I recommend that you put it in a memorandum format and make the boss actually sign it with his own hand; if he won't, then forward it to your legal department/compliance department if you have one. I agree, always CYA yourself first.
Z

Edward E. Ziots
CISSP, Network +, Security +
Network Engineer
Lifespan Organization
Email:ezi...@lifespan.org
Cell:401-639-3505

-----Original Message-----
From: John Cook [mailto:john.c...@pfsf.org]
Sent: Thursday, February 10, 2011 2:41 PM
To: NT System Admin Issues
Subject: Re: IPhone attack reveals passwords in six minutes

We all know you can't solve stupid! That being said I can document that I told them to follow the protocol, my a$$ gets covered first!

John W. Cook
Systems Administrator
Partnership for Strong Families

----- Original Message -----
From: Ziots, Edward <ezi...@lifespan.org>
To: NT System Admin Issues <ntsysadmin@lyris.sunbelt-software.com>
Sent: Thu Feb 10 14:33:23 2011
Subject: RE: IPhone attack reveals passwords in six minutes

John, but you know how much users, follow directions, <=0, we've been in this game far too long to know better. It's basically trying to stop stupid, but even trying to remote wipe, if they have slipped the SIM card or battery, you aren't getting a wipe, and the data (unencrypted) is gone, which in some states is a breach notification time.

So how comfortable in a risk-based proposition do we all feel about this going forward, hopefully not good enough that some careful thoughts and discussions about the risks they are taking (Business/Management) (if they accept them, they do, it's the business choice) but the financial fallout could be the undoing, along with the liability and tarnished company image, etc etc.

Make the business accept the risk (in writing) after carefully discussing the issues and documenting them, which is your CYA if things go wrong, it will be only the folks that accepted the risk in a court of law answering for the lack of due care and due diligence with company resources and people's critical information when all is said and done.

Word to the wise, I see this and things like it as the next new "ticking" timebomb just waiting to go off...

Z

Edward E. Ziots
CISSP, Network +, Security +
Network Engineer
Lifespan Organization
Email:ezi...@lifespan.org
Cell:401-639-3505

-----Original Message-----
From: John Cook [mailto:john.c...@pfsf.org]
Sent: Thursday, February 10, 2011 2:23 PM
To: NT System Admin Issues
Subject: RE: IPhone attack reveals passwords in six minutes

We give each user explicit directions to call us first then the Police so we have a shot at wiping it ASAP.

-----Original Message-----
From: Ziots, Edward [mailto:ezi...@lifespan.org]
Sent: Thursday, February 10, 2011 2:13 PM
To: NT System Admin Issues
Subject: RE: IPhone attack reveals passwords in six minutes

Two more words, "NO Battery" = NO remote Wipe, therefore dispense with that fallacy that it's going to save you, because it doesn't do a secure wipe of the drive itself, which allows an attacker with the phone to basically hook it up to a device offline and download the information on the phone and do what they want with it.

Aaron Turner of the IANS faculty is a subject matter expert in these areas and has put on a lot of talks, and the news is pretty grim atm. Basically storing any type of sensitive information on the BB, Android, iPhone, etc etc is like playing Russian roulette with a loaded gun pointed straight at your face, one of these times it isn't going to go well for you.

But this is the risk that businesses continue to take over and over again, because the users are clamoring for these devices, and the functionality they bring, but are clearly blind to the security and information disclosure aspects and how the loss, theft of data could be the business's undoing.

Sincerely,
EZ

Edward E. Ziots
CISSP, Network +, Security +
Network Engineer
Lifespan Organization
Email:ezi...@lifespan.org
Cell:401-639-3505

-----Original Message-----
From: S Powell [mailto:powe...@gmail.com]
Sent: Thursday, February 10, 2011 12:10 PM
To: NT System Admin Issues
Subject: Re: IPhone attack reveals passwords in six minutes

two words. remote wipe.
Yep, big security issue, but if someone has physical control of your device, any device, you should always consider it compromised.

@THIS STATMENT IS VERIFIABLY INCORRECT

On Thu, Feb 10, 2011 at 08:40, David Lum <david....@nwea.org> wrote:
> What I don't know is if this phone OS is any worse than anything else in
> use. Anyone care to comment?:
>
> "Among passwords that could be revealed were those for Google Mail as an MS
> Exchange account, other MS Exchange accounts, LDAP accounts, voicemail, VPN
> passwords, WiFi passwords and some App passwords"
>
> http://www.computerworld.com/s/article/9208920/IPhone_attack_reveals_passwords_in_six_minutes?taxonomyId=85
>
> David Lum // SYSTEMS ENGINEER
> NORTHWEST EVALUATION ASSOCIATION
> (Desk) 503.548.5229 // (Cell) 503.267.9764
>
> ~ Finally, powerful endpoint security that ISN'T a resource hog! ~
> ~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/> ~
>
> ---
> To manage subscriptions click here:
> http://lyris.sunbelt-software.com/read/my_forums/
> or send an email to listmana...@lyris.sunbeltsoftware.com
> with the body: unsubscribe ntsysadmin
CONFIDENTIALITY STATEMENT: The information transmitted, or contained or attached to or with this Notice is intended only for the person or entity to which it is addressed and may contain Protected Health Information (PHI), confidential and/or privileged material. Any review, transmission, dissemination, or other use of, and taking any action in reliance upon this information by persons or entities other than the intended recipient without the express written consent of the sender are prohibited. This information may be protected by the Health Insurance Portability and Accountability Act of 1996 (HIPAA), and other Federal and Florida laws. Improper or unauthorized use or disclosure of this information could result in civil and/or criminal penalties. Consider the environment. Please don't print this e-mail unless you really need to.