Great Circle Associates Firewalls
(February 1998)
 


Subject: Re: Harsh Security audits?
From: "Craig I. Hagan" <hagan @ cih . com>
Date: 21 Feb 1998 18:27:27 -0500
To: "Greg Collins" <gcollins @ dqisystems . com>
Cc: <firewalls @ GreatCircle . COM>
In-reply-to: "Greg Collins"'s message of "Thu, 19 Feb 1998 21:29:14 -0500"
References: <01bd3da7$560a72c0$648010ac @ gcollins . dqisystems . com>

"Greg Collins" <gcollins @ dqisystems . com> writes:

> All,
> 
> We recently completed an audit for a financial institution. After we turned
> in our report we received word that the V.P. who commissioned the audit
> would like us to "tone down" the report. He apparently thinks that the audit
> was too harsh. I obviously have an opinion on this, but I would like to hear
> your thoughts on the subject.
> BTW, we found some very serious problems. Such as a UNIX machine accessible
> from the Internet...NO FIREWALL or anything to stop an intrusion. Yes, it
> was running a version of sendmail with known problems!

I think that the real question might be the political need
for not being harsh: by being blunt, the audit could
be putting the instigators of the audit's jobs at
risk, whereas by using similar (but less threatening) language,
one might be able to present the information in a manner more
politically palatable to the rest of the company.

For example, instead of stating that the unix machine is
wide open to hackers, one might instead recommend bringing
internet mail server software up to the latest revision
so as to minimize risk. Says roughly the same thing,
but in a more passive tone.

-- craig



-------------------------------------------------------------------------------
Craig I. Hagan     "It's a small world, but I wouldn't want to back it up"
hagan(at)cih.com        "True hackers don't die, their ttl expires"
  	"It takes a village to raise an idiot, but an idiot can raze a village"

	Stop the spread of spam, use a sendmail condom!
	     http://www.cih.com/~hagan/smtpd-hacks

                       In Bandwidth we trust

