Slashdot Mirror

← Back to Stories (view on slashdot.org)

Ask Slashdot: How To Communicate Security Alerts?

Posted by Soulskill on from the your-computer-is-broadcasting-an-ip-address dept.

Capt.Michaels writes: "I need to start sending security alerts and warnings to employees at my somewhat sizable company. My problem: I'm not sure how to send these alerts without freaking everyone out and causing the help desk to get flooded with phone calls. For example, let's take the current Internet Explorer exploit that caused US-CERT to recommend switching browsers. I don't want everyone killing our limited help desk with ridiculous questions like, 'I downloaded $New_Browser, how can I get my toolbar? How do I bookmark things in this browser? Can you tell me which browser you recommend?' Simply put: some vulnerabilities are worth major changes, but many aren't. If we switched software every time a new vulnerability came out, we'd never get anything done. Sooner or later, a patch will come out, and everything will be back to normal. But how do I communicate to end users that they should be aware of an issue and take extra care until it's fixed, without causing panic?"

18 of 84 comments (clear)

  1. Run around in panic... by sinij · · Score: 5, Funny

    Ruining around the office in panic screaming that we are all going to die worked well for me so far.

    Also, what kind of security events are we talking about here?

  2. My thoughts. by TMYates · · Score: 4, Insightful

    In the case of the browser, there are a couple of things I would have done:

    1) IT should have selected a viable alternative. Whether it is Chrome, FireFox, etc... IT should be deciding on one to use. You are right in not wanting to bog down the help desk with these calls. By selecting one you can send a message out to your users stating that to improve security, reliability, and performance of your system, we will begin rolling out a new web browser for everyone to use. Be sure to include time for a quick training session. There are various methods for pushing software out behind the scenes as well to install it without bothering many of the workers.

    2) Used something like Group Policy to push out the workaround and disable the DLL in question. This could have easily been done using a login script or GPO. Then you could sit tight waiting on a patch for your existing browser. You may still want to remind everyone to be on the lookout for anything suspicious and report it should something happen.

    The sad fact is that nothing is bulletproof. It could just as easily be Chrome or Safari next week. Don't forget Safari had a nasty SSL flaw not too long ago too. You are right in not wanting to scare your users, but that is where I say you need to put effort into education on the basics of security. Let them know you have their back. And above all, be creative.

    1. Re:My thoughts. by ArcadeMan · · Score: 2

      A lot of corporate users are still stuck with backends that require ActiveX.

      Ten years ago, people kept telling me I shouldn't worry about it and everyone would be using Windows and Internet Explorer forever. Idiots.

      --
      Get free satoshi (Bitcoin) and Dogecoins
    2. Re:My thoughts. by Anonymous Coward · · Score: 2, Informative

      Then you could sit tight waiting on a patch for your existing browser

      That patch he was waiting for? it was pushed yesterday ... FYI.

      If he followed your advice, he would have spent more time creating, testing, and implementing the scripts/GPO's you suggested, than it took to get the patch. Plus he'd get to have all the fun of hearing from the Help Desk about users who're confused by a different browser appearance, and oh, hey, where'd all of my favourites go?

      Not to mention, if the enterprise also uses GPO's to manage browser functionality / appearance / behaviour, woops, none of that on Chrome/Safari/Firefox...

      If he did ANYTHING, on Monday, he could have pushed EMET to his Windows Vista/7/8.x clients, thereby hardening all of them against not only this attack, but also most others going forward; IE11 with EMET has YET to be compromised and was the ONLY browser configuration that came out of PWN2OWN undefeated; (FWIW: If you think that's just from weak-efforts, and manage to find a way to defeat it, there's a $150,000 reward available...)

      -AC

    3. Re:My thoughts. by LordLimecat · · Score: 2

      Chrome can be deployed with extensions via GPO-- like IETab. IETab could be preconfigured to load those specific sites.

      Presumably the few sites you would be using IETab for would either be internal, or restricted access, and so unlikely to have the exploit code.

    4. Re:My thoughts. by TMYates · · Score: 2

      This response was supposed to be a general "what should I do" not "what can I do" type of question. I used the browser topic as a sample, but yes they have released the patch. If a vulnerability was published today, you cannot just assume tomorrow they will have a patch ready to ship and hence why the question was asked how to handle a situation of such.

