iCommandant

Web Journal of Admiral Thad Allen

Monday, June 15, 2009

RSS Feature in Image 6.0

Guest Post from CAPT Marshall Lytle, Acting CG-6/CIO

On Thursday, June 4th, the C4IT Service Center deployed a series of computer security setting updates associated with Image 6.0. Updates like these are issued periodically by DISA and commercial software providers to address vulnerabilities or risks. Compliance with the updates is required in order for the Coast Guard to maintain its network accreditation with the Department of Defense. One of the modifications contained in this update required us to disable RSS or "Really Simple Syndication" feeds in Outlook 2007. This means that those of us who subscribe to RSS feeds from blogs or other news sources will not be able to receive them via the Outlook 2007 RSS feed reader.

Why did RSS feeds have to be shut off? What was the risk? These feeds come to us in a format that allows attachments, graphics and links that can contain code and perform other malicious actions invisible to the user. The IT security world calls this an "attack vector": an avenue through which the bad guys can gain access and take advantage of our information and people through our networks. While we certainly want to be able to work smarter, we also need to provide a safe place to work.

This unfortunate action restricts our ability to fully exercise and exploit one of the benefits of Web 2.0 capabilities that I believe is so important to our organization; important because it provides a collaborative and transparent environment for us to better perform our jobs and keep abreast of what's happening. A key aspect of our new CG Portal and Image 6.0 combination is the ability to stay up to date on CG information via RSS.

Although we have complied, I have asked the C4IT Service Center to aggressively pursue several avenues for secure reinstatement of RSS feed capability, as well as to look at alternative methods to deliver these types of feeds.

For more information on RSS feeds.

7 Comments:

Blogger Peter A. Stinson said...

Captain, what about web-based feed readers, like Bloglines or GoogleReader? Is there some sort of RSS reader capability in the new IBM Portal software?

June 15, 2009 11:01 AM  
Blogger Peter A. Stinson said...

Captain, I forgot one thing... I found your post... on my feed reader. Managing the ever increasing amount of information is critical, and RSS feeds can play a huge part in the management of electronic information.

June 15, 2009 11:03 AM  
Blogger Amver Maritime Relations said...

As a proponent of web 2.0 I have never relied on the RSS feature on the CG Workstation. Instead I use Google Reader. Google Reader is accessible on the standard workstation and provides greater features than are available on the Outlook platform.

Google Reader is also "cloud" computing so you can access your subscriptions from any computer.

Thanks for the update.

June 15, 2009 11:32 AM  
Blogger Captain Lytle said...

Some excellent points here. The restriction only applies to the feed reader in Outlook 2007, not external readers. Where this will come into play is when subscribing to internal RSS feeds like the ones on the CGPORTAL. External readers can't "see" those. We will keep working on a solution for this! Agree this capability is important to information flow.

MBL
CG-6

June 15, 2009 12:54 PM  
Blogger Peter A. Stinson said...

Captain, one other thought... it would be great if the solution were able to pick up Intelink-U RSS feeds in addition to the internal CG feeds on CGCN+.

Thanks.

June 15, 2009 8:07 PM  
Blogger Dan Taylor said...

There's a great three minute video available from Common Craft at http://commoncraft.com/rss_plain_english that explains the concept well and shows how to set up Google Reader and subscribe to RSS feeds.

For people who are hearing about RSS readers for the first time, the video may be three minutes well spent.

June 16, 2009 8:59 PM  
Blogger Charles said...

Looking at the DISA requirement it says:

Enable the "turn off RSS Feeds" feature in Outlook.

Vulnerability Discussion: By default, users can subscribe to RSS feeds from within Outlook 2007 and read RSS items like e-mail messages. If your organization has policies that govern the use of external resources such as RSS feeds, allowing users to subscribe to the RSS feed in Outlook might enable them to violate those policies.

Default Finding Details: Ensure "Turn off RSS feature" is set to Enabled.

So if USCG policy prohibits the access of outside external resources, then even if USCG uses a non-Microsoft third-party news reader, the risk is the same.

June 23, 2009 9:55 AM  


Last Modified 6/27/2009