitter followers. We are embarrassed by the incident and we apologize to all of our followers, especially the ones that clicked the link in the DM and were caught by the phishing scam themselves.

Here’s a rundown of the event in the hope that it will help others know what to look out for.

What Happened?

The phishing scam works like this:

1. You receive a strange yet intriguing Direct Message from someone you follow and likely trust. This is the key element to the scams success.
2. The DM contains a link using a shortened URL such as dwarfurl.com/blah. In our case, most of them were using dwarfurl.com, wapurl.co.uk, and 3.ly
3. You click the link and get taken to what appears to be the Twitter login page. But if you look at the URL it is actually something like blogs.videos.dsfasdc.com or videos.twitter.dsfasdc.com. Checking the URL is the key to making sure the scam doesn’t get you too!
4. You enter your Twitter login details. Reports of what happens after this login page vary. You may see the Twitter fail whale, or a blank page, or a random blog.
5. Now that the phishing site has your login details, the same Direct Messages is sent to all your Twitter contacts.
6. You eventually discover what happened. You feel like a violated idiot and start scrambling to fix everything.

What to do if it happens to you

If the above sounds familiar, you need to login to Twitter right now and change your password to make sure the phishing site can no longer access your account. You also need to go to the Connections tab and disable any third party applications that look suspicious. You’ll then need to update the credentials in all the twitter clients, website/blog plug-ins, and anything else that may be using your old Twitter credentials.

Fortunately, we were still able to login to our Twitter account and change our password and disable third party connections. Thankfully there were not any new suspicious connections that we needed to worry about.

Lessons Learned

Now that we’ve fixed everything and regained control of our Twitter account, it’s good to sit back and reflect on what just happened and how to avoid it in the future.

You’ve probably heard all of this before. We had too. But it takes an incident like this to really think about and address any shortfalls in your own organization. Some of our followers were also caught out by the scam and these are people that are in the tech industry and generally know about these sorts of scams. We were definitely surprised that we fell for it! So take a moment of your time to imagine your own Twitter account was compromised in the same way, then imagine all the possible ways it could have happened. Now go and take every precaution to ensure it doesn’t happen.

Having now been through it, here are some tips to help you avoid the same fate in the future.

1. Just because a Direct Message comes from someone you trust, does not mean it is trustworthy. Always use caution!
2. Educate your employees – especially those that know your company’s Twitter credentials. The main goal you want to achieve here is getting your employees into the habit of glancing at the URL in the address bar of their browser before entering ANY login details. We used our own log analysis software (Vantage) to find out who ended up on the websites in question, and then spoke to them directly to ensure they understood what to look out for.
3. Use a Twitter application that can display the actual URL behind a shortened URL before clicking on the link. For TweetDeck users, go to Settings | General, and check ‘Show preview information for short URLs’. Please note, however that this function only works for a few specific URL shortening services.
4. If you’re using the Twitter web page directly, use a browser and plug-in that can expand shortened URLs such as Mozilla Firefox with Long URL Please.
5. Use a browser with integrated anti-phishing security (such as Firefox or Google Chrome) and keep it up to date, or ensure you have good third party anti-phishing / anti-malware software installed.
6. As always, keep your security software and OS up to date.

Our friends at Sophos also have some good information about the scam that you may like to read: http://www.sophos.com/blogs/sophoslabs/?p=7366

Sorry!

An event like this makes you realize how important Twitter is to the overall public perception of a company. Our followers trust us to deliver relevant and useful content about our key areas of expertise – log file analysis and reporting. We spend a large amount of effort researching and writing content to ensure our tweets provide our followers with a good source of information. Having a breach like this certainly degrades this public perception that we work so hard at trying to maintain.

I would therefore like to thank all our followers who have kept with us and not clicked the ‘Unfollow’ button. Now that everything is under control again we will continue to bring you the best content we can provide about the log analysis and surrounding industries.

Once again, many many apologies to all of our followers, especially those that were affected.

Supported on Windows 7

The following WebSpy products support Windows 7:

• WebSpy Analyzer (Standard, Premium and Giga)
  Analyzer customers will need to download the latest version of their product as support for Windows 7 was uploaded today (9th November 2009).
• WebSpy Vantage (Premium, Giga and Ultimate)
  All products within the Vantage range have officially supported Windows 7 since version 2.2 was released on  24th June 2009.
• WebSpy Insight for Microsoft SBS Premium
  Although Insight for Microsoft SBS Premium does not mention Windows 7 support in its documentation, it will install and run on Windows 7 without issue.

