[dinodrac@magenet.net: Re: end user security]
Josh Rollyson <dinodrac@SUMMIT.MAGENET.NET> Wed, 10 October 2001 04:07 UTC
Received: from mailbag.cps.intel.com (mailbag.cps.intel.com [192.102.199.72]) by ietf.org (8.9.1a/8.9.1a) with ESMTP id AAA20162 for <run-archive@LISTS.IETF.ORG>; Wed, 10 Oct 2001 00:07:52 -0400 (EDT)
Received: from mailbag.intel.com (mailbag.cps.intel.com [192.102.199.72]) by mailbag.cps.intel.com (8.9.3/8.9.3/d: relay.m4,v 1.6 2000/11/24 22:10:56 iwep Exp iwep $) with ESMTP id UAA24038; Tue, 9 Oct 2001 20:52:48 -0700 (PDT)
Received: from MAILBAG.INTEL.COM by MAILBAG.INTEL.COM (LISTSERV-TCP/IP release 1.8d) with spool id 14948 for IETF-RUN@MAILBAG.INTEL.COM; Tue, 9 Oct 2001 20:52:48 -0700
Received: from mail.2mbit.com (summit.magenet.net [216.152.230.50]) by mailbag.cps.intel.com (8.9.3/8.9.3/d: relay.m4,v 1.6 2000/11/24 22:10:56 iwep Exp iwep $) with ESMTP id UAA24034 for <IETF-RUN@MAILBAG.INTEL.COM>; Tue, 9 Oct 2001 20:52:46 -0700 (PDT)
Received: (from dinodrac@localhost) by mail.2mbit.com (8.11.6/8.11.6) id f9A3ohN07489 for IETF-RUN@MAILBAG.INTEL.COM.; Tue, 9 Oct 2001 23:50:43 -0400
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Disposition: inline
User-Agent: Mutt/1.2.5i
Message-ID: <20011009235043.F32066@magenet.net>
Date: Tue, 09 Oct 2001 23:50:43 -0400
Reply-To: IETF-RUN <IETF-RUN@mailbag.cps.INTEL.COM>
Sender: IETF-RUN <IETF-RUN@mailbag.cps.INTEL.COM>
From: Josh Rollyson <dinodrac@SUMMIT.MAGENET.NET>
Subject: [dinodrac@magenet.net: Re: end user security]
To: IETF-RUN@mailbag.cps.INTEL.COM
> >I'd like to suggest that a document is needed on the responsibilities > >of end users to maintain secure systems. > > This brings up an interesting point, and one that should probably be > raised at this time. > > At SpamCon last spring, a number of people expressed interest in > pursuing this type of document, mostly from the perspective of an Abuse > Desk professional. That is to say, who would create a document that > could be used both by users and network abuse or support personnel in > explaining why systems had to be secured, and how to address the need > for a "best practices" type of approach for Abuse Desk staffs. > > I don't know that it should/would be this group, but I'd be curious to > see what people's impressions are as to what scope the document should > cover. I'm not sure which group would be appropriate for this, but considering that compromised systems are often used to stage much broader attacks against high profile targets, there is obviously imho, some degree of responsibility on the part of the users to make sure this doesn't happen. I didn't see a specific group this would fit perfectly in, as the issues involved are both responsible use (by not allowing your systems to be misused), and security (keeping the systems secure so that the chance of unauthorized access and subsequent misuse is mimimal) I'd like to see such a document cover at a minimum: - Responsibility for systems under the control of end users. - Basic security practices for end users - General security threats against personal systems. - Summary of typical attack methods in laymans terms. (buffer overflows, viruses and trojan horses, etc) - Risks from social engineering. Ideally this would be a document which a provider could hand out to users when they sign up for service, so that users would hopefully have some understanding of the issues involved with running a computer connected to a network, particularly a public network. While this doesn't need to be something that will make users afraid to turn their systems on, it does need to be something that will convey the severity of the risks involved, and the possible consequences of inattention and inaction.
- [dinodrac@magenet.net: Re: end user security] Josh Rollyson