Throwback Thursday: Now he's feeling even LESS secure

Credit to Author: Sharky | Date: Thu, 22 Feb 2018 03:00:00 -0800

This organization’s IT security officer leaves and isn’t replaced. “A year and a half goes by and the organization suffers a web page defacement,” says a pilot fish on the scene. “During the course of the remediation, another server that has a couple of Trojans on it is found.”

That’s not really a big surprise. Since the infosec guy’s departure, the CIO has repeatedly demanded that ports be opened in the firewall, that external connections be made directly to servers, bypassing the firewall, and that servers in the DMZ be connected to internal servers.

The support manager objects every time — and is always overruled.

“Worse, support isn’t part of the process of selection or meetings with potential vendors for the new web services,” fish says. “Support only finds out about the requirements when they are directed to create the holes.”

And by then, there’s never been time left in the schedule to do anything except open up yet another hole in the antiquated firewall, which the CIO has also refused to upgrade.

And the intrusion-detection system? It’s not working — and there’s no budget for fixing it because, despite the support manager’s objections, the CIO wants to spend money on noncritical enhancements he’s promised to the business side.

But with the website defacement, it’s clear something has to change. The support manager and his team determine that the two main casualties of the attack are the web server itself and a database server reachable through one of those firewall holes.

The problems that clearly need to be addressed are the holey firewall configuration and the nonfunctional intrusion-detection system.

“The CIO’s solution? Make the support manager the security officer,” reports fish. “This is, of course, the same person who isn’t invited to the meetings and whose objections are ignored.

“The CIO’s pep talk about the new position: ‘I need someone who will challenge me. I had some knock-down drag-outs with the old security officer.’

“Great — anyone have a two-by-four?”

Sharky hates violence, so distract me from the mayhem with your story. Send me your true tale of IT life at sharky@computerworld.com. You’ll snag a snazzy Shark shirt if I use it. Comment on today’s tale at Sharky’s Google+ community, and read thousands of great old tales in the Sharkives.

