"Greg Collins" <gcollins @ dqisystems . com> writes:
> All,
>
> We recently completed an audit for a financial institution. After we turned
> in our report we received word that the V.P. who commissioned the audit
> would like us to "tone down" the report. He apparently thinks that the audit
> was too harsh. I obviously have an opinion on this, but I would like to hear
> your thoughts on the subject.
> BTW, we found some very serious problems. Such as a UNIX machine accessible
> from the Internet...NO FIREWALL or anything to stop an intrusion. Yes, it
> was running a version of sendmail with known problems!
I think that the real question might be the political need
for not being harsh: by being blunt, the audit could
be putting the jobs of the audit's instigators at
risk, whereas by using similar (but less threatening) language,
one might be able to present the information in a manner more
politically palatable to the rest of the company.
For example, instead of stating that the unix machine is
wide open to hackers, one might instead recommend bringing
the internet mail server software up to the latest revision
so as to minimize risk. It says roughly the same thing,
but in a more passive tone.
-- craig
-------------------------------------------------------------------------------
Craig I. Hagan "It's a small world, but I wouldn't want to back it up"
hagan(at)cih.com "True hackers don't die, their ttl expires"
"It takes a village to raise an idiot, but an idiot can raze a village"
Stop the spread of spam, use a sendmail condom!
http://www.cih.com/~hagan/smtpd-hacks
In Bandwidth we trust