Network Security SecProg

"Selling" a code-audit and politics

Subject: "Selling" a code-audit and politics
Date: Thu, 23 Sep 2004 20:06:01 -0500 (CDT)
I have been reading this thread on "Selling" a code-audit.

I feel the pain of some of the responses.  But I think the real problem
here is politics.  I want to share my story and ask for some feedback on the
right way of doing this, since I lost the client and a contractor that
subcontracted the work to us.  I will keep the name of the client out of this
story.  I will start by saying that I only spoke the truth and I hate
politics.

  These politics were with a state government organization that needed to be
in HIPAA compliance.   First, they had an old firewall that was over 4 years
old with many known security issues.   Simple port forwarding for telnet to
a Cisco router that was not patched.  Port forwarding to a Windows NT
server, not patched, with anonymous FTP, HTTP and Exchange 5.0.  The FTP
server was being used to upload patient data in plain text files.
Email was being used with no encryption of patient data.  Then on top of
all this was an open wireless network used to sync Palm Pilots with patient
data.

   First I said the telnet needed to be closed; you may use ssh if you need
that type of access.  Telnet was opened by the contractor that subbed us out.
I said that we did it and it was a mistake that needed to be fixed.  I tried
to explain the rules: sending patient data over the Internet requires
encryption.  I also tried to educate them about how FTP was in plain text and
said that user names and passwords can not be in plain text.
  The CFO held up a Palm Pilot and asked me about the security problems with them.
I said the biggest problem with them is people lose them.  I said look at
the FBI and its laptop problems.  Now comes the fallout.
  Well, the contractor is mad at us because I pointed out a problem they
caused.  The client stopped using the Palm computers.  It was a pet project
of the CEO, and the IT staff did not have the resources or skills to fix
all the problems.  The CFO said they did not have the money to fix the
problems.  So I scared the hell out of them.  They removed the
contractor and us.  So everyone is mad at us.  We can not go directly to
the client because of contracts.  So that is the way the cookie crumbles.

Enjoy,

Richard Rager
