Information Security News mailing list archives

RE: MS Outlook booted off campus


From: InfoSec News <isn () c4i org>
Date: Tue, 28 May 2002 03:33:07 -0500 (CDT)

Forwarded from: Wall David  Civ AETC/DOXD <David.Wall () RANDOLPH AF MIL>

OK, Guess I wasn't clear.

We run Norton, and get automatic updates every 24 hours, occasionally
changing to every 12 hours.  Everything is automatic on our network
(UNIX servers and NT workstations).  No user can open any file, e-mail
or attachment unless the antivirus checks it first.  This isn't on the
firewall, it's on the network.

I know it's impossible to catch every virus if it is radically new,
but we very, VERY seldom get a successful penetration.  For example,
we took over 600,000 hits with I love you, and none got through.  
Lesser, obviously, numbers with Code Red, Klez, and others.  Again,
none got through. The virus was deleted and the e-mail then had an
attachment that wasn't there.

I'm no great fan of Outlook, but I don't see that it deserved the
comments by that university.  For those who disagree, that's fine.

Now, if you'll pardon my absence - i.e., no more responses for a
couple weeks - I'm off to get married.  I don't expect to even hear
the words virus, Norton, Outlook, infosecNews, etc., for a while.

Happy computing

Dave Wall

-----Original Message-----
From: Stanislav N. Vardomskiy [mailto:stany () NotBSD org]
Sent: Friday, May 24, 2002 10:52 AM
To: InfoSec News
Cc: isn () attrition org; David.Wall () randolph af mil
Subject: RE: [ISN] MS Outlook booted off campus


On Fri, 24 May 2002, InfoSec News wrote:

> Forwarded from: Wall David Civ AETC/DOXD <David.Wall () RANDOLPH AF MIL>
>
> Is it just me, or is somebody burying their heads in the sand?
> Whatever happened to maintaining the latest antiviral signature files
> so you don't get hit in the first place?
>
> Am I missing something here?????

You are missing the human factor.

There are really two ways of dealing with desktop users: First one is
a Nortel approach, where no one outside the helpdesk had
root/administrator access, and in order to get done something as
trivial as time synchronised between the license server and the
workstation (so that FlexLM would actually check out the license), one
had to call helpdesk.

This approach works really well if you have huge budget for IT and
infinitely patient users - IT/helpdesk has to be up to speed and be
able to resolve problems FAST, and users get really really upset after
having to call the "helldesk" for the third time with the same problem
(And of course every problem is mission critical, be it e-mail outage
or shortage of Modelsim licenses).

At the moment I am babysitting about 20 users in a remote office.  My
policies are fairly lax - all I care about is engineering being
productive, so as long as they can read their e-mail, access their
fileservers, and run their Verilog, I do not strictly enforce how they
use their systems, with a belief that users themselves know best what
it is that they want and how they want their systems configured in
order to be most productive (The fact that most of my Windows users
still use Windows 98 with no concept of local security makes it a
folly to even try to prevent them from changing background pictures,
mouse pointers, etc). Users are all informed that if I can not solve
their problem, I will re-image their system to a sane configuration.

This approach, while definitely easier on users, does not permit
totalitarian control over what gets executed on the desktop, and
allows users to toggle settings of their anti-viral software.

I have to point out that my approach so far worked out, and not only
are users productive, but there is no fear and loathing of IT
department at my site, and users do bring potential problems to my
attention.  At my site engineers are the ones that bring in revenue,
and I get paid out of the money they generate.  In my mind it's a
direct relationship - if they are not productive, then I do not get
paid :-)  Playing a Computer Cop would get me nothing besides pink
slip.

Lastly, the default settings with Symantec Norton Anti-Virus corporate
edition that the head office here maintains calls for downloading the
latest signature file once a week.  Unfortunately, with the latest
batch of virii, that spread like wildfire, a week is nowhere near fast
enough, and, truth to be told, even fetching an updated signature once
a day can be not fast enough (figure in a delay in vendor releasing a
signature, pushing it out to the corporate signature server, and
client fetching it from the corporate server).

So to address your initial question:
I can totally relate to the problems of Cambridge college's systems
administrators.  If it's anywhere like the academentia I know and
love, they are probably underpaid and understaffed and have no
manpower to upkeep desktops of 700 users, and most likely have no
political power in the college either.  As a result, while most
likely they do maintain an anti-virus server/software, they have no
way of making sure that every user is up to date and uses it.

In a situation like this not using Windows, or at least not using
components of Windows that were designed [1] to spread virii is a
major workload reduction.

Dave Wall

Signed:
//Stany

[1] http://www.microsoft.com/mac/products/office/2001/office_main.asp?embfname=virus_alert.asp

   Will the virus impact my Macintosh if I am using a non-Microsoft e-mail
   program, such as Eudora?

   If you are using an Macintosh e-mail program that is not from
   Microsoft, we recommend checking with that particular company.  But most
   likely other e-mail programs like Eudora are not designed to enable virus
                                                ^^^^^^^^^^^^^^^^^^^^^^^^^^^^
   replication.
   ^^^^^^^^^^^

-- 
+-------+ Stanislav N Vardomskiy - Procurator Odiosus Ex Infernis[TM] +-------+
| "Backups we have; it's restores that we find tricky." Richard Letts at ASR |
| This message is powered by JOLT!  For all the sugar and twice the caffeine. |
+-+ 10570 + My words are my own.  LARTs are provided free of charge + 10533 +-+
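The two posts above disagree about whether signature updates are "fast enough": Dave's site pulls definitions every 24 or 12 hours, while the Norton corporate default Stany describes is once a week, and Stany points out that the real lag is a chain (vendor release, corporate server fetch, client fetch). The script below is an added illustration, not code from either correspondent or from Symantec: it models that two-stage polling chain to compute the window during which a client still lacks a freshly released definition, and it audits a fleet snapshot for hosts whose definitions are older than policy allows. All hostnames, dates and intervals are constructed sample values.

```python
"""Signature-freshness model and fleet audit (added example, constructed data).

Two questions a defender wants answered from the thread above:
  1. If the vendor releases a definition at time T, when does a client
     actually have it under a given server/client polling schedule?
  2. Which hosts in the fleet are running definitions older than policy?
"""
from datetime import datetime, timedelta

# Polling schedules discussed in the thread (corporate default vs. Dave's site).
WEEKLY = timedelta(days=7)
DAILY = timedelta(days=1)
TWELVE_HOURS = timedelta(hours=12)

# Constructed: both schedules are anchored at this instant (e.g. midnight Monday).
SCHEDULE_EPOCH = datetime(2002, 5, 20, 0, 0)
# Constructed: the vendor publishes a new definition on Thursday at 09:00.
VENDOR_RELEASE = datetime(2002, 5, 23, 9, 0)


def next_poll(after: datetime, interval: timedelta, epoch: datetime) -> datetime:
    """First scheduled poll at or after `after`, on a schedule that fires
    every `interval` starting at `epoch`."""
    if after <= epoch:
        return epoch
    periods = -(-(after - epoch) // interval)  # ceiling division of timedeltas
    return epoch + periods * interval


def definition_arrival(vendor_release: datetime,
                       server_interval: timedelta, server_epoch: datetime,
                       client_interval: timedelta, client_epoch: datetime) -> datetime:
    """Time at which a client finally holds a definition the vendor released
    at `vendor_release`.  The file must first land on the corporate signature
    server (server poll) and only then can the client fetch it (client poll)."""
    on_server = next_poll(vendor_release, server_interval, server_epoch)
    on_client = next_poll(on_server, client_interval, client_epoch)
    return on_client


def exposure_hours(vendor_release: datetime, server_interval: timedelta,
                   client_interval: timedelta, epoch: datetime = SCHEDULE_EPOCH) -> float:
    """Hours between the vendor release and the moment the client is protected."""
    arrived = definition_arrival(vendor_release, server_interval, epoch,
                                 client_interval, epoch)
    return (arrived - vendor_release).total_seconds() / 3600


# Constructed fleet snapshot: definition date each host last reported to the
# corporate server.  In practice this comes from the AV console's inventory.
LATEST_VENDOR_DEF = datetime(2002, 5, 23, 9, 0)
HOSTS = {
    "eng-ws01": datetime(2002, 5, 23, 10, 15),  # picked up today's release
    "eng-ws02": datetime(2002, 5, 16, 10, 15),  # still on last week's file
    "eng-ws03": datetime(2002, 5, 22, 10, 15),  # one release behind, within a day
}


def stale_hosts(hosts: dict, latest_def: datetime, max_age: timedelta) -> list:
    """Hosts whose reported definition lags the latest vendor release by more
    than `max_age`.  A host newer than `latest_def` is never stale."""
    return sorted(name for name, have in hosts.items()
                  if latest_def - have > max_age)


if __name__ == "__main__":
    for label, srv, cli in (("weekly server / daily client", WEEKLY, DAILY),
                            ("daily server / daily client", DAILY, DAILY),
                            ("12h server / 12h client", TWELVE_HOURS, TWELVE_HOURS)):
        print(f"{label:32s} exposure = {exposure_hours(VENDOR_RELEASE, srv, cli):5.1f} h")
    print("stale (>24h behind):", stale_hosts(HOSTS, LATEST_VENDOR_DEF, DAILY))
```

With the constructed Thursday-morning release, the weekly corporate default leaves clients exposed for 87 hours (until the server's next Monday sync), a daily schedule for 15 hours, and a 12-hour schedule for 3 hours, which is the gap the two posts are arguing about. The `stale_hosts` audit is the check Stany says an understaffed site cannot do by hand: it turns "we maintain an AV server" into a list of the machines that are not actually current.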




-
ISN is currently hosted by Attrition.org

To unsubscribe email majordomo () attrition org with 'unsubscribe isn'
in the BODY of the mail.