Not to mention the time taken to rebuild everything that the hacker went in and changed so it doesn't happen again. So basically IT DOES come down to MONEY, TIME, EFFORT...
Robert
You can pay a little now or a lot later.
--- Bennett Todd <[EMAIL PROTECTED]> wrote:
> An interesting topic indeed.
>
> I'd say the first step is a security policy. If you don't have one, you need one (this is my standing battle cry).
>
> Make the definition of the security policy the battle ground for this issue. The security policy should describe what resources need protecting, against what threats, and mandate requirements (possibly including firewalls) that follow logically from the resources and threats.
>
> But that's just setting a sound structure for the debate; it doesn't actually address your question.
>
> If you've described resources that need protecting, and threats they need protecting against, and the manager still doesn't buy into your proposed solution, then either you need a more flexible solution (e.g. protect critical servers with a different, tighter policy from the one you inflict on desktop clients --- which may also require protecting them _against_ the vulnerable desktops) or else they're ignoring the problem. In that latter case what I like doing is demonstrating the problem. Come up with a clear threat, fantasize a plausible attacker, describe the scenario in detail, then offer to demonstrate the practicality and effects of the attack by running it (with prior agreement, at a scheduled time). If they insist on continuing to ignore the threat, and refuse to let you demonstrate it, then back off. Carry out these negotiations in email and keep file copies, and then when they get burgled you can document that the manager deliberately chose to let it happen.
>
> If that last bit (let 'em hang) is unacceptable to you, your choices reduce to trying to go over the head of the recalcitrant manager, or finding another job.
>
> -Bennett
-
[To unsubscribe, send mail to [EMAIL PROTECTED] with
"unsubscribe firewalls" in the body of the message.]