Recently in Policy Category
Twice today I read "enterprises do this" statements that made me laugh.
Over at SANS the handler wrote "Corporates typically block outbound FTP" while describing Yahoo phishing that had FTP downloaded malware.
Later I was reading the latest AV-Comparatives report. In the discussion of numerous Sophos false positives, the author says Sophos is used in corporate environments where "new software is rarely installed."
I've been looking for reliable statistics about what percentage of companies currently allow a significant percentage of employees to have local administrator rights. When I see statements like the above I wonder if our policies, which were once among the more restrictive, are now comparatively lax. Or is it that the authors are merely stating what they wish were true?
It's always nice when your own auditors follow company policy. We have an external auditor in for the next 6 weeks in order to obtain FISMA certification. At the kickoff meeting, we told the auditors that they were not allowed to put their computers on our internal network, but they were more than welcome to use our guest wireless. This information was also on the account request form that they signed.
I had a feeling that they weren't going to follow our policy. We don't currently have a technical mechanism in place to enforce such a policy. I opened our DHCP management console and sure enough 5 computers had a DHCP lease with a computer name and domain giving away that their owner was this auditing firm.
So I was able to bust them on that, and prove to them that we do review the logs and record anomalies in servicedesk.
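The lease review described above, as an added example that is not from this blog: a small script that flags DHCP leases whose domain is not one of ours, or whose hostname does not follow our naming convention. The lease lines, the trusted domain and the hostname pattern are all constructed for illustration; a real DHCP server exports leases in its own format.

```python
import re
from dataclasses import dataclass

# Constructed sample export, simplified to "ip hostname domain" per line.
SAMPLE_LEASES = """\
10.1.4.21  WS-ACCT-017     corp.example.com
10.1.4.22  WS-ACCT-018     corp.example.com
10.1.4.40  LAPTOP-AUDIT01  auditfirm.example
10.1.4.41  LAPTOP-AUDIT02  auditfirm.example
10.1.4.55  BYOD-9F3C       corp.example.com
10.1.4.60  android-9f3c    (none)
"""

TRUSTED_DOMAINS = {"corp.example.com"}          # assumption: our AD domain
HOSTNAME_PATTERN = re.compile(r"^WS-[A-Z]+-\d{3}$")  # assumption: our build standard


@dataclass(frozen=True)
class Lease:
    ip: str
    hostname: str
    domain: str


def parse_leases(text):
    """Parse the simplified export; malformed lines are skipped."""
    leases = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue
        ip, host, domain = parts
        leases.append(Lease(ip, host, domain.lower()))
    return leases


def find_anomalies(leases, trusted=TRUSTED_DOMAINS, pattern=HOSTNAME_PATTERN):
    """Return (lease, reason) pairs for leases that look foreign to the org.

    Two independent signals: a domain we do not own (the auditor case), and a
    hostname outside our naming standard even if the domain looks right.
    """
    flagged = []
    for lease in leases:
        if lease.domain not in trusted:
            flagged.append((lease, "foreign domain"))
        elif not pattern.match(lease.hostname):
            flagged.append((lease, "non-standard hostname"))
    return flagged


if __name__ == "__main__":
    for lease, reason in find_anomalies(parse_leases(SAMPLE_LEASES)):
        print(f"{lease.ip:<12} {lease.hostname:<16} {lease.domain:<20} {reason}")
```

Review the flagged rows against the account request forms, then record anything unexpected in the service desk, as the post describes.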
I was going through the outbound viruses last night. Most were false positives on ESPN or CNN web pages that were pasted into an email message (the scanner didn't like the JavaScript). But one was called Exploit/BigEmail. That sounded kind of interesting. First I did a search to look for AV vendors with a virus named that. It sounded to me like the vendor was stopping large messages to avoid denial of service attacks.
My professor posted the following guidelines for creating/evaluating an employee use policy.
Email and Internet Usage Policy
Implementation of sound, well-written policies helps manage risk by defining acceptable and unacceptable forms of behavior and educating employees as to the organization’s expectations concerning their behavior. Organizations can and should expect their employees to act ethically and the organization, as well as its employees, should expect to be accountable to society for their actions. On the positive side, good policies
encourage ethical behavior, and discourage criminal behavior,
encourage polite and civil communication,
encourage individual integrity and honesty,
encourage respect for others and their property,
protect the organization’s information infrastructure from danger, and
the risk of lawsuits.
Good policies also
discourage copyright infringement, software piracy, and plagiarism,
discourage slander, libel, defamation, and mendacity, and
discourage profanity, obscenity, pornography, and waste.
(See Kinnaman, D., Critiquing acceptable use policies. http://www.io.com/~kinnaman/aupessay.html)
The Electronic Frontier Foundation charges that this week's appeals court decision in U.S. vs Councilman gives your ISP the right to monitor your email.
The court brief is http://www.ca1.uscourts.gov/pdf.opinions/03-1383-01A.pdf
The defendant used procmail and sendmail to monitor email from Amazon to the booksellers and other email clients that used his mailserver. He used a form of store and forward to do this. I believe the courts have held that wiretapping is grabbing the message off the line with a sniffer. It is a different charge when the mail is in storage. The courts dismissed the charges against the defendant stating that at the time the message was copied it wasn't in transit.
I agree that he is not guilty of wiretapping. I'll have to go reread the Stored Communications Act to see if his claim of being a service provider is correct. I am currently in a cyberlaw class and we read the lower court ruling on US v Councilman a couple weeks ago. So I was pretty excited to see this case.