Re: Perhaps the most OBVIOUS question you will ever see.

From: Jeff Cochran (jeff.nospam_at_zina.com)
Date: 01/28/05


Date: Fri, 28 Jan 2005 21:14:12 GMT

What the heck does this have to do with the MBSA (Baseline Analyzer)?
So why did you crosspost this rant to every group you knew? It also
doesn't involve Microsoft Access (a database product if you didn't
realize that), Pocket PC wireless or SQL Server security.

Because of that I've restricted this reply to just two groups. In the
future, you'd make more friends if you did the same.

The first step of this process will be to get your resume ready.
You're going to need it. In fact, you probably already should have
used it. You and your boss are not suited for a working relationship.

The second step is to make sure you're right. Being right won't help,
but being wrong will definitely hurt. If you're the security admin
for the company, you should already have fixed this so right or wrong
you'd lose then. If you're a network admin or have another related
job function, you still probably should have fixed this, and still
will be taking the blame.

Now, if you're not the one in charge of fixing this, be prepared to
take the fallout from those who are. You'll have better ground to
stand on, so when you lose you may be able to save face.

That said, from your specific viewpoint presented, it may seem an
obvious question. But you don't know all the facts, and certainly we
don't, so most likely your issue isn't as obvious as you seem to
believe. After all, if it is that blatant, why haven't you already
had all the nasty things happen?

There are perfectly acceptable reasons for the setups you describe,
and valid business reasons to have a lower than ultimate security
level. Think about it, the absolute best data security would be to
let only one person know the data, never write it down and then shoot
that person dead. That info is as secure as it can be. It's also
useless. Security is never an absolute, and it's always a trade-off
between security and functionality. And that trade-off will be
different for every organization and every piece of data.

Lastly, no matter how ridiculously stupid they may actually be, bosses
rule. Get used to that and you'll live a longer, happier life.

Jeff

On Thu, 27 Jan 2005 21:03:14 -0500, "Curious George" <curious@spampoop.com> wrote:

>Dear Colleagues:
>
>For the life of me I don't know why I have to ask this question since the
>answer is so obvious; however, I need to have others tell me that I am not
>completely insane.
>
>I work at a place where we have a myriad of wireless access points and NO, I
>am not writing from there at present.
>
>NONE of the wireless access points has any form of security on them
>whatsoever. No WEP, no CHAP. . . no nothing. Everything is open so you
>could walk into our joint, grab an IP address and surf the web to your
>heart's content.
>
>Here is the problem. My boss insists that it's "no big deal" and that since
>the servers are on the inside and protected, we really don't have a thing to
>worry about. Furthermore, my boss is under the impression that since we are
>situated in a wide area, that nobody would be able to get into our network
>because of this distance. Needless to say, my boss does not consider
>somebody sneaking into a parking lot with a laptop, a good network card and
>a directional bazooka antenna a possibility.
>
>So here is what I have to explain to my boss' boss and, perhaps, the board
>of directors. . . and here is where I can't help but laugh. I hope that I
>will be able to keep a straight face come Monday when I have to explain
>myself to people why it's important.
>
>Okay, so I know the analogies. For example, I understand that not having a
>secure wireless network with many WAPs and high gain transmission antennas
>is the same as putting cables out to anybody within 'x' amount of yards with
>a sign that says "free internet access", but since I am going to be asked
>these obvious questions, just what type of damage could somebody do?
>
>Yeah, I know about denial-of-service attacks, yeah I also know about
>enumeration and password guessing, but considering that we have an SQL
>server on the inside of our network (no, the sa account password is not
>null) what are we talking about?
>
>I can envision so many things. Like somebody just sitting there capturing
>packets to get things like usernames, passwords and the like, but come on. .
>. what else could they do?
>
>I have read my boss the riot act many times, but this is now going to go in
>front of somebody over my boss' head, so, aside from giving them worst case
>scenarios, end of the world analogies, etc., how else could people break in?
>
>Creative responses are appreciated and will be rewarded with much praise.
>
>I can't believe that I have to actually explain this to people, and this
>entire thing would last about two seconds when it comes to talking with a
>computer professional, but you see, my boss is under the impression that
>they are a computer professional because they received a Master's degree in
>Comp Sci back in the 80's. I know that this line of thinking is dangerous,
>but I really want some creative answers to put my point across strongly, and
>yet professionally.
>
>Although I realize that this post will likely be the *** of many jokes
>(which I will appreciate immensely) I nevertheless would appreciate a bit
>of useful information in your responses.
>
>I am going to have a serious drink now, and then bang my head against the
>wall.
>
>Thanks in advance,
>
>CC
>