Slashdot Mirror


Ask Slashdot: How To Communicate Security Alerts?

Capt.Michaels writes: "I need to start sending security alerts and warnings to employees at my somewhat sizable company. My problem: I'm not sure how to send these alerts without freaking everyone out and causing the help desk to get flooded with phone calls. For example, let's take the current Internet Explorer exploit that caused US-CERT to recommend switching browsers. I don't want everyone killing our limited help desk with ridiculous questions like, 'I downloaded $New_Browser, how can I get my toolbar? How do I bookmark things in this browser? Can you tell me which browser you recommend?' Simply put: some vulnerabilities are worth major changes, but many aren't. If we switched software every time a new vulnerability came out, we'd never get anything done. Sooner or later, a patch will come out, and everything will be back to normal. But how do I communicate to end users that they should be aware of an issue and take extra care until it's fixed, without causing panic?"

1 of 84 comments

  1. fix it at the proxy level by SethJohnson · Score: 3, Informative
    Modify your outbound proxy rules to redirect every outbound HTTP request that has a user-agent string belonging to the affected browser. Send them to an internal HTML page that explains the security threat and provides a link to download and install the browser preferred by the organization.

    This will:
    1. Selectively communicate the issue to only the affected users.
    2. Prevent anyone on the internal network from being compromised due to this vulnerability.
    3. Prevent anyone from ignoring the 'advisory.'

    If you're not using an outbound proxy, god help you.
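
The routing decision described in the comment above, modeled as an added example (not code from the post or from any particular proxy product). The advisory URL, the exempt host names and the sample requests are hypothetical, and Internet Explorer is taken as the affected browser because it is the one named in the question.

```python
import re
from urllib.parse import urlsplit

# Hypothetical values for illustration; none of these come from the post.
ADVISORY_URL = "http://intranet.example/browser-advisory.html"
EXEMPT_HOSTS = {"intranet.example", "downloads.example"}  # advisory page, installer host

# IE up to 10 sends "MSIE <n>"; IE 11 dropped that token but still sends "Trident/<n>".
AFFECTED_UA = re.compile(r"\bMSIE \d+|\bTrident/\d+")
# Old Opera builds spoofed "MSIE" and named themselves later in the string.
SPOOFING_UA = re.compile(r"\bOpera\b")


def is_affected(user_agent):
    """True when the User-Agent header identifies the affected browser."""
    ua = user_agent or ""
    return bool(AFFECTED_UA.search(ua)) and not SPOOFING_UA.search(ua)


def decide(method, target, user_agent):
    """Return (action, location) for one proxied request."""
    if not is_affected(user_agent):
        return ("allow", None)
    if method.upper() == "CONNECT":
        # HTTPS tunnel: target is "host:port" and the browser will not follow
        # a redirect sent in reply to CONNECT, so the only options are allow or deny.
        host = target.rsplit(":", 1)[0].lower()
        return ("allow", None) if host in EXEMPT_HOSTS else ("deny", None)
    host = (urlsplit(target).hostname or "").lower()
    if host in EXEMPT_HOSTS:
        # Without this exemption the advisory page would redirect to itself.
        return ("allow", None)
    return ("redirect", ADVISORY_URL)


# Constructed sample requests: (method, target, User-Agent).
IE8 = "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0)"
IE11 = "Mozilla/5.0 (Windows NT 6.1; Trident/7.0; rv:11.0) like Gecko"
FIREFOX = "Mozilla/5.0 (Windows NT 6.1; rv:28.0) Gecko/20100101 Firefox/28.0"
SAMPLES = [
    ("GET", "http://www.example.org/news", IE8),
    ("GET", "http://www.example.org/news", FIREFOX),
    ("GET", ADVISORY_URL, IE11),
    ("CONNECT", "mail.example.org:443", IE11),
]

if __name__ == "__main__":
    for method, target, ua in SAMPLES:
        print(method, target, "->", decide(method, target, ua))
```

The User-Agent header is set by the client, so a rule like this matches browsers that report themselves honestly; anything sending a different string passes through and needs a separate control.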