Re: New IE flaw and exploit sites/migration to non-MS browser



Sometimes they are in banner ads and you just don't know. I don't have enough hours in the day to build a "white list" of trusted business sites that my firm needs to use given the needs of my business.

This is the fundamental argument where the security guys need to understand that I don't build or use tanks, warfare or other military-like stuff. I run a business. I evaluate based on risk, not on the black and whites of security. I deal with being good enough and "reasonable" security measures...not absolutes.

But yes, everyone in my office has and has signed an acceptable use policy... there are samples of such on the SANS.org web site (click on the policy button at the top).

Besides...unless you are signed up with Websense... exactly "how" do you know what that list of sites is?






Thomas W Shinder wrote:

A more important issue is the AUP your company has. If you are
*enabling* users to access compromised sites, then there's a problem
with AUP, or your network infrastructure team thinking they understand
security.

Hand off network security to network security personnel who understand
application layer inspection and outbound access control based on
user/group membership.

Thomas W Shinder, M.D.
Site: www.isaserver.org
Blog: http://blogs.isaserver.org/shinder/
Book: http://tinyurl.com/3xqb7
MVP -- ISA Firewalls





-----Original Message-----
From: Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP] [mailto:sbradcpa@xxxxxxxxxxx]
Sent: Friday, March 31, 2006 5:08 PM
To: bkfsec
Cc: Murad Talukdar; focus-ms@xxxxxxxxxxxxxxxxx
Subject: Re: New IE flaw and exploit sites/migration to non-MS browser

How many of you are running as non-admin? Used Group Policy to adjust and allow approved ActiveX?

Now I'm no coder...but from threads I've seen.... Firefox's Extensions are ripe for fun and excitement.

Is it IE that's insecure? Or how the workstations are set up in the first place?


bkfsec wrote:



Murad Talukdar wrote:



On a related note--how many people have initiated a move away from IE to Firefox/Opera etc in a corporate environment, due to the perception (is it JUST a perception or reality based?) that IE is less secure/more prone to exploits?





We have in certain areas. It's very much reality-based that IE is less secure and more prone to exploit than other browsers, for a number of reasons, not the least of which is IE's architectural tie-in with the MS Windows operating system.

-bkfsec










--
Letting your vendors set your risk analysis these days? http://www.threatcode.com













