Author Topic: Do we or Dont we...  (Read 3328 times)
hb21l6 (Newbie, Posts: 10)
« on: December 01, 2008, 08:16:01 AM »

Here's an ethical dilemma.

There is a company, who I know very well, whose network security is so far open it might as well be in a field.
- Their AV is 6 months out of date,
- PCs haven't been updated since?? Well, ever. XP SP1
- Firewall ... well, you might as well stick up a sign that says "look in here, we're open!!"
I've tried to no end to explain to them that their network and data is in jeopardy if they don't act and lock it all down and solve the update issues. Their response is "it's been fine up to now, so we'll leave it as it is"; as always, it will be the tight-fisted finance department clutching onto the business's wallet.

I don't want to see them get hit badly, but they don't want to spend on decent hardware to put it right.

Do you leave it alone and say "I told you so" afterwards, or demonstrate how insecure their systems really are? Having read a few security documents from EH.net, I'm no longer willing to jump in and show them with a demonstration without potentially putting myself in trouble with the old bill.

Damned if I do and bye-bye data if I don't.

What would you do...

mcdba, mcse, ccna,
NickFnord (Full Member, Posts: 117)
« Reply #1 on: December 01, 2008, 08:28:17 AM »

In my humble opinion, you should leave it alone. It is illegal to break into their network regardless of your good intentions.

Also, from the limited description you've given of them, it's unlikely they'd take too kindly to you demonstrating that everything they know is wrong.

Although you hear some stories of white/grey hats breaking into systems and then getting hired to fix them, this is the exception rather than the rule. Leave them to learn the hard way.

<greyhat>
....or figure out a way to do it very anonymously and send them a screenshot of their data
</greyhat>



hb21l6 (Newbie, Posts: 10)
« Reply #2 on: December 01, 2008, 08:47:44 AM »

<greyhat>
....or figure out a way to do it very anonymously and send them a screenshot of their data
</greyhat>

Lol. The company is run by very PC-illiterate people. (I remote support 30 PCs and 4 servers.)
They see me as their unofficial IT guy who fixes problems when IT goes wrong (tsk: don't work for family). They'd probably forward me the screenshot asking what it all means, and so would expect me to fix the issue when all the data's gone! (And before you mention backups, don't even go there; they'd rather be in the pub 5 minutes earlier than change a tape.)

They work on the principle of "when it breaks, we'll fix it" as opposed to preventive maintenance.

They need educating in network maintenance, but they are so stubborn by the nature of their business that they don't want to know. I think it's best to cut ties with them and leave them to fend for themselves.


mcdba, mcse, ccna,
Andrew Waite (Hero Member, Posts: 857)
« Reply #3 on: December 01, 2008, 09:03:06 AM »

I think it's best to cut ties with them and leave them to fend for themselves..
Think you might be right there...

On the other side of the coin, if they're only willing to be reactive rather than preventative, you should be in a win-win situation (providing you don't have a contract that states you'll keep them secure/operational/etc.). Often clients not willing to pay up front end up paying more in the long run; plus, if their systems just got well and truly hosed, it can make your negotiations easier for fixing the issue.

If you really want to get them to do the preventative thing, you could do a quick risk assessment and make an estimate of what it'll cost them if it goes wrong. If you can compare that to the cost of a solution, it might make negotiations with the money men easier. Alternatively, depending on their industry/business, they may already be in breach of regulatory requirements...

In terms of the whole grey-hat thing: I'd leave well enough alone. If they don't want to act on your concerns, either walk away completely or, if the pay check is good, document your concerns in writing and wait for 'I told you so'. Getting a criminal record isn't going to make them any more secure.

hb21l6 (Newbie, Posts: 10)
« Reply #4 on: December 01, 2008, 09:18:43 AM »

Getting a criminal record isn't going to make them any more secure.

You're so right on that statement. I don't even get paid to help them; it's just a favour for family, one that will cost them greatly for not heeding my warnings.

Risk assessment and price comparison on a before and worst-case after scenario are all done. Even talked them through how someone could get in, and they still aren't bothered.

Not my problem anymore, already told them to find someone else to look after it.

mcdba, mcse, ccna,
NickFnord (Full Member, Posts: 117)
« Reply #5 on: December 01, 2008, 09:23:46 AM »

Well done. That's a hard thing to do when it's family/friends you're working with.

Sounds like you've made the right decision.


jason (Hero Member, Posts: 923)
« Reply #6 on: December 01, 2008, 09:36:55 AM »

I agree. Sounds like a situation that you would be better off having washed your hands of.
pseud0 (Recruiters, Full Member, Posts: 204)
« Reply #7 on: December 01, 2008, 12:57:46 PM »

Sounds like you've already demonstrated the business impact. "I'll work for you on one condition: you give me the $$ to fix this mess. Otherwise, I leave and you pay a contractor market rates for them to maintain your system." And just to echo everyone else here, I wouldn't even consider the "live demonstration" tactic. It'd be just your luck that the first dollar they spend in regards to security is an investigator to track down who broke into their systems.

CISSP, CISM, CISA, GCIH, CEH, HMFIC, KTHXBIROFLCOPTER