funsec mailing list archives

Re[4]: www.hexblog.com down?


From: Sean Donelan <sean () donelan com>
Date: Wed, 4 Jan 2006 16:49:33 -0500 (EST)

On Wed, 4 Jan 2006, Pierre Vandevenne wrote:
> Do you rely on yours? Are you suggesting that all businesses should,
> and will, in the future, implement the clever military approach
> (totally physically and functionally segregated networks)? I don't
> know.

Each business will have its own assessments.  I was reacting to your
stated risk for your business: "Should our customer data be vulnerable
to a blissfully unaware accountant surfing the web with a vulnerable
system?"  And your proposed response.

People often state a threat as justification to do something.  But my
question is: does your proposed response effectively address your stated
threat?  If your answer is that that's all you can afford to do, then you've
accepted the unmitigated risk.

Are there other alternatives to address your stated threat?  Could you
implement a control for your accountant to surf the web using a browser
with RunAs limited privileges, so that not only this particular "trick the
user into executing something" is blocked, but also other forms of tricking
the user into executing something are blocked?  Would this be a more effective
control than the one you proposed?  Perhaps not as effective as having two
separate machines with an air-gap, but more effective than patching a
single vulnerability.

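Editor's added example (not part of Sean's message or anything either poster
ran): one concrete form of the RunAs control described above on a Windows
workstation. A dedicated low-privilege local account is created for browsing,
that account is explicitly denied access to the customer data, the browser is
launched under it, and the control is then probed to confirm the denial holds.
The account name "websurf", the path C:\CustomerData, the browser location and
the password are assumptions for illustration only.

```powershell
# Added example, not from the original thread. Run from an administrative
# PowerShell prompt. Account name, password, data path and browser path are
# assumptions; substitute your own (and generate a real random password).

$SurfUser    = 'websurf'                      # assumed low-privilege browsing account
$SurfPass    = 'Ch4nge-Me-At-First-Logon!'    # placeholder; use a random value in practice
$CustomerDir = 'C:\CustomerData'              # assumed location of the sensitive data
$Browser     = "$env:ProgramFiles\Internet Explorer\iexplore.exe"  # assumed browser path

# 1. Create the browsing account as a plain member of Users, never Administrators.
#    net user / net localgroup exist on every Windows version from this era onward.
net user $SurfUser $SurfPass /add /comment:"Low-privilege web browsing account"
net localgroup Users $SurfUser /add

# 2. Deny that account all access to the customer data. Anything the browser is
#    tricked into executing then runs without the rights to read or change it.
#    icacls is Vista and later; on XP the equivalent is: cacls C:\CustomerData /E /D websurf
icacls $CustomerDir /deny "${SurfUser}:(OI)(CI)F"

# 3. Launch the browser under the browsing account. This is the RunAs control;
#    the command-line equivalent is:
#    runas /user:COMPUTERNAME\websurf "C:\Program Files\Internet Explorer\iexplore.exe"
$secure = ConvertTo-SecureString $SurfPass -AsPlainText -Force
$cred   = New-Object System.Management.Automation.PSCredential(
              "$env:COMPUTERNAME\$SurfUser", $secure)
Start-Process -FilePath $Browser -Credential $cred

# 4. Verify the control rather than assume it: a directory listing run as the
#    browsing account must fail. cmd.exe returns a non-zero exit code when
#    'dir' is denied; exit code 0 means the ACL did not take and the control is broken.
$probe = Start-Process -FilePath 'cmd.exe' `
             -ArgumentList "/c dir `"$CustomerDir`"" `
             -Credential $cred -Wait -PassThru
if ($probe.ExitCode -eq 0) {
    Write-Warning "$SurfUser can still read $CustomerDir; check the deny ACE on that directory"
} else {
    Write-Output "OK: $SurfUser is denied access to $CustomerDir (exit code $($probe.ExitCode))"
}
```

Two caveats a practitioner would want on record. First, the browsing account
still shares the accountant's interactive desktop session, so this is a
least-privilege boundary, not the air-gap Sean mentions; it stops code run via
the browser from touching the denied data, not every attack on the shared
session. Second, the check in step 4 only tests the one directory you name;
copies, backups and network shares of the customer data need the same deny
entry, or the control is only as good as your inventory of where the data lives.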



_______________________________________________
Fun and Misc security discussion for OT posts.
https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
Note: funsec is a public and open mailing list.
