About InfoWorld : Advertise : Subscribe : Contact Us : Awards : Events : Store
InfoWorld HomeNewsTest CenterOpinionsProduct GuideTechIndex
 COLUMN ARCHIVE  FORUMS
 

COLUMN

 
Security Advisor
P.J. Connolly

Banning attachments is like tying an arm behind your back and expecting results

IN THE WAKE of the Visual Basic Script (VBS) SST, or Anna Kournikova e-mail virus, a lot of ink and toner -- some of it mine -- has been spilled on ways to foil future incidents. Many of the solutions are simple, obvious ones that fall under the category of "due diligence" and include installing application and OS patches and keeping anti-virus software up-to-date. More elaborate precautions such as adding virus protection to e-mail servers and modifying system policies also are advisable. For a discussion of the nuts-and-bolts of securing your e-mail systems, take a look at recommendations I made in my column last week.

   ADVERTISEMENT
  

Free IT resource

Virtualization Insights from Top Experts - Learn how virtualization gets real!

Sponsored by Dell

Free IT resource

TechNet: More ways to know it, share it, and keep it running.

Sponsored by Microsoft

RELATED LINKS
»  IE 7 bug reopens debate over patch responsibilities
»  Woman ordered to pay for file-sharing will appeal
»  McAfee to buy SafeBoot for $350M
»  Security RSS feed 

IDG ENTERPRISE NETWORK
Research Reports  (CIO)
Ask the Expert  (CIO)

TOP NEWS 


IT SOLUTION SEARCH
File attachments to e-mail are coming in for an unfair share of the blame in cases such as SST, which is like blaming the diskette for carrying a boot sector virus. Some IT managers have gone to the ludicrous step of completely banning e-mail attachments from their systems. I'd bet the guys who thought up those policies are really proud of themselves. They should be; this is a proactive step that makes them look like they're willing to take drastic action to protect company assets.

While these hard-nosed, take-charge types pat themselves on the back, I'm wondering how many employees at their shops access browser-based e-mail or instant messaging and are using them without the knowledge of the IT big shots? I'm wondering how many have modems and access to analog lines as backup to the corporate Internet connection?

After all, it's great to be stopping malicious code at the firewall, but we humans are clever and will dodge obstacles in our path. Think about the trouble the CIA has had with their former chief spook, John Deutch, who may have mishandled hundreds of classified documents on unsecured home computers with Internet access (only to be pardoned by outgoing President Bill Clinton). If IT doesn't allow us to move files via the corporate e-mail system, we'll find a way around it even if we're unwittingly compromising security. Do these anti-attachment zealots honestly believe it's better to move files via FTP than via an e-mail system with anti-virus protection?

For many people, file attachment is the best thing about e-mail (I don't know how I'd function without it). Every few months, I delete the stale items, saving myself the paper cuts I'd get from shuffling through a mountain of press kits. At the risk of being called a tree-hugger, I'll even add that e-mail attachments probably save a few trees every year, although I don't believe in the "paperless office" -- yet.

That aside, one of the primary reasons for e-mail and networking computers was to do away with SneakerNet. Shops with a no-attachment policy might also want to consider disconnecting those pesky CD and floppy drives to eliminate other sources of infection. Here's another idea: Maybe the truly proactive security manager should insist that the openings of all CD and floppy drives on desktop computers be glued shut.

A much more realistic approach to the problem of the current crop of e-mail viruses is to apply the available patches. The SST incident wasn't as nasty as the LoveBug virus, in part because patched systems weren't affected, period. The ignorant, overworked, or sloppy seem to be the ones who were bitten. But even an overworked IT department has had months to make sure that the patches were on corporate systems and to assist home and remote workers with the task of hardening their systems.

The big problem isn't file attachments; it's the consultants, home office users, and telecommuters who pose trouble. It's not enough to ask the telecommuter to make sure the computer she uses is secure; all computers in the household have to be patched.

Just as King Canute commanded the tides to halt in vain as a demonstration of the difference between the powers of God and the power of kings, the believers in a no-attachment policy are ignoring the water lapping at their knees. Attachments aren't a "necessary evil," but an effective way for users of heterogeneous systems to transfer files. If we wanted text-only e-mail, then we should have stuck with PROFS. So if you're worrying about file attachments in e-mail but don't know if your Windows systems have the latest patches, it's time to get your priorities in order, and fast.


P.J. Connolly asks that you send comments, not e-mail pictures of your favorite tennis star, to pj_connolly@infoworld.com.




RELATED SUBJECTS

Security
MORE >


SPONSORED WHITE PAPERS
EMC - Lower costs and improve reliability-Get the EMC CLARiiON white paper!
Ciphertrust - Are you ready for Sobig.G? Learn how to protect your email systems.
CDW - Personal attention. CDW. The Right Technology. Right Away.
EMC - Explore key performance features and capabilities of EMC ControlCenter 5.1.1.
Intel - Free Intel white paper shows you how to deploy a secure wireless LAN
Cisco - FREE WHITE PAPER: BLUEPRINT to design and implement secure VPNs
Verity, Inc. - "Mass Consolidation Hits the Web-Search Market"
McDATA - Download a FREE storage consolidation white paper from McDATA(R).
Lucent Technologies - Overcoming Common Firewall Limitations
Lucent Technologies - Leverage Your Mobile High Speed Data Access. Download Free White Paper!
Nokia - Get the scoop! Mobilizing business white papers & case studies.
BMC Software - Maximize the Potential of Enterprise Data: Free white paper!
Network Associates - Free white paper - Strategies for Optimizing Network Costs and Benefits
Entrust - Manage identities across applications. Improve productivity.
Stalker Software - CommuniGate Pro - Transform your Email and Calendaring
Remedy - A NEW Gartner Research Note:Producing Quality IT Services

Search the IDG White Paper Library:


SPONSORED LINKS

INFOWORLD MARKETPLACE


» IT Compliance Conference: Nov. 5-7 in San Diego
Best Practices, Peer Experiences, & Expert Advice for Building a Defensible IT Compliance Program
» FREE Sophos Threat Detection Test
Is your AV catching everything it should? Free virus, spyware and adware scan.
» IT Audit Checklists
Prepare for your next internal IT audit. Checklists cover security, risk management, PCI, and more.
» FREE White Paper: Mitigating Rock Phish Attacks
Standard anti-phishing methods cannot defeat complex Rock Phish attacks. Learn how to fight back...
» Apply BPM and ITIL at your IT Help Desk
ServiceWise brings BPM to complete IT service while eliminating integration cost. Learn more here.

 HOME  NEWS  TEST CENTER  OPINIONS  PRODUCT GUIDE  TECHINDEX   About : Advertise : Subscribe : Contact Us : Awards : Events 

Copyright © 2008, Reprints, Permissions, Licensing, IDG Network, Privacy Policy

All Rights reserved. InfoWorld is a leading publisher of technology information and product reviews on topics including viruses, phishing, worms, firewalls, security, servers, storage, networking, wireless, databases, and web services.

Computerworld :: Network World :: CIO :: PC World :: Darwin :: CMO :: CSO
IT Careers :: JavaWorld :: Macworld :: Mac Central :: Playlist :: GamePro :: GameStar :: Gamerhelp
ITWorld Canada :: Computerwoche :: Techworld UK :: tecChannel :: IDG.se :: IDG.no