I really like Craig's idea of proposing the solution rather than pulling the plug. If the boss says no, the scope of change, cost and impact are all documented as well. I also like the idea of demonstrating the failure via a pen test or via a simple hack.
CYA is personally important, but there is nothing at all satisfying about losing employment because your company was sunk by a hacker, especially if you could have done something about it. If you're lucky enough to work for a company who takes security seriously, count yourself blessed, 'cause there are clearly plenty that don't.

On Mon, Oct 12, 2009 at 1:30 PM, Vincent Lape <[email protected]> wrote:
> Obviously OP has already tried to persuade his boss to fix the issue.
> In my experience working with executives, they do not like to hear the
> same issue over and over again; once they have made a decision, that's
> that. Sometimes it takes a severe failure for people to realize
> security is important. Granted it sucks, however it tends to be the
> reality in many SMBs.
>
> At the end of the day, when things come rolling down hill OP just
> needs to make sure the issues are documented so he does not get the
> blame. The job market is rough at the moment...
>
>
> On Oct 12, 2009, at 1:19 PM, Kennith Asher wrote:
>
> > I have to disagree with your approach, Vincent.
> >
> > The point is to protect people from themselves, not point a finger
> > after they've failed.
> >
> > Security is a tough biz since it gets in the way of most people just
> > doing their job. It's up to us to convince them that the risk of
> > breach is much worse than the inconvenience caused by good security
> > policy. Us versus them is simply not the way to a more secure
> > environment.
> >
> > As much as I enjoy a good laugh at the expense of an uninformed
> > person's Epic Fail, documented conversation + CYA response -
> > customer data = FAIL on both of you IMO.
> >
> > Ken
> >
> > On Mon, Oct 12, 2009 at 12:42 PM, Vincent Lape <[email protected]> wrote:
> > Document your conversation with "top guy", create a report stating the
> > issue and remediation recommendations, and just wait till it gets
> > pwned. Once customer data is out there in the wild I'm sure they will
> > have a different outlook on the issue. Just make sure you CYA so "top
> > guy" does not come back and say hey, that dude was responsible for
> > fixing that problem.
> >
> >
> > On Oct 12, 2009, at 10:24 AM, Soft Reset wrote:
> >
> > > Without spilling details, I told the IT team to remove an exposed
> > > web portal from the internet as it was not SSL protected and the
> > > password was easy enough to be found in my kid's "My First
> > > Dictionary". This is the response I got back from our "top guy":
> > >
> > > "Many people need access to the web portal. Remember that one of
> > > the objectives is to develop a strategy
> > > for the customer. Easier access, not harder, should be the goal."
> > >
> > > I laughed. How about you?
> > >
> > >
> > > --SR6
> > > _______________________________________________
> > > Pauldotcom mailing list
> > > [email protected]
> > > http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
> > > Main Web Site: http://pauldotcom.com
