There is a lesson there for us in IT Security.   It is a bad idea to have policy that doesn’t match practice.  Additionally better asset management should be in place to prevent such activity.

I’ve wondered at times why the company I work for doesn’t have a policy specific to social media.   In the absence of such a policy, I chose to make sure my blog follows other corporate rules.   Additionally for any rants related to work, I either make them generic or make sure the opinion isn’t a surprise were management to read it.  

While I’m not ultra-paranoid about security, I have tried (unsuccessfully) to keep my full name disassociated with this blog.   Some might worry that an attacker researching the company could discover what we use for antivirus, firewall, IDS, etc.  

What is the goal of the social media policy?   The goal of some social media policies seems to be to keep people from using social media.   I just can’t agree with this.   If I were blogging with full name and company name, it would help grow my personal brand, and that benefits the company.  

Many of the policies that people say should be in a social media policy should already be in other policies.  

“You shouldn’t be speaking on behalf of the company.”   This is already in policy.   The only change for social media is to designate that you are not an official company contact, except where you are official then that needs to be noted as well.

“You shouldn’t be tweeting/blogging/facebooking about that confidential contract.”   Hey no kidding.   That should already be covered in policy and doesn’t really need to be in a redundant policy.

Michael Hyatt has some good points in his post about why your company doesn’t need a social media policy.   Shouldn’t companies be encouraging the use of social media?    Check that out and the comments there for some deeper discussion.

Where I work, I’ve seen a couple drafts of a new social media policy.   I’m not happy.   It must be similar to the first draft Michael Hyatt received from his lawyers.    There are two things that I find particularly galling.   There is a prohibition on recommending any current or former employees on a social media site.   I’m not entirely sure what problem they are trying to solve.   For many today, social media is a primary vehicle for the job search.   If you don’t have a searchable brand, then you don’t exist.   This is like saying don’t buy resume card stock.  There isn’t a policy I am aware of forbidding me from recommending a co-worker.   I believe management is restricted to reporting time of service.

The second potential policy change is more problematic for this blog.   Before blogging about any vender, I need management to get the approval of that vender.    So if Symantec releases an update and hoses my machines, I can’t warn people about that update without getting approval.    I don’t think they’ve thought this through.    Can I at least complain about the cafeteria provider Eurest without getting approval?

Hopefully this gets fixed because otherwise to stay in compliance with this policy I will have to sell the blog to my friend Raul.   Ignore any similar posting style between Raul’s Infosec Blog and my own posts.  

If the auditors were a bit slicker, I”d believe them when they said they were testing our controls for unauthorized computers.   (trust me, this guy was busted cold)  After Alanis, I hesitate to call something ironic, but it sure seems ironic that the people verifying our security policies routinely violate our security policies.

Back in July, the US Copyright office ruled it is legal to jailbreak your iPhone in order to install non-appstore apps or even to unlock the phone to use with another carrier.

What does this mean for iPhones used the enterprise?

Just because something is permissible under the law, that does not mean that a corporation must allow it.    Apple may still make it a violation of their terms of service and void the warranty. 

Jailbreaking  offers a greater potential for malware to be run on the phone.  Do you remember the iPhone jailbreak worm?   A popular jailbreaking technique was setting up SSH and leaving a default password.   Doh!

Dave Zatz had a recent post asking if there was even a case for jailbreaking anymore.

So while my company is full of engineers who like to tinker.   While the phone has corporate data, we need to enforce a no jailbreaking policy.

I’ve felt that the anti-OOF forces are the kind of ludite people who still agitate for a return to text only email.  Rather than dismissing it out of hand, lets examine some of the objections to OOF

Out of office messages could inadvertently disclose information.  “I’m out of the office, check with Joe at 555-12324.   Now the bad guy has another contact name.   In this era of LinkedIn, I’m not sure how big a disclosure this would be.  You decide for your environment.

OOF messages could verify your email address to spammers.
 Your spam product and Mail server should be blocking directory harvest attacks at the gateway. I wonder if its still true that “verified” email address are more value to attackers. Either way, my spam filter prevents spam from reaching my inbox any way.

