Archive for the ‘Policy’ Category.

METRO Opens Doors, So Employees can take home all the equipment

Recently, a Washington DC prosecutor declined to prosecute a former Washington METRO employee accused of theft.   He was found to have taken home nine laptop computers, a power generator, a DVD player, a BlackBerry wireless device, a color printer, a digital camera, lots of tools and a computer monitor.   The prosecutor wrote that the absence of enforcement of policy “served to create an atmosphere where such behavior, although not explicitly condoned or excused, was part of an implicitly tolerated practice.”
Source: The Washington Times

There is a lesson there for us in IT Security.   It is a bad idea to have policy that doesn’t match practice.  Additionally, better asset management should be in place to prevent such activity.

Social Media Policy

Do companies need Social Media Policies?

I’ve wondered at times why the company I work for doesn’t have a policy specific to social media.   In the absence of such a policy, I chose to make sure my blog follows other corporate rules.   Additionally, for any rants related to work, I either make them generic or make sure the opinion wouldn’t be a surprise were management to read it.

While I’m not ultra-paranoid about security, I have tried (unsuccessfully) to keep my full name disassociated from this blog.   Some might worry that an attacker researching the company could discover what we use for antivirus, firewall, IDS, etc.

What is the goal of the social media policy?   The goal of some social media policies seems to be to keep people from using social media.   I just can’t agree with this.   If I were blogging with full name and company name, it would help grow my personal brand, and that benefits the company.  

Many of the policies that people say should be in a social media policy should already be in other policies.  

“You shouldn’t be speaking on behalf of the company.”   This is already in policy.   The only change for social media is to designate that you are not an official company contact; where you are an official contact, that needs to be noted as well.

“You shouldn’t be tweeting/blogging/facebooking about that confidential contract.”   Hey, no kidding.   That should already be covered in policy and doesn’t really need to be in a redundant policy.

Michael Hyatt has some good points in his post about why your company doesn’t need a social media policy.   Shouldn’t companies be encouraging the use of social media?    Check that out and the comments there for some deeper discussion.

Where I work, I’ve seen a couple of drafts of a new social media policy.   I’m not happy.   It must be similar to the first draft Michael Hyatt received from his lawyers.    There are two things that I find particularly galling.   There is a prohibition on recommending any current or former employees on a social media site.   I’m not entirely sure what problem they are trying to solve.   For many today, social media is a primary vehicle for the job search.   If you don’t have a searchable brand, then you don’t exist.   This is like saying don’t buy resume card stock.  There isn’t a policy I am aware of forbidding me from recommending a co-worker.   I believe management is restricted to reporting time of service.

The second potential policy change is more problematic for this blog.   Before blogging about any vendor, I need management to get the approval of that vendor.    So if Symantec releases an update and hoses my machines, I can’t warn people about that update without getting approval.    I don’t think they’ve thought this through.    Can I at least complain about the cafeteria provider Eurest without getting approval?

Hopefully this gets fixed because otherwise to stay in compliance with this policy I will have to sell the blog to my friend Raul.   Ignore any similar posting style between Raul’s Infosec Blog and my own posts.  

Auditors and Company Policy, Part 2

Back in 2007 I posted a blog entry about catching our auditors violating company policy by putting their company’s computer on our network.   Today, a new group of FISMA auditors, same issue.

If the auditors were a bit slicker, I’d believe them when they said they were testing our controls for unauthorized computers.   (Trust me, this guy was busted cold.)  After Alanis, I hesitate to call something ironic, but it sure seems ironic that the people verifying our security policies routinely violate our security policies.

Jailbreaking – Unsafe at any speed

Look at me, making Ralph Nader references whether they work or not.

Back in July, the US Copyright office ruled it is legal to jailbreak your iPhone in order to install non-appstore apps or even to unlock the phone to use with another carrier.

What does this mean for iPhones used in the enterprise?

Just because something is permissible under the law, that does not mean that a corporation must allow it.    Apple may still make it a violation of their terms of service and void the warranty. 

Jailbreaking offers a greater potential for malware to be run on the phone.  Do you remember the iPhone jailbreak worm?   A popular jailbreaking technique was setting up SSH and leaving a default password.   Doh!

Dave Zatz had a recent post asking if there was even a case for jailbreaking anymore.

So while my company is full of engineers who like to tinker, as long as the phone holds corporate data we need to enforce a no-jailbreaking policy.

Out of Office

Are out of office (OOF) messages a security risk or a useful tool?   (Microsoft uses the acronym OOF for Out of Facility.   I’ll be using that rather than OoO for out of office.)

I’ve felt that the anti-OOF forces are the kind of Luddite people who still agitate for a return to text-only email.  Rather than dismissing it out of hand, let’s examine some of the objections to OOF.

Out of office messages could inadvertently disclose information.  “I’m out of the office, check with Joe at 555-12324.”   Now the bad guy has another contact name.   In this era of LinkedIn, I’m not sure how big a disclosure this would be.  You decide for your environment.

OOF messages could verify your email address to spammers.
Your spam product and mail server should be blocking directory harvest attacks at the gateway. I wonder if it’s still true that “verified” email addresses are more valuable to attackers. Either way, my spam filter prevents spam from reaching my inbox anyway.

OOF messages could help an attacker engage in social engineering.
Now that the bad guy knows Joe is the backup, they know he may not know procedure as well. “Roger, let me do that.” Personally I think that is a problem with training, not OOF.

OOF messages could alert an attacker that it’s time to break into your home.
While there are stories about burglaries when someone posted their vacation schedule on Twitter, that is often neighborhood kids and people you know. Not using an OOF doesn’t exactly help there.

Now that we’ve gone through some OOF FUD, how can you OOF safely?
1.  If you’re running Exchange 2007 or later you have the ability to use a different message for internal senders and contacts versus external senders.  You can also perform OOF only for people in your contacts.

2.  Sign off of any mailing lists or set them to “no mail” where possible. You don’t need to be annoying the list with your out of office notes.   I think this is the real root of the anti-OOF forces, annoyance with mailing list OOF backscatter.

3.  The less said the better.
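The internal/external split from step 1, as an added example that is not from the original post: Exchange Management Shell commands configuring the weak setting and then the corrected one. Set-MailboxAutoReplyConfiguration is the Exchange 2010 and later cmdlet (the post’s Exchange 2007 exposes the same options through Outlook and OWA); the mailbox, backup contact, phone number and dates are constructed.

```powershell
# Added example (not from the original post). Assumes the Exchange Management Shell
# on Exchange 2010 or later; the mailbox and contact details are constructed.
$Mailbox = 'jdoe@example.com'

# Weak setting: one chatty message goes to everyone, including strangers on the
# Internet. It hands out the backup contact, a phone number and the dates away.
Set-MailboxAutoReplyConfiguration -Identity $Mailbox `
    -AutoReplyState Enabled `
    -ExternalAudience All `
    -InternalMessage 'Out until the 14th. Check with Joe at 555-0100 for anything urgent.' `
    -ExternalMessage 'Out until the 14th. Check with Joe at 555-0100 for anything urgent.'

# Corrected setting: the detailed message stays inside the organization, external
# senders get the bare minimum, and only senders already in the user's Contacts
# receive even that (ExternalAudience Known). Unknown senders get nothing back,
# so directory harvesting learns nothing from the auto-reply.
Set-MailboxAutoReplyConfiguration -Identity $Mailbox `
    -AutoReplyState Scheduled `
    -StartTime (Get-Date '2010-10-04') -EndTime (Get-Date '2010-10-14') `
    -ExternalAudience Known `
    -InternalMessage 'Out of the office until the 14th. Joe (x100) is covering for me.' `
    -ExternalMessage 'I am out of the office with limited email access and will reply when I return.'

# Verify what an external sender will actually receive.
Get-MailboxAutoReplyConfiguration -Identity $Mailbox |
    Select-Object AutoReplyState, ExternalAudience, ExternalMessage
```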

At work, you kind of need to let people know you won’t be getting back to them for a while.   There may be a few businesses (e.g. financial) where the risk does outweigh the courtesy.   For most of us I think an OOF on the work email account isn’t the end of the world.

“Best Practices” are for people who cannot perform a risk analysis.   You’ll need to consider the risk environment and decide whether OOF is appropriate.

Corporate Fantasyland

Twice today I read “enterprises do this” statements that made me laugh.
Over at SANS the handler wrote “Corporates typically block outbound FTP” while describing Yahoo phishing that had FTP downloaded malware.
Later I was reading the latest AV-Comparatives report. In the discussion of numerous Sophos false positives, the author says Sophos is used in corporate environments where “new software is rarely installed.”
I’ve been looking for reliable statistics about what percentage of companies currently allow a significant percentage of employees to have local administrator rights. When I see statements like the above I wonder if our policies, which were once among the more restrictive, are now comparatively lax. Or is it that the authors are merely stating what they wish were true?

Auditors and Company Policy

It’s always nice when your own auditors follow company policy. We have an external auditor in for the next 6 weeks in order to obtain FISMA certification. At the kickoff meeting, we told the auditors that they were not allowed to put their computers on our internal network, but they were more than welcome to use our guest wireless. This information was also on the account request form that they signed.

I had a feeling that they weren’t going to follow our policy. We don’t currently have a technical mechanism in place to enforce such a policy. I opened our DHCP management console and sure enough, 5 computers had a DHCP lease with a computer name and domain giving away that their owner was this auditing firm.

So I was able to bust them on that, and prove to them that we do review the logs and record anomalies in servicedesk.
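The lease review described above, as an added example that is not the post’s own code: a PowerShell function that flags DHCP leases whose registered client name falls outside the approved domain suffixes, run over a constructed lease table. The suffixes, host names, addresses and client IDs are constructed; Get-DhcpServerv4Lease, mentioned in the comments as the live data source, is the Windows Server 2012 and later cmdlet and postdates the post.

```powershell
# Added example (not from the original post). Flags DHCP leases whose client name
# does not end in an approved domain suffix. The lease records below are
# constructed; on a current Windows DHCP server you would pipe in
# Get-DhcpServerv4Lease -ScopeId <scope> instead (same IPAddress/HostName/ClientId
# property names).
function Find-ForeignLeases {
    param(
        [Parameter(Mandatory)] [object[]] $Leases,
        [string[]] $ApprovedSuffixes = @('.corp.example.com')   # constructed
    )
    foreach ($lease in $Leases) {
        $name = [string]$lease.HostName
        $ok = $false
        foreach ($suffix in $ApprovedSuffixes) {
            if ($name.ToLower().EndsWith($suffix.ToLower())) { $ok = $true; break }
        }
        # A bare name with no suffix (an unjoined laptop registering only its
        # NetBIOS name) fails the check too, which is what we want to see.
        if (-not $ok) { $lease }
    }
}

# Constructed sample of a lease table. The auditing firm's laptops carry their own
# domain suffix, which is exactly what gave them away in the post.
$sampleLeases = @(
    [pscustomobject]@{ IPAddress='10.1.20.15'; HostName='WS-ACCT-07.corp.example.com';   ClientId='00-11-22-33-44-55' },
    [pscustomobject]@{ IPAddress='10.1.20.31'; HostName='LT-0412.auditfirm-example.com'; ClientId='66-77-88-99-AA-BB' },
    [pscustomobject]@{ IPAddress='10.1.20.33'; HostName='LT-0419.auditfirm-example.com'; ClientId='66-77-88-99-AA-BC' },
    [pscustomobject]@{ IPAddress='10.1.20.40'; HostName='MACBOOK';                        ClientId='CC-DD-EE-FF-00-11' }
)

# Each row printed here is a candidate for the service desk anomaly record.
Find-ForeignLeases -Leases $sampleLeases |
    Format-Table IPAddress, HostName, ClientId -AutoSize
```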

The Paris Hilton DoS

I was going through the outbound viruses last night. Most were false positives on ESPN or CNN web pages that were pasted into an email message (the scanner didn’t like the javascript). But one was called Exploit/BigEmail. That sounded kind of interesting. First I did a search to look for AV vendors with a virus named that. It sounded to me like the vendor was stopping large messages to avoid denial of service attacks.


Developing an Employee Usage Policy Part 2

My professor posted the following guidelines for creating/evaluating an employee use policy.
Email and Internet Usage Policy
Implementation of sound, well-written policies helps manage risk by defining acceptable and unacceptable forms of behavior and educating employees as to the organization’s expectations concerning their behavior. Organizations can and should expect their employees to act ethically and the organization, as well as its employees, should expect to be accountable to society for their actions. On the positive side, good policies
encourage ethical behavior, and discourage criminal behavior,
encourage polite and civil communication,
encourage individual integrity and honesty,
encourage respect for others and their property,
protect the organization’s information infrastructure from danger, and
the risk of lawsuits.
Good policies also
discourage copyright infringement, software piracy, and plagiarism,
discourage slander, libel, defamation, and mendacity, and
discourage profanity, obscenity, pornography, and waste.
(See Kinnaman, D., Critiquing acceptable use policies. http://www.io.com/~kinnaman/aupessay.html)


U.S. vs Councilman opens door for admin snoops

The Electronic Frontier Foundation charges that this week’s appeals court decision in U.S. vs Councilman gives your ISP the right to monitor your email.
The court brief is http://www.ca1.uscourts.gov/pdf.opinions/03-1383-01A.pdf
The defendant used procmail and sendmail to monitor email from Amazon to the booksellers and other email clients that used his mailserver. He used a form of store and forward to do this. I believe the courts have held that wiretapping is grabbing the message off the line with a sniffer. It is a different charge when the mail is in storage. The courts dismissed the charges against the defendant stating that at the time the message was copied it wasn’t in transit.
I agree that he is not guilty of wiretapping. I’ll have to go reread the Stored Communications Act to see if his claim of being a service provider is correct. I am currently in a cyberlaw class and we read the lower court ruling on US v Councilman a couple weeks ago. So I was pretty excited to see this case.