Full Disclosure mailing list archives
Re: blocking Google Desktop
From: Nick FitzGerald <nick () virus-l demon co uk>
Date: Sun, 12 Feb 2006 11:55:57 +1300
gboyce wrote:
As a computer user, I certainly do have this choice. I'm certainly not going to install Google Desktop. In fact, I generally don't run Windows, so I don't even have the OPTION of running Google Desktop. This new "feature" still worries me though, and I want to find out how to block it. Why? Because of my JOB. I'm in a small group of people in charge of security for a company with hundreds of employees that are local admins to their desktops and laptops (for various reasons that I'm not going into here).
Well, in reality, you have to address that nonsense before you can hope to usefully secure anything in your organization, but I assume _you_ understand that and the problem is some less clueful non-IT/non-security folk elsewhere who insist that "we must use this crappy software"...
I'm not worried about MY documents ending on Google's servers. I'm worried about the documents belonging to a percentage of the company that either doesn't understand the security ramifications of using this feature, or just doesn't care.
I'll tell you how to _make them care_ AND _educate_ them at the same time... Go to HR, explain that the new security policy about not running Google Desktop is make-or-break and explain why. To achieve this you may need higher-level management buy-in, so hopefully you can threaten exposure under HIPAA, Sarbanes-Oxley or some such _IF_ the policy is ever breached. Make it a matter of "if our IDS sees traffic from your machine to desktop.google.com (or whatever) it's an automatic HR warning", and then let your standard (two, three, whatever strikes and you're out) HR policy deal with enforcement.
User education only works to a degree. A way to PREVENT accidental information disclosure is needed.
Despite claims to the contrary -- usually from places where the very notion of banning something like Google Desktop cannot even be contemplated -- user education does not work at well _for this kind of issue_. The way to make it work is to make the cost of not following the policy very high and personally significant for the policy breachers. Fire a few staff because they installed Google Desktop AND make it widely known throughout the company that this is not only the policy, but this is a policy that will be ruthlessly enforced. If that doesn't work, you have a much bigger problem...
Regards,
Nick FitzGerald
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/