Actually, the emails and passwords in LinkedIn, and the information you have 
posted about yourself, have a lot of value (spear-phishing attacks, company 
reputation hit (use your accounts to spread stuff on LinkedIn about your 
company or other companies in a negative light)). I could go on with the scenario 
but you definitely don’t want to be a target on that. (Grounds for termination, 
etc.)

 

Z

 

Edward Ziots

CISSP, Security +, Network +

Security Engineer

Lifespan Organization

ezi...@lifespan.org

 

From: David Lum [mailto:david....@nwea.org] 
Sent: Thursday, June 07, 2012 11:14 AM
To: NT System Admin Issues
Subject: FW: To notify, or not notify (LinkedIn)

 

Here’s the discussion this morning with one of our Service Desk guys.

 

_____________________________________________

Sent: Thursday, June 07, 2012 7:48 AM
To: David Lum 
Subject: RE: To notify, or not notify (LinkedIn)

 

David, this is EXACTLY what I was looking for.  Thank you very much!

 

No more comments from the peanut gallery here.  :)

_____________________________________________
From: David Lum 
Sent: Thursday, June 07, 2012 7:45 AM
Subject: RE: To notify, or not notify (LinkedIn)

 

Good questions!

 

*       How do we make the decision about what gets sent out and what doesn’t

Experience – it’s part of why our wages are far more than minimum wage - 
we’re paid to think, not just fill in checkboxes. For something more concrete: 
“if it's business-oriented and heavily used by said business then a 
notification should go out, if not, then no”. If in doubt: Ask. There was 
discussion between three departments that happened before the LinkedIn notice 
was sent out, for example.

 

*       Do we have a clearly defined idea of where it ends

I do, see above.

 

*       Several users are utilizing Dropbox and putting company 
property/product on that site.  If it was hacked, that would be a lot worse 
than losing your “online resume” from LinkedIn, in my opinion.  

If so then I would hope that if you heard about Dropbox passwords being posted 
on the Internet that you would want to send out a note to the org, right? On 
the other hand this is one reason we DON’T want users using Google, Dropbox, 
etc for corporate business – we don’t have control of the security. This is one 
area that most employees seem to grasp…

 

*       Is Service Desk expected to field calls regarding non-NWEA items 
(LinkedIn for example)

If it’s about communications *we* send out, then yes. If we know what we’re 
doing (and we do) it should be trivial to respond to these. It’s our job to 
support our staff, even if some things are beyond our direct control.

 

*       Do we need to survey the Org and find a “list” of all the business 
related apps/sites and actively monitor them?

No, we’re paid to understand and know our environment. If we don’t know the 
majority of what’s on users’ machines and what websites are commonly used by 
our staff then we’re not doing our job. Do we know EVERY site they use? No. The 
key phrase is “commonly used”.

 

Dave

_____________________________________________

Sent: Thursday, June 07, 2012 7:23 AM
To: David Lum 
Subject: RE: To notify, or not notify (LinkedIn)

 

 

David,

Thank you for your follow up and feeling concerned about our reaction.  Let me 
state, I wasn’t upset with the decision, I think what you did was a good thing. 
 Here’s the angle I am coming from:

 

*       How do we make the decision about what gets sent out and what doesn’t
*       Is Service Desk expected to field calls regarding non-NWEA items 
(LinkedIn for example)

 

I am not trying to knock the fact we sent it out, even if I was acting in a 
joking manner yesterday.  What I am trying to do is play the other side and ask 
questions that I feel really do need to be asked.  Where do we stop?  Yesterday 
when we were all talking, Dropbox was tossed out and it didn’t seem to get the 
same response as LinkedIn.  Several users are utilizing Dropbox and putting 
company property/product on that site.  If it was hacked, that would be a lot 
worse than losing your “online resume” from LinkedIn, in my opinion.  


So what I am trying to drill down to is: how do we make these decisions, how do 
we support this when they happen and do we need to survey the Org and find a 
“list” of all the business related apps/sites and actively monitor them?

 

And if all this is “above my pay grade”, then disregard my 7:00 am rambling :)

 

 

~ Finally, powerful endpoint security that ISN'T a resource hog! ~
~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/>  ~

---
To manage subscriptions click here: 
http://lyris.sunbelt-software.com/read/my_forums/
or send an email to listmana...@lyris.sunbeltsoftware.com
with the body: unsubscribe ntsysadmin

