[Dshield] web access list

Kenton Smith ksmith at chartwelltechnology.com
Wed Jun 30 16:20:43 GMT 2004


This is always a contentious issue but one I'm very wary of.

Do you have a management approved policy in place to implement something
like this (and by management approved I mean CEO/CFO/COO level)?
Who gets to decide what sites are legitimate or not?
Do you have a way of monitoring your network for people using other browsers
and other means of accessing the Internet?
Are you sure this will prevent the problem? The latest is that some major
financial institutions web sites have been hacked; what happens when your
accounting staff goes to their bank site (using unpatched IE) and the
company's financial information is stolen?
Are you blocking IM, IRC, P2P etc? If not, you could get infected that way
too.

If people want to, they're going to find a way around this type of system
and you need to make sure that complacency doesn't set in. "Patch for that?
Oh, no we don't have to worry; they couldn't get to that site anyway."

My CDN $0.02 worth,

Kenton

-----Original Message-----
From: list-bounces at lists.dshield.org [mailto:list-bounces at lists.dshield.org]
On Behalf Of Guy Barnum
Sent: Tuesday, June 29, 2004 12:53 PM
To: list at lists.dshield.org
Subject: [Dshield] web access list

I'm reading the latest Computer World security roundup:
 http://www.computerworld.com/newsletter/0,4902,94125,00.html?nlid=SEC 

and towards the bottom you'll notice two MS vulnerabilities mentioned,
one without a patch.  With this text in the article "Microsoft hasn't
yet positively identified the flaw being exploited" and another huge
web-wide credit card hack mentioned in the same Computer World mailing I
have to wonder what you guys are doing to protect your surfers.

I know there is no secure computer other than the one boxed up in your
closet.  To keep the pc's out of the closet my current idea is to make a
list of authorized web sites that I'll allow users to visit.  When they
have a new site they need access to they can email the IT Dept. to have
it authorized and added to the list.  Overhead danger right?  Well we're
a small shop and I can get away with it but even with a bigger
organization what's going to cost more, allowing people to surf
unfettered trashing their pc and eventually the network?  Or put man
hours into filtering and authorizing a web access list?

IMHO firewalls and AV wares are going to continue falling further behind
(drastically) in their ability to detect or stop internet born threats.
Users might think its draconian, choking off their web usage, but if
your IT Dept. has the pull to make it happen it seems like the best
compromise to putting the pc's back in the boxes that I can think of.

Does anyone on this list currently make an authorized surfing list like
this?  Any problems or suggestions with this kind of plan?  What are
your thoughts?

Guy
_______________________________________________
list mailing list
list at lists.dshield.org
To change your subscription options (or unsubscribe), see:
http://www.dshield.org/mailman/listinfo/list




More information about the list mailing list