[rescue] Do you remember when? Security software.....

[Daniel de Young]

On Mon, 2003-08-11 at 09:20, Michael A. Turner wrote:

> 	So we have no firewall, no dmz, no bastions. All of our servers sit
> on the internet with routable IP addresses and no one bothers to patch them
> very often. Our administrator password has not changed in three years. When
> I at least tried to implement a patching scheme my boss actively stopped me.
> He has gotten burned by patches in the past, his philosophy is if it ain't
> broke don't fix it. Our routers are all in the same state.

Obviously your organization doesn't have investors/share holders... 
This kind of behavior is never going to be considered anything close to
"diligence" or "due care".  By not following the analyst's
recommendations, he is futher cementing his own doom.  It would be
better for him to continue doing nothing and try to coax a non-technical
jury "or boss" with an "it's all just so complicated" defense.

> 	So the official reason is that he is looking for someone to pay a
> consultancy fee to every month and then ignore there advice. This is so that
> when the catastrophic break in happens he can point at them to shift blame
> from himself. This is a simple CYA move on his part and he has no intentions
> of following any recommendations that he is given. He stated this to us all
> in a meeting. I am not even reading between the lines here. He stated " I
> want them around to take the fall if anything happens."

I really really really think it's going to be the opposite unless he
gets some teeny bopper or ex-Y2K consultant in there who doesn't
document and/or communicate well.  He needs to look for a very green
"security person" because anybody who's done more than, oh... I don't
know... one job, is going to understand CYA much better than this
gentleman seems to.

Pitty some people are really this naive.

-Daniel