Educause Security Discussion mailing list archives

Re: Spaf did not receive your email (was Re: Job Descriptions)


From: "Bruhn, Mark S." <mbruhn () INDIANA EDU>
Date: Thu, 27 Feb 2003 10:49:24 -0500

I had this penned before Kevin sent his last...essentially, it says "I
agree with Kevin."

***
By the way, I also haven't had a virus for a very long time.  But, it
means that I have to have my virus patterns updated very often (which
happens automatically), and we also have Antigen from Sybari on our
Exchange servers, so 99.9% of the emailed viruses never make it to my
desktop.  Also, my workstation is automatically scanned every 28 days,
and the results are made available to me.  Of course, I then have to
deal with repairing the vulnerabilities found.  And, I have the security
settings in Word and Outlook set pretty high.  So, in choosing to use
this suite of tools, I have obviously accepted the fact that I have to
put in a little more effort, and that the effort is worth it to me.

But, because of what I do, I'm making that conscious decision.  Most of
our users don't do that kind of thinking, and also don't put in the
required effort (at least the part that requires the user to take
proactive steps).   As Dan says, we can either accept this add'l
required effort as part of the situation we're dealing with, or we can
offer them a viable alternative to which we can migrate them over time.

Having said all of that, while my question about mechanically blocking
transmittal of .doc files was mostly tongue-in-cheek, the fact is that
what James says below would seem to be the better strategy, and one that
could be more successful.  The campaign shouldn't be migrating users to
other tools, the campaign should be getting users to transmit safer file
formats.  (While also pressuring vendors to change things such that the
file format shouldn't matter, of course.)

M. 

-- 
Mark S. Bruhn, CISSP
Chief IT Security and Policy Officer
Office of the Vice President for Information Technology and CIO
Indiana University
812-855-0326

Incidents involving IU IT resources: it-incident () iu edu
Complaints/kudos about OVPIT/UITS services: itombuds () iu edu
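Mark's question about mechanically refusing to send .doc files, and the thread's preference for read-only formats such as PDF, can be made concrete with a small outbound-attachment policy check. The Python below is an added example written for this page; it is not code from the post, the list, or any product mentioned in the thread (Antigen, Outlook). It assumes a policy that blocks legacy OLE2 Office binaries (.doc/.xls/.ppt) and allows PDF, RTF and plain text, and the message it parses is constructed inline. It checks the file's leading bytes as well as the declared filename, since an extension alone is defeated by renaming the file.

```python
"""Outbound attachment policy check (added example; not from the thread).

Parses an RFC 822 message, inspects each attachment and reports whether a
policy that refuses legacy Office binaries and allows read-only formats
would block it.  Both the declared filename and the leading bytes are
checked, because an extension is trivially renamed.
"""
import email
from email import policy
from email.message import EmailMessage

# OLE2 compound-document header used by 2003-era Word/Excel/PowerPoint files.
# (Later zip-based Office formats start with "PK" and are not handled here.)
OLE2_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"
PDF_MAGIC = b"%PDF-"
RTF_MAGIC = b"{\\rtf"

# Hypothetical policy lists for this example.
BLOCKED_EXT = {".doc", ".dot", ".xls", ".xlt", ".ppt", ".pot"}
ALLOWED_EXT = {".pdf", ".rtf", ".txt"}


def classify(filename, data):
    """Return (verdict, reason) for one attachment; verdict is block/allow/review."""
    name = (filename or "").lower()
    ext = name[name.rfind("."):] if "." in name else ""
    # Content check first: a renamed .doc is still an OLE2 file.
    if data.startswith(OLE2_MAGIC):
        return "block", "OLE2 compound document (legacy Office binary)"
    if ext in BLOCKED_EXT:
        return "block", f"extension {ext} is on the blocked list"
    if ext in ALLOWED_EXT:
        # The claimed safe format must match the bytes actually attached.
        if ext == ".pdf" and not data.startswith(PDF_MAGIC):
            return "block", "claims .pdf but content is not a PDF"
        if ext == ".rtf" and not data.startswith(RTF_MAGIC):
            return "block", "claims .rtf but content is not RTF"
        return "allow", f"{ext} is on the allowed list and content matches"
    return "review", f"unrecognised extension {ext!r}"


def check_message(raw):
    """Parse a raw message and return [(filename, verdict, reason), ...]."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    results = []
    for part in msg.iter_attachments():
        fname = part.get_filename()
        verdict, reason = classify(fname, part.get_payload(decode=True))
        results.append((fname, verdict, reason))
    return results


def build_sample():
    """Constructed sample message: a .doc, a renamed .doc, a PDF and an RTF."""
    msg = EmailMessage()
    msg["From"] = "sender@example.edu"      # constructed address
    msg["To"] = "list@example.edu"          # constructed address
    msg["Subject"] = "Job descriptions"
    msg.set_content("Attached.")
    doc_bytes = OLE2_MAGIC + b"\x00" * 24   # minimal fake OLE2 header
    msg.add_attachment(doc_bytes, maintype="application", subtype="msword",
                       filename="jobdesc.doc")
    msg.add_attachment(doc_bytes, maintype="application", subtype="octet-stream",
                       filename="jobdesc.txt")   # same file, renamed
    msg.add_attachment(b"%PDF-1.4\n%constructed", maintype="application",
                       subtype="pdf", filename="jobdesc.pdf")
    msg.add_attachment(b"{\\rtf1\\ansi Job description}", maintype="application",
                       subtype="rtf", filename="jobdesc.rtf")
    return msg.as_bytes()


if __name__ == "__main__":
    for fname, verdict, reason in check_message(build_sample()):
        print(f"{fname:12} {verdict:6} {reason}")
```

Run as-is, the two OLE2 attachments are blocked (the renamed one because of its header, not its name), while the PDF and RTF pass. A check like this belongs at the mail submission point (the outbound MTA or a client send hook), where it complements gateway filtering such as the Antigen scanning Mark describes on the inbound side.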




-----Original Message-----
From: Jim Wilcox [mailto:jim () WILCOXS NET] 
Sent: Wednesday, February 26, 2003 8:06 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Spaf did not receive your email (was Re:
[SECURITY] Job Descriptions)


At the risk of making enemies, I would like to support Spaf to the
extent of promoting the sending of read-only files (e.g., .pdf) that
pose less risk, especially when forwarding files to a mailing list.
Seems to make sense, and it is simple.

James Wilcox, CISSP
Director of Business Development
Cylant, Inc.
PO Box 19777
Portland, OR 97280-9777
503 799-8438
james () cylant com
www.cylant.com
CylantSecure, LinuxWorld "Best Security Solution"

-----Original Message-----
From: The EDUCAUSE Security Discussion Group Listserv
[mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Dan Updegrove
Sent: Wednesday, February 26, 2003 4:09 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Spaf did not receive your email (was Re:
[SECURITY] Job Descriptions)


Colleagues -

The UT System (15 campuses) has a multi-year enterprise license for
Microsoft Office products and for Windows upgrades. When we discussed
renewing this license last year, I was advised that support costs had
declined and end user productivity had increased substantially because
of the standardization thus enabled. It was also judged to be a
substantial benefit to the University to be relieved of license audit
overhead as well as the legal/financial/p.r. risk of failing an audit.

In my experience here (two years), Word docs, Excel spreadsheets, and
PowerPoint files are exchanged routinely and successfully, both within
the 15 campuses and with colleagues and vendors far and wide. In most
cases, this success extends to Macintoshes as well.

Given my interest in *both* security and satisfying and serving
thousands of users of widely varying technical skills and interest in
computing, what reasonable alternative can I practice and preach?

Thanks,
Dan


At 04:57 PM 2/26/2003, Bruhn, Mark S. wrote:
This is an age-old discussion and issue -- not whether security people
should personally boycott MS products, which I suppose we could discuss
as well, but whether we should (and in fact can, given alternatives)
actively attempt to influence our communities to avoid MS products.
More discussion on this list would be quite interesting, esp. if it
leads to something actually useful in this contentious space.

In a perfect world, all systems would be secure (or there wouldn't be a
need to secure them), and I could be running a restaurant right now.

I'm sure someone knows the statistics -- I would guess 65% of our
community use Windows and MS products.  We can certainly grouse about
that and strongly encourage them to use something else (What?  Someone
could start by listing the suite of products that equate), but the
reality is that they are not going to stop using that suite of
applications, and we're going to have to spend time on helping them
secure them.

As an aside, is there a way to configure my Outlook client (clearly I'm
in that 65%) to NOT let me send .doc files?  :-)

M.

--
Mark S. Bruhn, CISSP
Chief IT Security and Policy Officer
Office of the Vice President for Information Technology and CIO
Indiana University
812-855-0326

Incidents involving IU IT resources: it-incident () iu edu
Complaints/kudos about OVPIT/UITS services: itombuds () iu edu




-----Original Message-----
From: Kevin Shalla [mailto:Kevin.Shalla () IIT EDU]
Sent: Wednesday, February 26, 2003 10:18 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Spaf did not receive your email (was Re:
[SECURITY] Job Descriptions)


I can't help but jump in here.  As leaders in security, shouldn't we
strive to behave uncommonly if by doing so we can improve security, and
also set a good example?  On the other hand, maybe we don't all agree
that it is preferable to not send Word documents.  I do agree with Gene
Spafford that stamping out certain types of email attachments would
drastically reduce many problems we do have today.
At 08:15 AM 2/26/2003 -0500, you wrote:
Spaf, your opinion in this area is well known, certainly.  Common may
not mean standard, but common does mean common.

Most of the documents I sent (and send) happen to be in Word format
in our repository, and rarely does someone I send them to have
trouble dealing with the format.  So, I suspect that anyone who is
interested in the documents I sent and needs them in a different
format will ask me. If I had sent them in response to a request from
you, I certainly would have sent them in rtf  :-)

M.

--
Mark S. Bruhn, CISSP
Chief IT Security and Policy Officer
Office of the Vice President for Information Technology and CIO
Indiana University
812-855-0326

Incidents involving IU IT resources: it-incident () iu edu
Complaints/kudos about OVPIT/UITS services: itombuds () iu edu




-----Original Message-----
From: Gene Spafford [mailto:spaf () CERIAS PURDUE EDU]
Sent: Tuesday, February 25, 2003 7:03 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Spaf did not receive your email (was Re:
[SECURITY] Job Descriptions)


Sorry, folks.   I guess I need to adjust the filter on my autoreply.

    ....and security people need to learn not to send Word
documents!



Kevin Shalla
Manager, Student Information Systems
Illinois Institute of Technology
<mailto:Kevin.Shalla () iit edu>

**********
Participation and subscription information for this EDUCAUSE Discussion

Group discussion list can be found at
http://www.educause.edu/memdir/cg/.



VP for Information Technology
The University of Texas at Austin
FAC 248 (Mail code: G9800)
P.O. Box 7407
Austin, TX 78713-7407
Phone (512) 232-9610
Fax (512) 232-9607
d.updegrove () its utexas edu
http://wnt.utexas.edu/~danu/