Not ‘Officially’ Supported on Windows 7

WebSpy Live, Sentinel and FlowMonitor are not yet officially supported on Windows 7 and will be updated soon. In the mean time, here are some instructions on how to get these products working on Windows 7 right now.

WebSpy Live

The existing version of Live will install and run on Windows 7 with one minor issue. When you run the application, there will be no Triggers, Aliases, or Profiles available.

To fix this:

1. Install and run WebSpy Live on Windows 7.
2. Shutdown WebSpy Live by right-clicking the Live icon in the Windows system tray and selecting ‘Shutdown’
   

   Shutting down WebSpy Live on Windows 7

3. Download the following file containing WebSpy Live’s default Triggers, Aliases and Profiles:
   WebSpy Live Default Files (zip – 19.7 KB).
4. Extract the zip file to C:\Users\<your user profile>\AppData\Roaming\WebSpy\Live 2.2 and overwrite the existing files.
5. Run WebSpy Live. You will now be able to see a list of Triggers, Profiles and Aliases on the respective Configuration screens in WebSpy Live.

WebSpy Sentinel

WebSpy Sentinel will not yet install on Windows 7 due to an issue with the included version of WinPCap (the packet driver used by Sentinel).

To fix this:

1. Download and install the latest version (4.1.1) of WinPCap from http://www.winpcap.org/install/default.htm
2. Install WebSpy Sentinel. The product should install and run without issue.

FlowMonitor

Unfortunately no work around is available for WebSpy FlowMonitor. We will update the product to work with Windows 7 as soon as possible.

Got a problem?

If you experience an issue running these products on Windows 7, or any other Windows operating system for that matter, please let us know!

Gartner has just released its latest report, Gartner Perspective: IT Spending 2010, anticipating that our 2008 and 2009 economic recession is finally starting to give away to growth.

Majority of IT vendors and professionals have suffered in one way or another during the decline – shrinking revenue, budget cuts and redundancies have become all too familiar terms in the IT industry. Yet, all recessions come to an end, and so will this one. Gartner’s report indicates that now is a great opportunity to plan for growth and enable your organization to take advantage of a recovering economy.

On a more subjective note, I would like to highlight that WebSpy directly address four, out of Gartner’s top five, recommended business priorities for 2010 (listed below).

Worldwide IT Spending Forecast

IT spending is forecast to total $3.2 trillion in 2009, a 5.2% decrease from 2008 spending of $3.4 trillion. Worldwide IT spending is expected to return to growth in 2010 as revenue is projected to reach $3.3 billion, a 3.3% increase from 2009.

Gartner believes initial growth in IT spending in 2010 and 2011 may come as the result, directly or indirectly, of the various government stimulus packages announced around the world in recent months, there will be a return to more sustained growth in IT spending in 2012 and 2013 as the economic recovery unfolds.

IT spending includes spending on hardware, software, telecommunication and IT services. Compared to 2009, in 2010, spending on hardware is predicted to stay the same, software to increase by 4.8%, telecommunications to increase by 3.2% and IT services to increase by 4.5%.

CIO Agenda 2010

CIOs report that unlike past recessions, they are being pulled in two directions at once. The business needs cost savings to protect financial results—yet it also needs new solutions to retain current and attract new customers.

Gartner recommends CIOs should reassess their metrics and scorecards and look to connect their IT operations and solutions to positive changes in these areas.

Top 10 Business Priorities Ranking

1. Business process improvement*
2. Reducing enterprise costs*
3. Improving enterprise workforce effectiveness*
4. Attracting and retaining new customers
5. Increasing the use of information/analytics*
6. Creating new products or services (innovation)
7. Targeting customers and markets more effectively
8. Managing change initiatives
9. Expanding current customer relationships
10. Expanding into new markets and geographies

*WebSpy’s software improves business processes by taking the headache and time out of log file analysis and reporting. Our software provides a highly automated way of creating clear and actionable reports. In addition, WebSpy’s clients only need one application to achieve all their log file reporting requirements, spending less on software maintenance, hardware and administration.

Our software assist in reducing enterprise cost by significantly decreasing costs related to unproductive behaviour, bandwidth usage, and network management issues.

WebSpy improve workforce effectiveness by enabling IT staff to accomplish their reporting objectives with limited effort and by maximizing employee productivity.

I’ve been in touch with ComGuard’s Product Manager, Amir Mohsen Abedinifar, who was present at the event, and he said,

ComGuard's busy GITEX stand

“Overall GITEX proved to be a great networking and interactive marketing experience. The turnout this year was not as high as the previous year, most likely due to the economic downturn. However, we did notice that the majority of visitors we talked to had a sincere interest in the products we where showcasing.”