      It depends on the size of the shop and the IT staff. As a one man IT shop, I would be the one creating, testing, and implementing. Not saying everyone is bad at that, but I happen to know my scripts and GPO objects. In the workaround, they clearly gave instructions for running the fix at a command line. That part would not be difficult to do and if it were serious enough for a large organization, they would most likely already have a rapid test process in place for a vulnerability like this. You would still have to educate the users on a new browser should you push one out, but at least you can reduce the time needed for IT to go to every computer and manually install the software. You wouldn't have to instantly switch it to default.

      As for the GPOs to manage the other browsers, it depends on how they store files. But to prove you wrong on Chrome not having them, here: https://support.google.com/chr...

      EMET should have been a 3rd option, but I wouldn't recommend every shop immediately go out there and implement it without understanding it. There are many complicated things that it helps mitigate and improperly implemented could cause more headaches to the help desk. That being said, I have started to research it for other reasons so I won't knock it being a worthwhile investment.

      Also, you better hope you are on the latest version of EMET, because 4.1 has been bypassed and it is only a matter of time for newer versions: http://bromiumlabs.files.wordp...

      Now go back into your hole since you are too afraid to stand behind anything other than AC for your post name.

  3. You don't by Anonymous Coward · · Score: 2, Interesting

    To be blunt, you don't need to tell every employee about every security problem, precisely for the reasons you stated: they'll panic.

    The best thing you can to is to try to mitigate the problem until a fix is available, and then deploy a fix. Mitigation can mean anything from blocking access to the offending program, malicious website, etc., but nothing beats good old fashioned user education. Instructing your users on safe computing habits goes a long way toward keeping your network secure, and as long as you're not a dick about it, most people will actually listen. There are always those that won't listen or cooperate because 'computery things are your job, not mine', but I've found that those people are few and far between.

  4. You let your employees choose their own browsers? by wonkey_monkey · · Score: 4, Funny

    Goddamn hippy.

    --
    systemd is Roko's Basilisk.
  5. Email and Proper Security Policy by CanHasDIY · · Score: 4, Insightful

    All your issues can be addressed with 2 things - an email to employees that explains everything they need to know about the security update, and a security policy that prevents the installation of unauthorized software.

    Then, for the handful of dumbasses that will ignore the email, try to install an unapproved browser, then call your helpdesk, they have the ammo they need to politely inform the user that if they like getting a paycheck, they should read their messages and abide by the computer usage policy*.

    * Save veeps and members of the board, since they not only believe that company policy doesn't apply to them, but also have the ability to fire you. But that's, like, maybe 20 people, so not a big deal.

    --
    An enigma, wrapped in a riddle, shrouded in bacon and cheese
  6. Re:Howto docs by amicusNYCL · · Score: 2

    Anticipating all dumb questions is easier said than done. As soon as you make something idiot-proof, they go and make a better idiot.

    --
    "Our two-party system is like a bowl of shit looking at itself in a mirror." - Lewis Black
  7. huh? by Charliemopps · · Score: 5, Insightful

    Is this even a question? If the IE bug isn't important to you, and you don't want people switching browsers, then why the hell would you communicate the bug to anyone? You should only be sending out notifications if your users need to take action or you're trying to communicate an outage. If you're email consists of "There's this problem you don't need to do anything about..." then you're wasting their time and they will quickly learn to ignore your notifications.

    Users do not care about security issues or bugs. They want you to tell them if they need to do something. Otherwise leave them alone. If you have a few users that are worry warts and want to know about that thing they heard on the radio this morning, start a wiki page and just post it there. They can come and look at it if they have questions. But I'd avoid that. Documenting the reasons for your lack of action on a security issue is not a good idea. You may very well have good reasons, but uneducated poorly informed managers can make your life miserable if the bug ends up costing the company money.

  8. Military Basic training method by Whorhay · · Score: 3, Funny

    Don a utilitarian yet heavily starched and pressed uniform, wear a funny hat and a hitler style mustache. Then get a ridding crop and an air horn. Go from cubicle to cubicle screaming and yelling obscenities and personal insults while instructing your vic.... users to apply patches or whatever. If anyone tries asking a question blow the air horn in their face then belittle them and kick up the crazyness of the insults a notch or two.

