Obviously OP has already tried to persuade his boss to fix the issue. In my experience working with executives, they do not like to hear the same issue over and over again; once they have made a decision, that's that. Sometimes it takes a severe failure for people to realize security is important. Granted, it sucks; however, it tends to be the reality in many SMBs.

At the end of the day, when things come rolling downhill, OP just needs to make sure the issues are documented so he does not get the blame. The job market is rough at the moment.

On Oct 12, 2009, at 1:19 PM, Kennith Asher wrote:

> I have to disagree with your approach, Vincent.
>
> The point is to protect people from themselves, not point a finger after they've failed.
>
> Security is a tough biz since it gets in the way of most people just doing their job. It's up to us to convince them that the risk of breach is much worse than the inconvenience caused by good security policy. Us versus them is simply not the way to a more secure environment.
>
> As much as I enjoy a good laugh at the expense of an uninformed person's Epic Fail, documented conversation + CYA response - customer data = FAIL on both of you IMO.
>
> Ken
>
> On Mon, Oct 12, 2009 at 12:42 PM, Vincent Lape <[email protected]> wrote:
>
> > Document your conversation with "top guy", create a report stating the issue and remediation recommendations, and just wait till it gets pwned. Once customer data is out there in the wild, I'm sure they will have a different outlook on the issue. Just make sure you CYA so "top guy" does not come back and say, "hey, that dude was responsible for fixing that problem."
> >
> > On Oct 12, 2009, at 10:24 AM, Soft Reset wrote:
> >
> > > Without spilling details, I told the IT team to remove an exposed web portal from the internet as it was not SSL protected and the password was easy enough to be found in my kid's "My First Dictionary". This is the response I got back from our "top guy":
> > >
> > > "Many people need access to the web portal. Remember that one of the objectives is to develop a strategy for the customer. Easier access, not harder, should be the goal."
> > >
> > > I laughed. How about you?
> > >
> > > --SR6

_______________________________________________
Pauldotcom mailing list
[email protected]
http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
Main Web Site: http://pauldotcom.com
