RE: Basic Windows Security Question

From: Reece, Terry (terry.reece_at_nmci-isf.com)
Date: 03/31/05

  • Next message: Glenn English: "Re: Firewall rules standards"
    Date: Thu, 31 Mar 2005 10:26:31 -0500
    To: "Andrew McIntosh" <amcintosh@networkadvocates.com>, <security-basics@securityfocus.com>
    
    

    This is something the folks I work with were discussing here the other day as well. I would say that disabling the USB port isn't the primary concern, and there is a bigger issue at hand. I certainly wouldn't want people on my network taking company data and putting in on their personal PCs, or any PC outside of company control. Obviously money is an issue, but employee's who want to work on things at home and have a legitimate business need should have a laptop.

    OK...back to the real world...

    I think the most viable solution is a policy statement that specifically addresses this issue, and make sure that message is conveyed to the end user and that it is understood. An example could be that USB thumb drives are ok, but with the caveat that the other PC must have such and such AV program installed, updated, etc. I would also think that most (<~keyword) AV programs are going to catch key loggers as well, although there are a few that could slip through, but then you fall into the whole "defense in depth" idea.

    ./ramble off

    Terry
    -----Original Message-----
    From: Andrew McIntosh [mailto:amcintosh@networkadvocates.com]
    Sent: Tuesday, March 29, 2005 16:21
    To: security-basics@securityfocus.com
    Subject: Basic Windows Security Question

    Hello Everybody,

    I am curious to see the different suggestions for this scenario:

    Suppose you have a small company of less than 100 employees. One of the
    employees likes to bring his work home on occasion. He does so using a
    USB thumb drive. One day he catches a [virus, worm, Trojan, spyware,
    anything you can think of] at home and it winds up on his thumb drive,
    which he in turn brings to the company network.

    The company certainly should have anti-virus software in place, which
    would fix that problem. But what if he unknowingly loads a key logging
    program that could capture private customer information? What do you
    suggest? Here is what I could think of so far:

    Disable USB Port - That would solve the particular problem and create
    other problems. For instance, substitute the thumb drive with a floppy
    disk or CD. For obvious reasons you don't want to disable those as well.

    Restrict user permissions - That could potentially prevent a program
    from installing itself, but it would also cause the user some grief if
    they need to install programs themselves, or even do simple things like
    changing personal settings.

    Security Policy - Haven't looked into this yet, but maybe there is a way
    to prevent the use of thumb drives and other specific devices through
    security policy.

    What do you think?

    Thanks!

    ====================
    amcintosh@ntad.com
    ====================

    ---------------------------------------------------------------------------
    Earn your MS in Information Security ONLINE
    Organizations worldwide are in need of highly qualified information security
    professionals. Norwich University is fulfilling this demand with its MS in
    Information Security offered online. Recognized by the NSA as an
    academically excellent program, NU offers you the opportunity to earn your
    degree without disrupting your home or work life.

    http://www.msia.norwich.edu/secfocus_en
    ----------------------------------------------------------------------------


  • Next message: Glenn English: "Re: Firewall rules standards"

    Relevant Pages

    • ISO 27001 Newsletter: Edition 17 Released
      ... The latest issue of the newsletter covering the ISO information ... news and background with respect to the ISO security standards. ... Trials and Tribulations of an Information Security Officer ... Business Continuity Management: Preparation and Risk ...
      (comp.security.misc)
    • REVIEW: "The Information Security Dictionary", Urs E. Gattiker
      ... "The Information Security Dictionary", Urs E. Gattiker, 2004, ... %T "The Information Security Dictionary" ... The entry for Authentication does not list the ... listing is given for trade secrets or trade marks. ...
      (comp.security.misc)
    • REVIEW: "The Information Security Dictionary", Urs E. Gattiker
      ... "The Information Security Dictionary", Urs E. Gattiker, 2004, ... %T "The Information Security Dictionary" ... The entry for Authentication does not list the ... listing is given for trade secrets or trade marks. ...
      (alt.computer.security)
    • The ISO 27001 Newsletter: Issue 18 Published
      ... news and background with respect to the ISO security standards. ... Trials and Tribulations of an Information Security Officer Part 2 ...
      (comp.security.misc)
    • Issue 18 of The ISO 27000 Newsletter Released
      ... news and background with respect to the ISO security standards. ... Trials and Tribulations of an Information Security Officer Part 2 ...
      (alt.computer.security)