Re: O-u-t O-f O-f-f-i-c-e Replies
From: Deus, Attonbitus (Thor@HammerofGod.com)Date: 06/13/02
- Previous message: jtnim@hotmail.com: "CA certificates on W2k"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Thu, 13 Jun 2002 08:55:33 -0700 To: "Buckley, Jason" <JBuckley@CCBN.com> From: "Deus, Attonbitus" <Thor@HammerofGod.com>
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
At 06:22 AM 6/13/2002, you wrote:
>Need a little help,
>
>This is a question about out of office replies to addresses outside of an
>internal network. Currently we only allow out of office replies to be sent
>to internal recipients, but now sales and management would like to send them
>outside our network. I understand all the risk with this and have created
>and communicated a risk document, but now the question is "What do all the
>other companies do?" I have searched the internet and found nothing, no
>surveys, no nothing! So this is what I'm looking for, direction to a report
>or survey that has been done that shows how many companies support out of
>office replies, or just drop me an email with what your company does and I
>will put my own together.
>
>Thanks for any help with this!
Hey Jason- first off, you might want to resubmit with a different subject--
the "Out of Office" text caused your mail message to immediately go to my
trash- I just happened to see it ( that's why I changed the subject on the
reply) I would think that those who deal with OoO issues, and who would
probably be best suited to provide you insight, would have a rule in place
to delete them...
Anywho, while I can't point you to a specific report, my experience is that
the practice is gaining in popularity. More and more people are turning to
email as their primary means of communication, and for this reason, they
want to ensure that people are notified when they are not in- particularly
from a business standpoint.
The perceived risk of OoO's varies from person to person- some think they
are a huge security issue while others really don't care. While OoO's can
certainly provide a potential attacker with some ammo, best practices and
policies can mitigate potential damages. For instance, you might not want
to have your Tech Support or Admins send OoO's to the outside world... If
you do, they should have very limited information in them. In fact, all
OoO's should have limited information.
If an attacker knows the admin or tech people are gone, they could do some
social engineering posing as alternate support, phone technicians, or
vendor support. It is best to have IT personnel circulate internal mails
beforehand specifically identifying an alternate contact for questions or
concerns, and not to give out passwords, ID's, numbers, or anything else to
anyone.
HTH
AD
-----BEGIN PGP SIGNATURE-----
Version: PGP 7.1
iQA/AwUBPQjAdYhsmyD15h5gEQKkGgCeOOTS5u48nS5MGokwpsYqm1FFQcwAn3ap
tIWl8uC5MtxD0Z2t4Zaz1g/G
=qnQw
-----END PGP SIGNATURE-----
- Previous message: jtnim@hotmail.com: "CA certificates on W2k"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Relevant Pages
|
