Re: RE:[fw-wiz] Vulnerability Scanners ( was: concerning ~el8 / project mayhem )
From: B. Scott Harroff (Scott.Harroff@att.net)
Date: 08/26/02
- Next message: Patrick Darden: "Re: [fw-wiz] VPN concentrators"
- Previous message: scouser@paradise.net.nz: "[fw-wiz] VPN concentrators"
- In reply to: Dave Piscitello: "Re: RE:[fw-wiz] Vulnerability Scanners ( was: concerning ~el8 / project mayhem )"
- Next in thread: Paul D. Robertson: "Re: RE:[fw-wiz] Vulnerability Scanners ( was: concerning ~el8 / project mayhem )"
- Reply: Paul D. Robertson: "Re: RE:[fw-wiz] Vulnerability Scanners ( was: concerning ~el8 / project mayhem )"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
From: "B. Scott Harroff" <Scott.Harroff@att.net>
To: "Dave Piscitello" <dave@corecom.com>, <firewall-wizards@honor.icsalabs.com>
Date: Mon Aug 26 08:19:01 2002
> You'll need non-repudiable authentication (evidence), as a court of law
> would describe.
> How would you propose to verify Jim was at Jane's workstation at the time
> of the porn site visit?
> In addition to "strong authentication" as we define it today, do you
> propose cameras? Keyloggers that distinguish typing behavior?
I'm not looking for 100% assuredness that Jim had not compromised Jane's
account to deliberately surf with her identity. I'm looking for more than
"The DHCP server thought that 10.1.2.3 belonged to Jane at 1:30 PM", i.e.,
the proxy server recorded Jane's domain ID and IP in outbound traffic.
Given that, by policy, passwords change regularly, passwords have minimum
requirements, and users cannot walk away from a logged-in workstation,
there is a very high probability that Jane was surfing the site, not Jim.
And, Jane wouldn't be terminated for one logged instance; if her logs showed
regular activity, someone would show up at her usual surfing time to greet
her.
> Something that's annoyed me for ages is the distinction that policy
> violations conducted through computing and networking are so different
> from any other medium. If an employee uses his phone card to dial a phone sex
> number during work hours, from a business phone, is it as serious an
> offense (granted, there's no temporary or long term cache of the "image"
> unless he's taped the conversation). What about print media and fax
> (although I've never heard of fax sex?)
If an employee dials a phone sex line on corporate time, they are improperly
using corporate resources, costing the company <relatively> minimal monetary
loss. Commensurate discipline would be a slap on the hand. If Jim surfs to
a porn site (often) and Jane, who sees this, feels sexually offended and
harassed, and the company does not follow up with stopping folks like Jim,
the company could face an embarrassing and expensive lawsuit....
> Content inspection is an odd business, and it seems perpetually focused on
> computer networking. My point is that I've seen some policies that don't
> uniformly treat all media - it's acceptable to have a sexy calendar, but
> not to visit Victoria's Secret online, or thumb through PlayBoy during
> lunch? I've told folks that such policies are an HR nightmare waiting to
> happen.
Agreed on both counts. Not taking action can be very expensive though.....
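The two levels of evidence discussed above (a DHCP lease that merely maps an IP to a machine, versus a proxy record carrying the authenticated domain ID) can be compared mechanically. The script below is an added example, not code from the original message or from the firewall-wizards list; the proxy lines imitate the layout of Squid's native access.log, and the DHCP lease records, the hostname-to-owner inventory, the hostnames and the user names are all constructed for illustration. Each proxy hit is graded by how well the proxy's authenticated user and the DHCP lease holder agree, so a "dhcp-only" or "conflict" hit (Jim authenticated from the machine issued to Jane, or nobody authenticated at all) is set aside for review instead of being acted on.

```python
"""Grade the attribution evidence behind each proxy hit (added example).

Two constructed evidence sources are cross-checked:
  * proxy access log lines carrying the authenticated user (or "-"),
  * DHCP lease records saying which machine held an IP at a given time.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample, laid out like Squid's native access.log:
# time elapsed client code/status bytes method URL user hierarchy content-type
# The 8th field is the proxy-authenticated user, "-" when none.
PROXY_LOG = """\
1030364400.123    210 10.1.2.3 TCP_MISS/200 5120 GET http://example.com/a.html jane DIRECT/203.0.113.10 text/html
1030364460.456    180 10.1.2.3 TCP_MISS/200 4096 GET http://example.com/b.html - DIRECT/203.0.113.10 text/html
1030365000.001    150 10.1.2.3 TCP_MISS/200 2048 GET http://example.com/c.html jim DIRECT/203.0.113.10 text/html
1030368000.789    150 10.1.2.3 TCP_MISS/200 2048 GET http://example.com/d.html jim DIRECT/203.0.113.10 text/html
"""

# Constructed DHCP leases: (lease_start, lease_end, ip, hostname), epoch
# seconds, both ends inclusive. A real deployment would parse the DHCP
# server's lease file or audit log instead of a literal list.
DHCP_LEASES: List[Tuple[int, int, str, str]] = [
    (1030360800, 1030367999, "10.1.2.3", "jane-ws"),
    (1030368000, 1030375200, "10.1.2.3", "jim-laptop"),
]

# Constructed asset inventory: the user each hostname is issued to.
HOST_OWNER = {"jane-ws": "jane", "jim-laptop": "jim"}


@dataclass
class Attribution:
    timestamp: int
    client_ip: str
    url: str
    proxy_user: Optional[str]   # authenticated domain ID, if any
    dhcp_host: Optional[str]    # machine DHCP says held the IP
    basis: str                  # strength of the attribution


def parse_proxy_line(line: str) -> Tuple[int, str, str, Optional[str]]:
    """Return (epoch, client_ip, url, user_or_None) from one log line."""
    fields = line.split()
    if len(fields) < 8:
        raise ValueError("short proxy log line: %r" % line)
    ts = int(float(fields[0]))
    user = None if fields[7] == "-" else fields[7]
    return ts, fields[2], fields[6], user


def lease_holder(ip: str, ts: int) -> Optional[str]:
    """Hostname holding `ip` at epoch `ts` according to the lease records."""
    for start, end, lease_ip, host in DHCP_LEASES:
        if lease_ip == ip and start <= ts <= end:
            return host
    return None


def attribute(line: str) -> Attribution:
    """Combine proxy authentication and the DHCP lease into one grade."""
    ts, ip, url, user = parse_proxy_line(line)
    host = lease_holder(ip, ts)
    owner = HOST_OWNER.get(host) if host else None
    if user and owner == user:
        basis = "corroborated"    # domain ID and issued machine agree
    elif user and owner:
        basis = "conflict"        # authenticated as X from Y's machine
    elif user:
        basis = "authenticated"   # proxy auth only, no lease on record
    elif host:
        basis = "dhcp-only"       # only an IP-to-machine mapping, weak
    else:
        basis = "unattributed"
    return Attribution(ts, ip, url, user, host, basis)


def attribute_log(text: str) -> List[Attribution]:
    return [attribute(ln) for ln in text.splitlines() if ln.strip()]


def needs_review(results: List[Attribution]) -> List[Attribution]:
    """Hits whose evidence is too weak or contradictory to act on alone."""
    weak = ("conflict", "dhcp-only", "unattributed")
    return [r for r in results if r.basis in weak]


if __name__ == "__main__":
    for r in attribute_log(PROXY_LOG):
        print(r.timestamp, r.client_ip, r.proxy_user, r.dhcp_host, r.basis)
```

Run stand-alone, the script grades the first and last hits as corroborated, the unauthenticated hit as dhcp-only, and the third (jim's domain ID from the machine leased to jane-ws) as a conflict, which is exactly the "Jim at Jane's workstation" case the thread is arguing about.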