Mr Abedinifar added,“Security information vendors, such as WebSpy, are in high demand during these budget slashing times thanks to the software’s productivity improvement and cost savings abilities.

WebSpy’s solutions add tremendous business benefits to organizations that are struggling with unproductive Internet usage, unjustifiable bandwidth costs and other network management issues. We are excited to follow-up on our new contacts and encourage all GITEX visitors to take advantage of ComGuard’s and WebSpy’s GITEX offer.”

"WebSpy's software in high demand"

Here at the WebSpy lair we have indeed noticed a sharp increase in software downloads and inquires from the Middle East. This is in addition to the large amount of free 30 day software trial CDs that visitors picked up at ComGuard’s GITEX stand. It is apparent that investment in technology, that reduces costs and increase productivity, is more sought after than ever before.

About Gitex

GITEX is an annual trade show taking place in Dubai, United Arab Emirates. It is held at Dubai Trade Center exhibition halls with a typical turnout of 120,000 people visiting from all over the Persian Gulf each year. GITEX presents a great opportunity to source from over 3,000 suppliers, network with thousands of ICT professionals, see the latest launches and hear about the latest hot topics.

Related Links
GITEX
ComGuard

New research from Robert Half Technology indicates that over half of chief information officers (CIOs) do not allow employees to visit social networking sites for any reason while they’re at work. This information comes from a survey of 1,400 CIOs from companies around the US with 100 or more employees.

Is this strictness justified? Amber Naslund makes some good points in a WebProNews interview. Among other things she says that instead of employers telling their staff how they should not be using social media, they should try balancing that by giving them some ways that they should use it.

What I say – People are not robots, employers need to find a middle-way

In some parts of the world, bandwidth is charged at exorbitant rates, so some sort of safeguard and watchfulness are required from a pure cost standpoint.

I feel it is unreasonable, however, to expect employees to work without some sort of social interaction, especially in a client-facing role. Humans are social creatures and being social stimulates all sorts of wonderful brain activity; production CAN be increased as long as employees understand what REASONABLE use of the Internet entails.

“Phone bills are itemized, and web browsing should be too!”

More often than not, this distinction is not explained or understood. We all have telephones on our desk these days, but it would be unthinkable for us as employees to spend all day chatting to our wives, husbands, girlfriends, boyfriends. Phone bills are itemized, and web browsing should be too.

While this may come across as a plug for our products, it is far more than that. I truly believe that blocking defeats the purpose and the spirit of the Internet in general. I’ve dealt with companies that lock down everything except for 50 sites. I’ve also dealt with companies that perform no monitoring, reporting, or any such user governance. Both forms of policies (if you can call the latter example a policy) are extreme and do no good in the long term.

At WebSpy we have found the majority consensus of our customer base to be alike: they return to us and tell us that their bandwidth usage, and their employee browsing habits have all changed for the better when their employees have it explained to them that before work, after work and during lunch, no one really cares what you do or where you go – within reason (and seriously, browsing for porn at work is unbelievably stupid) – and that everything you say and do online bears some reflection back to your employer.

Education always triumphs over draconian measures!

Rather than sneer at your user base with some ideological feeling of moral superiority, educate and explain to them what the consequences of their browsing habits are. Ultimately, they will still appreciate their pay cheque arriving and will avoid the chance of jeopardizing such things. Inserting Internet usage policies into contracts protects the employer and informs the employee exactly where he stands.

Would love to hear YOUR thoughts on this subject!

Vantage’s Storage Location

If you’re using Vantage Premium or Giga, there’s only one location you need to be aware of. That is where Vantage keeps its storages (Vantage’s custom database that log files are imported into). This setting is easily changed by going to Tools | Options | Paths and double clicking the Storages path. Easy.

