Wednesday, December 28, 2005

An Observation on Security

Recently I discovered that I had misconfigured my e-mail gateway/spam filter and that the wildcard expression I used to block executables as attachments to inbound e-mail was invalid. The result was that files attached as executables were being let in. Not a good thing, but not dramatically bad. As soon as I discovered this, I fixed it.

I also disallow executables, among a long list of other file types, as attachments to outbound e-mail. To me, disallowing executables as an e-mail attachment has been standard practice since at least the mid-to-late 1990s. Doesn't everybody block them?
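An added example, not the blog author's gateway configuration, of the two points above: a blocklist written in the wrong wildcard syntax silently lets everything through, and a self-extracting archive is a Windows executable whatever it is named, so a content check is the backstop when the name check fails. Everything here is constructed (the glob list, the probe filenames, the sample message, the fake MZ/PE header) and stands in for whatever product the author actually ran.

```python
import fnmatch
from email.message import EmailMessage

# Extensions blocked inbound and outbound (illustrative list, not the author's).
BLOCKED_GLOBS = ["*.exe", "*.com", "*.scr", "*.pif", "*.bat", "*.cmd", "*.vbs"]

# The same intent written in regex syntax. A gateway that expects shell-style
# wildcards never matches these: fnmatch treats '\', '$' and '.' as literals.
BROKEN_GLOBS = [r".*\.exe$", r".*\.com$", r".*\.scr$"]

# Constructed probe names every rule change should be checked against.
PROBES = {"setup.exe": True, "SETUP.EXE": True, "report.pdf": False, "notes.txt": False}


def name_blocked(filename, globs):
    """True if the attachment name matches any blocklist glob (case-insensitive)."""
    name = filename.lower()
    return any(fnmatch.fnmatchcase(name, g.lower()) for g in globs)


def check_blocklist(globs, probes=PROBES):
    """Return probe names whose outcome differs from what the policy intends.
    Empty means the rules behave; non-empty is the 'invalid wildcard' situation
    from the post, caught before any mail flows through the filter."""
    return [n for n, want in probes.items() if name_blocked(n, globs) != want]


def is_pe_executable(data):
    """True for a DOS/Windows executable: 'MZ' stub, then 'PE\\0\\0' at the
    offset stored at 0x3C. A self-extracting archive is one of these no matter
    what its filename says."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    pe_off = int.from_bytes(data[0x3C:0x40], "little")
    return data[pe_off:pe_off + 4] == b"PE\x00\x00"


def scan_message(msg, globs=BLOCKED_GLOBS):
    """Return [(filename, reason), ...] for attachments the gateway should reject."""
    rejected = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        data = part.get_payload(decode=True) or b""
        if name_blocked(name, globs):
            rejected.append((name, "blocked extension"))
        elif is_pe_executable(data):
            rejected.append((name, "executable content (MZ/PE header)"))
    return rejected


def fake_pe():
    """Constructed stand-in for a self-extracting archive: a minimal MZ/PE
    header only, not a real program."""
    hdr = bytearray(0x80)
    hdr[0:2] = b"MZ"
    hdr[0x3C:0x40] = (0x40).to_bytes(4, "little")
    hdr[0x40:0x44] = b"PE\x00\x00"
    return bytes(hdr)


def sample_message():
    """Constructed inbound mail: a PDF, an .exe, and an SFX renamed to .dat."""
    msg = EmailMessage()
    msg["From"] = "statements@example.com"
    msg["To"] = "user@example.net"
    msg["Subject"] = "Your statement"
    msg.set_content("Statement attached.")
    msg.add_attachment(b"%PDF-1.4 ...", maintype="application", subtype="pdf",
                       filename="report.pdf")
    msg.add_attachment(fake_pe(), maintype="application", subtype="octet-stream",
                       filename="setup.exe")
    msg.add_attachment(fake_pe(), maintype="application", subtype="octet-stream",
                       filename="statement.dat")
    return msg


if __name__ == "__main__":
    print("broken rules miss:", check_blocklist(BROKEN_GLOBS))
    print("working rules miss:", check_blocklist(BLOCKED_GLOBS))
    for name, why in scan_message(sample_message()):
        print("reject", name, "-", why)
```

With the broken rule set the name check passes `setup.exe`, yet `scan_message` still rejects it because the content check sees the MZ/PE header; the renamed `statement.dat` is caught the same way under either rule set. Running `check_blocklist` against a fixed set of probes after every rule change is the cheap way to avoid discovering the problem the way the post describes.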

So I get a call from a user who regularly gets an encrypted, self-extracting archive which happens to be an executable file, and my "fixing" of the problem now means that he can no longer receive this file as an email attachment. This file, by the way, originates at a major national bank. Apparently, the user is too stupid to create an encrypted archive that is not self-extracting.

Now, here is my question. With all the compliance regs that banks and financial institutions are forced to adhere to, and all the money these guys spend on IT "security", this bank still allows executables as file attachments. What the hell are they thinking?

What is the point of that policy? I know for certain that if I were to send an e-mail to a user at this bank with an executable as a file attachment, it would get rejected, or would undergo "hygiene" and have the attachment stripped out. And that is as it should be. But why should their users be able to "shit" on my network and send out executables? I find it irresponsible.

The bank, btw, rhymes with "Hell's Cargo". I think I have a friend and former co-worker who works at their corporate. I think I'll call him and give him hell. GRRRRRRRRRRRRR.
