Quickly read and re-read a blog post at MDSec: Categorisation is not a security boundary. The post itself is nice and talks about evading web page category blocking in a few different ways for red teams looking to get phishing attack success.

My problem is the title doesn’t match the content. Nowhere does the post itself back up this title. Yes, you can evade web categories, but I’m not sure anyone is truly saying that web category blocking is insurmountable. Does it protect from a dedicated attacker? No. Does it protect against some 2-month-old watering hole location? Yeah, probably. It helps protect against known things, and probably is more useful to controlling productivity and things you should block for regulation or legal issues, but the control itself isn’t dead. Which is how I read that title. The author even says that, “Domain categorisation can often prove a thorn in the side of many red teams…”

It’s a minor thing, but I also don’t see any alternative solution. (I imagine the alternative somoene would give is deep inspection with magic rather than a domain-matching category allow/deny.) In security, we can poke holes in probably 99% of all controls (often due to the poor implementation of good controls!), but that doesn’t mean we go to the CSO and say these solutions are worthless.

If I wanted to get a little more specific, I don’t think “security boundary” is the proper term to use. I think it’s more of a “line of defense.”