Security Basics mailing list archives
Re: Allowing access to social networking... securely?
From: krymson () gmail com
Date: Fri, 22 May 2009 07:33:58 -0600
I'm not trying to jump down your throat, but I do have to pull out some points. :)

1. If we evaluated security based on whether it can be bypassed, we'd not be implementing much of what we have now, and certainly we'd never allow the use of Windows or Macs. We really have to look at what it improves, and I can tell you that my web filter technology greatly improves my bandwidth situation, the desktop guys with troubleshooting end user systems, and the number of silly things eating resources on desktops. Yes, there are people who will spend time and know how to get around protections, but there are many people who get blocked once and accept it.

2. This next topic always makes me sad, and I actually even contradict a principle above: education ultimately does not work. Sure, a few people may listen and behave better, but too often people just don't care to learn. I admit, I don't know how to change the oil on my car, and while I know I should probably learn someday, it's just not something I want to do. Same with remembering how to set the clock on my VCR^H^H^H Blu-ray player. In addition, even those that learn will throw away those lessons any time their convenience is impacted. Click yes, go to site, ignore warnings, etc. We often say that a good security/hacker sense can't be taught, but really it's that slightly paranoid/careful mindset that we're trying to teach, often futilely. But, yes, *sigh* we still have to educate. :)

3. I have yet to really hear or see that employees are held accountable even for things like lost laptops with silly data on them. Let alone holding them responsible for a bad link they clicked. Sad, but too often true. :(

You do have good points, however, and thanks for sharing! I'll fess up to playing Devil's Advocate in my spare time.

<- snip ->
lmaia royalhat org

Security as an excuse to filter. Users will *always* find another way out, and the websites they'll end up with won't be "known" to admins and will themselves have malware.

If instead they can direct and freely access them, they won't spend time searching on how to "bypass" filtering and going through dubious content. Besides, most Social Networks have manpower and means to mitigate most problems while others won't be as constantly screened. (And of course if you can predict where they are likely to browse you can also do some previous research yourself.)

I think more reasonable would be teaching how to "feel unsafe", don't blindly trust content, etc. This way you put more responsibility on users for their actions and they won't get the excuse that it's IT's fault that some particular website wasn't filtered/blocked. Second thought would be *giving* away antivirus licenses (I really mean FOR FREE) for their personal use (laptop, desktop, whatever) if they are allowed to use any sort of external storage; that way they'll learn the grips of the tools. Teach them how to use tools, how to more safely browse, what your policies are, etc. Believe me, if they knew they'll be held responsible if something goes wrong, they'll avoid everything that can give them problems... instead of purely relying on IT folks.

About time spent, you can always make public the "social networking king" (I mean the person who accesses it the most), and the most accessed website in your network. And of course if you get 50% access on Facebook and you have proper policies you can always take action. Since no one would like to be called to the office to explain why they are "the king", they'll likely avoid it during work hours. (Of course if you do this, remember to create exceptions for the executives... or you'll get into trouble...) And your risk vs benefit will likely be incorrect if you are inducing random variables due to blocking. That way you'll end up evaluating trust of "unknown" instead of known SN domains.

I remember making a script to access some blocked website (for fun), gave it to my friends (and they are people from IT), they used it and were blindly inserting user/password details (until I warned them I could be snooping on them). One of them even told me he used the same for VPN to a "secure" server and SSH, and he was inserting credentials in something he didn't know previously was controlled by me. So if you use it daily, are you sure your users have different passwords for everything?! Maybe your block makes things worse than you'd expect.

Sorry for such a long post, but I had to explain my view.