Ethical Hacker Community Forums
Author Topic: Do we or Dont we...  (Read 1042 times)
hb21l6
« on: December 01, 2008, 08:16:01 AM »

Here’s an ethical dilemma.

There is a company, who I know very well, whose network security is so far open it might as well be in a field.
- Their AV is 6 months out of date,
- PCs haven’t been updated since?? Well, ever. XP SP1
- Firewall … well, you might as well stick up a sign that says “look in here, we’re open!!”
I’ve tried to no end to explain to them that their network and data are in jeopardy if they don’t act, lock it all down and solve the update issues. Their response is “it’s been fine up to now, so we’ll leave it as it is”. As always, it will be the tight-fisted finance department clutching onto the business’s wallet..

I don’t want to see them get hit badly, but they don’t want to spend on decent hardware to put it right..

Do you leave it alone and say “I told you so” afterwards, or.. demonstrate how insecure their systems really are? Having read a few security documents from EH.net, I’m no longer willing to jump in and show them with a demonstration without potentially putting myself in trouble with the old bill…

Damned if I do and bye bye data if I don’t.

What would you do...
mcdba, mcse, ccna,
NickFnord
« Reply #1 on: December 01, 2008, 08:28:17 AM »

In my humble opinion, you should leave it alone; it is illegal to break into their network regardless of your good intentions.

Also, from the limited description you've given of them, it's unlikely they'd take too kindly to you demonstrating everything they know is wrong.

Although you hear some stories of white/grey hats breaking into systems and then getting hired to fix them, this is the exception rather than the rule. Leave them to learn the hard way.

<greyhat>
....or figure out a way to do it very anonymously and send them a screenshot of their data
</greyhat>

hb21l6
« Reply #2 on: December 01, 2008, 08:47:44 AM »

<greyhat>
....or figure out a way to do it very anonymously and send them a screenshot of their data
</greyhat>

Lol. The company is run by very PC-illiterate people. (I remote support 30 PCs and 4 servers.)
They see me as their unofficial IT guy who fixes problems when IT goes wrong (tsk: don’t work for family). They’d probably forward me the screenshot asking what it all means, and so would expect me to fix the issue when all the data’s gone! (And before you mention backups, don’t even go there; they’d rather be in the pub 5 minutes earlier than change a tape.)

They work on the principle of “when it breaks, we’ll fix it” as opposed to preventive maintenance.

They need educating in network maintenance, but they are so stubborn by the nature of their business that they don’t want to know.. I think it’s best to cut ties with them and leave them to fend for themselves..

mcdba, mcse, ccna,
RoleReversal
« Reply #3 on: December 01, 2008, 09:03:06 AM »

I think it’s best to cut ties with them and leave them to fend for themselves..
Think you might be right there...

On the other side of the coin, if they're only willing to be reactive rather than preventative, you should be in a win-win situation (providing you don't have a contract that states you'll keep them secure/operational/etc.). Often clients not willing to pay up front end up paying more in the long run; plus, if their systems just got well and truly hosed, it can make your negotiations easier for fixing the issue.

If you really want to get them to do the preventative thing, you could do a quick risk assessment and make an estimate of what it'll cost them if it goes wrong; if you can compare that to the cost of a solution, it might make negotiations with the money men easier. Alternatively, depending on their industry/business, they may already be in breach of regulatory requirements...

In terms of the whole grey-hat thing: I'd leave well enough alone. If they don't want to act on your concerns, either walk away completely or, if the paycheck is good, document your concerns in writing and wait for 'I told you so'. Getting a criminal record isn't going to make them any more secure.
A little bit of sanity:
http://www.infosanity.co.uk
hb21l6
« Reply #4 on: December 01, 2008, 09:18:43 AM »

Getting a criminal record isn't going to make them any more secure.

You're so right on that statement.. I don't even get paid to help them; it's just a favour for family, one that will cost them greatly for not heeding my warnings.

Risk assessment and price comparison on a before and worst-case after scenario are all done. Even talked them through how someone could get in, and they still aren't bothered.

Not my problem anymore; already told them to find someone else to look after it..
mcdba, mcse, ccna,
NickFnord
« Reply #5 on: December 01, 2008, 09:23:46 AM »

Well done - that's a hard thing to do when it's family/friends you're working with.

Sounds like you've made the right decision.

jason
Aut Viam Inveniam Aut Faciam
« Reply #6 on: December 01, 2008, 09:36:55 AM »

I agree. Sounds like a situation that you would be better off having washed your hands of.

pseud0
« Reply #7 on: December 01, 2008, 12:57:46 PM »

Sounds like you've already demonstrated the business impact.  "I'll work for you on one condition, you give me the $$ to fix this mess.  Otherwise, I leave and you pay a contractor market rates for them to maintain your system."  And just to echo everyone else here, I wouldn't even consider the "live demonstration" tactic.  It'd be just your luck that the first dollar they spend in regards to security is an investigator to track down who broke into their systems.
CISSP, CISM