Penetration Testing mailing list archives

Re: EXAMPLE: Why OOO is *BAD* [WAS: Re: OOO FLAME]


From: "Adam Thompson" <adwulf () gmail com>
Date: Thu, 18 Sep 2008 07:52:03 +0100

2008/9/17 M.B.Jr. <marcio.barbado () gmail com>:

> LISTENING ONLY - SILENCE IS GOLD
> The first thing help desks should do in those situations is write
> the caller's phone number down and hang up; then consult their
> policies.
> Do their policies allow confidential content handling instructions to
> be passed by phone calls?
> If so, the help desk should call up his boss to confirm and, if true,
> get his instructions directly.


How many people here can honestly say that every helpdesk they've ever
worked on has validated the caller before progressing the request?  It
seems the default is IF $VOICE claims name = "Joe Bloggs" then $VOICE
must be "Joe Bloggs".

How many helpdesks have personal information (eg mother's maiden name,
date of birth, favourite colour, preference to UK or US spelling...;-)
) stored to challenge callers with?

Whilst this seems to be common for third party providers (eg your colo
datacentre or ISP), it seems in my experience to be the exception
rather than the rule for internal helpdesks, or even outsourced
helpdesks which act 'as if' they were internal.

-- 
AdamT
"At times one remains faithful to a cause only because its opponents
do not cease to be insipid." - Nietzsche
(Currently:  Awaiting OOO messages to flood in).
