[PLUG] A dilema

Sasha Romanosky sasha_romanosky at yahoo.com
Tue Dec 9 14:04:02 UTC 2003


I think you'll always find there are inconsistencies when dealing with
others regarding infosec; they'll have their biases and approach and
you'll have yours. I don't believe the solution lies in forcing them to
change at any cost (assuming you still want to maintain a relationship),
but to find a way to manage the situation. 

One such solution might be to outline exactly what you think the
threats are to the systems and their vulnerabilities and assess what you
feel the overall risks are. Provide them the information, obtain some
acknowledgement that they've read and understood it, then let them
decide on a course of action. That is consulting, after all.

Ideally, they become more aware, you become absolved, and you maintain
your customer. 

Hope that helps.

cheers,
Sasha

> -----Original Message-----
> From: plug-admin at lists.pdxlinux.org 
> [mailto:plug-admin at lists.pdxlinux.org] On Behalf Of Robbert van Andel
> Sent: Tuesday, December 09, 2003 1:44 PM
> To: plug at lists.pdxlinux.org
> Subject: Re: [PLUG] A dilema
> 
> 
> I would think that if your concerns are documented and the
> company's lack of desire to implement the security changes,
> you should not be held responsible.  Just my 2 cents, I'm not a lawyer.
> 
> Robbert
> 
> On Tue, 2003-12-09 at 13:33, Ed Sawicki wrote:
> > I need some opinions to solve a moral and business
> > dilemma.
> > 
> > I have a consulting customer that runs a Windows shop.
> > At least two of their Windows computers have been
> > attacked and we've reinstalled Windows each time. They
> > then install their Norton software on the computer and declare it
> > secure. Surely, nothing bad should happen if Norton is installed, they
> > think.
> > 
> > We've replaced their Windows 2000 server with Linux acting
> > as a firewall and router so we now have control over that part of the
> > network but we have no control over desktop computers running Windows.
> > They run Outlook and I suspect this is how they're being attacked.
> > 
> > The main problem is my customer's attitude. They do not
> > care about security if it's the least bit inconvenient. Worse, they
> > don't care about the privacy of their customer data. Their customers
> > are individuals who would be devastated by identity theft. Their
> > personal data is stored on this company's server and there's no effort
> > to protect it.
> > 
> > As long as attackers don't delete their data files, this company 
> > doesn't seem to care if their data files leak out to the Internet. 
> > They would be unwilling to spend the money to have me secure their 
> > computers.
> > 
> > I'm concerned about numerous issues. Primarily, I see this
> > as criminal negligence and I don't know what to do about it. 
> > Secondarily, I'm wondering about the risk of being named as a 
> > defendant should one of their customers be victimized in some way.
> > 
> > Ed
> > 
> > 
> > _______________________________________________
> > PLUG mailing list
> > PLUG at lists.pdxlinux.org 
> > http://lists.pdxlinux.org/mailman/listinfo/plug