I would enforce most of it if policy allowed, but in the absence of
any written policy (which is my current situation), I can't. Were it
in my power to actually set policy, things would be much different.

At the very least, I'd love to be able to implement the top 4 controls
- patch the OS, patch the applications, remove administrator access
from end users and only allow whitelisted applications (of which we do
a good job on the first, a mediocre job on the second, and get a flat
failure on the last two - I'm in the process of improving the second
by getting Adobe and Java patching up to speed). If I could have just
those, life would be 10 times easier than it is now.

All I can do is educate, and since I'm mostly limited to that, the
effort is basically futile, because using the Internet for most folks
is like leaving a three year old within sight of an active quarry with
no fences - they don't have the skills or judgement to play safely in
the field next to it and not be attracted to (or to navigate) the
cliffs, ponds and heavy machinery in the quarry, because they lack the
experience and training that most of us on this list have
acquired.

For instance, on trusted source - I've learned that downloading
software from CNET or other repositories is a great way to get pwned,
yet staff keep downloading and installing random software onto
machines because, well, the gods only know why, really - nothing
they've ever said to me makes any sense as a reason for installing the
multitudinous crap I've seen. Ditto for user interaction with any
number of other sources of data, whether nominally executable or not,
web sites most especially included.

So, basically, any source is untrusted until I've personally vetted
it, and feel comfortable with it.

Likewise on leaving scripting on by default in browsers. Most
commercial web sites use third party resources to track and advertise
and provide rich experience. None of that is trusted until I've
personally experienced it and played with it for a while. In most
cases, if the site uses its own CDN, I'll whitelist that CDN for that
web site. Other than that, not so much.

The best I can do when someone has a pwned machine is say "sucks to be
you - if you paid attention when I was talking it wouldn't have
happened", then wipe their machines and let them start over, after
asking them a few questions to see if I can figure out how it happened
and tell them not to do that anymore - which they promptly ignore.

The battle is lost - or at least it is until management says we can
try to win it. The most I can safely say is that my accounts, and the
computers on which I'm the sole operator, are far less likely to be
compromised than end-user accounts and computers.

Frustrating, but true...

Kurt

On Wed, Apr 17, 2013 at 3:48 PM, Jonathan Link <jonathan.l...@gmail.com> wrote:
> You do that.  Do you enforce that down to your users?  All of that?
> What is an untrusted source?
>
>
> On Wed, Apr 17, 2013 at 4:42 PM, Kurt Buff <kurt.b...@gmail.com> wrote:
>>
>> On Wed, Apr 17, 2013 at 1:19 PM, Jonathan Link <jonathan.l...@gmail.com>
>> wrote:
>> > On Wed, Apr 17, 2013 at 4:07 PM, Kurt Buff <kurt.b...@gmail.com> wrote:
>> >>
>> >> On Wed, Apr 17, 2013 at 12:27 PM, Ben Scott <mailvor...@gmail.com>
>> >> wrote:
>> >> > On Wed, Apr 17, 2013 at 2:43 PM, Michael B. Smith
>> >> > <mich...@smithcons.com> wrote:
>> >> >> IOW: Security is for the MANAGEMENT of risk and MITIGATION of same.
>> >> >> For
>> >> >> real
>> >> >> world systems, and usage of them, there is no such thing as perfect
>> >> >> security.
>> >> >
>> >> >   That's true, too, but the point Munroe is trying to make is that a
>> >> > lot of people lose track of the forest for the trees.  They get so
>> >> > caught up in protecting the computer that they forget why they're
>> >> > protecting it.
>> >>
>> >> If that's the case, then he didn't make his point at all clear.
>> >
>> > It was pretty clear to me, and coincidentally (or not!) his image looks
>> > like
>> > a tree.  Never mind the fact that most professionals are saying don't run
>> > as
>> > admin.  OK, so they're not.  Does that mean they are protected?
>> > Protected
>> > from what?  Not getting a more pervasive infection, sure.  But malware
>> > writers are dropping the .exe's in userland and doing stuff with the
>> > data
>> > they access.  How do you protect that data, when the person who's been
>> > infected, is the person who needs access to the data?
>> >
>> > Thought it was pretty clear, to be honest.
>>
>> Apparently I'm dense, then.
>>
>> I protect all of my accounts, privileged or not, in the same ways, and
>> have been doing so for so long that it's completely natural to me. It
>> just feels unnatural not to do so.
>>
>> No running executables from untrusted sources, turn off scripting in
>> my browsers, view all email as plain text, no remembering/caching of
>> passwords in browsers, using a unique password per web site and per
>> other accounts, regular clearing of cookies, no linking of accounts
>> between web sites, running current AV, no browsing with elevated
>> accounts, laptops have full disk encryption, etc., etc., etc.
>>
>> Kurt
>>
>> ~ Finally, powerful endpoint security that ISN'T a resource hog! ~
>> ~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/>  ~
>>
>> ---
>> To manage subscriptions click here:
>> http://lyris.sunbelt-software.com/read/my_forums/
>> or send an email to listmana...@lyris.sunbeltsoftware.com
>> with the body: unsubscribe ntsysadmin
>
>
