I agree, but it's a big can of worms. As Kevin already pointed out :-)

On 27 January 2012 16:51, Andrew S. Baker <asbz...@gmail.com> wrote:

> True, but technology can help prevent accidents, of which there are very
> many on a regular basis.
>
> Furthermore, it makes enforcement of the policy that much more precise,
> because anyone who circumvents the technology has to do so deliberately.
>
> ASB
> http://XeeMe.com/AndrewBaker
> Harnessing the Advantages of Technology for the SMB market…
>
> On Fri, Jan 27, 2012 at 11:25 AM, James Rankin <kz2...@googlemail.com> wrote:
>
>> DLP taken to logical extremes is extremely difficult. How to stop people
>> using Print Screen, printers, forwarding emails, even camera phone shots?
>> There's rarely a technological solution that can account for all of the
>> above. AppSense can handle some of it, but short of draconian measures that
>> prisons would be proud of, employee training and good corporate policies
>> are really the only way to try and progress it.
>>
>>
>> On 27 January 2012 16:19, Kevin Lundy <klu...@gmail.com> wrote:
>>
>>> You could also look at something like the Ironport, which includes some
>>> very basic DLP capabilities.
>>>
>>> Broadly speaking, DLP is not a quick project.  It could easily take a
>>> year to properly scope, evaluate, plan, test, and deploy.
>>>
>>> On Fri, Jan 27, 2012 at 11:01 AM, Kurt Buff <kurt.b...@gmail.com> wrote:
>>>
>>>> For an email gateway to protect your Exchange infrastructure
>>>> (including antispam and antivirus), and which can be put in the DMZ,
>>>> there's an open source project called Maia Mailguard. Commercial
>>>> alternatives include Barracuda's offerings.
>>>>
>>>> On Fri, Jan 27, 2012 at 07:32, itli...@imcu.com <itli...@imcu.com> wrote:
>>>> > I am figuring on putting some kind of smtp/owa forwarding device in
>>>> > the dmz.  Leave Exchange 2003 or even 2010 out of the DMZ but off my core
>>>> > tellering (SQL server) LAN as well just to appease them.
>>>> >
>>>> > VPN is currently Cisco anyconnect.  I am going to add some kind of
>>>> > multi factor and ACL to the firewall for those that do get access.  As well
>>>> > the software or agent that verifies windows updates and virusscan patching
>>>> > prior to authentication.
>>>> >
>>>> > Looking at DLP now.  Currently all I do is look at outgoing emails.
>>>> > So anything more will be better.
>>>> >
>>>> >
>>>> >
>>>> > -----Original Message-----
>>>> > From: Kurt Buff [mailto:kurt.b...@gmail.com]
>>>> > Posted At: Friday, January 27, 2012 10:04 AM
>>>> > Posted To: itli...@imcu.com
>>>> > Conversation: DLP, SIEM, Network Access Control, VPN multi factor
>>>> > authentication, Moving Exchange into a DMZ
>>>> > Subject: Re: DLP, SIEM, Network Access Control, VPN multi factor
>>>> > authentication, Moving Exchange into a DMZ
>>>> >
>>>> > DLP is way more than just restricting access to removable devices.
>>>> > http://code.google.com/p/opendlp/
>>>> >
>>>> > VPN access restrictions such as you mentioned are a good thing. There
>>>> > are open source two factor auth solutions.
>>>> >
>>>> > Exchange doesn't go in a DMZ
>>>> >
>>>> > On Fri, Jan 27, 2012 at 06:46, itli...@imcu.com <itli...@imcu.com> wrote:
>>>> >>
>>>> >>
>>>> >> Ok, so we have had an NCUA IT audit and some of the recommendations
>>>> >> are as follows:
>>>> >>
>>>> >>
>>>> >>
>>>> >> Data Loss Prevention (DLP)
>>>> >>
>>>> >> The Credit Union should have the ability to use USB storage
>>>> >> devices, DVD, and CD drives turned off unless required.  With some
>>>> >> form of alerting if a user is trying to use those devices without
>>>> >> permission.
>>>> >>
>>>> >>
>>>> >>
>>>> >> Security Information and Event Management (SIEM) system
>>>> >>
>>>> >> The Credit Union should have a SIEM system in place to consolidate
>>>> >> logs from all devices and applications, encrypt those logs, have real
>>>> >> time alerting, and compliance reporting.
>>>> >>
>>>> >>
>>>> >>
>>>> >> VPN access
>>>> >>
>>>> >> The Credit Union should have Network Access Controls such as scanning
>>>> >> the connecting machine for correct configuration prior to allowing
>>>> >> access to the network, some kind of multi factor token or device, and
>>>> >> a more detailed access list on the VPN client area of the firewall.
>>>> >>
>>>> >>
>>>> >>
>>>> >> DMZ
>>>> >>
>>>> >> The Credit Union should move the Microsoft Exchange server into a DMZ
>>>> >> of the firewall or industry best practice for proxying email traffic
>>>> >> into and out of the DMZ to protect the Credit Union's internal
>>>> >> network if a breach occurs on the email system.
>>>> >>
>>>> >>
>>>> >>
>>>> >> With all of this being said, can you get me some vendor information
>>>> >> about each of these areas?  It can be freeware, it can be
>>>> >> appliances, it can be anything that is easily manageable.
>>>> >>
>>>> >> And Management is looking for a quick turnaround on this so
>>>> >> whitepapers and recommendations first.
>>>> >>
>>>> >>
>>>> >>
>>>> >> This is what I sent my software vendors.  Did I ask the right
>>>> >> questions?
>>>> >>
>>>>
>>> ~ Finally, powerful endpoint security that ISN'T a resource hog! ~
> ~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/>  ~
>
> ---
> To manage subscriptions click here:
> http://lyris.sunbelt-software.com/read/my_forums/
> or send an email to listmana...@lyris.sunbeltsoftware.com
> with the body: unsubscribe ntsysadmin
>



-- 
"On two occasions...I have been asked, 'Pray, Mr Babbage, if you put into
the machine wrong figures, will the right answers come out?' I am not able
rightly to apprehend the kind of confusion of ideas that could provoke such
a question."
