Educause Security Discussion mailing list archives
Effective Practice / Question/Expertise needed
From: James Moore <jhmiso () RIT EDU>
Date: Tue, 2 Jun 2009 16:49:57 -0400
Sorry for the cross-post. I posted this to the REN-ISAC discussion list. I only got one response, and that was asking if anyone had responded to me off-list. That is when I thought that maybe the question needed more visibility.

It has to do with browser security, and plugins, helper objects, controls, and widgets.

I accidentally logged into my iGoogle page that I normally reserve for home. I meant to log in to Gmail, to check my alerts for form spam on campus. But I got to wondering about the way that I was using iGoogle. It is very handy at organizing information. But I don't know how to code review its widgets. Then I was forced to admit to myself that I use Firefox plug-ins that I don't do code reviews on either. I tend to manage risk by using reputation, recommendations (often from people that I don't know), and popularity/number of downloads.

I was wondering if anyone had a more quantitative process for managing risk in these areas. The browser is at the crossroads of so much sensitive data. Certifying or controlling extensions seems to be prudent. At the same time, I haven't found many tools that inventory or analyze plug-ins, accelerators, browser helper objects, etc. And the effectiveness of CWSandbox and Norman Sandbox on these types of objects is not known.

Then I wondered if anyone had reduced a more quantitative risk management process to layman's terms (i.e. Policy & End users' guide to what you need to know about browser plugins).

I am also looking for a cost/benefit analysis of using browser plug-ins, accelerators, browser helper objects, iGoogle widgets, etc.

Thanks,

Jim

- - - -
Jim Moore, CISSP, IAM
Information Security Officer
Rochester Institute of Technology
151 Lomb Memorial Drive
Rochester, NY 14623-5603
(585) 475-5406 (office)
(585) 255-0809 (Cell - Incident Reporting & Emergencies)
(585) 475-7920 (fax)

"If you consciously try to thwart opponents, you are already late."
Miyamoto Musashi, Japanese philosopher/samurai, 1645

"If we do not, on a national scale, attack organized criminals with weapons and techniques as effective as their own, they will destroy us."
Robert F. Kennedy, 1960

Confidentiality Notice: Do the right thing. If this has the words "Confidential" or "Private" in the subject line, or similar language in the email body, or as a label on any attachment, then think. Do you know me? Did you expect to receive this? Do you recognize and work with the other addressees? If not, then you probably received this in error. Please, be respectful and courteous, and delete it immediately. Please, don't forward it to anyone. Now, wasn't that simple? Just, if you had made an error in a sensitive email, and I received it, what would you want me to do with it?