RE: Is it bad enough to resign?

From: Ivan Hernandez Puga (ivan.hernandez@globalsis.com.ar)
Date: 01/02/02


Date: Wed, 2 Jan 2002 14:36:03 -0300
From: "Ivan Hernandez Puga" <ivan.hernandez@globalsis.com.ar>
To: "A Question" <secureit2002@yahoo.com>, <security-basics@securityfocus.com>

Get another job. That environment is insane and will sooner or later hurt your reputation.
But... Why not snort and a firewall??? You can set up a firewall in minutes and snort is almost "plug and play" software!
Well... As someone said: "It's much easier and nobody will find the difference, until it's too late!"
Ivan Hernandez

---------------------------------------------------------------------
  .~.
  /V\ Free science and free software are just two aspects
 // \\ of the same complex reality: long-term human survival.
/( )\ Support humankind--use LINUX.
 ^^-^^
---------------------------------------------------------------------

-----Original Message-----
From: A Question [mailto:secureit2002@yahoo.com]
Sent: Tuesday, January 01, 2002 5:38 PM
To: security-basics@securityfocus.com
Cc: incidents@securityfocus.com
Subject: Is it bad enough to resign?

Greetings,

Beg your pardon for sending, but I could use your
advice.

I have been reading this list for some time and have
benefited from it. There are some good minds on this
list, and a lot of experience, so I submit my question
to you seeking your perspective.

Before I begin, I want to tell you that I have already
made up my mind whether to resign or not, what I am
needing is perspective as the company I work for is
the only one I have worked at as a Systems
Administrator, and the only one that I have been
responsible for securing the system.

The security for the network and servers I administer
is NON-EXISTENT. This is not only fine with my
superiors, but I have been told to not work on
security anymore, as it is "un-important". The CEO
thinks that it is secure because my CIO lies and tells
him that it is.

Here is some background. We have approx. 14,000 IP's
in a stub network (only one way in or out on the
router). Since those IP's are mostly used to host
virtual hosts, there are over 100,000 total paying
customers that depend on our systems being secure.

We tell customers and the CEO that we have a firewall
- it's a lie.

* WE HAVE NO FIREWALL ON OUR ENTIRE NETWORK.
* WE HAVE NO INTRUSION DETECTION ON OUR SYSTEM

We use Linux and Windows. Windows is even more
pathetic as we depend on hotfixes and Service Packs as
our ONLY form of Windows security. They won't let me
put Snort on it, and they won't buy Black Ice, or
anything else.

To top this off, the CIO refused to let me apply
Service Pack 2 to Windows for months after the
release. I brought it up every week at our management
meeting. Finally, several Windows machines were
compromised so that the cracker had admin level access
for weeks before it was even detected. This would
have been prevented if they would have only let me
apply SP2! The CIO kept saying that he could hear me
saying "I told you so". The CIO lied to the CEO and
said that it was not an Admin level intrusion, but
merely a rogue FTP account used for Warez. The
cracker could have formatted the drives with data at
any time!

It gets even worse than this, but you get the idea. I
prevented Nimda and Code Red attacks even while everyone else
was wondering what they are.

Do they promote me? Reward me? No. Apparently, they
are too embarrassed as my CIO and Managers that they
are incompetent in security (they set up the systems
this way, after all), and seeking to keep me quiet,
they demoted me so that I wouldn't be responsible for
security anymore. As far as I can tell, the only
reason I was promoted to Security Manager was so that
they could have a fall-guy when things went wrong "How
did they do that? Weren't you doing your job?". But
when their scheme backfired and I actually did such a
good job that their position in front of the CEO was
threatened, they decided to keep me quiet.

Am I being paranoid? Am I overreacting? Your
perspective from your experience would be greatly
appreciated. Also, after I leave, should I send a
letter to the CEO about this?

Thanks
