The biggest challenge in my life.

How do you make non-IT savvy management see the importance of security, when you are the only Sr System Engineer and the proprietary software's consultants believe:

* running ssh instead of telnet = "it may be good but people depend on it so leave it that way"

* defining ACLs to restrict access = "too much work for nothing"

* encrypting communications between remote sites = "not necessary, it is a dedicated link right?"

* authenticating and encrypting the office wireless network = "Would I be able to send emails?"

* root passwords are top secret = "Everyone here needs it"

* Patching is necessary = "NO WAY!!!" (currently 276 patches in queue, 202 non-critical and 74 critical)

...... and the list goes on and on

So far this is the biggest challenge I have faced in all my life. I have learned "the hard way" that security and system maintenance should be the top priority on my list; I just can't find a way to teach them, or maybe they don't want to listen.

What do you guys think?

By gesperona at 2007-11-26 16:01:18
# 1
I think it is a shame that still some companies actually think like that.
rarteagaa at 2007-7-8 22:22:53
# 2

I would start by explaining that it is PROVEN that the number 1 threat of a hack or stolen information does not come from the internet; it starts from inside your own network. As a Sr. Sys Admin, trust NO ONE! If they still don't listen...RUN!

Start them out reading some of these:

http://project.honeynet.org/papers/enemy/index.html

Then fire up a honeywall and honeypot and see how fast someone connects and opens some backdoors.

Good luck...it is an uphill battle.

Lee_McCreerya at 2007-7-8 22:22:53
# 3

> How do you make a non-IT savvy management see the
> importance of security, when you are the only one Sr
> System Engineer and the proprietary software's
> consultants believe:

Start by moving some important files from the server to your local disk, then remove them from the server.

Post people's passwords as a motd.

Do I really recommend doing that? No. Show them this email instead.

alan

alan.paea at 2007-7-8 22:22:53
# 4

Well, speak the manager's language. What I see is that there is a lot of work that has to be done, and that means that it has a cost associated, and a manager won't approve an expense if it isn't beneficial in terms of money.

If you can convince the manager that the changes you propose will actually save the company money then you will absolutely get the approval.

Don't make managers read technical data they won't understand (You get paid for that.) I propose this.

First you have to measure how much money the company loses by not implementing security (for example: data restoration, fixing the server someone broke, external people using the wireless network).

Then establish some priorities. Show them you have a plan that will actually save them some money, and make sure they know how much they will save.

Victor_Munoza at 2007-7-8 22:22:53