Path: utzoo!attcan!utgpu!jarvis.csri.toronto.edu!mailrus!iuvax!rutgers!netnews.upenn.edu!vax1.cc.lehigh.edu!sei.cmu.edu!krvw
From: chinet!ignatz@att.att.com
Newsgroups: comp.virus
Subject: Re: Corporate culture shift resulting from virus mis(?)information
Message-ID: <0006.8907211134.AA06039@ge.sei.cmu.edu>
Date: 20 Jul 89 19:23:42 GMT
Sender: Virus Discussion List
Lines: 70
Approved: krvw@sei.cmu.edu

In article <0004.y8907171856.AA19378@ge.sei.cmu.edu> DCD@CUNYVMS1.BITNET writes:
>.... I am intrigued by what can only be called the return of MIS:
>we all know the corporate Kulturkampf that took place not so many years
>ago when microcomputers became readily available--the MIS people (in large
>corporations) kicked and screamed, but eventually their power was diluted.
>Now, I am seeing reports that their day has returned. Relatively
>techno-illiterate upper management sees reports on viruses in Time, etc.,
>and puts a call in that all decisions on software must be blessed from a
>newly powerful management structure.
> [A few examples elided]
>
>I have no doubt that such corporate shenanigans are taking place all
>the time, and would be interested in any comments.
>
>Thanks for your time in reading this,
>
> Robert Braham
>E-mail: DCD@CUNYVMS1.BITNET
>Home: 1315 Third Ave., 4D
> New York, NY 10021
> (212) 879-1026

I trust Robert reads this group; otherwise, well, he won't see this.

I'm a consultant in the Chicago area, and have been for almost 11 years now. This means I get to encounter the MIS and computer policies of a number of different firms, both Fortune 500 and small ones. Most definitely, the MIS departments are attempting to re-assert their control over computing resources, and use of the current panic concerning possible viruses, worms, and other infestations by crackers is one of the prime tools.
Unfortunately, these organizations often have little or no knowledge of the needs of the long-alienated users who now must clear requests through them; many are traditional IBM mainframe managers, who now must deal with the bewildering plethora of packages and utilities available to the micro- and mini-computer user. The (unfortunate) result is that often, only a very few programs and packages are considered 'authorized', and restrictive (and usually unnecessary) controls are placed on procurement and use.

Even worse are some organizations who have installed usually unqualified personnel in the newly-created office of "Computer Security." In one unnamed company, this person was a lawyer whose qualifications were that he knew how to use Lotus 1-2-3. Period. In these cases, it's particularly difficult to express the difference between accepting a source copy of a public domain program, and a binary copy--this person passed down a directive that *all* PD software was to be scrubbed ASAP on all corporate machines. It took a **long** training session to explain the difference in verification capabilities, and why we really could safely review and use PD sources.

I'm in the position to argue with, and (often) successfully educate such organizations; but this is difficult for "real" employees, since such directives often come from individuals who are high enough in the hierarchy to make disagreement a somewhat risky proposition. Also, the decision makers at this level may well not be computer literate themselves, and have neither the time nor the desire to do so--they want clear, concise advice from their experts, who are often those disenfranchised MIS people. (Who are often not qualified themselves...see above.) This is not a happy-making situation, and I don't have a blanket answer.
I think what, perhaps, will give us all the best ammunition to counter the rising hysteria is a clear, well-written text that is targeted at the intelligent layman, describing exactly what the attack vectors are, and what approaches can reasonably protect a distributed computing environment without unnecessary stifling of creative use or access to valuable programs.