Message-ID: <43EF224D.18400.147211A0@nick.virus-l.demon.co.uk>
Date: Sat Feb 11 22:56:11 2006
From: nick at virus-l.demon.co.uk (Nick FitzGerald)
Subject: blocking Google Desktop

gboyce wrote:

> As a computer user, I certainly do have this choice.  I'm certainly not
> going to install Google Desktop.  In fact, I generally don't run Windows,
> so I don't even have the OPTION of running Google Desktop.
> 
> This new "feature" still worries me though, and I want to find out how to
> block it.  Why?  Because of my JOB.  I'm in a small group of people in
> charge of security for a company with hundreds of employees that are local
> admins to their desktops and laptops (for various reasons that I'm not
> going into here).

Well, in reality, you have to address that nonsense before you can hope 
to usefully secure anything in your organization, but I assume _you_ 
understand that and the problem is some less clueful non-IT/non-
security folk elsewhere who insist that "we must use this crappy 
software"...

> I'm not worried about MY documents ending on Google's servers.  I'm 
> worried about the documents belonging to a percentage of the company that
> either doesn't understand the security ramifications of using this
> feature, or just doesn't care.

I'll tell you how to _make them care_ AND _educate_ them at the same 
time...

Go to HR, explain that the new security policy about not running Google 
Desktop is make-or-break and explain why.  To achieve this you may need 
higher-level management buy-in, so hopefully you can threaten exposure 
under HIPAA, Sarbanes-Oxley or some such _IF_ the policy is ever 
breached.  Make it a matter of "if our IDS sees traffic from your 
machine to desktop.google.com (or whatever) it's an automatic HR 
warning", and then let your standard (two, three, whatever strikes and 
you're out) HR policy deal with enforcement.

> User education only works to a degree.  A way to PREVENT accidental 
> information disclosure is needed.

Despite claims to the contrary -- usually from places where the very 
notion of banning something like Google Desktop cannot even be 
contemplated -- user education does not work well _for this kind of 
issue_.  The way to make it work is to make the cost of not following 
the policy very high and personally significant for the policy 
breachers.  Fire a few staff because they installed Google Desktop AND 
make it widely known throughout the company that this is not only the 
policy, but this is a policy that will be ruthlessly enforced.

If that doesn't work, you have a much bigger problem...


Regards,

Nick FitzGerald
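The detection Nick sketches above ("if our IDS sees traffic from your machine to desktop.google.com") is the kind of check that is easy to get subtly wrong. The following is an added example, not code from the original post or from any of the people in the thread. It assumes Squid-style native access.log lines, uses desktop.google.com as the banned host purely because the post names it ("or whatever"), and runs over a handful of constructed log lines. The point it adds is the host match: a subdomain such as www.desktop.google.com must count, while a look-alike like desktop.google.com.evil.example must not, so the match is done on domain labels rather than with a bare substring search.

```python
"""Flag proxy clients that reached a banned host (added example).

Assumptions, not taken from the post: Squid native access.log format,
desktop.google.com as the banned host, constructed sample log lines.
"""
import re
from collections import defaultdict

# Hosts whose traffic triggers the policy. Matched on domain labels, so
# subdomains count but look-alike suffixes do not (see is_banned).
BANNED_HOSTS = ("desktop.google.com",)

# Squid native format: timestamp elapsed client status/code bytes method URL ...
SQUID_RE = re.compile(
    r"^(?P<ts>\d+(?:\.\d+)?)\s+\d+\s+(?P<client>\S+)\s+\S+\s+\d+\s+"
    r"(?P<method>[A-Z]+)\s+(?P<url>\S+)"
)

# Constructed sample log; the IPs and sizes are made up for the example.
SAMPLE_LOG = """\
1139699771.123    245 10.0.0.12 TCP_TUNNEL/200 5123 CONNECT desktop.google.com:443 - DIRECT/72.14.207.99 -
1139699772.456     87 10.0.0.12 TCP_MISS/200 2048 GET http://www.google.com/search?q=policy - DIRECT/72.14.207.99 text/html
1139699773.789    130 10.0.0.45 TCP_MISS/200 9000 GET http://desktop.google.com.evil.example/ - DIRECT/203.0.113.7 text/html
1139699774.012    210 10.0.0.77 TCP_TUNNEL/200 7000 CONNECT www.desktop.google.com:443 - DIRECT/72.14.207.99 -
this line is garbage and must be skipped
"""


def host_of(url: str) -> str:
    """Return the lowercased hostname from a proxied URL.

    Handles both "http://host/path" and the bare "host:port" form that
    Squid logs for CONNECT (HTTPS) requests. IPv6 literals are not handled.
    """
    if "://" in url:
        url = url.split("://", 1)[1]
    authority = url.split("/", 1)[0]
    authority = authority.rsplit("@", 1)[-1]   # drop any userinfo
    host = authority.split(":", 1)[0]          # drop any port
    return host.lower().rstrip(".")


def is_banned(host: str, banned=BANNED_HOSTS) -> bool:
    """Exact match or subdomain match on whole labels.

    "www.desktop.google.com" matches; "desktop.google.com.evil.example"
    does not, which a plain substring test would get wrong.
    """
    return any(host == b or host.endswith("." + b) for b in banned)


def flag_clients(log_text: str) -> dict:
    """Map each client that reached a banned host to the sorted list of
    banned hosts it contacted. Lines that do not parse are skipped."""
    hits = defaultdict(set)
    for line in log_text.splitlines():
        m = SQUID_RE.match(line)
        if not m:
            continue
        host = host_of(m.group("url"))
        if is_banned(host):
            hits[m.group("client")].add(host)
    return {client: sorted(hosts) for client, hosts in hits.items()}


if __name__ == "__main__":
    for client, hosts in sorted(flag_clients(SAMPLE_LOG).items()):
        print(f"{client}: contacted {', '.join(hosts)} -> policy violation")
```

Run against the constructed sample, 10.0.0.12 and 10.0.0.77 are flagged and 10.0.0.45 (the look-alike domain) is not; the same host-matching rule applies whether the source is a proxy log, DNS query log or IDS alert.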
