If you audited a public company, and "editorialized" your findings a bit,
rather than simply stating the facts, I'm not surprised that they have
asked you to "tone it down."
I would not agree to omit any findings, but if you have stirred a bit of
opinion into the report " ... major security flaw ..., ... gaping holes
..., etc.", they may want you to re-state your findings in a more neutral
and factual manner.
Simply stating the type of vulnerability, what is put at risk, where found,
and the recommended course(s) of action to correct is the best way to
handle something like this.
Don't forget that you are probably putting the local sys admin over a
barrel as well; if this company is like most, they probably do not
dedicate sufficient man-power to the security side of their business, and
the sysadmins are stuck trying to do the double duties of service
provider and security expert.
If you have been hired as an outside security consultant, you are there
On Thu, 19 Feb 1998, Greg Collins wrote:
> We recently completed an audit for a financial institution. After we turned
> in our report we received word that the V.P. who commissioned the audit
> would like us to "tone down" the report. He apparently thinks that the audit
> was too harsh. I obviously have an opinion on this, but I would like to hear
> your thoughts on the subject.
> BTW, we found some very serious problems. Such as a UNIX machine accessible
> from the Internet...NO FIREWALL or anything to stop an intrusion. Yes, it
> was running a version of sendmail with known problems!
> Greg Collins
> Data Quest Information Systems
> gcollins @
> "I have but one thing which cannot be taken from me, and that is my
> integrity. It I must give up of my own will."