Web Module Storage Locations

If you’re using Vantage Ultimate, you also need to be aware of the Storage location mentioned above, but you also may need to adjust where the Web Module stores its data.  There are two locations you need to be aware of here:

1. The Web Module Data Location
   This is where the Web Module permanently keeps it’s storages, reports and settings
2. The Windows temporary folder
   This is where Vantage keeps storages while they’re being processed before uploading them to the Web Module’s data location

The Web Module Data Location

The data location for the Web Module is specified during installation and defaults to C:\Vantage Web Data. If you have already installed the Web Module, you can change this location using the following steps:

1. Find the Web Module’s Web.Config file. The Web.Config file can be found in the Web Module’s physical folder. If you don’t know where the Web Module’s physical folder is:
   1. Open Microsoft IIS (Control Panel | Administrative Tools | Internet Information Services (IIS) Manager)
   2. Select the Web Module in the left hand side (e.g. Server-> Sites ->Default Web Site -> webmodule).
      • If you’re using IIS 6, Right-click the Web Module site and select Properties then go to the Home Directory tab to find the physical folder.
      • If you’re using II7, select your Web Module site and click Basic Settings…
2. Open the Web.Config file in Notepad.
3. Find the line that looks like this:

   <add key="SettingsPath" value="C:\Vantage Web Data"/>

4. Change c:\Vantage Web Data to the location you would like to use and save the file.
5. In Windows Explorer, copy all files and folders from C:\Vantage Web Data (or where ever your original location was) to the new location you specified in step 4
6. Restart IIS by going to Start | Run and type iisreset /restart

The Windows Temporary Folder

The Windows Temporary folder can also be modified, but please note this is a system wide change.

1. Right-click ‘My computer’ and select Properties.
2. Go to Advanced and Click the Environment Variables button
3. Change the location for the ‘TEMP’ and ‘TMP’ environment variables (do not use the same location specified in step 4 above)

Vantage and the Vantage Web Module (Ultimate only) will now use your new locations to temporarily and permanently keep your Storage files.

If you’re considering upgrading your ISA Server to TMG, this means that you can start your deployment using the Release Candidate, and simply switch it to a licensed version with no additional configuration changes once the full release is available. At least, that is what Vladimir Holostov (Lead Program Manager, Release Manager for Forefront TMG 2010) states on the Forefront TMG (ISA Server) Product Team Blog:

“The final product will be released later this year and you can expect it to behave exactly like the Release Candidate. You can install Forefront TMG 2010 RC today and upgrade to a licensed version once available without changing the configuration of your deployment.”

To offer some peace of mind for organizations considering the deployment, Vladimir also mentions that “Forefront TMG 2010 RC is deployed at three major Microsoft sites located around the world in Haifa, Bellevue and Redmond. More than 20,000 employees are already protected by TMG and these deployments have already accumulated more than 5,000 hours of runtime, performing extremely well under heavy load”.

No major features have been added to the Release Candidate since Beta 3, however there have been improvements geared around tightening up security, reliability and performance and telemetry. For more information about the release candidate, please visit the
Forefront TMG (ISA Server) Product Team Blog.

You can also download the release candidate here

I mentioned in my last blog posting that WebSpy has introduced support for reporting on Microsoft Forefront TMG log formats in the Vantage product range. To try it out, please make sure you have installed Vantage 2.2 (any flavour – Premium, Giga or Ultimate), and then select Tools | Check for updates to download build 2.2.0.10 or above. You can then import your TMG log files by selecting the Microsoft FTMG loader in the import wizard.

Importing Microsoft Forefront Threat Management Gateway Log Files

We’re very interested to hear your thoughts on the reporting functionality, so please go ahead and give it a go!

So, who is Marketboomer and why has WebSpy proposed to acquire them?

Marketboomer provides supply chain management software to help businesses (such as InterContinental Hotel Group, Emirates Airline Catering, Hyatt and more) take cost out of their supply chain. The solution enables businesses to trade with each other more effectively using the Internet, allowing purchasers to buy from suppliers at the best possible price at a given point in time, and by improving processes. Marketboomer typically reduces clients’ procurements costs by between 8 and 20%, and additionally creates process savings and efficiencies of 20% or more within the procurement function.

The acquisition is great news for all stakeholders and will provide significant synergy benefits and strategic expansion opportunities. Marketboomer’s software is highly complementary to WebSpy’s, in the areas of cost management and productivity improvement, and its customer base represents a strategic and natural market for WebSpy’s software. Both WebSpy and Marketboomer products are B2B, based around Internet and large data manipulation, and can be applied to any industry sector and any size business.

The acquisition will also enable WebSpy to gain additional operational and development capability in Europe, the Middle East, China and South East Asia. The Marketboomer Group has established marketing presence in Australia, Ireland, China, Indonesia, Thailand, Saudi Arabia, the UAE and Singapore. These additional marketing centers will strengthen WebSpy’s own marketing resources. WebSpy on the other hand has been operating in the United States for nearly 10 years and will be able to assist Marketboomer’s entry into the region.

