As a second legal opinion, I agree with John. This is a liability bomb waiting to go off. And you do not want to be the guy that everyone looks to when that happens.
If you want to give management something reasonably short that might get their attention, I wrote an article for USENIX ;login: back in April that might do the trick ("You've Been Cracked ... and Now You're Sued!", ;login:, April 2001, pp. 73-76).

Regardless of whether or not you leave, document everything, particularly your warnings/recommendations to upper management. If your communications have only been via email, print them out and keep them somewhere. If you have only been doing those things verbally, start documenting them now.

If you decide to stay, you need to decide what you are going to do. I'd suggest preparing a package that includes:

1) all of the documentation mentioned above,
2) an analysis of the current state of security, and
3) your prioritized recommendations for what to change, why, and how much each will cost.

You might include as supporting documentation any best practices info that you have. Once you have that, have a meeting with the CIO and present it to him. You can take one of several approaches to that meeting:

1) Only give the presentation to the CIO (which sounds like it will be useless, but is the least confrontational approach),
2) Give the presentation to the CIO and CC: the CEO (might piss off the CIO and could make the CEO annoyed that you are going around the chain of command - depends on how bureaucratic your company is),
3) Give it to the CIO and ask him to go with you to present it to the CEO (gives the CIO an out, but forces the issue).

On a more personal level, I'd say get out. It doesn't sound like you're happy there, and, even in the current environment (or perhaps because of it), there are lots of places looking for competent security help.
John

In a message dated Thu, 3 Jan 2002 1:01:54 PM Eastern Standard Time, "Christiansen, John (SEA)" <[EMAIL PROTECTED]> writes:

> I don't know whether you resign or not, but I can tell you (as a lawyer who does computer security work) that there are good legal theories and a couple of cases I can point to supporting legal liability of your company to its customers if they are harmed due to negligent operation of your systems - which this sure sounds like. Worse than that, if you are representing that you have firewalls and intrusion detection and don't, you have added a much more easily proven cause of action for misrepresentation - and if some of those using your network are consumers I could probably make a nice little consumer protection class action out of it. (That's the really nasty kind of lawsuit that comes with things like triple or more damages, attorneys' fees awards, extremely bad publicity, sometimes intervention by e.g. state attorneys general or the FTC.) Your company may also have blown its ability to successfully refer intrusion incidents to law enforcement for possible prosecution, not that it sounds like there would be viable records to support it even if intruders could be identified.
>
> In your shoes at least I would document my communications to my superiors and their responses, to C your own A in case it does hit the fan. If you want to try to get something done about this, you might consider getting a notice to your CEO - who, by the way, could face personal liability to shareholders if what you say is true, and the company is sued and loses value as a result.
>
> Having said all this, it is also not an uncommon type of scenario at this point. The fact that this is the existing standard of care doesn't make it the right one, legally or practically. But I expect it will take a few high profile, high damages cases to bring this point home to a lot of companies.
>
> John R. Christiansen / Preston Gates & Ellis
> [EMAIL PROTECTED]
> http://www.prestongates.com
>
> -----Original Message-----
> From: A Question [mailto:[EMAIL PROTECTED]]
> Sent: Tuesday, January 01, 2002 12:38 PM
> To: [EMAIL PROTECTED]
> Cc: [EMAIL PROTECTED]
> Subject: Is it bad enough to resign?
>
>
> Greetings,
>
> Beg your pardon for sending, but I could use your advice.
>
> I have been reading this list for some time and have benefited from it. There are some good minds on this list, and a lot of experience, so I submit my question to you seeking your perspective.
>
> Before I begin, I want to tell you that I have already made up my mind whether to resign or not; what I need is perspective, as the company I work for is the only one I have worked at as a Systems Administrator, and the only one where I have been responsible for securing the system.
>
> The security for the network and servers I administer is NON-EXISTENT. This is not only fine with my superiors, but I have been told to not work on security anymore, as it is "un-important". The CEO thinks that it is secure because my CIO lies and tells him that it is.
>
> Here is some background. We have approx. 14,000 IPs in a stub network (only one way in or out on the router). Since those IPs are mostly used to host virtual hosts, there are over 100,000 total paying customers that depend on our systems being secure.
>
> We tell customers and the CEO that we have a firewall - it's a lie.
>
> * WE HAVE NO FIREWALL ON OUR ENTIRE NETWORK.
> * WE HAVE NO INTRUSION DETECTION ON OUR SYSTEM
>
> We use Linux and Windows. Windows is even more pathetic as we depend on hotfixes and Service Packs as our ONLY form of Windows security. They won't let me put Snort on it, and they won't buy Black Ice, or anything else.
>
> To top this off, the CIO refused to let me apply Service Pack 2 to Windows for months after the release. I brought it up every week at our management meeting. Finally, several Windows machines were compromised so that the cracker had admin level access for weeks before it was even detected. This would have been prevented if they had only let me apply SP2! The CIO kept saying that he could hear me saying "I told you so". The CIO lied to the CEO and said that it was not an admin-level intrusion, but merely a rogue FTP account used for warez. The cracker could have formatted the drives with data at any time!
>
> It gets even worse than this, but you get the idea. I prevented Nimda and Code Red attacks even while everyone else was wondering what they were.
>
> Do they promote me? Reward me? No. Apparently, my CIO and managers are too embarrassed that they are incompetent in security (they set up the systems this way, after all), and, seeking to keep me quiet, they demoted me so that I wouldn't be responsible for security anymore. As far as I can tell, the only reason I was promoted to Security Manager was so that they could have a fall-guy when things went wrong ("How did they do that? Weren't you doing your job?"). But when their scheme backfired and I actually did such a good job that their position in front of the CEO was threatened, they decided to keep me quiet.
>
> Am I being paranoid? Am I overreacting? Your perspective from your experience would be greatly appreciated. Also, after I leave, should I send a letter to the CEO about this?
>
>
> Thanks