Security Basics mailing list archives

RE: Re: Re: Allowing access to social networking... securely?


From: "Ian Bradshaw" <ian () ianbradshaw net>
Date: Thu, 21 May 2009 21:12:08 +0100

"Second thought would be *giving* away antivirus licenses (I really mean
FOR FREE) for their personal use (laptop, desktop, whatever)"

... http://personalfirewall.comodo.com/index.html

I.

-----Original Message-----
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com] On
Behalf Of lmaia () royalhat org
Sent: 21 May 2009 17:39
To: security-basics () securityfocus com
Subject: Re: Re: Re: Allowing access to social networking... securely?

Security as an excuse to filter. 

Users will *always* find another way out, and the websites they'll end up
with won't be "known" to admins and will themselves have malware.
If instead they can directly and freely access them, they won't spend time
searching for how to "bypass" filtering and going through dubious content.
Besides, most Social Networks have the manpower and means to mitigate most
problems, while others won't be as constantly screened. (And of course, if you
can predict where they are likely to browse, you can also do some prior
research yourself.)

I think it would be more reasonable to teach how to "feel unsafe", not to
blindly trust content, etc. This way you put more responsibility on users for
their actions and they won't get the excuse that it's IT's fault that some
particular website wasn't filtered/blocked.

A second thought would be *giving* away antivirus licenses (I really mean FOR
FREE) for their personal use (laptop, desktop, whatever) if they are allowed
to use any sort of external storage; that way they'll learn the grips of the
tools. Teach them how to use the tools, how to browse more safely, what your
policies are, etc.

Believe me, if they knew they'll be held responsible if something goes wrong,
they'll avoid everything that can give them problems... instead of purely
relying on IT folks.
About time spent, you can always make public the "social networking king"
(I mean the person who accesses it the most), and the most accessed website
in your network. And of course if you get 50% access on Facebook and you have
proper policies you can always take action.
Since no one would like to be called to the office to explain why they are
"the king", they'll likely avoid it during work hours. (Of course if you do
this, remember to create exceptions for the executives... or you'll get into
trouble...)

And your risk vs. benefit will likely be incorrect if you are inducing random
variables due to blocking.
That way you'll end up evaluating the trust of "unknown" instead of known SN
domains.

I remember making a script to access some blocked website (for fun), gave
it to my friends (and they are people from IT), they used it and were
blindly inserting user/password details (until I warned them I could be
snooping on them); one of them even told me he used the same for VPN to a
"secure" server and SSH, and he was inserting credentials into something he
didn't know previously was controlled by me.

So if you use it daily, are you sure your users have different passwords for
everything?!
Maybe your block makes things worse than you'd expect.

Sorry for such a long post, but I had to explain my view.

------------------------------------------------------------------------
This list is sponsored by: InfoSec Institute

Need to pass the CISSP? InfoSec Institute's CISSP Boot Camp in both
Instructor-Led and Online formats is the most concentrated exam prep
available. Comprehensive course materials and an expert instructor means you
pass the exam. Gain a laser like insight into what is covered on the exam,
with zero fluff! 

http://www.infosecinstitute.com/courses/cissp_bootcamp_training.html
------------------------------------------------------------------------