The proposed acquisition needs to be approved by shareholders, more information at: www.webspy.com/newsroom/announcements/Marketboomer-Acquisition.pdf

An alternative, if not more sensible, representation of subnets is the slash notation, or “/n” where ‘n’ is the ‘mask length’ – the number of bits that must match between two IP addresses to make them part of the same subnet.

Consider the following;

     IP 192.168.0.1
          (binary: 11000000 10101000 00000000 00000001)

     Subnet 255.255.255.0
          (binary: 11111111 11111111 11111111 00000000)

This would be the same as 192.168.0.1/24, as 255.255.255.0 has the first 24 bits turned on, meaning anything that starts with 192.168.0.x will match it.

A /16 is equivalent to 255.255.0.0, as only the first 16 bits are on. 192.168.0.1/16 would match anything between 192.168.0.0 and 192.168.255.255.

It gets a bit messy with mask lengths that aren’t multiples of 8, for example 10.0.0.1/12 (/12 is equivalent to 255.240.0.0) would match anything between 10.0.0.0 and 10.15.255.255, and 10.16.0.1/12 would match anything between 10.16.0.0 and 10.31.255.255. This is because the addresses must match all 8 bits of the first segment (10), and only the most significant 4 bits of the second segment (16), making for a total match of 12 bits, or a /12 subnet. For example;

     IP 10.0.0.1
          (00001010 00000000 00000000 00000001)

     IP 10.16.0.1
          (00001010 00010000 00000000 00000001)

     Subnet 255.240.0.0 (/12)
          (11111111 11110000 00000000 00000000)

In effect, the shown bits must be the same for the /12 subnet to match an IP in that subnet range;

     IP/Subnet 10.16.0.0/12
          (00001010 0001xxxx xxxxxxxx xxxxxxxx)

     IP 10.16.1.5 matches 10.16.0.0/12
          (00001010 00010000 00000001 00000101)

     IP 10.19.3.1 matches 10.16.0.0/12
          (00001010 00010011 00000011 00000001)

     IP 10.31.1.1 matches 10.16.0.0/12
          (00001010 00011111 00000001 00000001)

     IP 10.32.1.1 does not match 10.16.0.0/12
          (00001010 00100000 00000001 00000001)

     IP 10.0.1.1 does not match 10.16.0.0/12
          (00001010 00000000 00000001 00000001)

WebSpy Vantage uses the slash notation to represent subnet values in Subnet Aliases because it is easier to understand and represent. The slash notation is also used to represent IPv6 subnets, where there is no suitable analogue to the #.#.#.# representation of IPv4 subnets.

I found a subnet calculator that converts between the slash notation and the #.#.#.# representation at http://www.nettoolsonline.com/slash_conversion.php, which comes in handy if you don’t want to have to do the maths yourself.

In an attempt to prevent the use of public proxies, it is common practice to subscribe to, or collect, regularly updated lists of public proxy sites. Many of these lists are freely available on the Internet (see examples at the bottom of the page).

We recommend the following procedures, using WebSpy’s solutions, to improve management and control of public proxies use

CREATE PUBLIC PROXIES PROFILE

• In your Summaries section, run an analysis, then go to Sites / Site Name
• Right click on any site known to be a public proxy site and chose `Include in profile’
• Either create a new profile called `Public Proxies’ or add to your existing `Public Proxies’ profile
• If you suspect a site to be a public proxy, simply right click and choose `Browse’ to investigate further

UPDATING PUBLIC PROXIES PROFILE

• Locate and copy a public proxy list published online
• In your Profile section, open your `Public Proxy’ profile and paste the list
• Even though a little bit time consuming, maintaining a list of the most common public proxies will increase your chances of easily locating novice public proxy culprits

INVESTIGATING INDIVIDUAL USERS

• In your Summaries section, run an analysis, then click on `Users’
• Right click on your selected user, then choose Drilldown | Sites / Site Name
• Many public proxies use IP addresses (as opposed to site names) to avoid easy detection, so a spike in IP address visits could be an indication that an employee or student may be using a public proxy
• Right click any IP address and choose `Browse’ to investigate further

(Please ensure that comprehensive Acceptable Usage Policies, prohibiting the use of public proxies, and breach consequences are explicitly communicated to employees)

There are numerous websites publishing updated public proxy lists online that can easily be located through search engines. Below are just a few examples:

http://www.publicproxyservers.com/

http://www.proxy4free.com/

http://bestproxy.info/

http://tools.rosinstrument.com/proxy/

http://www.fresh-proxy-list.net/

Don’t hesitate to contact us for further information.

Here’s a short summary of the main topics discussed during the event. For more information please follow the related links at the bottom of the page.