OOF messages could help an attacker engage in social engineering
Now that the bad guy knows Joe is the backup, they know he may not know procedure as well. “Roger let me do that”. Personally I think that is a problem with training not OOF.

OOF messages could alert an attacker that its time to break into your home.
While there are stories about burglaries when someone posted their vacation schedule on Twitter, that is often neighborhood kids and people you know. Not using an OOF doesn’t exactly help there. 

Now that we’ve gone through some OOF FUD, how can you OOF safely?
1.  If you’re running Exchange 2007 or later you have the ability to use a different message for internal senders and contacts versus external senders.  You can also perform OOF only for people in your contacts.

2.  Sign off of any mailing lists or set them to “no mail” where possible. You don’t need to be annoying the list with your out of office notes.   I think this is the real root of the anti-OOF forces, annoyance with mailing list OOF backscatter.

3.  The less said the better.

At work, you kind of need to let people know you wont be getting back to them for a while.   There may be a few businesses (e.g. financial) where the risk does outweigh the courtesy.   For most of us I think a OOF on the work email account isn’t the end of the world.

“Best Practices” are for people who cannot perform a risk analysis.   You’ll need to consider the risk environment and decide whether OOF is appropriate.

I had a feeling that they weren’t going to follow our policy. We don’t currently have a technical mechanism in place to enforce such a policy. I opened our DHCP management console and sure enough 5 computers had a DHCP lease with a computername and domain giving away that their owner was this auditing firm.

So I was able to bust them on that, and prove to them that we do review the logs and record anomalies in servicedesk.

I checked through the logs and it turned out to be a 365 MB mail message with a file named Paris-DivX505-A.avi. It didn’t take much detective work to conclude that a user was sending out the Paris Hilton sex tape via email! (the use of that term aught to get the hit count up a bit).
I thought that was freakin hilarious. I think the lesson to be learned here is its a good idea to have a maximum message size and enforce it at all levels. Even a very large limit like 100 MB would have prevented this message from being processed by exchange, scanned by trend micro, processed by sendmail before being stopped. This could have been really bad for the infrastructure.

As always, there are four policy essentials:
1.Policies need to be in writing — Unwritten policies may sometimes be found to exist by courts, and enforced, but to be sure that an organization’s policy is clear and fosters the behaviors the organization intends and limits those behaviors that an organization deems undesirable, policies should always be in writing
2. Policies must be promulgated — A policy the employees don’t know about is ineffective. Best practice is to have a signed statement that the employee has read and understands the policy.
3. There must be some process to determine if the policy is being followed. If an organization has no way of knowing whether a policy is being followed, the policy may be (and usually is) ineffective.
4. There have to be sanctions for violations of the policy discovered by the detection process. A policy with no teeth is ineffective.
Good policies explicitly define and make clear to all users the ethical standards and expectations of the organization. The policy should explicitly state that all hardware, software, and related infrastructure made available to employees are property of the organization and are to be used for business-related purposes only. The policy should clearly state that email and Internet usage will be monitored and audited. No one should have an expectation of privacy regarding email or Internet usage.
Policies concerning the use (and potential for abuse) of email and Internet access should probably touch on all of the following (listed in no particular order):
conduct of personal business using the organization’s information infrastructure
sexual harassment
threats
flames
interference with others, including cyberstalking
exceeding authorized access
downloading software, music, or movies
snooping
on-line gambling
illegal activities
use of unescrowed cryptography and cryptographic keys
playing video games
chat rooms, instant messaging, and blogging
chain letters and Ponzi schemes
defamatory, illegal, discriminatory, offensive, threatening or harassing messages
misrepresentation of oneself or the organization to customers, clients, vendors and other employees
fraudulent behavior
denigration of others based on their sex, race, sexuality, age, national origin, or religious or political beliefs
political activities
pornography
child pornography
use of antiviral software to protect customers, clients, vendors, and the organization’s information infrastructure
privacy and disclosure of personal or privileged information
protection of the organization’s trade secrets
requirement for ethical behavior
requirement of conform to all State and federal laws
defeating or attempting to defeat the auditing, monitoring, access control or other security features or procedures used by the organization’s information infrastructure