    Or you could send out a friendly and professionally written email with precise directions with a picture for every step. But that honestly doesn't seem like much fun to me.

  9. Email Alert by HideyoshiJP · · Score: 2
    Security Email Alerts
    Summary

    Often times, email works great for something like this. Make sure you use a standardized and easy to read template that makes important information stand out.

    Affected Items

    • Make sure you list what is going to be affected and how it will affect people's jobs.
    • Make each item stand out from drab text, so people's eyes immediately find whether or not it affects them.

    Your Actions

    Here's where you try to calm people down and/or tell them what they need to do. This section can be a lengthy if necessary, but make sure to break out individual items if this section grows to a text wall.

  10. Meaningless Goal by zieroh · · Score: 2

    Assuming that you find a way to communicate these alerts without freaking everyone out (which is a tall order to start with) I think your goal -- of having people "take extra care until it is fixed" is so completely vague an inactionable as to be completely meaningless.

    --
    People who say "sheeple" have about as much sophistication as an AOL user, and in fact are probably actually AOL users.
  11. Fix "normal" by TMYates · · Score: 2

    So you can be the one responsible to fix other vendor's software and web sites when they fail to run on other browsers. Have fun with that. Not everyone can switch and still function. It may not be the fault of the company using IE. Also, you have to look at organizations like Hospitals that are under regulations that may make it impossible or expensive to recertify equipment. A good example is the FDA regulating product certification systems. Changing out a system design can cost tens or hundreds of thousands of dollars to recertify a design.

    I have my fun with Linux and use it in various ways, but it isn't always the easiest thing to just swap out in a workstation setting. You apparently have very limited knowledge of the various industries and exist in a world where your way is the only correct way. You can go have fun with your copy of Linux, but don't assume it fixes everyone's issue without understanding what they do. If they can switch and still function, great. For purely desktop/laptop environments, Microsoft still has ~90% market share.

  12. Net Send / MSG by TMYates · · Score: 2

    For the most part that was restricted or disabled since the XP days (after one of the updates. Cannot remember which). You reminded me of the old school spam I used to get...

  13. fix it at the proxy level by SethJohnson · · Score: 3, Informative
    Modify your outbound proxy rules to redirect every outbound http request that has a useragent string belonging to the affected browser. Send them to an internal HTML page that explains the security threat and provides a link to download and install the browser preferred by the organization.

    This will:
    1. Selectively communicate the issue to only the affected users.
    2. Prevent anyone on the internal network from being compromised due to this vulnerability.
    3. Prevent anyone from ignoring the 'advisory.'

    If you're not using an outbound proxy, god help you.

    --
    $5 / month hosted VPS on linux = awesome!
  14. Re:Don't tell them. by Tuidjy · · Score: 4, Interesting

    They ask. They hear something from their friends and colleagues, and retain a garbled version ranging from "OMG, everything Microsoft needs to be erased!" to "Go to this website and it will fix your IE". If you are lucky, they call you before they try to do something astoundingly stupid.

    I'm the IT director for a aftermarket auto-manufacturer, and we keep our Internet facing network and our production/POS/ERP networks physically separate. Each of our Internet facing PCs has IE, and a crippled version of Chrome (same idea as Iron) installed.

    A few nights ago, I ran a script that stored everyone's IE bookmarks in a backup, and overwrote them with a list of less than a twenty bookmarks, including the company's website, the banking sites for scanning checks, the website that stores our scanned invoices... you get the idea.

    I sent an email instructing them to use IE only for the sites for which there is a bookmark, and use the crippled Chrome for everything else. Last night I restored the bookmarks, and while I was at it, checked a few histories here and there. People seem to have complied with the instructions. I saw only one clear violation, and it was work related, to a website that I may have added to the bookmarks, if I had thought of it.

    Today, according to my assistant, there have been three calls from people who did not get their bookmarks back, and a few from people who did not know about bookmarks before, and now want the 'official list' back.

    All in all, I'm glad how it went.

    --
    No good deed goes unpunished...