Event Summary

Sophos’s Asia Pacific Managing Director initiated the event by discussing organized cyber crimes. He highlighted that online organized crime rates are escalating rapidly. Online criminals are becoming increasingly sophisticated in the techniques they use to try and scam private people and businesses alike. Unfortunately their techniques are evolving much faster than legislation and community awareness, estimated to be at least 12 months behind.

Police Cyber Crime Unit

The representative from WA’s Cyber Crime Unit expanded on the safety of children, and how Internet predators are becoming increasingly Internet savvy and often avoid getting caught by engaging in their illegal activities at work. Nevertheless the audience was happy to learn about a recent case where the Cyber Crime Unit successfully tracked down an online predator, who had managed to stay anonymous for a long time by exclusively using his employer’s Internet resources. He worked for a very large organization, but thanks to the employer’s internal security and monitoring system he was identified before he had the chance to commit further crimes.

Hiding in a Wireless Hotspot

Wireless hotspots, today free at many airports, coffee shops and fast food chains, was another concern raised by the police’s Cyber Crime Unit. More often than not, the companies providing this free access to customers do not have a system in place to monitor and alert on any inappropriate or illegal activities. When this is the case it is virtually impossible to prevent predators using these networks to stay anonymous. Unfortunately, legislation, or public outcry, to address the issue is not likely to occur until an illegal activity, enabled by the anonymous use of wireless hot spots, takes place and receives media attention.

At School

The representative from the educational sector continued to discuss online safety related to children and students. He highlighted that security system at schools and universities are essential, but not always enough. On many occasions students bypass the school’s firewall by using virus ridden public proxies to access blocked sites. Even students with studious intent occasionally use public proxies to access legitimate sites that have been blocked thanks to a “block worthy” word in a corporate blog, or something of similar virtuousness.

The importance of educating children about the dangers of social networking was also emphasized. Children are often overconfident in their abilities to spot a predator among their peers. However, in reality, they do not fully comprehend the psychological techniques used by online prowlers to gain their trust.

Best Practices

To sum up, the event focused the changing landscape of the internet and internet security. In our internet dependent world everyone is at risk, whether at work, at home, or at school. The best practices, when working towards a safer e-environment, keeps changing but the proactive theme throughout the event emphasized a combination of security systems, system monitoring, education of workforce (parents, teachers, students), and an increased involvement from all levels within organizations and community.

Related Links:
Western Australia Internet Association
Australian Communications and Media Authority
Wise up to IT
Cyber Smart Kids
Stay Safe
Think U Know
Virtual Global Task Force
Sophos

The attack was quickly under control and IT updated firewall rules to prevent any employees from accessing the particular site again. However, instead of immediately blocking further emails from the malicious sender, the IT department saw this as an opportunity to educate the workforce about phishing attacks. They used WebSpy Vantage to report on their firewall and identified all employees who tried to access blocked phishing sites. As employees were identified, IT started organizing informal meetings to inform them about phishing, how to recognize attacks and the most common phishing techniques used.

Because IT was able to pinpoint exactly which employees needed more information about phishing attacks, these smaller meetings showed to be very effective. The employees attending the meetings naturally realized their phishing knowledge was insufficient and were eager to find out more as they didn’t want to make the same mistake again, at work or at home. The government department is still the target of phishing attacks but their employees are now educated enough to identify them before any harm is done.

If you want to share your monitoring and reporting experiences either comment below or email me directly at asa@webspy.com.

You should be prompted to update your software on startup, but if you’ve turned off that feature, simply go to Tools | Check for Updates.

New Features

This new build sports the following new features:

• Support for Microsoft Forefront Threat Management Gateway (Beta)
  Microsoft Forefront Threat Management Gateway (FTMG) is still currently in Beta, and is due to be released around November 2009. For those that do not know, FTMG is the next version of Microsoft’s popular ISA Server. Information and downloads for FTMG can be found here http://www.microsoft.com/forefront/edgesecurity/isaserver/en/us/tmg-beta.aspx. We have added support for FTMG beta 2 and 3 for both the W3C text logs (recommended) and the internal SQL Server Express Database logs. If you are currently trialling FTMG, we are very interested to hear your feedback. Let us know how you go!
  

  Now Supported - Microsoft Forefront Threat Management Gateway

• Data purge
  You can now purge data from a storage, and schedule this purge to occur on a regular basis using Tasks. Purge options include data between a date range, data before a date, data after a date, data older than a date relative to now, and all data. This feature will let you easily maintain a single storage that only includes data for the last month or day.
  

