Re: New IE flaw and exploit sites/migration to non-MS browser

Sometimes they are in banner ads and you just don't know.  I don't have 
enough hours in the day to build a "white list" of trusted business 
sites that my firm needs to use given the needs of my business.

This is the fundamental argument where the security guys need to 
understand that I don't build or use tanks, warfare or other military 
like stuff.  I run a business.  I evaluate based on risk, not on black 
and whites of security.  I deal with being good enough and "reasonable" 
security measures...not absolutes.

But yes, everyone in my office has and has signed an acceptable use 
policy... there are samples of such on the SANS.org web site (click on 
the policy button at the top)

Besides...unless you are signed up with Websense... exactly "how" do you 
know what that list of sites are?






Thomas W Shinder wrote:

> A more important issue is the AUP your company has. If you are
> *enabling* users to access compromised sites, then there's a problem
> with AUP, or your network infrastructure team thinking they understand
> security.
>
> Have off network security to network security personnel who understand
> application layer inspection and outbound access control based on
> user/group membership.
>
> Thomas W Shinder, M.D.
> Site: www.isaserver.org
> Blog: http://blogs.isaserver.org/shinder/
> Book: http://tinyurl.com/3xqb7
> MVP -- ISA Firewalls
>
>
>
>  
>
> > -----Original Message-----
> > From: Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP] 
> > [mailto:sbradcpa@pacbell.net] 
> > Sent: Friday, March 31, 2006 5:08 PM
> > To: bkfsec
> > Cc: Murad Talukdar; focus-ms@securityfocus.com
> > Subject: Re: New IE flaw and exploit sites/migration to non-MS browser
> >
> > How many of you are running as non admin?  Used the Group policy to 
> > adjust and allow approved active X?
> >
> > Now I'm no coder...but from threads I've seen.... Firefox's 
> > Extensions 
> > are ripe for fun and excitement.
> >
> > Is it IE that's insecure?  Or how the workstations are setup in the 
> > first place?
> >
> >
> > bkfsec wrote:
> >
> >    
> >
> > > Murad Talukdar wrote:
> > >
> > >      
> > >
> > > > On a related note--how many people have initiated a move 
> > > >        
> > away from IE to
> >    
> >
> > > > Firefox/Opera etc in a corporate environment, due to the 
> > > > perception(is it
> > > > JUST a perception or reality based?) that IE is less secure/more 
> > > > prone to
> > > > exploits?
> > > >
> > > >
> > > >
> > > >        
> > > We have in certain areas.  It's very much reality-based that IE is 
> > > less secure and more prone to exploit than other browsers, for a 
> > > number of reasons, not the least of which is IE's 
> > >      
> > architectural tie-in 
> >    
> >
> > > with the MS Windows operating system.
> > >
> > >            -bkfsec
> > >
> > >
> > >
> > >
> > >      
> > --------------------------------------------------------------
> > ------------- 
> >    
> >
> > >      
> > --------------------------------------------------------------
> > ------------- 
> >    
> >
> > >      
> > --
> > Letting your vendors set your risk analysis these days?  
> > http://www.threatcode.com
> >
> >
> > --------------------------------------------------------------
> > -------------
> > --------------------------------------------------------------
> > -------------
> >
> >
> >
> >    
>
>  

--
Letting your vendors set your risk analysis these days?  
http://www.threatcode.com


---------------------------------------------------------------------------
---------------------------------------------------------------------------