Hello, While I'm sure your mailbox is full of replies to either you should resign, try to make a difference, or even suck it up and stay, I'd like to actually expand more on the security aspect of your letter.
There are many local ISP's in various cities around the US that have no security. What is even worse is that in many cases the network abuse is actually caused from their own people. Many ISP's are simply extentions of other "traditional" retail stores that wanted to cash in the internet "trend" and hired some wiz kids out of their local college and put them to work. So you're not alone. I've been in places where employees were sharing "funny" emails of customers. Where credit card numbers were kept in a DOS text file. Where all the passwords where one and that was kept in a sticky on the company's bulletin. When a company has been running for a while like that and nothing has happened, it is hard to convince the owners, that have seen (or not) a return of the investment with the existing policies in place. What have I done in the past? Get the owners (WRITTEN) permission to allow you to break into their systems, then show them the abuse and how easy it was done. In cases where you are working against the existing system administrator you may or may not want to pick that battle. Up to you. As for your particular situation, if it is indeed as big of an organization as you describe, snort and BlackICE would hardly be sufficient at this point. You would need a hardware-based firewall with stateful packet inspection at your gateway and a host-based IDS system to pick up any continuous attempts. You would also need a very detailed audit of the rest of the security measures. Usually a company so relaxed with their network security also lacks in other security areas as well (the password on the sticky scenario). Sorry that this is really not an advice in your situation but I'm afraid that if you were to fight this you would need to establish a much more efficient solution than snort/BlackICE (that I'm sure was just an example) since when/if that fails then it will be all you that would take that fall. Good luck. Nicko -----Original Message----- From: A Question [mailto:[EMAIL PROTECTED]] Sent: Tuesday, January 01, 2002 12:38 PM To: [EMAIL PROTECTED] Cc: [EMAIL PROTECTED] Subject: Is it bad enough to resign? Greetings, Beg your parden for sending, but I could use your advice. I have been reading this list for some time and have benefited from it. There are some good minds on this list, and a lot of experience, so I submit my question to you seeking your perspective. Before I begin, I want to tell you that I have already made up my mind weather to resign or not, what I am needing is perspective as the company I work for is the only one I have worked at as a Systems Administrator, and the only one that I have been responsible for securing the system. The security for the network and servers I administer is NON-EXISTENT. This is not only fine with my superiors, but I have been told to not work on security anymore, as it is "un-important". The CEO thinks that it is secure because my CIO lies and tells him that it is. Here is some background. We have approx. 14,000 IP's in a stub network (only one way in or out on the router). Since those IP's are mostly used to host virtual hosts, there is over 100,000 total paying customers that depend on our systems being secure. We tell customers and the CEO that we have a firewall - it's a lie. * WE HAVE NO FIREWALL ON OUR ENTIRE NETWORK. * WE HAVE NO INTRUSION DETECTION ON OUR SYSTEM We use Linux and Windows. Windows is even more pathetic as we depend on hotfixes and Service Packs as our ONLY form of Windows security. They won't let me put Snort on it, and they won't buy Black Ice, or anything else. To top this off, the CIO refused to let me apply Service Pack 2 to Windows for months after the release. I brought it up every week at our management meeting. Finally, several Windows machines were compromised so that the cracker had admin level access for weeks before it was even detected. This would have been prevented if they would have only let me apply SP2! The CIO kept saying that he could hear me saying "I told you so". The CIO lied to the CEO and said that it was not a Admin level intrusion, but merely a rouge FTP account used for Warez. The cracker could have formatted the drives with data at any time! It gets even worse than this, but you get the idea. I prevented Nimda and Code Red attacks even while everyone else was wondering what they are. Do they promote me? Reward me? No. Apparently, they are too embarrassed as my CIO and Managers that they are incompetent in security (they setup up the systems this way, after all), and seeking to keep me quiet, they demoted me so that I wouldn't be responsible for security anymore. As far as I can tell, the only reason I was promoted to Security Manager was so that they could have a fall-guy when things went wrong "How did they do that? Weren't you doing your job?". But when their scheme backfired and I actually did such a good job that their position in front of the CEO was threatened, they decided to keep me quiet. Am I being paranoid? Am I overacting? Your perspective from your experience would be greatly appreciated. Also, after I leave, should I send a letter to the CEO about this? Thanks __________________________________________________ Do You Yahoo!? Send your FREE holiday greetings online! http://greetings.yahoo.com
