The company I work at uses zscaler to restrict access to certain websites.

Earlier today, I tried to visit pastebin.com, but got the error message in the picture below:

Website blocked. Not allowed to browse SHN-High Risk Services category. You tried to visit:https://pastebin.com/

Trying to google why pastebin is considered a high risk service, I didn't really find much, except this one blog post which talks about certain hacker groups pasting sensitive data to the site.

This alone doesn't seem like a very strong reason to block the site, as there should be a multitude of other options for making information public. What am I missing here?

eirikdaude
  • You might have to talk to your IT team to ask why they think it is a high-risk service. – schroeder Sep 07 '20 at 10:27
  • Is "SHN" your company? – schroeder Sep 07 '20 at 10:30
  • Oh, I thought it'd be a feature of zscaler, not my local IT. I can see how it would be off-topic for this site if it is the latter @schroeder – eirikdaude Sep 07 '20 at 10:31
  • My company is Norsk Hydro. I haven't seen SHN as an abbreviation for it, or any of its subsidiaries, but that doesn't mean it doesn't exist... @schroeder – eirikdaude Sep 07 '20 at 10:33
  • zscaler does automatically classify URLs, but this looks like a custom classification. – schroeder Sep 07 '20 at 10:33
  • @eirikdaude Should probably be mentioned that Norsk Hydro was target of a rather high profile attack not so long ago... They may choose to err on the side of caution, due to recent scars. – vidarlo Sep 07 '20 at 11:37
  • @vidarlo That's true, do you think it should be edited into the question? What I find odd about their choice here (if it was their choice), is that it seems kinda arbitrary since sites like social media platforms, non-work email, dropbox, etc are not blocked. I was wondering if there is anything in particular about pastebin which might make it an attack vector. – eirikdaude Sep 07 '20 at 11:44
  • I think it has to do more with what you could do on pastebin not what other users post. In theory someone could post confidential information on pastebin. – The Movie Man Sep 08 '20 at 02:41
  • @TheMovieMan But you could post confidential information anywhere - and if you want to include files or similar, dropbox, email or similar would be more suited? – eirikdaude Sep 08 '20 at 05:47

1 Answer

This depends on your company's risk management strategies and security policies and, therefore, is entirely environmental rather than Pastebin being publicly rated as a high risk service.

Information Security SE might be a high risk service, too: after all, you are able to share potentially confidential details on your company's security policy here. Likewise, Pastebin allows leaking information like source code or configuration files and making it publicly available. From this perspective, the decision seems reasonable and possibly even experiential.

Esa Jokinen
  • Yes, many organizations block access to any uncontrolled ingress/egress service. How effective that is is a whole other discussion. – user10216038 Sep 11 '20 at 16:34
  • The more the users are restricted, the worse alternatives they'll come up with trying to circumvent it. Therefore, the best way to prevent them from using unwanted tools is to provide better permitted tools. – Esa Jokinen Sep 11 '20 at 18:50