Educause Security Discussion mailing list archives

Effective Practice / Question/Expertise needed


From: James Moore <jhmiso () RIT EDU>
Date: Tue, 2 Jun 2009 16:49:57 -0400

Sorry for the cross-post.  I posted this to the REN-ISAC discussion
list.  I only got one response, and that was asking if anyone had
responded to me off-list.  That is when I thought that maybe the
question needed more visibility.  It has to do with browser security,
and plug-ins, helper objects, controls, and widgets.

I accidentally logged into my iGoogle page that I normally reserve for
home.  I meant to log in to Gmail, to check my alerts for form spam on
campus.

But I got to wondering about the way that I was using iGoogle.  It is
very handy at organizing information.  But I don't know how to code
review its widgets.  Then I was forced to admit to myself that I use
Firefox plug-ins that I don't do code reviews on either.  I tend to
manage risk by using reputation, recommendations (often from people
I don't know), and popularity/number of downloads.

I was wondering if anyone had a more quantitative process for managing
risk in these areas.  The browser is at the crossroads of so much
sensitive data.  Certifying or controlling extensions seems to be
prudent.  At the same time, I haven't found many tools that inventory or
analyze plug-ins, accelerators, browser helper objects, etc.  And the
effectiveness of CWSandbox and Norman Sandbox on these types of objects
is not known.

Then I wondered if anyone had reduced a more quantitative risk
management process to layman's terms (i.e., a policy and end-users' guide
to what you need to know about browser plug-ins).

I am also looking for a cost/benefit analysis of using browser plug-ins,
accelerators, browser helper objects, iGoogle widgets, etc.

Thanks,

Jim

- - - -
Jim Moore, CISSP, IAM
Information Security Officer
Rochester Institute of Technology
151 Lomb Memorial Drive
Rochester, NY 14623-5603
(585) 475-5406 (office)
(585) 255-0809 (Cell - Incident Reporting & Emergencies)
(585) 475-7920 (fax)


If you consciously try to thwart opponents, you are already late.
Miyamoto Musashi, Japanese philosopher/samurai, 1645


"If we do not, on a national scale, attack organized criminals with
weapons and techniques as effective as their own, they will destroy us."
Robert F. Kennedy, 1960

Confidentiality Notice:  Do the right thing.  If this has the words
"Confidential" or "Private" in the subject line, or similar language in
the email body, or as a label on any attachment, then think.  Do you
know me?  Did you expect to receive this?  Do you recognize and work
with the other addressees?  If not, then you probably received this in
error.  Please, be respectful and courteous, and delete it immediately.
Please, don't forward it to anyone.

Now, wasn't that simple?  Just, if you had made an error in a sensitive
email, and I received it, what would you want me to do with it?

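[Editor's note, not part of Jim's message.] The post asks for tools that inventory plug-ins and browser helper objects. The script below is an added example, written for this archive rather than taken from the poster or any vendor product, of the first step such a tool needs: enumerating the code a Windows host's browsers will load and pinning each item to a file hash and signer, so the result can be diffed against a baseline and the unknowns sent for review or sandboxing. It covers Internet Explorer BHOs (registered under the documented `Browser Helper Objects` key and resolved through the CLSID's `InprocServer32` value) and Firefox extension packages in the current user's profiles. It assumes an elevated PowerShell 4 or later session (for `Get-FileHash`) and default registry and profile locations; iGoogle gadgets are served remotely and cannot be inventoried from the endpoint this way.

```powershell
# Added example, not code from the original post or any product.
# Inventories browser-loaded code on a Windows host:
#   - IE Browser Helper Objects: HKLM\...\Explorer\Browser Helper Objects,
#     each CLSID resolved via InprocServer32 to the DLL IE will load
#   - Firefox extension packages (*.xpi) in the current user's profiles
# Every item is reported with SHA-256 and Authenticode status so the list
# can be compared against a known-good baseline.
# Assumptions: elevated PowerShell 4+, default registry/profile paths.

function Resolve-ComServerPath {
    param([string]$ClsidKey)
    $raw = (Get-ItemProperty -Path (Join-Path $ClsidKey 'InprocServer32') `
            -ErrorAction SilentlyContinue).'(default)'
    if (-not $raw) { return $null }
    # Values may be quoted and may use %ProgramFiles%-style variables
    return [Environment]::ExpandEnvironmentVariables($raw.Trim('"'))
}

function Get-FileTrustInfo {
    param([string]$Path)
    if (-not ($Path -and (Test-Path -LiteralPath $Path))) {
        # A registration whose DLL is gone is worth knowing about too
        return [pscustomobject]@{ Sha256 = $null; Signature = 'FileMissing'; Signer = $null }
    }
    $sig = Get-AuthenticodeSignature -FilePath $Path
    [pscustomobject]@{
        Sha256    = (Get-FileHash -LiteralPath $Path -Algorithm SHA256).Hash
        Signature = $sig.Status.ToString()
        Signer    = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { $null }
    }
}

function Get-BhoInventory {
    # Native and WOW64 (32-bit) registrations; both views are loadable by IE
    $views = @(
        @{ Bho   = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'
           Clsid = 'HKLM:\SOFTWARE\Classes\CLSID' },
        @{ Bho   = 'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'
           Clsid = 'HKLM:\SOFTWARE\Classes\Wow6432Node\CLSID' }
    )
    foreach ($v in $views) {
        if (-not (Test-Path $v.Bho)) { continue }
        foreach ($entry in Get-ChildItem -Path $v.Bho) {
            $clsid    = $entry.PSChildName          # subkey name is the CLSID
            $clsidKey = Join-Path $v.Clsid $clsid
            $dll      = Resolve-ComServerPath -ClsidKey $clsidKey
            $trust    = Get-FileTrustInfo -Path $dll
            [pscustomobject]@{
                Kind      = 'IE BHO'
                Name      = (Get-ItemProperty -Path $clsidKey -ErrorAction SilentlyContinue).'(default)'
                Id        = $clsid
                Path      = $dll
                Sha256    = $trust.Sha256
                Signature = $trust.Signature
                Signer    = $trust.Signer
            }
        }
    }
}

function Get-FirefoxExtensionInventory {
    # Current user only; iterate C:\Users\*\AppData\Roaming for a host-wide view
    $profileRoot = Join-Path $env:APPDATA 'Mozilla\Firefox\Profiles'
    if (-not (Test-Path $profileRoot)) { return }
    foreach ($profile in Get-ChildItem -Path $profileRoot -Directory) {
        $extDir = Join-Path $profile.FullName 'extensions'
        if (-not (Test-Path $extDir)) { continue }
        foreach ($xpi in Get-ChildItem -Path $extDir -Filter '*.xpi' -File) {
            $trust = Get-FileTrustInfo -Path $xpi.FullName
            [pscustomobject]@{
                Kind      = 'Firefox extension'
                Name      = $xpi.BaseName           # file name is the add-on ID
                Id        = $xpi.BaseName
                Path      = $xpi.FullName
                Sha256    = $trust.Sha256
                Signature = $trust.Signature        # XPIs carry no Authenticode signature; hash is the key field
                Signer    = $trust.Signer
            }
        }
    }
}

$inventory = @(Get-BhoInventory) + @(Get-FirefoxExtensionInventory)
$inventory | Sort-Object Kind, Name | Format-Table -AutoSize
# Anything not validly signed is the review queue for the analyst or sandbox:
$inventory | Where-Object { $_.Signature -ne 'Valid' } |
    Export-Csv -Path .\browser-code-unreviewed.csv -NoTypeInformation
```

Run it from an elevated prompt on a reference machine first and keep that output as the baseline; on subsequent hosts, a new CLSID, a changed SHA-256 for a known DLL, or a `FileMissing` registration is the signal to investigate. The script deliberately reports rather than removes anything, since deciding what is acceptable is the policy question the post is asking about.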
Current thread: