What, exactly, is the benefit to a trading desk @ a hedge fund (the
client in question) of allowing access to Facebook? Seriously, outside
of sales and marketing, who needs Facebook @ work?

The risks are:

1: Drive-by malware.

2: Unauthorized and untraceable communications that may violate SEC
rules regarding insider trading (same reason IM isn't allowed).

E-Mail is required for business, scanned, disinfected, and logged to
comply with security and compliance risk.

So, the decision to not allow sites that are known security risks, and
contribute nothing to the business, is a pretty easy one.


>-----Original Message-----
>From: Hubbard, Dan [mailto:[email protected]]
>Sent: Thursday, May 28, 2009 5:23 PM
>To: Tomas L. Byrnes; 'Dan Kaminsky'
>Cc: '[email protected]'; '[email protected]'
>Subject: RE: [funsec] C-level execs ignorant of Web 2.0 dangers
>
>Email is a bastion of badness. Do you block access to *all* email? How
>about IM? Or the Web in general?
>
>My .02: The debate should be if the risk outweighs the benefit. My
>opinion is that in most cases the answer is no. There is a lot of
>benefit to companies to open these up. Yes, of course they need to
>invest in security to protect against the problem but that is no
>different than other areas, it's just a new vector.
>
>-----Original Message-----
>From: [email protected] [mailto:[email protected]]
>On Behalf Of Tomas L. Byrnes
>Sent: Thursday, May 28, 2009 1:56 PM
>To: Dan Kaminsky
>Cc: [email protected]; [email protected]
>Subject: Re: [funsec] C-level execs ignorant of Web 2.0 dangers
>
>When I've explained to the users how Facebook, Myspace and other such
>sites are ways for malware authors to "drive by" them, I've had no
>resistance to blocking them. Now, it helps that in the most recent case,
>they had actually been infected using just that vector.
>
>>-----Original Message-----
>>From: Dan Kaminsky [mailto:[email protected]]
>>Sent: Wednesday, May 27, 2009 11:06 PM
>>To: Tomas L. Byrnes
>>Cc: <[email protected]>; <[email protected]>
>>Subject: Re: [funsec] C-level execs ignorant of Web 2.0 dangers
>>
>>I've been informed, very off the record, that large companies that
>>block Facebook at work have serious employee retention and acquisition
>>problems directly because of it.  I'm dead serious.
>>
>>On May 28, 2009, at 6:49 AM, "Tomas L. Byrnes" <[email protected]> wrote:
>>
>>> C - level parsed correctly means Clue MINUS level. Since level is the
>>> highest in the company, you do the math.
>>>
>>>> -----Original Message-----
>>>> From: [email protected] [mailto:[email protected]]
>>>> On Behalf Of Rob, grandpa of Ryan, Trevor, Devon & Hannah
>>>> Sent: Monday, May 25, 2009 3:49 PM
>>>> To: [email protected]
>>>> Subject: [funsec] C-level execs ignorant of Web 2.0 dangers
>>>>
>>>> http://www.itworldcanada.com/Pages/Docbase/ViewArticle.aspx?id=idgml-9e7f4ffd-70b7-4120&Portal=448d158c-d857-4785-b759-ffa1c005933c&sub=7345
>>>>
>>>> C-level executives are pushing for greater access to social
>>>> networking sites and facilities, while even IT managers and
>>>> security specialists are unprepared to deal with the full range
>>>> of risks from this type of activity.
>>>>
>>>> In order to get some traction with senior management on this issue,
>>>> you might want to remind them that, when they take off with funds
>>>> they've obtained via fraud, it's best not to post boasts on Facebook:
>>>>
>>>> http://www.smh.com.au/news/technology/web/2009/05/25/1243103468196.html
>>>>
>>>> ======================  (quote inserted randomly by Pegasus Mailer)
>>>> [email protected]     [email protected]
>>>> [email protected]
>>>> The real problem is in the hearts and minds of men. It is not a
>>>> problem of physics but of ethics. It is easier to denature
>>>> plutonium than to denature the evil from the spirit of man.
>>>>                                                  - Albert Einstein
>>>> http://victoria.tc.ca/techrev/rms.htm
>>>> http://blog.isc2.org/isc2_blog/slade/index.html
>>>> http://twitter.com/rslade
>>>> http://blogs.securiteam.com/index.php/archives/author/p1/
>>>> _______________________________________________
>>>> Fun and Misc security discussion for OT posts.
>>>> https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
>>>> Note: funsec is a public and open mailing list.
>
