Re: Spaf did not receive your email (was Re: Job Descriptions)

[Kevin Shalla <Kevin.Shalla () IIT EDU>]

May I suggest that the main issue is not using Office, but the problem of
unsecured document exchange.  While I believe that Office offers way too
much functionality that goes unused by 99% of users, it is so pervasive
that it would be difficult to change users' document production
habits.  Most (all?) of the malicious Office macros come from outside our
own organizations, and if we can avoid files from the outside we should be
safe, correct?  So, if instead of using email to transfer documents we used
shares on file servers, then we can have some assurance that in fact the
document was placed there in good faith by the originator, and is probably
free of malicious macros.  Word also has a feature of disabling unsigned
macros (tools, macros, security), which should probably be set at high,
with no trusted sources.

This leads to this recommendation -
1) When you want to transfer a file to a person within your organization,
put it on a file server to which you and your recipient both have access.
2) When you want to transfer a file outside, email the file in some
non-executable format.  Surprisingly enough, I've had luck (even with Excel
spreadsheets) with this technique - open the document, select all, copy,
then paste into the body of the email - it preserves most of the
formatting, and is not an attachment.
3) Don't open any email attachments that may contain executable content
(Office, VB, exe, others?).  Refer the sender to steps 1) or 2) above.
4) Set Word macro security to high.

This of course is not very secure, it's just more secure than what we're
doing now, because there may be some internal bad guys who just post to
file servers instead of emailing, and there may be  unknowing internal
users who have malicious macros in their documents.

Please comment on this recommendation.

At 06:09 PM 2/26/2003 -0600, Dan Updegrove wrote:
> Colleagues -
>
> The UT System (15 campuses) has a multi-year enterprise license for
> Microsoft Office products and for Windows upgrades. When we discussed
> renewing this license last year, I was advised that support costs had
> declined and end user productivity had increased substantially because of
> the standardization thus enabled. It was also judged to be a substantial
> benefit to the University to be relieved of license audit overhead as well
> as the legal/financial/p.r. risk of failing an audit.
>
> In my experience here (two years), Word docs, Excel spreadsheets, and
> PowerPoint files are exchanged routinely and successfully, both within the
> 15 campuses and with colleagues and vendors far and wide. In most cases,
> this success extends to Macintoshes as well.
>
> Given my interest in *both* security and satisfying and serving thousands
> of users of widely varying technical skills and interest in computing, what
> reasonable alternative can I practice and preach?
>
> Thanks,
> Dan
>
>
> At 04:57 PM 2/26/2003, Bruhn, Mark S. wrote:
> > This is an age-old discussion and issue -- not whether security people
> > should personally boycott MS products, which I suppose we could discuss
> > as well, but whether we should (and in fact can, given alternatives)
> > actively attempt to influence our communities to avoid MS products.
> > More discussion on this list would be quite interesting, esp. if it
> > leads to something actually useful in this contentious space.
> >
> > In a perfect world, all systems would be secure (or there wouldn't be a
> > need to secure them), and I could be running a restaurant right now.
> >
> > I'm sure someone knows the statistics -- I would guess 65% of our
> > community use Windows and MS products.  We can certainly grouse about
> > that and strongly encourage them to use something else (What?  Someone
> > could start by listing the suite of products that equate), but the
> > reality is that they are not going to stop using that suite of
> > applications, and we're going to have to spend time on helping them
> > secure them.
> >
> > As an aside, is there a way to configure my Outlook client (clearly I'm
> > in that 65%) to NOT let me send .doc files?  :-)
> >
> > M.
> >
> > --
> > Mark S. Bruhn, CISSP
> > Chief IT Security and Policy Officer
> > Office of the Vice President for Information Technology and CIO
> > Indiana University
> > 812-855-0326
> >
> > Incidents involving IU IT resources: it-incident () iu edu
> > Complaints/kudos about OVPIT/UITS services: itombuds () iu edu
> >
> >
> >
> >
> > -----Original Message-----
> > From: Kevin Shalla [mailto:Kevin.Shalla () IIT EDU]
> > Sent: Wednesday, February 26, 2003 10:18 AM
> > To: SECURITY () LISTSERV EDUCAUSE EDU
> > Subject: Re: [SECURITY] Spaf did not receive your email (was Re:
> > [SECURITY] Job Descriptions)
> >
> >
> > I can't help but jump in here.  As leaders in security, shouldn't we
> > strive
> > to behave uncommonly if by doing so we can improve security, and also
> > set a
> > good example?  On the other hand, maybe we don't all agree that it is
> > preferable to not send Word documents.  I do agree with Gene Spafford
> > that
> > stamping out certain types of email attachments would drastically reduce
> > many problems we do have today.
> > At 08:15 AM 2/26/2003 -0500, you wrote:
> > >Spaf, your opinion in this area is well known, certainly.  Common may
> > >not mean standard, but common does mean common.
> > >
> > >Most of the documents I sent (and send) happen to be in Word format in
> > >our repository, and rarely does someone I send them to have trouble
> > >dealing with the format.  So, I suspect that anyone who is interested
> > in
> > >the documents I sent and needs them in a different format will ask me.
> > >If I had sent them in response to a request from you, I certainly would
> > >have sent them in rtf  :-)
> > >
> > >M.
> > >
> > >--
> > >Mark S. Bruhn, CISSP
> > >Chief IT Security and Policy Officer
> > >Office of the Vice President for Information Technology and CIO
> > >Indiana University
> > >812-855-0326
> > >
> > >Incidents involving IU IT resources: it-incident () iu edu
> > >Complaints/kudos about OVPIT/UITS services: itombuds () iu edu
> > >
> > >
> > >
> > >
> > >-----Original Message-----
> > >From: Gene Spafford [mailto:spaf () CERIAS PURDUE EDU]
> > >Sent: Tuesday, February 25, 2003 7:03 PM
> > >To: SECURITY () LISTSERV EDUCAUSE EDU
> > >Subject: Re: [SECURITY] Spaf did not receive your email (was Re:
> > >[SECURITY] Job Descriptions)
> > >
> > >
> > >Sorry, folks.   I guess I need to adjust the filter on my autoreply.
> > >
> > >     ....and security people need to learn not to send Word documents!
> >
> >
> >
> > Kevin Shalla
> > Manager, Student Information Systems
> > Illinois Institute of Technology
> > <mailto:Kevin.Shalla () iit edu>
> >
> > **********
> > Participation and subscription information for this EDUCAUSE Discussion
> > Group discussion list can be found at
> > http://www.educause.edu/memdir/cg/.
> >
> > **********
> > Participation and subscription information for this EDUCAUSE Discussion
> > Group discussion list can be found at http://www.educause.edu/memdir/cg/.
>
>
> VP  for Information Technology          Phone (512) 232-9610
> The University of Texas at Austin       Fax (512) 232-9607
> FAC 248 (Mail code: G9800)              d.updegrove () its utexas edu
> P.O. Box 7407                                   http://wnt.utexas.edu/~danu/
> Austin, TX 78713-7407
>
> **********
> Participation and subscription information for this EDUCAUSE Discussion
> Group discussion list can be found at http://www.educause.edu/memdir/cg/.


Kevin Shalla
Manager, Student Information Systems
Illinois Institute of Technology
<mailto:Kevin.Shalla () iit edu>

**********
Participation and subscription information for this EDUCAUSE Discussion Group discussion list can be found at 
http://www.educause.edu/memdir/cg/.