I'm sure it won't take long for "Bob" to turn it into a warez site if you sit back long enough.... ;)
On Mon, Oct 12, 2009 at 4:44 PM, Jason Wood <[email protected]> wrote:
> I asked a lot of folks whose opinion I highly respect about this issue.
> Their opinion was largely the same as Vincent's. You can and should
> suggest, recommend, and take every chance you get to move people towards
> protecting their data. However, you still need to document what you feel
> needs to be done and CYA. In the end, if/when the system gets hacked the
> security guy is a likely scapegoat. Protect your backside and be the person
> with the plan to deal with it.
>
> For a differently worded opinion on it...
> http://taosecurity.blogspot.com/2008/09/is-experience-only-teacher-in-security.html
>
> Jason
>
> On Mon, Oct 12, 2009 at 2:19 PM, Kennith Asher <[email protected]> wrote:
>
>> I have to disagree with your approach, Vincent.
>>
>> The point is to protect people from themselves, not point a finger after
>> they've failed.
>>
>> Security is a tough biz since it gets in the way of most people just doing
>> their job. It's up to us to convince them that the risk of breach is much
>> worse than the inconvenience caused by good security policy. Us versus them
>> is simply not the way to a more secure environment.
>>
>> As much as I enjoy a good laugh at the expense of an uninformed person's
>> Epic Fail, documented conversation + CYA response - customer data = FAIL on
>> both of you IMO.
>>
>> Ken
>>
>> On Mon, Oct 12, 2009 at 12:42 PM, Vincent Lape <[email protected]> wrote:
>>
>>> Document your conversation with "top guy", create a report stating the
>>> issue and remediation recommendations, and just wait till it gets
>>> pwned. Once customer data is out there in the wild I'm sure they will
>>> have a different outlook on the issue. Just make sure you CYA so "top
>>> guy" does not come back and say "hey, that dude was responsible for
>>> fixing that problem."
>>>
>>> On Oct 12, 2009, at 10:24 AM, Soft Reset wrote:
>>>
>>> > Without spilling details, I told the IT team to remove an exposed
>>> > web portal from the internet as it was not SSL protected and the
>>> > password was easy enough to be found in my kid's "My First
>>> > Dictionary". This is the response I got back from our "top guy":
>>> >
>>> > "Many people need access to the web portal. Remember that one of
>>> > the objectives is to develop a strategy
>>> > for the customer. Easier access, not harder, should be the goal."
>>> >
>>> > I laughed. How about you?
>>> >
>>> > --SR6
>>>
>>
>
> --
>
> irc: Tadaka
> Twitter: Jason_Wood
> jwnetworkconsulting.com
>
_______________________________________________ Pauldotcom mailing list [email protected] http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom Main Web Site: http://pauldotcom.com
