On Thu, 02 May 2002 06:02:20 PDT, Jonathan Bloomquist said:

> I doubt many have but I wouldn't consider dumping
> Outlook a solution to worms either. Scanning and/or
> disallowing attachments with the (in)appropriate
> extensions would be a more reasonable reaction.

Given that a *large* number of worms have leveraged off the inability of Outlook to keep straight "MIME type" versus "extension", I think that "blocking based on extension" may not be all that perfect an idea. Yes, it will *help*, but so few sites manage to get it right...

> IIS is OK (did I just say that? eww!) if your admins
> patch it when updates are released. This might keep
> them pretty busy, of course ...

Remember that in large shops, it may take some time to test and convince yourself that a given patch doesn't break things. Also remember that many shops won't rush out and install patches precisely because they've gotten burnt before - right now there seem to be a number of sites that have gotten hosed by applying the latest set of Microsoft patches.

> Possibly. That is a frightening concept - I guess
> those types figure if they stick their heads in the
> sand the predator can't see them too.

They're *NOT* sticking their heads in the sand. They're making a careful evaluation of "We will most likely be hit for $2M per year in losses if we do this, but we'll still come out ahead".

> Yikes. Until very soon my 9-5 is in the banking
> industry and auditors regularly come in and sweat our
> users about their security practices. When they have
> findings (which is rare at our site :) IT implements
> the fixes. I cannot even imagine anyone who has data
> they consider valuable allowing easy access to their
> network simply because it is easier than if it was
> secure. This is an entirely upside-down philosophy.

Banks have *THEIR* line items for write-offs of bad loans and written-off credit cards as well - and nobody calls it "sticking their head in the sand" when they write a loan they know is a bit riskier, after having balanced the higher interest they're charging against the chance it will end up in their write-off pile. And having said "you can't even imagine allowing easy access" - you might want to ask yourself how much you pay the average teller, and how many different screens of financial information they are able to get at from their terminal, and exactly how much check-and-balance you *really* do.
This archive was generated by hypermail 2b30 : Thu May 02 2002 - 11:00:31 PDT