  Options for Purging data from your storage

• Import Organization from CSV can now be scheduled using Tasks
  If you are importing your organizational structure from CSV, you can now schedule this action using Tasks. This enables you to update your organizational structure before any reports are run.
  

  Import Organization from CSV via Tasks

• Added Support for ExoServer Web
  If you’re running ExoServer Web, you can now analyze it’s logs using WebSpy Vantage.

Fixes

We also fixed some things that may have been bugging you:

• Improved the start time for the application by improving the logic to check for Storage damage.
• Fixed the IronPort loader (Fixed out of range issues on excessive size fields).
• “Having” filters no longer override the sort order of a Report Template node.
• Fixed an issue that may result in duplicated storages after migrating settings from earlier versions.
• Fixed the inability to remove invalid entities from web module permissions list (users that no longer exist).
• Fixed a timeout issue when publishing storages to the web module.

Why are you still reading? Go update now!

Have fun!

To use Windows Authentication, there are just a few things you need to do.

1. Set the Web Module’s Authentication type to IIS Integrated, and add your administrators in the form of domain\username
2. Enable Windows Authentication and disable Anonymous authentication in IIS.
3. Ensure all users in your Organization screen have a login name in the form of domain\username. Use the ‘Prefix’ option to prefix “domain\” (without the quotes) to your usernames names when importing your Organization from LDAP or LDIF.
4. Connect Vantage and the Web Module using the new authentication details and synchronize your Organization.

1. Set the Web Module’s Authentication type to IIS Integrated, and add your Administrators.

When you first install the Web Module, the first screen you see is the ‘Initial Configuration Wizard’ that guides you through the process of selecting your authentication type and specifying your administrator(s). If you have already been through this Wizard and are currently using Vantage In-Built or Client Certificate authentication, you can easily reset this initial configuration wizard. Simply login to the Web Module with your current administrator details and go to Options | Maintenance | Reset Initial Configuration Wizard.

Note: You can also change your authentication and administrator options individually using the Authentication and Administrator options on the Options tab of the Web Module.  However, for ease of demonstration, I’ll use the Initial Configuration Wizard method.

Now that you’re at the Initial Configuration Wizard, proceed through the wizard, selecting IIS Integrated authentication and entering your administrators in the form of domain\username (replace domain with your organization’s AD domain, and username with the sAMAccountName of your administrator.

Initial Configuration Wizard - Welcome Page

Initial Configuration Wizard - Authentication Page

Initial Configuration Wizard - Delegate Administrators Page

Initial Configuration Wizard - Summary Page

Click Finish, and if the authentication was successfully changed, you should get a message saying ‘The specified credentials were not accepted”.

The 'Specified credentials were not accepted' message.

Don’t panic at this point. This message is an indication that the authentication was successfully changed and that the Web Module is now listening for IIS to pass through Windows Usernames. The reason you’re getting this message is because IIS is not yet passing through Windows Usernames to the Web Module. This is configured in the next step.

2. Enable Windows Authentication and disable Anonymous authentication in IIS.

Now that the Web Module is expecting IIS to authenticate your users, you need to set up  IIS  to do this.

1. Open IIS by navigating to Start | Control Panel | Administrative Tools and double-clicking on Internet Information Services (IIS) Manager.
2. Navigate to the Web Module site or virtual directory in the left hand ‘Connections’ Panel. It will be located under <Server Name>\<Sites>. For example, MyServer->Sites->Default Web Site->webmodule.

• If you’re running IIS7 ( Windows Server 2008, Vista or Windows 7)
  1. Select the Web Module site and ensure the ‘Features’ tab is selected at the bottom of the middle pane.
  2. Double-click the ‘Authentication’ feature.
  3. Right-click ‘Anonymous Authentication’ and select Disable
  4. Right-click and ‘Windows Authentication’ and select Enable
  5. Restart IIS by selecting your server in the right hand connections pane, and clicking Restart in the ‘Actions’ pane on the right.

• If you’re running IIS6 or 5.1 (Windows Server 2003, Windows XP)
  1. Right-click Web Module site and select Properties.
  2. Go to the Directory Security tab
  3. Under ‘Authentication and access control’ click the Edit button.
  4. Uncheck ‘Enable anonymous access’ and check ‘Integrated Windows authentication’
  5. Restart IIS by right-clicking the local server, select All Tasks, and then click Restart IIS.

If you added your own Windows login name as an administrator in step 1, you can now test the authentication is working. Go back to the Web Module in your browser and click Refresh. You will be presented with an ‘Authentication Required’ dialog where you can enter your username and password.

