Can filter technologies help to stop child sexual abuse material?

17 September, 2018 NetClean

In our series that looks at different technologies that tackle the spread of child sexual abuse material, we started with Internet Service Providers and how they can block access to child sexual abuse material in their networks. This next blog post shifts to a different level of the internet – looking at how the filter technologies that businesses and organisations use to protect their web-based IT environment can also be used to block child sexual abuse material.

What do we mean by filter technologies?

The list of security threats that businesses and organisations face is long; it ranges from ransomware to phishing to theft of intellectual property. This is nothing new: all businesses and organisations know that they must take steps to protect themselves from cyber-attacks, and most invest heavily in IT security. Gateways (such as web gateways and e-mail gateways), firewalls and DNS (Domain Name System) servers are all used, with the help of filter solutions, to try to identify and stop harmful traffic.

One of the biggest concerns for IT security professionals is internal data breaches. Firewalls can be used to stop hackers from gaining access to sensitive data, but employees can still all too easily click on malicious links contained in phishing emails or visit websites that download malware or ransomware.

How do they work?

There are different types of filtering options, but in the most basic of explanations, all filter technologies look at web traffic that passes in and out of the company and decide what is allowed to pass through. These methods work at different layers of a network, which determines how specific the filtering options can be.

What the solutions have in common is that they look, in different ways, for suspect behaviour, surf patterns, links, known “bad” domains or specific patterns. Each of them looks at only a portion of the traffic (a large corporation can have a million DNS requests every second, and looking in detail at all that traffic would require enormous processing power). Instead of one solution trying to do it all, companies install different solutions that work in layers and look at different parts of the traffic.

Domain filtering

A DNS filtering solution is a specific type of web filter that operates as a middleman between a client computer and the web server it is trying to access. When someone within the organisation types in a URL or clicks on a link, the DNS filtering solution checks the request against its database of prohibited addresses and either allows the web page to be displayed or refuses the request. Filter solutions that are installed on DNS servers block at the domain level.

Harmful domains that have been up and known for a long time are not a problem; they are effectively blocked. The major challenge is to keep pace with new domains, as thousands are created every minute and harmful content is constantly moved around. DNS providers continuously analyse the production of new domains, using algorithms to try to understand which domains are legitimate and which are not.

URL filtering

URL filtering solutions are more sophisticated and granular than just a mechanism to block access to domains. URL filtering solutions can be used to block access to specific websites or parts of websites known to contain malware.

The four most common ways in which a filtering solution prevents web pages from being loaded onto a user's device are blacklists, categories, keywords and content filters.

  • Blacklists are normally provided and updated automatically by the web filter solution vendor. These are lists of websites known to contain malware and viruses, and when a request to visit a website matches a blacklisted website, the request is denied. Similarly, URIBL and SURBL filters (real-time blacklists designed to be used to block or tag spam based on uniform resource identifiers, usually domain names or websites found within the message body) check requests to visit websites against IP addresses from which spam e-mail has originated. As a great many spam e-mails are attempts to execute phishing attacks, requests are denied to protect network users from visiting phishing websites.
  • Companies can also choose to block access to certain websites by their category. For example, if an organisation suffers from bandwidth issues, it might want to block access to video streaming sites. Or, if the organisation wants to prevent employees from visiting pornographic websites during work hours, access to that category can be blocked. More than three million of the world's most visited websites are sorted into more than fifty different categories (e.g. adult material, drugs and gambling).
  • Content filtering, in the most general sense, involves using a program to prevent access to certain items, which may be harmful if opened or accessed. The most common items to filter are executables, emails or websites. With content filtering, the request is allowed, but the response is inspected at the proxy server. The actual payload of the packet is examined to determine if it contains anything meeting configured criteria, and an allow/deny decision is made. This provides the ability to block viruses, e-mail attachments, advertisements, redirects, web bugs, cookies, Java, ActiveX, pop-ups, media types and embedded objects, etc.
  • Keyword filters enable organisations to block access to specific content by keyword without necessarily blocking access to an entire category of website content. Keyword blocking is used as an extension of category blocking. An example is blocking a known e-mail subject or sender in a virus attack.

URL blocking and content filtering are complementary. Together they offer a more complete internet access control solution for organisations. Most of the undesirable traffic is stopped quickly and efficiently by URL blocking on the outbound path. The rest is caught on the return path. The company also has the flexibility to allow access to a site but selectively block certain content from that site. Together these four features enable organisations to prevent the inadvertent installation of malware, resolve bandwidth management issues, and implement and enforce acceptable use policies.
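The layering described above, sketched in Python as an added example that is not part of the original post: the outbound request is checked against a domain blacklist, a URL blacklist and blocked categories, and only an allowed request has its response inspected by media type and keyword. All domain names, categories, keywords and function names are constructed for illustration.

```python
from urllib.parse import urlsplit

# Constructed policy data (assumption): reserved .example names only.
BLOCKED_DOMAINS = {"malware-host.example"}
BLOCKED_URL_PREFIXES = {"portal.example/downloads/"}   # part of a site
DOMAIN_CATEGORIES = {"video.example": "streaming", "news.example": "news"}
BLOCKED_CATEGORIES = {"streaming"}
BLOCKED_KEYWORDS = {"invoice-overdue"}
BLOCKED_MEDIA_TYPES = {"application/x-msdownload"}

def _domain_matches(host, domains):
    """True if host equals a listed domain or is a subdomain of one."""
    return any(host == d or host.endswith("." + d) for d in domains)

def check_request(url):
    """Outbound path: decide before the request leaves the network."""
    parts = urlsplit(url)
    # urlsplit lowercases the hostname; drop a trailing root dot as well.
    host = (parts.hostname or "").rstrip(".")
    if _domain_matches(host, BLOCKED_DOMAINS):
        return ("deny", "domain blacklist")
    target = host + parts.path
    if any(target.startswith(p) for p in BLOCKED_URL_PREFIXES):
        return ("deny", "url blacklist")
    for domain, cat in DOMAIN_CATEGORIES.items():
        if cat in BLOCKED_CATEGORIES and _domain_matches(host, {domain}):
            return ("deny", "category:" + cat)
    return ("allow", "request passed")

def check_response(media_type, body):
    """Return path: inspect the payload at the proxy."""
    if media_type.split(";")[0].strip().lower() in BLOCKED_MEDIA_TYPES:
        return ("deny", "content filter: media type")
    text = body.decode("utf-8", errors="replace").lower()
    for kw in sorted(BLOCKED_KEYWORDS):
        if kw in text:
            return ("deny", "keyword:" + kw)
    return ("allow", "response passed")

def filter_fetch(url, media_type, body):
    """Outbound check first; the response is inspected only if allowed."""
    verdict = check_request(url)
    if verdict[0] == "deny":
        return verdict
    return check_response(media_type, body)
```

The URL blacklist entry blocks one path while the rest of the site stays reachable, and the response checks catch content served from a site whose request was allowed.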

How effective are filter technologies at stopping child sexual abuse material?

Filter technologies are only as effective as the intelligence put into the solutions – the lists of domains or URLs known to contain harmful material. Keeping those lists up to date requires a lot of work and continuous updates. The focus of all traditional filter solutions is security threats such as business intelligence, service disruptions, ransomware, phishing, etc., which means that, unfortunately, child sexual abuse material comes far down the list. As a result, filter technologies can definitely be used to block child sexual abuse material, but they are not truly effective.

About the Technical Model National Response

Inspired by the WeProtect Global Alliance Model, we have set out to develop an initiative that looks at technology. We call it the Technical Model National Response. It is an overview of the existing technologies that need to be applied by different sectors and businesses to effectively fight the spread of child sexual abuse material.
