Educause Security Discussion mailing list archives
Re: Effective Practice / Question/Expertise needed
From: William Forte <wforte () MAIL URI EDU>
Date: Tue, 2 Jun 2009 17:07:14 -0400
I don't suppose you do code reviews on all the routing equipment between your host and the servers either, or on the encryption algorithms utilized, or in the implementation of the protocols being utilized, or the OS kernel. I doubt you check the wire between your keyboard and computer tower for hardware keyloggers every time you sit down. If you worry about every single link in the chain then you're going to go insane, but there are a few layers of security that you can generally utilize to mitigate those risks.

Firstly, you probably shouldn't be putting sensitive or confidential information into Google's system at all, since you just don't know what level of access or utilization to that information their employees or processes are going to have. You can PGP sign all your emails to remove risk on sensitive communications, treating the entire email exchange as transit through a non-trusted system. No matter what, you can't personally engineer or review every piece of code involved in the exchange, but there are some risks that are stupid risks to take and there are some levels that are considered an acceptable risk and just need to be evaluated.

Respectfully,

William Forte
Information Security Specialist
Information Security Office - University of Rhode Island

On Tue, 2 Jun 2009 16:49:57 -0400, James Moore <jhmiso () RIT EDU> wrote:
Sorry for the cross-post. I posted this to the REN-ISAC discussion list. I only got one response, and that was asking if anyone had responded to me off-list. That is when I thought that maybe the question needed more visibility. It has to do with browser security, and plugins, helper objects, controls, and widgets.

I accidentally logged into my iGoogle page that I normally reserve for home. I meant to log in to Gmail, to check my alerts for form spam on campus.

But I got to wondering about the way that I was using iGoogle. It is very handy at organizing information. But I don't know how to code review its widgets. Then I was forced to admit to myself that I use Firefox plug-ins that I don't do code reviews on either. I tend to manage risk by using reputation, recommendations (often from people that I don’t know), and popularity/number of downloads.

I was wondering if anyone had a more quantitative process for managing risk in these areas. The browser is at the crossroads of so much sensitive data. Certifying or controlling extensions seems to be prudent. At the same time, I haven’t found many tools that inventory or analyze plug-ins, accelerators, browser helper objects, etc. And the effectiveness of CWSandbox and Norman Sandbox on these types of objects is not known.

Then I wondered if anyone had reduced a more quantitative risk management process to layman's terms (i.e. a policy and end users’ guide to what you need to know about browser plugins).

I am also looking for a cost/benefit analysis of using browser plug-ins, accelerators, browser helper objects, iGoogle widgets, etc.
Thanks,
Jim
- - - -
Jim Moore, CISSP, IAM
Information Security Officer
Rochester Institute of Technology
151 Lomb Memorial Drive
Rochester, NY 14623-5603
(585) 475-5406 (office)
(585) 255-0809 (Cell - Incident Reporting & Emergencies)
(585) 475-7920 (fax)
If you consciously try to thwart opponents, you are already late. Miyamoto Musashi, Japanese philosopher/samurai, 1645
"If we do not, on a national scale, attack organized criminals with weapons and techniques as effective as their own, they will destroy us." Robert F. Kennedy, 1960
Confidentiality Notice : Do the right thing. If this has the words "Confidential" or "Private" in the subject line, or similar language in the email body, or as a label on any attachment, then think. Do you know me? Did you expect to receive this? Do you recognize and work with the other addressees? If not, then you probably received this in error. Please, be respectful and courteous, and delete it immediately. Please, don't forward it to anyone.
Now, wasn't that simple? Just, if you had made an error in a sensitive email, and I received it, what would you want me to do with it?
Current thread:
- Effective Practice / Question/Expertise needed James Moore (Jun 02)
- <Possible follow-ups>
- Re: Effective Practice / Question/Expertise needed William Forte (Jun 02)
- Re: Effective Practice / Question/Expertise needed jeff murphy (Jun 02)