Firewall Wizards mailing list archives

Re: RE:Vulnerability Scanners ( was: concerning ~el8 / project mayhem )


From: "B. Scott Harroff" <Scott.Harroff () att net>
Date: Mon, 26 Aug 2002 08:18:16 -0400


You'll need non-repudiable authentication (evidence), as a court of law
would describe.
How would you propose to verify Jim was at Jane's workstation at the time
of the porn site visit?
In addition to "strong authentication" as we define it today, do you
propose cameras? Keyloggers that distinguish typing behavior?


I'm not looking for 100% assuredness that Jim had not compromised Jane's
account to deliberately surf with her identity.  I'm looking for more than
"The DHCP server thought that 10.1.2.3 belonged to Jane at 1:30 PM".  I.e.,
the proxy server recorded Jane's domain ID and IP in outbound traffic.
Given that by policy passwords regularly change, passwords have minimum
requirements, and users can not walk away from a logged in workstation,
there is a very high probability that Jane was surfing the site, not Jim.
And, Jane wouldn't be terminated for one logged instance; if her logs showed
regular activity, someone would show up at her usual surfing time to greet
her.

Something that's annoyed me for ages is the distinction that policy
violations conducted through computing and networking are so different from
any other medium. If an employee uses his phone card to dial a phone sex
number during work hours, from a business phone, is it as serious an
offense (granted, there's no temporary or long term cache of the "image"
unless he's taped the conversation)? What about print media and fax
(although I've never heard of fax sex?)


If an employee dials a phone sex line on corporate time, they are improperly
using corporate resources, costing the company <relatively> minimal monetary
loss. Commensurate discipline would be a slap on the hand.  If Jim surfs to
a porn site (often) and Jane who sees this feels sexually offended and
harassed, and the company does not follow up with stopping folks like Jim,
the company could face an embarrassing and expensive lawsuit....

Content inspection is an odd business, and it seems perpetually focused on
computer networking. My point is that I've seen some policies that don't
uniformly treat all media - it's acceptable to have a sexy calendar, but
not to visit Victoria's Secret online, or thumb through PlayBoy during
lunch? I've told folks that such policies are an HR nightmare waiting to
happen.

Agreed on both counts.  Not taking action can be very expensive though.....

_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
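The attribution argument in the message above (a DHCP lease alone says only which host held an IP at a time; an authenticated proxy record ties the traffic to a domain ID, and the two together corroborate each other) can be turned into a small correlation check. The following is an added example, not code from the thread or from any poster: it parses constructed DHCP lease lines and constructed, squid-like proxy lines in hypothetical formats, looks up which host held the client IP when each proxy event occurred, and grades each event as strong (proxy user matches the workstation owner), medium (proxy user only), weak (IP-to-host lease only), conflict (authenticated user differs from the workstation's owner, the "Jim at Jane's desk" case) or none. The workstation-owner table is an assumed asset inventory; all names and addresses are made up.

```python
"""Grade how well a proxy-log event can be attributed to a person.

Added example (not from the thread). Two constructed evidence sources:
  - DHCP lease log, one lease per line:  "<start> <end> <ip> <hostname>"
  - Proxy access log, one event per line: "<time> <client ip> <user or -> <url>"
Timestamps are ISO 8601 without zone (assumed to be the same clock).
"""
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, List, Optional

ISO = "%Y-%m-%dT%H:%M:%S"

# Constructed DHCP lease records (hypothetical format).
DHCP_LEASES_RAW = """\
2002-08-26T12:00:00 2002-08-26T20:00:00 10.1.2.3 JANE-WS
2002-08-26T20:00:00 2002-08-27T04:00:00 10.1.2.3 JIM-LAPTOP
2002-08-26T09:00:00 2002-08-26T17:00:00 10.1.2.7 JIM-WS
"""

# Constructed proxy events (hypothetical format; '-' means no authenticated user).
PROXY_LOG_RAW = """\
2002-08-26T13:00:00 10.1.2.3 jane@corp.example http://example.test/news
2002-08-26T13:30:00 10.1.2.3 - http://example.test/blocked-category
2002-08-26T13:45:00 10.1.2.3 jim@corp.example http://example.test/blocked-category
2002-08-26T21:00:00 10.1.2.7 jim@corp.example http://example.test/blocked-category
2002-08-26T21:00:00 10.1.2.9 - http://example.test/blocked-category
"""

# Assumed asset inventory: which person a workstation is issued to.
WORKSTATION_OWNERS = {
    "JANE-WS": "jane@corp.example",
    "JIM-WS": "jim@corp.example",
    "JIM-LAPTOP": "jim@corp.example",
}


@dataclass
class Lease:
    start: datetime
    end: datetime
    ip: str
    hostname: str


@dataclass
class ProxyEvent:
    ts: datetime
    ip: str
    user: Optional[str]
    url: str


@dataclass
class Attribution:
    user: Optional[str]      # person the event is attributed to, if any
    basis: str               # which evidence supports the attribution
    confidence: str          # strong / medium / weak / conflict / none
    workstation_owner: Optional[str] = None  # filled in on a conflict


def parse_leases(raw: str) -> List[Lease]:
    leases = []
    for line in raw.splitlines():
        if not line.strip():
            continue
        start, end, ip, host = line.split()
        leases.append(Lease(datetime.strptime(start, ISO),
                            datetime.strptime(end, ISO), ip, host))
    return leases


def parse_proxy(raw: str) -> List[ProxyEvent]:
    events = []
    for line in raw.splitlines():
        if not line.strip():
            continue
        ts, ip, user, url = line.split(maxsplit=3)
        events.append(ProxyEvent(datetime.strptime(ts, ISO), ip,
                                 None if user == "-" else user, url))
    return events


def lease_host_at(leases: List[Lease], ip: str, ts: datetime) -> Optional[str]:
    """Host that held `ip` at `ts` according to the lease log, if any."""
    for lease in leases:
        if lease.ip == ip and lease.start <= ts < lease.end:
            return lease.hostname
    return None


def attribute(event: ProxyEvent, leases: List[Lease],
              owners: Dict[str, str]) -> Attribution:
    host = lease_host_at(leases, event.ip, event.ts)
    owner = owners.get(host) if host else None
    if event.user and owner:
        if event.user.lower() == owner.lower():
            return Attribution(event.user, "proxy-auth+dhcp", "strong")
        # Authenticated user is not the workstation's owner: either a shared
        # desk or a borrowed/compromised account; needs a human look.
        return Attribution(event.user, "proxy-auth", "conflict", owner)
    if event.user:
        return Attribution(event.user, "proxy-auth", "medium")
    if owner:
        # Only the lease speaks: "the DHCP server thought the IP was Jane's".
        return Attribution(owner, "dhcp-only", "weak")
    return Attribution(None, "none", "none")


def attribute_all(proxy_raw: str, dhcp_raw: str,
                  owners: Dict[str, str]) -> List[Attribution]:
    leases = parse_leases(dhcp_raw)
    return [attribute(e, leases, owners) for e in parse_proxy(proxy_raw)]


if __name__ == "__main__":
    for ev, att in zip(parse_proxy(PROXY_LOG_RAW),
                       attribute_all(PROXY_LOG_RAW, DHCP_LEASES_RAW, WORKSTATION_OWNERS)):
        print(ev.ts.isoformat(), ev.ip, att.confidence, att.basis, att.user)
```

Only the "strong" and "conflict" rows carry the kind of evidence the message asks for; a "weak" row is the DHCP-only case and should prompt a check of proxy authentication coverage rather than an HR conversation.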
