
How do you convince a company they are at risk


drummerjim123@aol.com

Newbie

Posts: 1

Joined: Thu Mar 08, 2007 1:34 pm

Post Thu Mar 08, 2007 1:45 pm

How do you convince a company they are at risk

I own a franchise and have found they do stupid things like use FTP to pass encrypted data. The data gets encrypted but the ID and password are clear text. This ID can then be used to log into the web site and view critical data.

There is also some URL hacking that can be done so a user can get any other franchise's login IDs and passwords.

This has been going on for years and they do not seem to care. Who else should I contact to get them to fix this? Or should I give the IP address to the black hackers and see what they can do?

Thanks
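The exposure described in the post above (an encrypted payload sent over plain FTP, with the USER/PASS commands readable on the wire) is easy to demonstrate from a defender's side. The following is an added example, not code from the original thread: it scans a client-side FTP control-channel transcript and reports any username or password sent before TLS was negotiated (AUTH TLS answered with a 234 reply). The transcripts, the `C:`/`S:` line prefixes and the hostname are constructed for the example.

```python
"""Flag cleartext FTP credentials in a control-channel transcript.

FTP sends USER and PASS as plain commands. Unless the session first
negotiates TLS (client AUTH TLS, server 234 reply), anyone on the network
path can read them, regardless of whether the transferred file is encrypted.
"""
import re
from dataclasses import dataclass
from typing import List

# Constructed sample transcripts: "C:" = client command, "S:" = server reply.
SAMPLE_SESSION_PLAIN = """\
S: 220 ftp.example.test FTP server ready
C: USER franchise042
S: 331 Password required for franchise042
C: PASS hunter2
S: 230 User logged in
C: TYPE I
C: STOR daily_report.enc
S: 226 Transfer complete
"""

SAMPLE_SESSION_TLS = """\
S: 220 ftp.example.test FTP server ready
C: AUTH TLS
S: 234 Proceed with negotiation
C: USER franchise042
S: 331 Password required for franchise042
C: PASS hunter2
S: 230 User logged in
"""


@dataclass
class Finding:
    line_no: int   # 1-based line in the transcript
    command: str   # the FTP command that leaked something
    detail: str    # human-readable description (password value is never echoed)


LINE_RE = re.compile(r"^(?P<side>[CS]): (?P<text>.*)$")


def analyze_ftp_session(transcript: str) -> List[Finding]:
    """Return one Finding per credential command sent over an unprotected channel."""
    findings: List[Finding] = []
    tls_requested = False   # client issued AUTH TLS / AUTH SSL
    tls_active = False      # server accepted it with a 234 reply
    for line_no, raw in enumerate(transcript.splitlines(), start=1):
        match = LINE_RE.match(raw)
        if not match:
            continue  # ignore lines that are not part of the dialogue
        side, text = match.group("side"), match.group("text")
        if side == "C":
            parts = text.split(" ", 1)
            cmd = parts[0].upper()
            arg = parts[1] if len(parts) > 1 else ""
            if cmd == "AUTH" and arg.upper() in ("TLS", "SSL"):
                tls_requested = True
            elif cmd == "USER" and not tls_active:
                findings.append(Finding(line_no, cmd,
                                        f"username {arg!r} sent in cleartext"))
            elif cmd == "PASS" and not tls_active:
                # Report the fact, not the secret: only the length is kept.
                findings.append(Finding(line_no, cmd,
                                        f"password ({len(arg)} chars) sent in cleartext"))
        elif tls_requested and text.startswith("234"):
            tls_active = True  # control channel is protected from here on
    return findings


def summarize(transcript: str) -> str:
    """One-line verdict suitable for a report to management."""
    findings = analyze_ftp_session(transcript)
    if not findings:
        return "OK: no credentials sent before TLS was negotiated"
    return "RISK: " + "; ".join(f"line {f.line_no}: {f.detail}" for f in findings)


if __name__ == "__main__":
    print(summarize(SAMPLE_SESSION_PLAIN))
    print(summarize(SAMPLE_SESSION_TLS))
```

Run against a client log or a decoded capture of the control connection, the output for the plain session names the exact lines where the username and password went out unprotected, which is the kind of concrete evidence the replies below recommend bringing to the people who own the risk. The same check passes for the TLS session, which is the cheap fix: switch the transfer to FTPS (or SFTP) so the credentials are never exposed in the first place.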

Cutaway

Jr. Member

Posts: 96

Joined: Mon Nov 20, 2006 5:02 pm

Post Thu Mar 08, 2007 2:25 pm

Re: How do you convince a company they are at risk

First of all, if you present information to somebody who uses it to exploit a vulnerability and do something illegal you are very likely to get sued or even go to jail.  This is not a very smart method to convince somebody or do business.  Tread carefully.

Next, they do not understand the implications because you are not providing them with enough information in a manner that they understand.  People have a hard time understanding risk and how vulnerabilities can lead to exploitation and what the impact of that exploitation could be.  Here are some tips:

  • Point them to the services that you think are vulnerable.  Do not hack these unless you have written permission.
  • Explain to them the information that could be obtained from their current configuration.
  • Show them what the impact due to this exposure could be.  Be sure to include monetary cost, man hours to mitigate, expected down time, legal considerations.
  • Point out whether they are violating any regulations like SOX or PCI, and the personal-freedom implications and business impact that go along with violating these regulations.
  • Finally, give them solutions to fix the problem.  Include how much it will cost and try to keep the cost as low as possible and definitely lower than the cost of an incident.

Hope that helps.  Don't worry about it too much.  The manager responsible for the business has to do a risk assessment.  If he chooses to accept the risk then it is out of your hands.  Your job, I believe, is to point out the problems and make recommendations.  (I am assuming that because you have not been able to just put the change in place.)

Go forth and do good things,
Cutaway

oasis_inin

Newbie

Posts: 20

Joined: Thu Mar 01, 2007 4:36 am

Post Fri Mar 09, 2007 2:22 am

Re: How do you convince a company they are at risk

That's nice advice from Cutaway...

I would like to add: please do carry some reports from studies that have already been done favouring the need for information security and the loss caused to businesses because of poor security policies and enforcement.

One thing...

Present all the things in a good professional manner :) and tell/show them that you want to help them, not threaten them ;)
CISSP, MCSE Sec, Security +
studying for C|EH
