Wouldn't it be a shame if "somehow" your network information ended up posted on a few hackers' newsgroups on the morning of your departure.
Ha ha ha!!! Best of luck to you!

---------- Original Message ----------------------------------
From: A Question <[EMAIL PROTECTED]>
Date: Tue, 1 Jan 2002 12:37:30 -0800 (PST)

>Greetings,
>
>Beg your pardon for sending, but I could use your
>advice.
>
>I have been reading this list for some time and have
>benefited from it. There are some good minds on this
>list, and a lot of experience, so I submit my question
>to you seeking your perspective.
>
>Before I begin, I want to tell you that I have already
>made up my mind whether to resign or not, what I am
>needing is perspective as the company I work for is
>the only one I have worked at as a Systems
>Administrator, and the only one that I have been
>responsible for securing the system.
>
>The security for the network and servers I administer
>is NON-EXISTENT. This is not only fine with my
>superiors, but I have been told to not work on
>security anymore, as it is "un-important". The CEO
>thinks that it is secure because my CIO lies and tells
>him that it is.
>
>Here is some background. We have approx. 14,000 IPs
>in a stub network (only one way in or out on the
>router). Since those IPs are mostly used to host
>virtual hosts, there are over 100,000 total paying
>customers that depend on our systems being secure.
>
>We tell customers and the CEO that we have a firewall
>- it's a lie.
>
>* WE HAVE NO FIREWALL ON OUR ENTIRE NETWORK.
>* WE HAVE NO INTRUSION DETECTION ON OUR SYSTEM
>
>We use Linux and Windows. Windows is even more
>pathetic as we depend on hotfixes and Service Packs as
>our ONLY form of Windows security. They won't let me
>put Snort on it, and they won't buy Black Ice, or
>anything else.
>
>To top this off, the CIO refused to let me apply
>Service Pack 2 to Windows for months after the
>release. I brought it up every week at our management
>meeting. Finally, several Windows machines were
>compromised so that the cracker had admin level access
>for weeks before it was even detected. This would
>have been prevented if they would have only let me
>apply SP2! The CIO kept saying that he could hear me
>saying "I told you so". The CIO lied to the CEO and
>said that it was not an Admin level intrusion, but
>merely a rogue FTP account used for Warez. The
>cracker could have formatted the drives with data at
>any time!
>
>It gets even worse than this, but you get the idea. I
>prevented Nimda and Code Red attacks even while
>everyone else was wondering what they are.
>
>Do they promote me? Reward me? No. Apparently, they
>are too embarrassed as my CIO and Managers that they
>are incompetent in security (they set up the systems
>this way, after all), and seeking to keep me quiet,
>they demoted me so that I wouldn't be responsible for
>security anymore. As far as I can tell, the only
>reason I was promoted to Security Manager was so that
>they could have a fall-guy when things went wrong "How
>did they do that? Weren't you doing your job?". But
>when their scheme backfired and I actually did such a
>good job that their position in front of the CEO was
>threatened, they decided to keep me quiet.
>
>Am I being paranoid? Am I overacting? Your
>perspective from your experience would be greatly
>appreciated. Also, after I leave, should I send a
>letter to the CEO about this?
>
>
>Thanks