
Ask Slashdot: How To Communicate Security Alerts?

Soulskill posted about 6 months ago | from the your-computer-is-broadcasting-an-ip-address dept.

Communications 84

Capt.Michaels writes: "I need to start sending security alerts and warnings to employees at my somewhat sizable company. My problem: I'm not sure how to send these alerts without freaking everyone out and causing the help desk to get flooded with phone calls. For example, let's take the current Internet Explorer exploit that caused US-CERT to recommend switching browsers. I don't want everyone killing our limited help desk with ridiculous questions like, 'I downloaded $New_Browser, how can I get my toolbar? How do I bookmark things in this browser? Can you tell me which browser you recommend?' Simply put: some vulnerabilities are worth major changes, but many aren't. If we switched software every time a new vulnerability came out, we'd never get anything done. Sooner or later, a patch will come out, and everything will be back to normal. But how do I communicate to end users that they should be aware of an issue and take extra care until it's fixed, without causing panic?"


Don't tell them. (1)

Anonymous Coward | about 6 months ago | (#46901365)

Problem solved. Just rely on your backend infrastructure.

- NSA guy

Re:Don't tell them. (1)

Jeremiah Cornelius (137) | about 6 months ago | (#46901517)

I like my method:

"FIRE!"

Re:Don't tell them. (4, Interesting)

Tuidjy (321055) | about 6 months ago | (#46902997)

They ask. They hear something from their friends and colleagues, and retain a garbled version ranging from "OMG, everything Microsoft needs to be erased!" to "Go to this website and it will fix your IE". If you are lucky, they call you before they try to do something astoundingly stupid.

I'm the IT director for an aftermarket auto-manufacturer, and we keep our Internet facing network and our production/POS/ERP networks physically separate. Each of our Internet facing PCs has IE, and a crippled version of Chrome (same idea as Iron) installed.

A few nights ago, I ran a script that stored everyone's IE bookmarks in a backup, and overwrote them with a list of fewer than twenty bookmarks, including the company's website, the banking sites for scanning checks, the website that stores our scanned invoices... you get the idea.

I sent an email instructing them to use IE only for the sites for which there is a bookmark, and use the crippled Chrome for everything else. Last night I restored the bookmarks, and while I was at it, checked a few histories here and there. People seem to have complied with the instructions. I saw only one clear violation, and it was work related, to a website that I may have added to the bookmarks, if I had thought of it.

Today, according to my assistant, there have been three calls from people who did not get their bookmarks back, and a few from people who did not know about bookmarks before, and now want the 'official list' back.

All in all, I'm glad how it went.
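The bookmark swap Tuidjy describes, written out as an added PowerShell example (this is not Tuidjy's script; the folder layout, the whitelist names and the example.com URLs are assumptions). It backs up the per-user IE Favorites folder, replaces it with a short curated list of .url shortcuts, and refuses to overwrite an existing backup so that the restore step cannot lose the originals:

```powershell
# Added example, not the poster's own script. Run in each user's context
# (for instance from a logon script) with -Mode Restrict during the alert
# and -Mode Restore once the patch is deployed. Paths and URLs are assumed.
param(
    [ValidateSet('Restrict', 'Restore')]
    [string]$Mode = 'Restrict'
)

# IE keeps bookmarks as .url files (and subfolders) under the Favorites folder.
$favorites = [Environment]::GetFolderPath('Favorites')
$backup    = Join-Path $env:LOCALAPPDATA 'IEFavoritesBackup'

# Assumed whitelist: placeholder names and URLs standing in for the site's own list.
$allowed = @{
    'Company website'     = 'https://www.example.com/'
    'Check scanning bank' = 'https://bank.example.com/'
    'Invoice archive'     = 'https://invoices.example.com/'
}

function Limit-Favorites {
    if (Test-Path $backup) {
        # A second run must not clobber the only copy of the user's real bookmarks.
        Write-Warning "Backup already exists at $backup; leaving it untouched."
        return
    }
    # Copy the whole tree (subfolders included) before emptying the live folder.
    Copy-Item -Path $favorites -Destination $backup -Recurse -Force
    Get-ChildItem -Path $favorites -Force | Remove-Item -Recurse -Force

    foreach ($name in $allowed.Keys) {
        # A .url file is an INI-style file with a single [InternetShortcut] section.
        $content = "[InternetShortcut]`r`nURL=$($allowed[$name])`r`n"
        Set-Content -Path (Join-Path $favorites "$name.url") -Value $content -Encoding Ascii
    }
}

function Restore-Favorites {
    if (-not (Test-Path $backup)) {
        Write-Warning "No backup found at $backup; nothing to restore."
        return
    }
    # Drop the curated list, put the original tree back, then remove the backup.
    Get-ChildItem -Path $favorites -Force | Remove-Item -Recurse -Force
    Copy-Item -Path (Join-Path $backup '*') -Destination $favorites -Recurse -Force
    Remove-Item -Path $backup -Recurse -Force
}

switch ($Mode) {
    'Restrict' { Limit-Favorites }
    'Restore'  { Restore-Favorites }
}
```

Only the local Favorites folder is touched; bookmarks a user keeps elsewhere (or in the other browser) are unaffected, which is why the accompanying email still has to say which sites belong in IE.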

EMET (1)

Anonymous Coward | about 6 months ago | (#46901367)

Try EMET from Microsoft.

Misleading Summary (0)

Anonymous Coward | about 6 months ago | (#46901377)

1) the recommendation was to update your browser and seek mitigation tools if possible (i.e. EMET) and, only if you were unable to employ such solutions (i.e. for the recently EoL'd WinXP), you should consider switching browsers.

2) the patch for this vulnerability was pushed yesterday, out of stream, for all affected browsers, for all Windows OS's back to and including WinXP.

-AC

Re:Misleading Summary (1)

Ungrounded Lightning (62228) | about 6 months ago | (#46901703)

2) the patch for this vulnerability was pushed yesterday, out of stream, for all affected browsers, for all Windows OS's back to and including WinXP.

So how do you download it on a windows XP box, now that official support has ended? (I just inherited one, after Microsoft dropped support, and it has mission-critical, windows XP applications on it. B-b )

Re:Misleading Summary (0, Flamebait)

Anonymous Coward | about 6 months ago | (#46901743)

The line you quoted says "including Windows XP," you god damn idiot. You either use WSUS or update.microsoft.com. You have to type the second one in the address bar of your web browser and press the Enter key. That's the one labeled "Enter". You may need to get help from an IT professional, because it may require installation of an ActiveX control to work.

Re:Misleading Summary (0)

Anonymous Coward | about 6 months ago | (#46904549)

The responses below echo my sentiments, yet I'm downmodded for calling an obvious moron a "god damn idiot." Fuck off, slashfags.

Re:Misleading Summary (1)

pr0fessor (1940368) | about 6 months ago | (#46901747)

I was under the impression it would be made available through Windows Update but it's not really very clear.

http://blogs.technet.com/b/msr... [technet.com]

Re:Misleading Summary (1)

TMYates (1946034) | about 6 months ago | (#46901969)

I saw it show up on my WSUS server today for XP on up.

Re:Misleading Summary (1)

pr0fessor (1940368) | about 6 months ago | (#46902079)

In that case deployment is a non-issue.

wsus offline (0)

Anonymous Coward | about 6 months ago | (#46903331)

http://download.wsusoffline.net/

Re:Misleading Summary (1)

GlennC (96879) | about 6 months ago | (#46902111)

Microsoft released the patch for XP as well.

It's on Windows Update, or you can download it at https://technet.microsoft.com/library/security/ms14-021 [microsoft.com]

Re:Misleading Summary (1)

Ungrounded Lightning (62228) | about 6 months ago | (#46910495)

It's on Windows Update, or you can download it at https://technet.microsoft.com/... [microsoft.com]

Thank you.

I was unsure whether the Windows Update servers had been taken down, so that some exceptional process was necessary, or just left running at the end-of-life {plus I.E. fix} patch level.

I Like Paper (1)

fullback (968784) | about 6 months ago | (#46901387)

Type it; print it; deliver it.

It worked for generations.

Re:I Like Paper (0)

Anonymous Coward | about 6 months ago | (#46901785)

Wait 24 hours to see if it compiled... then either fix the bugs or continue. It works coding exactly like communicating to people. /me wait LESS than 24 hours for reply.

Re:I Like Paper (0)

Anonymous Coward | about 6 months ago | (#46901797)

So how do you title your prints?

DO NOT PANIC

or

DANGER WILL ROBINSON

Run around in panic... (5, Funny)

sinij (911942) | about 6 months ago | (#46901397)

Running around the office in panic screaming that we are all going to die has worked well for me so far.

Also, what kind of security events are we talking about here?

Re:Run around in panic... (1)

cbiltcliffe (186293) | about 6 months ago | (#46903507)

When in trouble, or in doubt, run in circles, scream, and shout.

Kill them all (1)

Anonymous Coward | about 6 months ago | (#46901415)

Easy, kill all your users. Seriously.

You are fighting a losing battle. Every time I try to make a process more idiot proof, 10x more wild moron users appear.

Re:Kill them all (0)

Anonymous Coward | about 6 months ago | (#46901573)

The only losing battles are fought by whores.

Re: Kill them all (1)

KevReedUK (1066760) | about 6 months ago | (#46912099)

Or, as I generally word it: "For every idiot-proof system, you will encounter at least one system-proof idiot"

My thoughts. (4, Insightful)

TMYates (1946034) | about 6 months ago | (#46901427)

In the case of the browser, there are a couple of things I would have done:

1) IT should have selected a viable alternative. Whether it is Chrome, Firefox, etc... IT should be deciding on one to use. You are right in not wanting to bog down the help desk with these calls. By selecting one you can send a message out to your users stating that to improve security, reliability, and performance of your system, we will begin rolling out a new web browser for everyone to use. Be sure to include time for a quick training session. There are various methods for pushing software out behind the scenes as well to install it without bothering many of the workers.

2) Used something like Group Policy to push out the workaround and disable the DLL in question. This could have easily been done using a login script or GPO. Then you could sit tight waiting on a patch for your existing browser. You may still want to remind everyone to be on the lookout for anything suspicious and report it should something happen.

The sad fact is that nothing is bulletproof. It could just as easily be Chrome or Safari next week. Don't forget Safari had a nasty SSL flaw not too long ago too. You are right in not wanting to scare your users, but that is where I say you need to put effort into education on the basics of security. Let them know you have their back. And above all, be creative.

Re:My thoughts. (2)

ArcadeMan (2766669) | about 6 months ago | (#46901601)

A lot of corporate users are still stuck with backends that require ActiveX.

Ten years ago, people kept telling me I shouldn't worry about it and everyone would be using Windows and Internet Explorer forever. Idiots.

Re:My thoughts. (1)

pavon (30274) | about 6 months ago | (#46901701)

He recommended deploying an alternative browser, not replacing IE altogether. That way when IE has a bad vulnerability you notify everyone to temporarily use the alternate on external sites, use group policy to disable vulnerable features, or even block it at the firewall depending on the severity. They can keep using IE internally during that time. Then when a patch comes out you deploy it and lift the restrictions. The next week when Firefox has a zero-day, you do the same for it, and recommend people use IE for the time being. It is a very sensible way to allow the most productivity possible while staying secure.

If they really need to use ActiveX on external websites during a vulnerability, you can whitelist those sites in Group Policy if needed, but honestly I would just consider the downtime a cost of doing business with outdated insecure technology in most cases. Cleaning up a bad worm/virus that spread through the entire campus could be much more expensive.

IE6 compatibility mode still required as well. (0)

Anonymous Coward | about 6 months ago | (#46901735)

There are some corporate websites here in the UK (which provide Internet based services) which will not work correctly unless Internet Explorer is running in IE6 compatibility mode (even when ActiveX is not involved).

No, I am not joking (and no I cannot name them because I handle this as part of my day job.)

Re:My thoughts. (2)

LordLimecat (1103839) | about 6 months ago | (#46901941)

Chrome can be deployed with extensions via GPO-- like IETab. IETab could be preconfigured to load those specific sites.

Presumably the few sites you would be using IETab for would either be internal, or restricted access, and so unlikely to have the exploit code.

Re:My thoughts. (2, Informative)

Anonymous Coward | about 6 months ago | (#46901661)

Then you could sit tight waiting on a patch for your existing browser

That patch he was waiting for? It was pushed yesterday ... FYI.

If he followed your advice, he would have spent more time creating, testing, and implementing the scripts/GPO's you suggested, than it took to get the patch. Plus he'd get to have all the fun of hearing from the Help Desk about users who're confused by a different browser appearance, and oh, hey, where'd all of my favourites go?

Not to mention, if the enterprise also uses GPOs to manage browser functionality / appearance / behaviour, whoops, none of that on Chrome/Safari/Firefox...

If he did ANYTHING, on Monday, he could have pushed EMET to his Windows Vista/7/8.x clients, thereby hardening all of them against not only this attack, but also most others going forward; IE11 with EMET has YET to be compromised and was the ONLY browser configuration that came out of PWN2OWN undefeated; (FWIW: If you think that's just from weak-efforts, and manage to find a way to defeat it, there's a $150,000 [wmpoweruser.com] reward available...)

-AC

Minimum Protection (0)

Anonymous Coward | about 6 months ago | (#46901745)

EMET is good idea for companies that are tied to IE/Windows. It's no panacea of course, but raises the time-cost of breaking in.

FYI - A team of researchers publicly announced they broke through all of EMET's defenses. [pcworld.com] Per the article:

The real question is not whether EMET can be bypassed, but whether it sufficiently raises the cost of exploitation, the Bromium researchers said in their paper. “The answer to that is likely dependent upon the value of the data being protected. For organizations with data of significant value, we submit that EMET does not sufficiently stop customized exploits.”

Re:Minimum Protection (0)

Anonymous Coward | about 6 months ago | (#46902241)

Well, since nobody collected the $150,000 reward at PWN2OWN 6 weeks ago, I'd say that either:

a) the theory proposed in your link is an abstract/theoretical idea, and not yet ACTUALLY do-able in the real-world,

or

b) nobody at PC-World, or anyone who read the article, or anyone on the research team mentioned in it felt like they could use an extra $150,000 back in March...

-AC

Re: Minimum Protection (0)

Anonymous Coward | about 6 months ago | (#46903593)

Wrong. Read the actual Bromium whitepaper. They didn't bypass EMET's DeepHooks feature. It wasn't enabled by default but now it is with the recent release of EMET 4.1 Update 1. I'm not saying EMET is bulletproof but that article is wrong. A couple of exploit writing companies have managed to bypass EMET but it isn't something they give out for free. Even the $150,000 prize at the last Pwn2Own wasn't enough to get them to disclose their complete bypasses (including DeepHooks). Real complete EMET bypasses are worth more than 150k.

Re:My thoughts. (1)

pr0fessor (1940368) | about 6 months ago | (#46901869)

Not to mention, if the enterprise also uses GPOs to manage browser functionality / appearance / behaviour, whoops, none of that on Chrome/Safari/Firefox...

There are custom administrative templates available for Firefox and Chrome. I'm sure there are some for Safari; I've just never used them.

https://support.google.com/chr... [google.com]

http://sourceforge.net/project... [sourceforge.net]

Re:My thoughts. (2)

TMYates (1946034) | about 6 months ago | (#46901953)

This response was supposed to be a general "what should I do" not "what can I do" type of question. I used the browser topic as a sample, but yes they have released the patch. If a vulnerability was published today, you cannot just assume tomorrow they will have a patch ready to ship and hence why the question was asked how to handle a situation of such.

It depends on the size of the shop and the IT staff. As a one man IT shop, I would be the one creating, testing, and implementing. Not saying everyone is bad at that, but I happen to know my scripts and GPO objects. In the workaround, they clearly gave instructions for running the fix at a command line. That part would not be difficult to do and if it were serious enough for a large organization, they would most likely already have a rapid test process in place for a vulnerability like this. You would still have to educate the users on a new browser should you push one out, but at least you can reduce the time needed for IT to go to every computer and manually install the software. You wouldn't have to instantly switch it to default.

As for the GPOs to manage the other browsers, it depends on how they store files. But to prove you wrong on Chrome not having them, here: https://support.google.com/chr... [google.com]

EMET should have been a 3rd option, but I wouldn't recommend every shop immediately go out there and implement it without understanding it. There are many complicated things that it helps mitigate and improperly implemented could cause more headaches to the help desk. That being said, I have started to research it for other reasons so I won't knock it being a worthwhile investment.

Also, you better hope you are on the latest version of EMET, because 4.1 has been bypassed and it is only a matter of time for newer versions: http://bromiumlabs.files.wordp... [wordpress.com]

Now go back into your hole since you are too afraid to stand behind anything other than AC for your post name.

Re:My thoughts. (0)

Anonymous Coward | about 6 months ago | (#46902405)

By default, EMET hardens Windows itself, IE and I think a few other Microsoft Apps (maybe Flash too?) In any case, it should be considered essential in exposed or front-line machines under Windows, and in my environment, we deployed it back in January with only a few hiccoughs to solve. Granted, it's a small office with only a few servers + workstations.

IE11 w/ EMET has not yet (well, as of PWN2OWN, 6 weeks ago) been defeated via drive-by attack. Period. It is the ONLY browser to claim that distinction. (IE11 on its own only succumbed to a single attack at that time; I didn't hear if it was via this particular hole, or some other, but still, it was the most secure browser at this year's event). If your claim is true, then you, or someone at Bromium Labs should go and demonstrate their bypass and collect a $150,000 bonus!

you are too afraid to stand behind anything other than AC for your post name

I've been reading and posting on /. for about a dozen or so years, over which time I have proudly, and purposely NEVER created an account, and I certainly have no intention of doing so now. Nevertheless, I DO sign all my posts, and not every AC in the above chain is me... Also, choosing not to create an account has nothing at all to do with "fear"...

-AC

Re: My thoughts. (0)

Anonymous Coward | about 6 months ago | (#46908135)

They didn't bypass EMET's DeepHooks feature. Read the actual paper.

Fix "normal" (0)

Anonymous Coward | about 6 months ago | (#46901965)

From the summary:

Sooner or later, a patch will come out, and everything will be back to normal.

It sounds like your "normal" is that you are using Internet Explorer.
Fix that.

From the summary:

But how do I communicate to end users that they should be aware of an issue and take extra care until it's fixed

One option is for your users to wait until you have fixed the issue. The other option is to just fix it. Since you have an issue of being standardized on Internet Explorer, fix it immediately.

From the message being replied to:

Group Policy to push out the workaround and disable the DLL in question.

Using Group Policy has traditionally involved making sure that a server is running a Microsoft Windows Server operating system, and client machines are running the more expensive Pro version of the operating system, and that IT staff are trained in using Microsoft components. Once that is all done, start relying on client-side security to implement security measures, which is generally the least trustworthy spot to be implementing security.
Better idea: Do not implement all those pro-Microsoft policies just so you can torture your users with Microsoft's browser. Instead, get out of Microsoft's bed.

I know, you likely consider this unuseful advice. That is exactly why this is advice that you obviously don't hear enough. Not just you, either. If you're not being annoyed by the fact that nobody values your Microsoft-centric knowledge, then Mark Shuttleworth has closed Ubuntu bug #1 too early.

Fix "normal" (2)

TMYates (1946034) | about 6 months ago | (#46902189)

So you can be the one responsible to fix other vendors' software and web sites when they fail to run on other browsers. Have fun with that. Not everyone can switch and still function. It may not be the fault of the company using IE. Also, you have to look at organizations like hospitals that are under regulations that may make it impossible or expensive to recertify equipment. A good example is the FDA regulating product certification systems. Changing out a system design can cost tens or hundreds of thousands of dollars to recertify a design.

I have my fun with Linux and use it in various ways, but it isn't always the easiest thing to just swap out in a workstation setting. You apparently have very limited knowledge of the various industries and exist in a world where your way is the only correct way. You can go have fun with your copy of Linux, but don't assume it fixes everyone's issue without understanding what they do. If they can switch and still function, great. For purely desktop/laptop environments, Microsoft still has ~90% market share.

RE: Fix "normal" (0)

TMYates (1946034) | about 6 months ago | (#46902221)

And the previous comment that this was in reply to is now gone....

Sigh... rant... sigh... rant... sigh... rant (0)

Anonymous Coward | about 6 months ago | (#46903133)

Sigh... TMYates... You've proven so many of my points, including the ones I hadn't even bothered to mention.
(Yes, I'm the same Anonymous Coward that wrote comment #46901965 [slashdot.org] )

A flamefest will get us nowhere. (case in point: my post was basically a strong anti-Microsoft flame... did it get us to any mutual understandings?) And, Slashdot articles are hardly the most recommended forum for clear, unbiased, cool, intelligent discussions. Yet, I propose we try anyway. I'm curious how far an actual attempt-to-act-civilized discussion may go here. I'll keep the name calling minimal, and see if I can actually make some sense that can be more easily understood.

Bonus: If you can make it through my manifesto, chances are you'll actually learn something in the end. (More on that later.)

First, let's look at some of what you've stated:

For purely desktop/laptop environments, Microsoft still has ~90% market share.

Yeah, I understand that concept, as demonstrated by my mentioning that Ubuntu bug #1 [launchpad.net] was closed by Mark Shuttleworth [launchpad.net] too early.

You apparently have very limited knowledge of the various industries and exist in a world...

Actually, I exist on Earth, and have supported Microsoft Windows environments for many businesses for years. Your claim of my "very limited knowledge" is only salvaged by the word "apparently".

You can go have fun with your copy of Linux

I actually don't choose to use Linux much at all. (Granted, I may use it. I have a NAS at home that uses Linux, which I wasn't expecting when I purchased it. However, on systems where I have a choice, they are rarely using Linux.)
This is kind of off the topic, but I just wanted to formally decline your suggestion, because Linux-based operating systems are too restrictive, regarding licensing.

Here's the nuts and bolts of the situation:

...where your way is the only correct way.

This is actually far closer to the truth than you probably intended.

See, I wasn't actually trying to provide business advice that would be tolerable to many corporate environments. This was more of a philosophical rant. One that would have gotten me disciplined (and possibly fired) in my previous job of supporting these inflexible corporate environments. Thank Slashdot that a means has been provided, allowing me to blow off some steam. I'll try to act a bit more rationally, now. Although, my very next statements are likely going to rank among the least rational things you've read this decade.

Not everyone can switch and still function.

Then don't let them function!
Seriously: Just let the businesses die.

Yes, I just gave you all the reason in the world to tune me out as a psychopathic madman with ideas that are uselessly unimplementable.
Obviously, advice to just shut down businesses will not be tolerated by typical business management, and much of the rest of society would disfavor large corporations being unable to proceed.

However, before dismissing me entirely, just consider my analysis of where we are today. Companies shirk off their responsibility by committing only to "commercially reasonable efforts", which means that their efforts only go as far as what permits them to profitably engage in commerce. Quite often, this involves identifying another organization that security responsibility may be shifted to. For example, management can sleep easy as long as they've paid the right organizations enough so that there are support contracts with many third party vendors, and Microsoft. Regardless of whether data is actually secure, there is always somebody who could be sued if things get too far out of hand. If criminal activity occurs, the crimes may be successfully committed. However, we will typically not be penalized if we can successfully shift the blame, such as using forensics to determine whodunnit, especially if that is a person living on native soil that can be penalized by law enforcement. That will probably take care of most cases, and the few cases where those approaches fail can be covered by the vague notion that absolute experts, including groups sponsored by hostile (or even domestic!) nation-states, can potentially succeed to attack the companies we support, even if we apply the best of our limited knowledge. So, not every attack is realistically defensible. But, we IT experts cannot be held responsible for any problems because everything we do is protected by the vague clause that says we only have to do whatever is widely perceived as "commercially reasonable".

This doesn't provide us with any incentive to increase our limited knowledge beyond the minimum needed to be able to craft an excuse why we performed to a level that could be described as "commercially reasonable". I'm sorry if I can't learn more about security that functionally works. I'm too busy learning about certification systems, determining whether the targets of my finger pointing are still suitable or need to be re-defined, and spending whatever other time I have left coating myself with butter: I wouldn't want that buck sticking to me.

All of this lets us believe that we have suitably protected our company from lawsuits, while not adding one iota of security. But that's fine, because the most important priority is that businesses continue to operate. After all, that leads to the financial sponsorship of paychecks, which is really the important issue at hand, isn't it?

This whole situation provides us with quite comfortable living, as we just inconveniently try to convince ourselves that we can happily ignore one truth which we just can't completely deny to ourselves. Rather than demanding caution, and security, so that those concerns are ranked higher than the ability to operate profitably, we live in a society where domestic identity theft is a very regular occurrence.

We also have a situation where a person identified as TMYates seems to be an IT expert familiar with system design certifications that "cost tens or hundreds of thousands of dollars". And yet, this wonderful professional expert doesn't know enough to avoid making a public comment about not being able to see a Slashdot comment, which is a temporary situation.

One thing I learned in my IT training is to not make public statements in a way that may be recorded and then used against you later. (In the court of law, a plaintiff could discredit your expertise due to a lack of basic knowledge.) You'll notice that this is advice that I am following as I make a highly controversial rant: I am posting only as Anonymous Coward. Sure, my IP address is probably recorded somewhere, but for Internet access I'm using a service which is not in my name, and which I will likely stop using in less than a year. Highly unlikely to haunt me later. In fairness, I recognize that perhaps you didn't have a college instructor that pointed out some of the dangers to demonstrating a lack of knowledge. After all, there is so much IT knowledge to learn (such as useless things like designing security around trusting clients, just because it promotes a design that leads to people paying Microsoft more money) that we can't realistically be expected to learn it all.

And so, we have our excuse. And people continue to be hurt (via identity theft). And it's all commercially reasonable. And we can all sleep at night, knowing that we've protected our own personal butts, the butts of our family, and the butts of the people who pay us our paychecks. And if anyone dares to speak up about how things really should work, if the proposition is incompatible with common corporate-style behavior, we can dismiss them as one of those people on this planet who "apparently have little knowledge". And we can all just continue to get our paychecks by not doing things the right way.

This whole incident reinforces whatever level of confidence I already had regarding whether hospitals and government oversight organizations (like the FDA) are giving their money to people who actually know a lot about how computer systems actually function.

* regarding the bonus: I suggested that I might actually teach you something tangible by the end of the message. So, here it is: my understanding is that Slashdot uses multiple systems. I can certainly believe that Slashdot may use multiple servers. When you post a message, it might not appear reliably for a little while. One option is to copy the comment ID (or the entire URL to a shortcut to the article). However, even then, the message might not be visible. If you lower your viewing threshold to include comments rated under Score:1, the message might be visible. But, even then, it might not be. You might need to try later. However, now that enough time has passed, you'll probably see the comment as long as your viewing threshold settings aren't filtering it out. So, you spoke about a temporary situation where you weren't able to see the message as easily. And the permanent record now shows that.

Most important (0)

Anonymous Coward | about 6 months ago | (#46901431)

The most important thing when communicating security alerts is to not exaggerate the threat.

Cry wolf just once and people will find that listening to you is a waste of their time.

Howto docs (1)

ichthus (72442) | about 6 months ago | (#46901437)

Anticipate all questions (smart or dumb), and create a howto/faq addressing each one.

Re:Howto docs (0)

Anonymous Coward | about 6 months ago | (#46901527)

>Implying users read.

Re:Howto docs (2)

amicusNYCL (1538833) | about 6 months ago | (#46901613)

Anticipating all dumb questions is easier said than done. As soon as you make something idiot-proof, they go and make a better idiot.

You don't (2, Interesting)

Anonymous Coward | about 6 months ago | (#46901445)

To be blunt, you don't need to tell every employee about every security problem, precisely for the reasons you stated: they'll panic.

The best thing you can do is to try to mitigate the problem until a fix is available, and then deploy a fix. Mitigation can mean anything from blocking access to the offending program, malicious website, etc., but nothing beats good old fashioned user education. Instructing your users on safe computing habits goes a long way toward keeping your network secure, and as long as you're not a dick about it, most people will actually listen. There are always those that won't listen or cooperate because 'computery things are your job, not mine', but I've found that those people are few and far between.

The security alerts should come from the help desk (1)

Anonymous Coward | about 6 months ago | (#46901461)

The security alerts should come from the help desk and the support staff. They are much more in touch with the types of problems that will occur, as well as how to best communicate with the users. You can work with the support staff to craft an accurate and helpful message without causing chaos.

You let your employees choose their own browsers? (4, Funny)

wonkey_monkey (2592601) | about 6 months ago | (#46901475)

Goddamn hippy.

Giant Hammer (1)

originalmouse (2450446) | about 6 months ago | (#46901481)

Be as concise as possible. Carry a giant hammer. "There is a vulnerability in IE. If you're paying attention, you will not have any issues. [procedure or new policy]. If you cannot comply with [new policy] please bring your machine to [your office] for molecular realignment."

Avoid the issue (0)

Anonymous Coward | about 6 months ago | (#46901505)

Explain the consequences and lost productivity from the user panic and threat of users doing strange things in response to the warning, and then recommend that the network be isolated from the internet due to "technical problems that we are working around the clock to resolve". Let corporate VPN connections remain so that people can still do business and maybe even wave your hands and explain that email works because it is "on an isolated subnet not affected by the outage", but lock down general internet access tight at the firewall.

They'll never know, and they might even get some work done using the time they used to spend browsing 4chan or the chive.

Re:Avoid the issue (0)

Anonymous Coward | about 6 months ago | (#46901629)

what about browsing /.?

high alert ongoing warnings (0)

Anonymous Coward | about 6 months ago | (#46901525)

tell your friends http://www.youtube.com/results?search_query=wmd+weather+alert wake up

Simple (1)

Anonymous Coward | about 6 months ago | (#46901549)

Stop locking people's machines down. Make IT into a department that trains people to be responsible, not a department that locks their machines up.

Re:Simple (0)

Anonymous Coward | about 6 months ago | (#46903881)

Stop locking people's machines down. Make IT into a department that trains people to be responsible, not a department that locks their machines up.

How well has that worked for you, AC? You are obviously on the End User side, rather than the IT side... and we've tried... repeatedly... After you explain 100 times to the same 1/3 of your company what to do/not do, you give up and remove admin access. Problem just about solved.

delegate to helpdesk (1)

zr (19885) | about 6 months ago | (#46901567)

they'll know how to communicate and what things to mention. and if they don't, they will learn quickly.

Large flashy red lights (0)

Anonymous Coward | about 6 months ago | (#46901585)

Seriously,

Large flashy red lights and REALLY loud siren.

Diversify (0)

Anonymous Coward | about 6 months ago | (#46901597)

Recommend from the start that your users make use of multiple different applications to accomplish the same task. If these users regularly make use of Firefox, Chrome, and IE, then they are far less disturbed by a forced transition due to a zero-day exploit. Likewise, users that compose alternately in MS Office, Open Office, and Libre Office, will find themselves much better equipped to adjust to a change in corporate suite preference.

Persuade your users not to paint themselves into a corner, and your job will be much easier in the long run.

Email and Proper Security Policy (4, Insightful)

CanHasDIY (1672858) | about 6 months ago | (#46901605)

All your issues can be addressed with 2 things - an email to employees that explains everything they need to know about the security update, and a security policy that prevents the installation of unauthorized software.

Then, for the handful of dumbasses that will ignore the email, try to install an unapproved browser, then call your helpdesk, they have the ammo they need to politely inform the user that if they like getting a paycheck, they should read their messages and abide by the computer usage policy*.

* Save veeps and members of the board, since they not only believe that company policy doesn't apply to them, but also have the ability to fire you. But that's, like, maybe 20 people, so not a big deal.

Re:Email and Proper Security Policy (0)

Anonymous Coward | about 6 months ago | (#46902085)

Well yes, email. None of this is your users' problem. It is yours.

As for the second...depends on the company but if they want a secure network they either have to trust the users not to be silly or restrict it so that they can not.

Of course everyone hates this. I am not a sys admin so I see it from the other side. Doing tech stuff tends to mean that a separate net is allocated to us with fewer restrictions and more of a "you broke it you fix it" kind of mentality. I am not saying that is good as it can get very broken by a few, many or all people fucking up. (Think of it as under the jurisdiction of those gods on high that hold the keys to computers but also allow far more flexibility when needed)

Veeps signed off on the rules so keep them to them. As with any other person you will help to the best of your ability (defined)

Re:Email and Proper Security Policy (0)

Anonymous Coward | about 6 months ago | (#46902101)

I would not recommend calling the employees dumbasses. The use of foul language has no place in a professional office environment. None of the offices that I have worked at tolerate cursing. Just an observation and my opinion.

Net Send / MSG (1)

CanHasDIY (1672858) | about 6 months ago | (#46901635)

I need to start sending security alerts and warnings to employees at my somewhat sizable company.

Presuming this is a Windows network, just do a net send / msg to all users.

My problem: I'm not sure how to send these alerts without freaking everyone out

Aw, but that's half the fun of net send!!!

Spoilsport.

Net Send / MSG (2)

TMYates (1946034) | about 6 months ago | (#46902249)

For the most part that was restricted or disabled since the XP days (after one of the updates. Cannot remember which). You reminded me of the old school spam I used to get...

Re:Net Send / MSG (1)

CanHasDIY (1672858) | about 6 months ago | (#46902741)

For the most part that was restricted or disabled since the XP days (after one of the updates. Cannot remember which). You reminded me of the old school spam I used to get...

I had thought that myself, but apparently a user with admin rights can still use msg to send pop-up notifications across the network. Thus, I've had a good ol' time fucking with some of my co-workers ever since rediscovering that command earlier today :)

Send out a note and post an FAQ (1)

Anonymous Coward | about 6 months ago | (#46901643)

Send them something like this:

"Recently you may have heard about a vulnerability in Internet Explorer. Why this made the news and the Flash vulnerability from the same week didn't, nobody knows. But please be aware that we know about this vulnerability - and, just like the last 5 zero-day vulnerabilities in Internet Explorer - we are monitoring the situation and will take any action deemed appropriate. At the present time we are protected by EMET - which we first deployed in 2011 - and do not have any exposure to existing exploits targeting this vulnerability. We will evaluate, test, and deploy the patch for this vulnerability during the standard "patch Tuesday" window when the other patches come out on May 13th.

Thanks!"

huh? (5, Insightful)

Charliemopps (1157495) | about 6 months ago | (#46901677)

Is this even a question? If the IE bug isn't important to you, and you don't want people switching browsers, then why the hell would you communicate the bug to anyone? You should only be sending out notifications if your users need to take action or you're trying to communicate an outage. If your email consists of "There's this problem you don't need to do anything about..." then you're wasting their time and they will quickly learn to ignore your notifications.

Users do not care about security issues or bugs. They want you to tell them if they need to do something. Otherwise leave them alone. If you have a few users that are worry warts and want to know about that thing they heard on the radio this morning, start a wiki page and just post it there. They can come and look at it if they have questions. But I'd avoid that. Documenting the reasons for your lack of action on a security issue is not a good idea. You may very well have good reasons, but uneducated poorly informed managers can make your life miserable if the bug ends up costing the company money.

Military Basic training method (3, Funny)

Whorhay (1319089) | about 6 months ago | (#46901699)

Don a utilitarian yet heavily starched and pressed uniform, wear a funny hat and a Hitler-style mustache. Then get a riding crop and an air horn. Go from cubicle to cubicle screaming and yelling obscenities and personal insults while instructing your vic.... users to apply patches or whatever. If anyone tries asking a question blow the air horn in their face then belittle them and kick up the craziness of the insults a notch or two.

Or you could send out a friendly and professionally written email with precise directions with a picture for every step. But that honestly doesn't seem like much fun to me.

Re:Military Basic training method (1)

pr0fessor (1940368) | about 6 months ago | (#46902041)

That'll be twenty push-ups for sending lol cats through corporate e-mail to your co-workers.

I'm not so sure the boss would go for that.

Re:Military Basic training method (1)

laejoh (648921) | about 6 months ago | (#46902133)

Watch Fawlty Towers, "The Germans", for a HOW-TO on how to actually perform the required silly walk!

Re:Military Basic training method (0)

Anonymous Coward | about 6 months ago | (#46903437)

Well stated!

But I think he had the answer to his own question in his question, namely, listing what employees should NOT call tech support about, and that "extra care" would handle much of the problem.

Of course, he could provide each user with a CD of Lightweight Portable Security, and say to use that to read emails they suspect are bogus, and be done with it.

CVSS, CVE, CPEs and Policy (1)

mtippett (110279) | about 6 months ago | (#46901707)

Define actions (instant, daily, weekly alerts) for ranges of CVSS scores http://nvd.nist.gov/cvss.cfm?c... [nist.gov]

Track incoming CVEs (http://nvd.nist.gov/download.cfm), assign CVSS scores specific to your organization. Also have an organization-specific remediation approach.

As you find out who is using what software, use the CVE CPE (http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-2168) information to target more specific users.

In the blast emails, you could potentially harvest who thinks they may be affected to gather CPE information.

It's going to be a thankless, painful job, so you may as well automate as much as possible.
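The score-band-to-cadence policy and CPE targeting described in this post, as an added example that is not the poster's own tooling. The band edges follow the NVD severity labels; the cadence assigned to each band, the organization-specific adjustment, and all CVE records, CPE names and user inventory are constructed for the example.

```python
from dataclasses import dataclass

# Cadence per CVSS base-score band, highest floor first. Band edges follow the
# NVD severity labels (Low 0-3.9, Medium 4-6.9, High 7-10); which cadence goes
# with which band is an assumption for this example.
CADENCE_BANDS = [(7.0, "instant"), (4.0, "daily"), (0.0, "weekly")]


def cadence_for(score):
    """Return the alert cadence for a (possibly adjusted) CVSS score."""
    for floor, cadence in CADENCE_BANDS:
        if score >= floor:
            return cadence
    raise ValueError("CVSS score must be between 0 and 10")


@dataclass
class Cve:
    cve_id: str
    base_score: float   # NVD base score, 0.0-10.0
    cpes: list          # CPE 2.2 URIs of affected products


def cpe_matches(installed, affected):
    """Component-wise CPE match on 'cpe:/a:vendor:product:version:...'.
    A shorter affected CPE is a prefix match, so 'cpe:/a:microsoft:internet_explorer'
    hits every installed IE version; '*' in the affected CPE matches any value."""
    inst, aff = installed.split(":"), affected.split(":")
    if len(aff) > len(inst):
        return False
    return all(a in ("*", i) for a, i in zip(aff, inst))


def org_score(cve, adjustments):
    """Apply organization-specific deltas (keyed by CPE prefix) and clamp to 0-10."""
    score = cve.base_score
    for prefix, delta in adjustments.items():
        if any(cpe_matches(c, prefix) for c in cve.cpes):
            score += delta
    return max(0.0, min(10.0, score))


def plan_alerts(cves, inventory, adjustments):
    """Return {cve_id: {"score", "cadence", "recipients"}} for CVEs that match at
    least one installed product. CVEs nobody is exposed to produce no alert at all."""
    plan = {}
    for cve in cves:
        recipients = sorted(
            user for user, installed in inventory.items()
            if any(cpe_matches(i, a) for i in installed for a in cve.cpes))
        if not recipients:
            continue
        score = org_score(cve, adjustments)
        plan[cve.cve_id] = {"score": score, "cadence": cadence_for(score),
                            "recipients": recipients}
    return plan


# Constructed sample data: placeholder CVE ids, not real NVD records or hosts.
SAMPLE_CVES = [
    Cve("CVE-EXAMPLE-0001", 9.3, ["cpe:/a:microsoft:internet_explorer"]),
    Cve("CVE-EXAMPLE-0002", 4.3, ["cpe:/a:mozilla:firefox:29.0"]),
    Cve("CVE-EXAMPLE-0003", 7.5, ["cpe:/a:oracle:jre:1.7.0:update51"]),
]
SAMPLE_INVENTORY = {
    "alice": ["cpe:/a:microsoft:internet_explorer:9", "cpe:/a:adobe:flash_player:13.0"],
    "bob": ["cpe:/a:mozilla:firefox:29.0"],
    "carol": ["cpe:/a:microsoft:internet_explorer:11"],
}
# Organization-specific adjustment (assumed): an exploit-mitigation toolkit is
# already deployed on the browser fleet, so IE issues are rated two points lower.
SAMPLE_ADJUSTMENTS = {"cpe:/a:microsoft:internet_explorer": -2.0}

if __name__ == "__main__":
    for cve_id, entry in plan_alerts(SAMPLE_CVES, SAMPLE_INVENTORY, SAMPLE_ADJUSTMENTS).items():
        print(cve_id, entry["cadence"], entry["recipients"])
```

With the sample data the IE issue goes out immediately to the two IE users only, the Firefox issue goes into the daily digest for its one user, and the JRE issue is never sent because nobody runs it.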

Here's an idea (1)

Let's All Be Chinese (2654985) | about 6 months ago | (#46901723)

Set policy. Like, you have a list of recommended software. I'd say at least two browsers and a bunch of utility software. You support those, and beyond that it's best-effort. Curate the collection. With a clear idea of what's in use, you can even start to assemble the whole thing from FOSS and eventually move to a non-proprietary OS to underpin the tools. But that really is but a side-effect of having a good grasp of the needs of your shop. See the LiMux project.

Communicate. Not just this one thing, your entire policy, FAQs, tips and tricks, what-have-you. An internal website will do. A wiki is great for this*, even if you're not opening up editing to others. But you could do that for selected parts too. Make sure everybody knows where the fount of (IT) wisdom is to be found. You don't have to be pushy about getting people to use it; even helpdeskers reading ready-made solutions to panicked people is better than having them making up answers on the spot, though this is only true if the ready-made stuff is of good quality. And if it applies to the situation, but that's the helpdesker's job to work out. So make a point of both having helpdeskers add questions and of curating the material, so you both know what's popular and that they have decent answers.

Most of all, don't get condescending; write *for* the reader, not *at* them, or worse, refer to them as "the user", like so many programmers do. Who're they writing their software for, anyway?

Once that's going you can even expand into short tutorials**, book reviews to help pick up more skills, and so on. But let's get the basics going first.

Notice that if you have your shop organised with ready-made software and information answers, people will have a well-known point to look at in case of panic. So with that in hand, in case of big trouble you can send out word with a recommendation to review the latest news in the usual places where all the details can be found, with a short abstract with enough information --accessible to them-- to let them make a "should I spend time on this now? can it wait until later?" decision.

Don't try to force people's hands until and unless absolutely necessary. Give them the tools and the right information at the right time to let them make meaningful decisions. This requires not so much serious writing skill (though it helps), but putting yourself in their perspective. "I don't understand all this, why do I need to bother?"

* Plenty of wiki software available. I like dokuwiki and dislike mediawiki because syntax, which I think is important as it is a tool to express and so convey the message. At minimum go for CREOLE support.
** A tutorial isn't a tutorial unless it also tells how to recover from mishaps. Most "tutorial" blogposts fail at this and as such are not worthy of the name.

DO NOT PANIC!!! (0)

Anonymous Coward | about 6 months ago | (#46901761)

REMAIN CALM!!! ALL IS WELL!!!!!! ALL IS WELL!!!!!!!!!

http://www.youtube.com/watch?v=zDAmPIq29ro&feature=kp

yes, this is yelling, so I must now type all of the stupid padding, since the slash-filters can't tell what a joke is about.

"IT Security Alert" (1)

Peter Simpson (112887) | about 6 months ago | (#46901771)

First, I would title them IT Security Alerts, rather than Security Alerts. One has to do with your computer, the other has to do with threats to your personal safety. You don't want people overreacting.

Group Policy? Login Script? (1)

freeze128 (544774) | about 6 months ago | (#46901807)

You can use Group Policy or your network login scripts to disable the svg vulnerability that was recently in IE without even telling your employees.

You can ask slashdot all day "How do I write an email?", or you can just be an administrator.

Email Alert (2)

HideyoshiJP (1392619) | about 6 months ago | (#46901849)

Security Email Alerts
Summary

Oftentimes, email works great for something like this. Make sure you use a standardized and easy to read template that makes important information stand out.

Affected Items

  • Make sure you list what is going to be affected and how it will affect people's jobs.
  • Make each item stand out from drab text, so people's eyes immediately find whether or not it affects them.

Your Actions

Here's where you try to calm people down and/or tell them what they need to do. This section can be lengthy if necessary, but make sure to break out individual items if this section grows to a text wall.

Flat-out lie (1)

fran6gagne (1467469) | about 6 months ago | (#46902055)

Tell them there is some magical device on your network that prevents all security issues that can happen. They are safe and they can keep working in peace. Rainbows and unicorns bla bla bla...

Don't send texts (1)

Richy_T (111409) | about 6 months ago | (#46902123)

They are annoying, flood the text inbox and hide other stuff. Have/buy an alert app for android & iphone (& maybe blackberry) which can actually handle things sanely. Not to mention the cost.

If there's a holdout with an L7089, texts may be acceptable for them but smartphone users have better options.

Meaningless Goal (2)

zieroh (307208) | about 6 months ago | (#46902163)

Assuming that you find a way to communicate these alerts without freaking everyone out (which is a tall order to start with) I think your goal -- of having people "take extra care until it is fixed" -- is so completely vague and unactionable as to be completely meaningless.

fix it at the proxy level (3, Informative)

SethJohnson (112166) | about 6 months ago | (#46902279)

Modify your outbound proxy rules to redirect every outbound http request that has a useragent string belonging to the affected browser. Send them to an internal HTML page that explains the security threat and provides a link to download and install the browser preferred by the organization.

This will:
  1. Selectively communicate the issue to only the affected users.
  2. Prevent anyone on the internal network from being compromised due to this vulnerability.
  3. Prevent anyone from ignoring the 'advisory.'

If you're not using an outbound proxy, god help you.
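The user-agent redirect rule from this post, as an added example written by the editor rather than taken from the poster's setup: a policy function a proxy's redirector or authentication helper could call, plus a replay over proxy log lines to see who is still on the affected browser. The advisory URL, exempt hosts and log lines are constructed; the exemption list exists because without it the rule also blocks the advisory page, the approved-browser download and the vendor patch source, which defeats the whole point.

```python
import re
from urllib.parse import urlsplit

ADVISORY_URL = "http://intranet.example/security/ie-advisory"   # assumed intranet page
# Requests to these hosts are never redirected (assumed names): the advisory
# page itself, the approved-browser download and the vendor patch source must
# stay reachable from the affected browser or the rule breaks itself.
EXEMPT_HOSTS = {"intranet.example", "downloads.example"}

_MSIE = re.compile(r"\bMSIE (\d+)\.")
_TRIDENT_RV = re.compile(r"\bTrident/\d+\.\d+.*\brv:(\d+)\.")


def ie_major_version(user_agent):
    """IE major version from a User-Agent, or None for any other browser.
    IE 10 and earlier send 'MSIE n.n'; IE 11 dropped that token and is
    identified by the Trident engine token plus 'rv:11.0'. Old Opera builds
    masqueraded with an MSIE token, so they are excluded explicitly."""
    if "Opera" in user_agent:
        return None
    m = _MSIE.search(user_agent) or _TRIDENT_RV.search(user_agent)
    return int(m.group(1)) if m else None


def proxy_decision(url, user_agent, affected=range(6, 12)):
    """Return ('pass', url) or ('redirect', ADVISORY_URL) for one request.
    `affected` is the set of IE major versions the advisory applies to."""
    if urlsplit(url).hostname in EXEMPT_HOSTS:
        return ("pass", url)
    version = ie_major_version(user_agent)
    if version is not None and version in affected:
        return ("redirect", ADVISORY_URL)
    return ("pass", url)


# Constructed log format for the example: client-ip method url "user-agent"
_LOG = re.compile(r'^(\S+) (\S+) (\S+) "(.*)"$')


def still_affected(log_lines):
    """Replay proxy log lines through the rule and return the client IPs that
    would be redirected, i.e. the people still browsing with the affected browser."""
    hit = set()
    for line in log_lines:
        m = _LOG.match(line.strip())
        if not m:
            continue            # skip malformed lines rather than fail the report
        ip, _method, url, ua = m.groups()
        if proxy_decision(url, ua)[0] == "redirect":
            hit.add(ip)
    return sorted(hit)


# Constructed sample log, not a real capture.
SAMPLE_LOG = [
    '10.0.0.5 GET http://news.example.com/ "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)"',
    '10.0.0.6 GET http://news.example.com/ "Mozilla/5.0 (Windows NT 6.1; rv:29.0) Gecko/20100101 Firefox/29.0"',
    '10.0.0.7 GET http://mail.example.com/ "Mozilla/5.0 (Windows NT 6.3; Trident/7.0; rv:11.0) like Gecko"',
    '10.0.0.7 GET http://intranet.example/security/ie-advisory "Mozilla/5.0 (Windows NT 6.3; Trident/7.0; rv:11.0) like Gecko"',
    '10.0.0.8 GET http://news.example.com/ "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1) Opera 7.54"',
]

if __name__ == "__main__":
    print("still on the affected browser:", still_affected(SAMPLE_LOG))
```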

Re:fix it at the proxy level (0)

Anonymous Coward | about 6 months ago | (#46911313)

It will also teach your users to trust any site that claims to fix a vulnerability by downloading and running an executable.

Company-wide Malware Warnings (1)

MaudyGrunch (3639883) | about 6 months ago | (#46902603)

I had to create a warning protocol/process about 15 years ago but it might work for you.

1. We color coded the warnings kinda like the first DHS warnings ... colors are associated with threat levels.
2. When a threat or a vulnerability became a concern, we sent out global company emails to employees, contractors, and clients. The emails had a standard format, including color-coded stationery.
3. We created a short PDF for each threat/vuln that was sent as an attachment with the global email warning. This was done with guidance from an authority like SANS or the CERT at Carnegie Mellon.
4. That PDF contained an explanation of differences between threat and vuln (like the difference between Storm Watch and Storm Warning).
5. That PDF contained info about the particular threat/vuln, what the company was doing about it, and what personal steps the employees should take at work and at home. They were encouraged to give these PDFs to friends and family, so as to educate as many people as possible.

This process was detailed in our Risk Assessment plan, which was in our larger Security Plan. I know not every company has these but, if you created the plan by piecemeal, you can eventually have enough material to put a full Security Plan together. Just remember to change up the warning levels. Don't always leave it at yellow or orange or you create user ambivalence, just like the reception the DHS warning system got from the general public.

be thorough (0)

Anonymous Coward | about 6 months ago | (#46902753)

Personally I like the "executive summary, detailed version below" method but there's other stuff you gotta do.

0. Don't panic, ignore this, or call me to have it explained to you. This message is the explanation. See bottom for question protocol. (calm the f*** down)
1. Summarize what the problem is (IE is broke!)
2. Summarize the solution (use Chrome for now, monitor Windows Update mechanism!)
3. Explain the consequences of inaction or incorrect action (you gonna get infected, and then fired.)
4. Explain that responsibility lies with them, and that not understanding is a problem they are responsible for solving (this is part of your job, figure it out!)
5. Explain the problem in full detail, but still as briefly as possible. (IE is unpatched and can be exploited by attackers if you use it. So don't.)
6. Test the notification to a few folks, and combined with your own expertise, write an FAQ (I installed Chrome but where my bookmarks at?)
7. Questions: Ask two co-workers first. Email me only if they don't have answers. No calls, texts, or carrier pigeons. In your email please include the names of the two co-workers you asked so that they can be CC'd on the answer.
8. Tell them which unquestionable executive signed off on the protocols of the email notification. Ideally, forge your email headers and send it from the CEOs account.

Simple (1)

Synerg1y (2169962) | about 6 months ago | (#46902943)

Include the solution or recommended course of action in the alert email. Don't just say there's a problem, tell them how to fix it.

Ex. download this hotfix at this link
Ex. enable/disable this setting
Ex. Be careful while using Internet Explorer and use an alternative browser such as Firefox or Chrome (I wouldn't include links here but that's just me)

Oh and no technical jargon, the unknown scares people, if your boss can understand it based on just your email (before you send it), you've achieved this.

The necessary comment (0)

Anonymous Coward | about 6 months ago | (#46903375)

"If you need to ask this on Slashdot, you're not the right person for the job!"

Just in case this was not yet posted....

Colored Lights and News (0)

Anonymous Coward | about 6 months ago | (#46905121)

Take three lights: a red, a yellow and a green. Attach some vague sentences about how the users should be wary when the lights go yellow, and really scared when the red light fills the room. Use disco lights for signals. Implement a regular company news video stream which always remembers to report the current threat level and how scary it is.
