On 3/9/14, 2:28 PM, Paul Syverson wrote:
> I understand that many organizations are dysfunctional and don't use
> common sense, but that isn't something to recommend. Solving such
> dysfunction is hard, highly contextual, and I'm not pretending it is
> something for which I have expertise. But there are still very simple
> things security folks can do if dysfunction has not gone off the
> deep end. Selective, short-lived blocking based on incidents is
> different from permanent blocks, as Andrew commented, speaking as
> former head of IT of a global company. Similarly having a perimeter
> rule-set that includes requiring authentication, or solving a CAPTCHA,
> or whatever is specifically appropriate based on IP address rather
> than just permanent blocks as I commented.
While I understand and agree from the technical point of view, this approach does not scale up because of a matter of effort. Having additional authentication or solving a CAPTCHA is something that usually requires modifying the application. Modifying an application in a large enterprise means that someone needs to:
- convince the product manager of the application that this is a valuable feature
- allocate a budget for this additional "functional requirement"
- prioritize it so it does not end up in the "never to be implemented requirements"

So the "Security Department" cannot do anything directly in this process other than "blocking at the perimeter", using functionality they already have in their Firewall/IPS, usually by clicking a couple of checkboxes. Unless we are clearly able to demonstrate the business value of avoiding IP-based blocking and switching to application-level enforcement, the IT Security product vendors' built-in features will win.

Probably the Tor Project could work on creating a set of CIO- and CISO-focused papers, explaining the business value of improving the accessibility of their enterprise applications and services to users using Tor. But that does require an important advocacy and lobbying activity to be done within the Information Security and IT Security world, reasonably focusing on senior and middle management. The manager will always ask "Show me the numbers, show me the best industry practices". That's probably what we need in order to feed the cat.

Fabio
-- 
tor-talk mailing list - [email protected]
To unsubscribe or change other settings go to https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk
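The three perimeter policies the thread contrasts (the vendor-checkbox permanent IP block, Paul's selective short-lived block triggered by incidents, and an address-keyed rule that demands authentication or a CAPTCHA instead of denying), written out as an added illustration. This is not code from the thread, from Tor Project, or from any firewall product; the exit addresses, the log format ("timestamp ip path status") and the log lines are constructed for the example, and the thresholds are arbitrary assumptions.

```python
import re
from collections import defaultdict, deque

# Constructed stand-ins for a Tor exit list (documentation/test-net ranges).
TOR_EXITS = {"192.0.2.10", "198.51.100.7"}

# Constructed access-log lines: "<timestamp-seconds> <client-ip> <path> <status>".
# One listed address fails login five times, then comes back twice.
LOG_LINES = [
    "0 192.0.2.10 /login 200",
    "1 192.0.2.10 /login 401",
    "2 192.0.2.10 /login 401",
    "3 192.0.2.10 /login 401",
    "4 192.0.2.10 /login 401",
    "5 192.0.2.10 /login 401",
    "6 203.0.113.5 /index 200",
    "7 198.51.100.7 /index 200",
    "10 192.0.2.10 /index 200",
    "70 192.0.2.10 /index 200",
]

LINE_RE = re.compile(r"^(\d+) (\S+) (\S+) (\d{3})$")


def parse(line):
    """Split one constructed log line into (ts, ip, path, status)."""
    m = LINE_RE.match(line)
    if not m:
        raise ValueError(f"unparseable log line: {line!r}")
    ts, ip, path, status = m.groups()
    return int(ts), ip, path, int(status)


def permanent_block(ip):
    """The 'couple of checkboxes' policy: deny every request from a listed address, forever."""
    return "block" if ip in TOR_EXITS else "allow"


def challenge(ip):
    """Address-keyed perimeter rule: listed addresses must authenticate or solve a
    CAPTCHA before reaching the application; nobody is denied outright."""
    return "challenge" if ip in TOR_EXITS else "allow"


class IncidentBlocker:
    """Selective, short-lived block: an address is denied only after `threshold`
    failed logins within `window` seconds, and only for `ttl` seconds (assumed values)."""

    def __init__(self, threshold=5, window=30, ttl=60):
        self.threshold = threshold
        self.window = window
        self.ttl = ttl
        self.failures = defaultdict(deque)   # ip -> timestamps of recent failures
        self.blocked_until = {}              # ip -> expiry timestamp of its block

    def decide(self, ts, ip, path, status):
        until = self.blocked_until.get(ip)
        if until is not None:
            if ts < until:
                return "block"
            del self.blocked_until[ip]       # block has expired, address is clean again
        if path == "/login" and status == 401:
            q = self.failures[ip]
            q.append(ts)
            while q and q[0] < ts - self.window:
                q.popleft()                  # forget failures outside the window
            if len(q) >= self.threshold:
                self.blocked_until[ip] = ts + self.ttl
                q.clear()
        # The request that trips the threshold was already served; the block
        # applies from the next request onward.
        return "allow"


def run_policies(lines):
    """Return the per-request decision of each policy over the constructed log."""
    incident = IncidentBlocker()
    out = {"permanent": [], "incident": [], "challenge": []}
    for line in lines:
        ts, ip, path, status = parse(line)
        out["permanent"].append(permanent_block(ip))
        out["challenge"].append(challenge(ip))
        out["incident"].append(incident.decide(ts, ip, path, status))
    return out


if __name__ == "__main__":
    for name, decisions in run_policies(LOG_LINES).items():
        print(f"{name:10s} {' '.join(decisions)}")
```

Run over the constructed log, the permanent policy denies every request from both listed addresses, including the harmless ones; the incident policy touches only the address that actually misbehaved, and only until its block expires (the request at t=70 is allowed again); the challenge policy never denies anyone and instead pushes the listed addresses through authentication or a CAPTCHA, which is exactly the part that needs the application (or a reverse proxy in front of it) to do more than a firewall checkbox.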
