Educause Security Discussion mailing list archives

Re: "Porn-surfing hits taxpayer IDs"


From: Gary Flynn <flynngn () JMU EDU>
Date: Thu, 15 Jun 2006 09:00:09 -0400

Jere Retzer wrote:

The scenario that concerns me is business partners, some of whom are unsophisticated technology users who need to access
sensitive data from machines that are totally outside your control.

Bottom line:

Unsophisticated/untrusted operator.
+
Unsecured/untrusted machine.
+
Sensitive data.
-----------------------
Accident waiting to happen

There is no way to change that equation. You must
change one of the variables or pay for business
convenience with higher risk to constituent data
disclosure. The entire industry is facing that
problem.

You may be able to reduce risk by running fraud
detection software on the servers to help
detect unusual access. But, of course, screen
scraping of authorized access wouldn't show
up.

Two-factor authentication may limit the times
the compromised computer could access the server
to those times when the token is available.
But it has to be a physical, removable token
and the operator has to remove it.


 Your web application is covered with SSL and you have access and
authorization in place to keep out unauthorized users, but the machines
these authorized outside users use to access the application may be
infected.

Hence providing access to unauthorized users.

 Guy Pace suggested quarantining machines that don't pass muster but
I'm concerned scanning business partners' machines would be unacceptable.

Ideally, their organization would scan their machines. You
could even form some sort of a trusted, federated security
assertion along the lines of the federated identity
idea. On the other hand, if you are responsible for your
constituents' sensitive data, how much trust do you place
in their processes? How much auditing are you willing
to do? You'd effectively be developing a standard like
the credit card companies' PCI data security standard.

And, of course, if they're accessing your constituents' data
with their home machines, all bets are off unless you enforce
some desktop security.






gtoal () UTPA EDU 06/14/06 3:01 PM >>>

How about for machines we do not control?


You put them in a zone where you don't care too much if
they're infected. Certainly not a trusted 'inside' zone
with access to anything valuable.

(I'm assuming that just keeping them out altogether is
not an option)

G


--
Gary Flynn
Security Engineer
James Madison University
www.jmu.edu/computing/security
