Ethical Hacker Community Forums

Ethical Hacking Discussions and Related Certifications => Incident Response => Topic started by: drummerjim123@aol.com on March 08, 2007, 12:45:27 PM


Title: How do you convince a company they are at risk
Post by: drummerjim123@aol.com on March 08, 2007, 12:45:27 PM
I own a franchise and have found they do stupid things like use FTP to pass encrypted data. The data gets encrypted but the ID and password are clear text. This ID can then be used to log into the web site and view critical data.

There is also some URL hacking that can be done so a user can get any other franchise's login id's and passwords.

This has been going on for years and they do not seem to care. Who else should I contact to get them to fix this. Or should I give the IP address to the black hackers and see what they can do.

Thanks

Title: Re: How do you convince a company they are at risk
Post by: Cutaway on March 08, 2007, 01:25:31 PM
First of all, if you present information to somebody who uses it to exploit a vulnerability and do something illegal you are very likely to get sued or even go to jail.  This is not a very smart method to convince somebody or do business.  Tread carefully.

Next, they do not understand the implications because you are not providing them with enough information in a manner that they understand.  People have a hard time understanding risk and how vulnerabilities can lead to exploitation and what the impact of that exploitation could be.  Here are some tips:

  • Point them to the services that you think are vulnerable.  Do not hack these unless you have written permission.
  • Explain to them the information that could be obtained from their current configuration.
  • Show them what the impact due to this exposure could be.  Be sure to include monetary cost, man hours to mitigate, expected down time, legal considerations.
  • Point out if they are violating any regulations like SOX or PCI and what the personal freedom implications and business impact that goes along with violating these regulations.
  • Finally, give them solutions to fix the problem.  Include how much it will cost and try to keep the cost as low as possible and definitely lower than the cost of an incident.

Hope that helps.  Don't worry about it too much.  The manager responsible for business has to do a risk assessment.  If he choses to accept the risk then it is out of your hands.  Your job, I believe, is to point out the problems and make recommendations.  (I am assuming that because you have not been able to just put the change in place.)

Go forth and do good things,
Cutaway

Title: Re: How do you convince a company they are at risk
Post by: oasis_inin on March 09, 2007, 01:22:20 AM
Thts nice adice from Cutaway...

I would like to add that please do carry some reports from studies that all are already done favouring the need for Information Security and the loss caused to businesses coz of poor security policies, enofrcements.

one thing.......

present all the things in a good professional manner :) and tell/show them that you want to help them not threaten them ;)


Powered by SMF 1.1.7 | SMF © 2006-2008, Simple Machines LLC
Joomla Bridge by JoomlaHacks.com