Your decision is up to you. But bear this in mind. In every 
Dilbert versus the Boss situation, there is a valid logic 
operating on both sides with different priorities of what's 
important. I suspect the same is true in your case, and that the 
same principle will follow you wherever you go.

It was apparent from your note that security is not your boss's 
priority. But you didn't mention what IS. So I suspect you 
either don't know or have persuaded yourself that security is by 
definition top priority. It almost never is, not for companies, 
nor even for individuals.

Most value convenience far more highly than security (else why 
do we use credit cards instead of secure cash or wireless phones 
instead of secure wireline phones?).

And for most, survival (income) ranks higher even than 
convenience. I'm not claiming your priority ordering, nor your 
boss's, is "right", but that security is only one of many 
competing priorities companies must balance somehow.

If you decide to stick it out, spend some quality time 
LISTENING. You'll have to wherever you go. Good luck whatever 
you decide.

On Tuesday, January 1, 2002, at 03:37 PM, A Question wrote:

> Greetings,
>
> Beg your pardon for sending, but I could use your
> advice.
>
> I have been reading this list for some time and have
> benefited from it.  There are some good minds on this
> list, and a lot of experience, so I submit my question
> to you seeking your perspective.
>
> Before I begin, I want to tell you that I have already
> made up my mind whether to resign or not, what I am
> needing is perspective as the company I work for is
> the only one I have worked at as a Systems
> Administrator, and the only one that I have been
> responsible for securing the system.
>
> The security for the network and servers I administer
> is NON-EXISTENT.  This is not only fine with my
> superiors, but I have been told to not work on
> security anymore, as it is "un-important".  The CEO
> thinks that it is secure because my CIO lies and tells
> him that it is.
>
> Here is some background.  We have approx. 14,000 IP's
> in a stub network (only one way in or out on the
> router).  Since those IP's are mostly used to host
> virtual hosts, there are over 100,000 total paying
> customers that depend on our systems being secure.
>
> We tell customers and the CEO that we have a firewall
> - it's a lie.
>
> * WE HAVE NO FIREWALL ON OUR ENTIRE NETWORK.
> * WE HAVE NO INTRUSION DETECTION ON OUR SYSTEM
>
> We use Linux and Windows.  Windows is even more
> pathetic as we depend on hotfixes and Service Packs as
> our ONLY form of Windows security.  They won't let me
> put Snort on it, and they won't buy Black Ice, or
> anything else.
>
> To top this off, the CIO refused to let me apply
> Service Pack 2 to Windows for months after the
> release.  I brought it up every week at our management
> meeting.  Finally, several Windows machines were
> compromised so that the cracker had admin level access
> for weeks before it was even detected.  This would
> have been prevented if they would have only let me
> apply SP2!   The CIO kept saying that he could hear me
> saying "I told you so".  The CIO lied to the CEO and
> said that it was not an Admin level intrusion, but
> merely a rogue FTP account used for Warez.  The
> cracker could have formatted the drives with data at
> any time!
>
> It gets even worse than this, but you get the idea.  I
> prevented Nimda and Code Red attacks even while
> everyone else was wondering what they are.
>
> Do they promote me?  Reward me?  No.  Apparently, they
> are too embarrassed as my CIO and Managers that they
> are incompetent in security (they set up the systems
> this way, after all), and seeking to keep me quiet,
> they demoted me so that I wouldn't be responsible for
> security anymore.  As far as I can tell, the only
> reason I was promoted to Security Manager was so that
> they could have a fall-guy when things went wrong "How
> did they do that?  Weren't you doing your job?".  But
> when their scheme backfired and I actually did such a
> good job that their position in front of the CEO was
> threatened, they decided to keep me quiet.
>
> Am I being paranoid?  Am I overreacting?  Your
> perspective from your experience would be greatly
> appreciated.  Also, after I leave, should I send a
> letter to the CEO about this?
>
>
> Thanks
>
Brad Cox, Ph.D.; [EMAIL PROTECTED] 703 361 4751
For industrial age goods there were checks and credit cards.
For everything else there is http://virtualschool.edu/mybank
Java Web Application Architecture: http://virtualschool.edu/jwaa