Security Basics: Re: Survey: Chat and IM

["Johannes Ullrich" <jullrich () euclidian com>]

> We currently are allowing web based chat and instant messaging.  I know
> that there are lots of security issues involved with its usage.  The IT
> folks are telling me that it is a common practice in the industry.  I
> have a hard time believing this and this is one battle I would like to
> take on.
Same argument: sh*t must taste good. billions of flies can't be wrong.

However, approach this battle carefully. Ask, what the business
requirements are to use IM. There may be some valid reasons (collaboration
with remote offices ...). If there are none, try to find existing policies
that may apply (personal phone calls...). If there are valid business 
reasons, try to offer alternatives (jabber...)

If you use this to sharpen your 'battle skills', try to approach this
from a positive site. Basically, try to find out how IM is used and
try to find alternatives that work better to fulfill this function.
If there is no business need, explain to management how it lowers
productivity and increases risk. Try to make it so you end up solving 
a problem and try to avoid just being the nay-sayer.




-- 
--------------------------------------------------------------------
jullrich () euclidian com             Collaborative Intrusion Detection
                                         join http://www.dshield.org

Attachment: _bin
Description: