Security Basics mailing list archives
Re: Allowing access to social networking... securely?
From: Patrick J Kobly <patrick () kobly com>
Date: Fri, 22 May 2009 13:17:51 -0600
krymson () gmail com wrote:
I'm not trying to jump down your throat, but I do have to pull out some points. :)

1- If we evaluated security based on whether it can be bypassed, we'd not be implementing much of what we have now, and certainly we'd never allow the use of Windows or Macs. We really have to look at what it improves, and I can tell you that my web filter technology greatly improves my bandwidth situation, the desktop guys with troubleshooting end user systems, and the number of silly things eating resources on desktops. Yes, there are people who will spend time and know how to get around protections, but there are many people who get blocked once and accept it.
I think the OP's point was far subtler than you give credit for. He wasn't arguing "this can be bypassed, so it doesn't give us anything anyway." He seems to have been arguing that blocking introduces a new risk vector that didn't previously exist (or was negligible) - the bypass mechanism. This vector was negligible before blocking, because your users had no reason to use it.

The OP's suggested risk vector - malware-infested proxy sites - isn't even the worst one introduced. I've seen places where blocking has induced users to use bypass mechanisms including:

- Separate dialup connections
- USB Wifi piggy-backing on nearby offices' signals
- SSH tunneling
- VPN connections out to a machine acting as a proxy (home PC for example)
- GoToMyPC or equivalent to a machine acting as a proxy

Are there technical controls to prohibit these? Yes, but do you really want to get into an arms race with your users? Effectively, you've created a hostile in your trusted network.

Does the risk introduced by these bypass mechanisms outweigh the benefits in bandwidth usage, troubleshooting and "silly things eating resources on desktops"? I don't know... Depends on your user base (How likely are they to use these mechanisms? How likely are they to do so in a more secure manner?)
3) I have yet to really hear or see that employees are held accountable even for things like lost laptops with silly data on them. Let alone holding them responsible for a bad link they clicked. Sad, but too often true. :(
I have seen reasonable accountability imposed. It's a balance between administrative controls and technical controls...

PK

--
Patrick Kobly, CISSP