Using web content filters
An effective web content filter greatly reduces the likelihood of malicious code infection or other inappropriate content from being accessed by users. Web content filters can also disrupt or prevent an adversary from communicating with their malicious code if deployed on an organisation’s network. Some forms of content filtering performed by web content filters are the same as those performed by other types of content filters, while other forms of content filtering are specific to web content filters.
Security Control: 0963; Revision: 5; Updated: Sep-18; Applicability: O, P, S, TS
A web content filter is used to filter potentially harmful web-based content.
Security Control: 0961; Revision: 7; Updated: Apr-20; Applicability: O, P, S, TS
Client-side active content, such as Java, is restricted to a list of allowed websites.
Security Control: 1237; Revision: 1; Updated: Sep-18; Applicability: O, P, S, TS
Web content filtering controls are applied to outbound web traffic where appropriate.
Transport Layer Security filtering
Since Transport Layer Security (TLS) web traffic travelling over Hypertext Transfer Protocol Secure (HTTPS) connections can deliver content without any filtering, organisations can reduce this security risk by using TLS inspection.
Security Control: 0263; Revision: 7; Updated: Apr-20; Applicability: O, P, S, TS
For TLS traffic communicated through internet gateways, either of the following approaches are implemented:
- a solution that decrypts and inspects all TLS traffic as per content filtering security controls
- a list of websites to which encrypted connections are allowed, with all other TLS traffic decrypted and inspected as per content filtering security controls.
Inspection of Transport Layer Security traffic
As encrypted TLS traffic may contain personal information, organisations are recommended to seek legal advice on whether inspecting such traffic could be in breach of the Privacy Act 1988.
Security Control: 0996; Revision: 5; Updated: Sep-18; Applicability: O, P, S, TS
Legal advice is sought regarding the inspection of TLS traffic by internet gateways.
Allowing access to specific websites
Defining a list of allowed websites and blocking all other websites effectively removes one of the most common data delivery and exfiltration techniques used by an adversary. However, if users have a legitimate requirement to access numerous websites, or a rapidly changing list of websites, organisations should consider the costs of such an implementation.
Even a relatively permissive list of allowed websites offers better security than relying on a list of known malicious websites, or no restrictions at all, while still reducing implementation costs. An example of a permissive list could be the entire Australian subdomain, that is ‘*.au’, or the top 1,000 websites from the Alexa website ranking (after filtering Dynamic Domain Name System domains and other inappropriate domains).
Security Control: 0958; Revision: 7; Updated: Apr-20; Applicability: O, P, S, TS
A list of allowed websites, using either domain name or IP address, is implemented for all Hypertext Transfer Protocol (HTTP) and HTTPS traffic communicated through internet gateways.
Security Control: 1170; Revision: 3; Updated: Apr-20; Applicability: O, P, S, TS
If a list of allowed websites is not implemented, a list of allowed website categories is implemented instead.
Blocking access to specific websites
Collections of websites that have been deemed to be inappropriate due to their content or hosting of malicious content can be blocked to prevent them from being accessed.
Targeted cyber intrusions commonly use dynamic or other domains where domain names can be registered anonymously for free due to their lack of attribution.
Security Control: 0959; Revision: 6; Updated: Apr-20; Applicability: O, P, S, TS
If a list of allowed websites is not implemented, a list of blocked websites is implemented instead.
Security Control: 0960; Revision: 6; Updated: Apr-20; Applicability: O, P, S, TS
If a list of blocked websites is implemented, the list is updated on a daily basis to ensure that it remains effective.
Security Control: 1171; Revision: 1; Updated: Sep-18; Applicability: O, P, S, TS
Attempts to access a website through its IP address instead of through its domain name are blocked.
Security Control: 1236; Revision: 1; Updated: Sep-18; Applicability: O, P, S, TS
Dynamic domains and other domains where domain names can be registered anonymously for free are blocked.
Further information on content filtering techniques can be found in the content filtering secction of these guidelines.