PaulDotCom mailing list archives

Have a laugh on me...


From: herrasher at gmail.com (Kennith Asher)
Date: Mon, 12 Oct 2009 14:01:35 -0700

I really like Craig's idea of proposing the solution rather than pulling the
plug.  If the boss says no, the scope of change, cost and impact are all
documented as well.  I also like the idea of demonstrating the failure via a
pen test or via a simple hack.

CYA is personally important but there is nothing at all satisfying about
losing employment because your company was sunk by a hacker especially if
you could have done something about it.

If you're lucky enough to work for a company who takes security seriously
count yourself blessed 'cause there are clearly plenty that don't.

On Mon, Oct 12, 2009 at 1:30 PM, Vincent Lape <vlape at me.com> wrote:

Obviously OP has already tried to persuade his boss to fix the issue.
In my experience working with executives, they do not like to hear the
same issue over and over again; once they have made a decision, that's
that. Sometimes it takes a severe failure for people to realize
security is important. Granted, it sucks; however, it tends to be the
reality in many SMBs.

At the end of the day, when things come rolling down hill OP just
needs to make sure the issues are documented so he does not get the
blame. The job market is rough at the moment...


On Oct 12, 2009, at 1:19 PM, Kennith Asher wrote:

I have to disagree with your approach Vincent.

The point is to protect people from themselves, not point a finger
after they've failed.

Security is a tough biz since it gets in the way of most people just
doing their job.  It's up to us to convince them that the risk of
breach is much worse than the inconvenience caused by good security
policy.  Us versus them is simply not the way to a more secure
environment.

As much as I enjoy a good laugh at the expense of an uninformed
person's Epic Fail, documented conversation + CYA response -
customer data = FAIL on both of you IMO.

Ken

On Mon, Oct 12, 2009 at 12:42 PM, Vincent Lape <vlape at me.com> wrote:
Document your conversation with "top guy", create a report stating the
issue and remediation recommendations, and just wait till it gets
pwned. Once customer data is out there in the wild I'm sure they will
have a different outlook on the issue. Just make sure you CYA so "top
guy" does not come back and say "hey, that dude was responsible for
fixing that problem."


On Oct 12, 2009, at 10:24 AM, Soft Reset wrote:

Without spilling details, I told the IT team to remove an exposed
web portal from the internet as it was not SSL protected and the
password was easy enough to be found in my kid's "My First
Dictionary".  This is the response I got back from our "top guy":

"Many people need access to the web portal.  Remember that one of
the objectives is to develop a strategy for the customer. Easier
access, not harder, should be the goal."

I laughed.  How about you?


--SR6
_______________________________________________
Pauldotcom mailing list
Pauldotcom at mail.pauldotcom.com
http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
Main Web Site: http://pauldotcom.com
