Human Nature vs. Security
Daniel Hanson, 2004-03-29

Social engineering in the latest crop of viruses has people jumping through hoops to open malicious attachments. How do we change the pattern?

A technical solution to part of the problem... 2004-04-01
Roger
"In fact we are almost back at the point where plain text email is the only option to get through gateways"

I once worked at a place where we realised this years ago. Just as HTML mail was appearing, we decided it was a revolting and stupid idea, and managed to get our CIO (who was fairly clueless) to sign off on a policy of forbidding any non-approved mail types. Then we made a qmail filter that searched for non-approved MIME types OR file extensions, and replaced them with a little harangue. And we (in the IT department) got to make up the approved type list. There were only three allowed:
* plain text.
* JPEGs.
* "xyz" files.
xyz files meant Zip files (or in principle anything, actually) that had had the three letter extension manually changed to a secret three letter combination before attachment. The secret extension was changed from time to time, and was only released to users who had displayed general cluefulness.

This meant:
* the mail system and mail storage servers became dramatically more efficient
* complaints about MS Office version control issues disappeared
* security problems related to email practically vanished
* in the next six months, there was only ONE virus incident (from hundreds of users), which was someone bringing in an ancient boot sector virus on a floppy and getting instantly stopped by the AV software
* sending attachments is still possible if genuinely required
* incoming attachments (other than JPEGs) are possible only by prior arrangement, thus total immunity to all the common Outlook automailing virii.
* incoming attachments have to be manually processed in a way that clueless users don't even understand, and that reminds the clueful users of the possible hazards in what they are doing.

There was considerable moaning for a while, especially from the legal department which had formerly been in the habit of sending 25 MB Word files (with about 20 words of actual content) and thought they would be disgraced in the eyes of their professional colleagues if forced to use text. However, the CIO was able to show the dramatic improvements in the mail system, and they were told to shut up and learn to use "save as text".

In short, "plain text email is the only option" is actually a very workable solution.


Link to this comment: http://www.securityfocus.com/comments/columns/231/25667#25667
Copyright 2009, SecurityFocus