RE: Is it bad enough to resign?

From: Jonathan Goetsch (jgoetsch@cwbusiness.com)
Date: 01/02/02


Date: Wed, 02 Jan 2002 12:30:50 -0800
From: Jonathan Goetsch <jgoetsch@cwbusiness.com>
To: A Question <secureit2002@yahoo.com>, security-basics@securityfocus.com

A Question,

Obviously, you're leaving.... But it also sounds that it's the right
choice.

First off, once you leave, contact the CEO and inform him of his
vulnerabilities and offer to fix them at a seriously high cost as an
independent contractor.... Keep it confidential at every level. If he does
nothing, well do as you will...

Before you leave, an inter office memo about your security measures and what
you were unable to implement, will save you from being the whipping post
after you leave. This memo needs only to be specific enough to authenticate
your work but do not point fingers in any way.

Lastly..... this CIO person.... Don't burn this bridge !! Once you're
gone he'll continue to lie and make excuses. This person will pay even more
that the CEO to save his own skin when the time comes. On your way out, let
them know you'll be a "hired gun" for a time and that maybe you'll be in
touch.

If you're as good as you think, you'll be fine. If not... nothing will come
of your efforts and this should present a sign as to what you should
consider for your future. In your position, strategy my friend...
strategy. You'll always get more bees with honey......

If you're looking for a new career... let me know where you're living... I
possibly could help with a few recommendations. There are very serious
companies currently looking for talented security people.

J Goetsch

-----Original Message-----
From: A Question [mailto:secureit2002@yahoo.com]
Sent: Tuesday, January 01, 2002 12:38 PM
To: security-basics@securityfocus.com
Cc: incidents@securityfocus.com
Subject: Is it bad enough to resign?

Greetings,

Beg your parden for sending, but I could use your
advice.

I have been reading this list for some time and have
benefited from it. There are some good minds on this
list, and a lot of experience, so I submit my question
to you seeking your perspective.

Before I begin, I want to tell you that I have already
made up my mind weather to resign or not, what I am
needing is perspective as the company I work for is
the only one I have worked at as a Systems
Administrator, and the only one that I have been
responsible for securing the system.

The security for the network and servers I administer
is NON-EXISTENT. This is not only fine with my
superiors, but I have been told to not work on
security anymore, as it is "un-important". The CEO
thinks that it is secure because my CIO lies and tells
him that it is.

Here is some background. We have approx. 14,000 IP's
in a stub network (only one way in or out on the
router). Since those IP's are mostly used to host
virtual hosts, there is over 100,000 total paying
customers that depend on our systems being secure.

We tell customers and the CEO that we have a firewall
- it's a lie.

* WE HAVE NO FIREWALL ON OUR ENTIRE NETWORK.
* WE HAVE NO INTRUSION DETECTION ON OUR SYSTEM

We use Linux and Windows. Windows is even more
pathetic as we depend on hotfixes and Service Packs as
our ONLY form of Windows security. They won't let me
put Snort on it, and they won't buy Black Ice, or
anything else.

To top this off, the CIO refused to let me apply
Service Pack 2 to Windows for months after the
release. I brought it up every week at our management
meeting. Finally, several Windows machines were
compromised so that the cracker had admin level access
for weeks before it was even detected. This would
have been prevented if they would have only let me
apply SP2! The CIO kept saying that he could hear me
saying "I told you so". The CIO lied to the CEO and
said that it was not a Admin level intrusion, but
merely a rouge FTP account used for Warez. The
cracker could have formatted the drives with data at
any time!

It gets even worse than this, but you get the idea. I
prevented Nimda and Code Red attacks even while
everyone else was wondering what they are.

Do they promote me? Reward me? No. Apparently, they
are too embarrassed as my CIO and Managers that they
are incompetent in security (they setup up the systems
this way, after all), and seeking to keep me quiet,
they demoted me so that I wouldn't be responsible for
security anymore. As far as I can tell, the only
reason I was promoted to Security Manager was so that
they could have a fall-guy when things went wrong "How
did they do that? Weren't you doing your job?". But
when their scheme backfired and I actually did such a
good job that their position in front of the CEO was
threatened, they decided to keep me quiet.

Am I being paranoid? Am I overacting? Your
perspective from your experience would be greatly
appreciated. Also, after I leave, should I send a
letter to the CEO about this?

Thanks

__________________________________________________
Do You Yahoo!?
Send your FREE holiday greetings online!
http://greetings.yahoo.com



Relevant Pages