Most RiskAnalytics shunning products include a country blocking feature. When this feature is enabled, the service blocks all network traffic to and from the IP ranges associated with a selected country.
RiskAnalytics also offers regional blocking, which roughly equates to blocking all the countries in a geographic region. Within the RiskUtilities software a customer can block any of four major regions: Africa, Asia, Europe and South America. For a more granular approach, customers can select individual countries from a list rather than entire regions.
How country blocking improves organizational security posture
It is well known that organized cybercrime syndicates prefer to operate from countries that will not pursue and prosecute their criminal operations. In some jurisdictions criminal activities are tolerated for the right price and the right payoff. These corrupt areas are typically in places where many western-based companies conduct little or no business.
There is no strict alignment between tolerance of criminal activities and geographic boundaries. However, after 15 years of tracking and blocking cybercrime, the blocking of specific countries has consistently shown millions of blocked sessions per day without adverse impact on customer network operations.
When to use country blocking
Except as noted in the contraindications below, most corporate networks can safely use country blocking on their RiskAnalytics appliances and services. To get comfortable with country blocking, most customers can safely block Moldova, Iran, Ukraine and Russia. Although China is a tempting choice for blocking, many well-known retailers host their web sites in cheaper Chinese data centers.
Once a customer has decided to use country blocking, the RiskUtilities administrator needs to be familiar with whitelisting and researching IP address characteristics in RiskUtilities. Country blocking should be introduced slowly as a client organization gains comfort with creating new whitelist entries.
When not to use country blocking
Country blocking, by its nature, benefits from collateral damage. Since the regional traffic being blocked is not being blocked because of any known threat, all country block events are technically collateral damage. Obviously, a client should not block traffic to or from countries where the client needs to communicate with business partners and customers. Unfortunately, it is almost impossible to clearly know where one's business partners may host their data operations. For a company that has significant overseas business operations, country blocking should be used very sparingly if at all.
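The sections on when to use and when not to use country blocking both turn on knowing, before a block is enabled, which existing traffic it would drop and which whitelist entries are needed first. The following is an added example, not RiskAnalytics or RiskUtilities code: a dry run of a proposed block list over flow records. The country ranges and flow records are constructed sample data, the function names are hypothetical, and it assumes that a whitelist entry exempts traffic from a country block.

```python
import ipaddress
from collections import Counter

# Constructed sample data: documentation ranges (RFC 5737) stand in for real
# per-country allocations; a real run would load a GeoIP or registry export.
COUNTRY_RANGES = {
    "MD": ["192.0.2.0/25"],
    "RU": ["198.51.100.0/24"],
    "CN": ["203.0.113.0/24"],
}
# Constructed flow records: (internal host, remote IP, sessions in the period).
FLOWS = [
    ("10.0.0.5", "198.51.100.7", 12),
    ("10.0.0.9", "203.0.113.20", 340),
    ("10.0.0.9", "192.0.2.200", 3),   # outside the MD /25, so unaffected
    ("10.0.0.7", "192.0.2.14", 1),
    ("10.0.0.5", "203.0.113.20", 25),
]

def build_index(country_ranges):
    """Flatten {country: [cidr, ...]} into a list of (network, country)."""
    return [(ipaddress.ip_network(c), cc)
            for cc, cidrs in country_ranges.items() for c in cidrs]

def country_of(ip, index):
    """Return the country of the longest-prefix match, or None."""
    addr = ipaddress.ip_address(ip)
    hits = [(net.prefixlen, cc) for net, cc in index if addr in net]
    return max(hits)[1] if hits else None

def dry_run(flows, blocked, whitelist, index):
    """Sessions a proposed block list would drop, after whitelist exemptions."""
    allowed = [ipaddress.ip_network(w) for w in whitelist]
    per_country, per_remote = Counter(), Counter()
    for _host, remote, sessions in flows:
        cc = country_of(remote, index)
        if cc not in blocked:
            continue
        if any(ipaddress.ip_address(remote) in net for net in allowed):
            continue  # assumption: whitelisted traffic passes despite the block
        per_country[cc] += sessions
        per_remote[remote] += sessions
    # Remote IPs are ranked by sessions lost: candidates to research first.
    return dict(per_country), per_remote.most_common()

if __name__ == "__main__":
    index = build_index(COUNTRY_RANGES)
    print(dry_run(FLOWS, {"MD", "RU", "CN"}, [], index))
    print(dry_run(FLOWS, {"MD", "RU", "CN"}, ["203.0.113.20/32"], index))
```

The remote addresses at the top of the ranked list are the ones to research and, where they belong to a legitimate partner or vendor, whitelist before the country is added to the block list.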