Authentication Required Dialog

Again, ensure your username is in the form of domain\username. Click OK, and you should log straight into the Web Module using Windows Authentication.

3. Ensure all users in your Organization screen have a login name in the form of domain\username

Now your administrator account can log into the Web Module using Windows Authentication, but all other users will not be able to log in unless they have their login name specified in the form of domain\username. This is done in Vantage Ultimate on the Organization screen.

Organization Screen showing correct login name for Windows Authentication

If you’re importing your users from LDAP or LDIF, make sure you use the ‘Prefix’ option on the User Details page to prefix domain\ before your imported usernames. For example:

4. Connect Vantage and the Web Module using the new authentication details, and synchronize your Organization.

In order to publish information to the Web Module, you need to add a connection between Vantage and the Web Module. This is done on the Web Module screen in Vantage Ultimate.

1. Click Add Web Module (or if you already had a web module before changing the authentication details, select it and click Properties)
2. Enter the server & virtual directory of the Web module, and enter the correct credentials ensuring domain is specified.
3. Click OK to connect.

Connect to Web Module dialog

Once connected, synchronize Vantage with the Web Module by clicking the Synchronize link in the Web Module task pad. You may also want to provide permissions for your users in the Permissions section on the Web Module screen.

That’s it. You can now test that everything is working by getting one of your users to access the Web Module’s URL. They should sail straight in with no username/password prompt.

I hope this helps! Please let me know your feedback by emailing me, or leaving a comment below.

Something of great importance is taking the users of the network you intend to monitor into consideration. Overly intrusive practices can easily create the negative perception that Big Brother is watching and make employees feel frustrated and uncomfortable. Effective Internet monitoring requires a two-pronged approach; intuitive monitoring software AND workforce education / consideration.

This time around I would like to expand on the best ways of monitoring your organizational Internet usage whilst maintaining a harmonious working environment between employers and employees.

1. Allow for a certain amount of personal / recreational usage

Prohibiting all personal use is usually both impractical and virtually impossible to enforce in most work environments. Allowing a certain amount of (monitored) online recreation can enhance many workplaces and ultimately make employees more productive. Recent research by Dr Brent Coker at the University of Melbourne shows that people who do surf the Internet for fun at work – within a reasonable limit of less than 20% of their total time in the office – are more productive by about 9% than those who don’t.

2. Allow for a certain amount unmonitored usage

Employee privacy is a recurring concern when monitoring Internet usage at work. Employees are working longer hours than they ever before and might need to be able to deal with urgent personal matters online, during work time. By specifying and ensuring, that there will be no monitoring during lunch hours (for example), your employees can trust that their privacy is important to you, and you know it won’t affect their productivity.

3. Establish Acceptable Internet Usage Policies

Establish policies around Internet usage and:

• Explain the business-related reasons behind monitoring
• Clearly state what is considered productive and unproductive activity
• If you allow a certain amount of personal use, and / or unmonitored use during certain hours of the day, ensure you outline the exact specifications of these privileges
• Clearly state what is absolutely prohibited, for example, sending or accessing discriminatory, harassing, defamatory, or pornographic material, downloading or distributing copyrighted material without permission etc
• Include consequences for policy violations

4. Use an honest and open monitoring approach

The effectiveness of Internet monitoring directly relates to employees’ awareness of the content of the policy and corresponding breach consequences. Once your crystal clear policies have been developed, ensure you actively distribute, publish and communicate them so employees understand exactly what is expected of them and the conditions of their working environment.

5. Allow employees to view their own Internet usage

This is one of the best recommendations we can give you. More often than not, employees tend to underestimate the time they spend browsing non-work related sites. Allowing employees to view, for example, their productive and non-productive activity can help foster and drive responsible Internet usage behaviour. Employees who understand the organizational costs of their personal unproductive activities are more likely to accept your monitoring activities and modify their own behaviour accordingly.

6. Monitor the whole organization (even managers)

If you ensure everyone knows the whole organization is being monitored, as opposed to individual users or departments, you will decrease the likelihood employees feeling singled out or treated unfairly. Employees feel affirmed if procedures are adopted to treat them with respect and dignity and the likelihood of Internet monitoring acceptance and effectiveness is increased.

7. Help employees sticking to the rules

If you have set a limit of, for example, no more than 10 hours of recreational surfing per month, then ensure you alert employees when they are approaching that limit. Again, this will give the employees another opportunity to modify their own behaviour before they actually violate your Acceptable Internet Usage Policy.

8. Distribute reports – distribute responsibility

Frequently IT managers