funsec mailing list archives

Re: C-level execs ignorant of Web 2.0 dangers


From: "Hubbard, Dan" <dhubbard () websense com>
Date: Fri, 29 May 2009 08:33:02 -0700

We can debate on Gadi's debate@ list if you wish. I don't want to pollute funsec. Bottom line is that I am of the 
opinion that anyone who thinks that they can continue to block *all 2.0* sites moving forward will soon find themselves 
in a position of being told to open them in due time (if not already). If you don't understand the business value then 
you don't use the technologies.

......

Web 2.0 is required for business, scanned, disinfected, and logged to comply with security and compliance risk.
-----Original Message-----
From: Tomas L. Byrnes [mailto:tomb () byrneit net] 
Sent: Thursday, May 28, 2009 10:25 PM
To: Hubbard, Dan; Dan Kaminsky
Cc: funsec () linuxbox org; rMslade () shaw ca
Subject: RE: [funsec] C-level execs ignorant of Web 2.0 dangers

What, exactly, is the benefit to a trading desk @ a hedge fund (the
client in question) of allowing access to Facebook? Seriously, outside
of sales and marketing, who needs Facebook @ work?

The risks are:

1: Drive-by malware.

2: Unauthorized and untraceable communications that may violate SEC
rules regarding insider trading (same reason IM isn't allowed).

E-Mail is required for business, scanned, disinfected, and logged to
comply with security and compliance risk.

So, the decision to not allow sites that are known security risks, and
contribute nothing to the business, is a pretty easy one.


-----Original Message-----
From: Hubbard, Dan [mailto:dhubbard () websense com]
Sent: Thursday, May 28, 2009 5:23 PM
To: Tomas L. Byrnes; 'Dan Kaminsky'
Cc: 'funsec () linuxbox org'; 'rMslade () shaw ca'
Subject: RE: [funsec] C-level execs ignorant of Web 2.0 dangers

Email is a bastion of badness. Do you block access to *all* email? How
about IM? Or the Web in general?

My .02: The debate should be if the risk outweighs the benefit. My
opinion is that in most cases the answer is no. There is a lot of
benefit to companies to open these up. Yes, of course they need to
invest in security to protect against the problem but that is no
different than other areas, it's just a new vector.
-----Original Message-----
From: funsec-bounces () linuxbox org [mailto:funsec-bounces () linuxbox org]
On Behalf Of Tomas L. Byrnes
Sent: Thursday, May 28, 2009 1:56 PM
To: Dan Kaminsky
Cc: funsec () linuxbox org; rMslade () shaw ca
Subject: Re: [funsec] C-level execs ignorant of Web 2.0 dangers

When I've explained to the users how Facebook, Myspace and other such
sites are ways for malware authors to "drive by" them, I've had no
resistance to blocking them. Now, it helps that in the most recent case,
they had actually been infected using just that vector.



-----Original Message-----
From: Dan Kaminsky [mailto:dan () doxpara com]
Sent: Wednesday, May 27, 2009 11:06 PM
To: Tomas L. Byrnes
Cc: <rMslade () shaw ca>; <funsec () linuxbox org>
Subject: Re: [funsec] C-level execs ignorant of Web 2.0 dangers

I've been informed, very off the record, that large companies that
block Facebook at work have serious employee retention and acquisition
problems directly because of it.  I'm dead serious.



On May 28, 2009, at 6:49 AM, "Tomas L. Byrnes" <tomb () byrneit net>
wrote:

C - level parsed correctly means Clue MINUS level. Since level is the
highest in the company, you do the math.



-----Original Message-----
From: funsec-bounces () linuxbox org [mailto:funsec-bounces () linuxbox org]
On Behalf Of Rob, grandpa of Ryan, Trevor, Devon & Hannah
Sent: Monday, May 25, 2009 3:49 PM
To: funsec () linuxbox org
Subject: [funsec] C-level execs ignorant of Web 2.0 dangers


http://www.itworldcanada.com/Pages/Docbase/ViewArticle.aspx?id=idgml-9e7f4ffd-70b7-4120&Portal=448d158c-d857-4785-b759-ffa1c005933c&sub=7345

C-level executives are pushing for greater access to social networking
sites and facilities, while even IT managers and security specialists
are unprepared to deal with the full range of risks from this type of
activity.

In order to get some traction with senior management on this issue, you
might want to remind them that, when they take off with funds they've
obtained via fraud, it's best not to post boasts on Facebook:


http://www.smh.com.au/news/technology/web/2009/05/25/1243103468196.html

======================  (quote inserted randomly by Pegasus Mailer)
rslade () vcn bc ca     slade () victoria tc ca
rslade () computercrime org
The real problem is in the hearts and minds of men. It is not a
problem of physics but of ethics. It is easier to denature
plutonium than to denature the evil from the spirit of man.
                                                 - Albert Einstein
http://victoria.tc.ca/techrev/rms.htm
http://blog.isc2.org/isc2_blog/slade/index.html
http://twitter.com/rslade
http://blogs.securiteam.com/index.php/archives/author/p1/
_______________________________________________
Fun and Misc security discussion for OT posts.
https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
Note: funsec is a public and open mailing list.