Penetration Testing mailing list archives

Re: [PEN-TEST] Testing a "rogue site"


From: "Missy, E" <freehold () EROLS COM>
Date: Sun, 10 Sep 2000 14:00:48 -0400

Mike -- Run, don't walk.  :)  This is a perfect setup and yours will be
the first head to roll when - not if - they end up hacked.  I don't
think what you describe is uncommon; I have experience with other
companies trying to 'phase in' security over a period of years :) for
example.  Field offices and other divisions don't like handing over
control of their networks to one guy who isn't on site ('he doesn't know
how we do things, our needs, etc.').   Unless top management lays it
down it won't happen, and a lot of times top's too interested in
protecting rice bowls -- not ticking off the division head who's brought
in a big contract and wants to run that office *his* way, say.

Listen to your instincts.  I believe you're trying to be cooperative and
a team player, and you're clearly interested in security and learning as
much as you can, but you've already figured out what the problem is
in the title of your email - 'rogue sites'.  They're not playing on the
team, or you wouldn't be using the word 'rogue'.

The company is evidently not quite behind the idea of having a security
policy actually in effect, or they wouldn't allow any 'rogue sites'.
IMO that means they won't back you up as Security Manager when - not if
- there's trouble.  Those sites could eventually endanger the rest of
the network if they're tied in, which you *are* responsible for.

Here there be dragons :), avoid it.  All JMHO.
