A Basic Security Question.

[ChronoSec]

You're right 5768. Actually hacking the system might go to far if he doesn't get prior permission. I suppose a "safer" approach is to do a vulnerability test. Locate the actual holes and present to management the "likely" loss of data or damage the network would incur should someone exploit the vulnerabilities.

The point is to obtain some very real evidence to present to the managers. It is one thing to present hypothetical dangers and another to present real holes.

[nihil]

C'mon folks, get real will ya?

If you work for a boss who doesn't want to know, then you have to accept that decision. If you try anything else you are challenging him and his job? That is career limiting activity as I see things?

Perhaps the OP should update his CV and look at the "situations vacant columns"?

My view. based on many years of observing the "game"

[thatch]

Thanks for the replies guys, theres some really interesting and usefull information. i'm certainly not going to hack the network as a) i dont have the skills yet and would almost definately be fired. And b) i'm sure if i can put a good enough case together and present him with enough facts he'll listen to my proposals and begin to impliment a security programme.

Thanks again for taking the time to make your suggestions, i'm fairly new to the security side of networking but i can hopefully make a go of this and get trained and get things sorted.

Thatch.

[ChronoSec]

If you work for a boss who doesn't want to know, then you have to accept that decision. If you try anything else you are challenging him and his job? That is career limiting activity as I see things?

I see your point for sure, but if you have a boss that doesn't want to know but will blame the consequences of his ignorance on you, it may be "carreer limiting" to simply "accept that decision."

Unfortunately, there are alot of people out there who don't know much but get places anyway by playing the "blame game" when their ignorance causes avoidable damage. I've been in a somewhat similar situation to what thatch is explaining and can tell you that a good presentation of theory is not a sure-fire way to get the changes made that need to be made. I would hate to see thatch wind up the fall guy when he was the one trying to implement effective change. Cynical perhaps, but it's something he and anyone else in his situation needs to consider with his other options.

[nihil]

I see your point for sure, but if you have a boss that doesn't want to know but will blame the consequences of his ignorance on you, it may be "carreer limiting" to simply "accept that decision."

That is my point from a different direction. If you have been hired as a scapegoat you don't have a career, end of story. It is not a case of "if" it is a case of when.............time to move on

[ric-o]

Originally posted here by nihil
That is career limiting activity as I see things?

LOL... yeah, in my circles it's called a CLM (Career Limiting Move).

ChronoSec: Like nihil says- move away from that job...you're in a bad place bud.

[thatch]

Well I’ve got this meeting soon and hopefully if I can use the information I’ve got and clearly outline the issues and the threats (as best as I can) then hopefully they’ll see that I’m serious about the security and let me get schooled in it and be the one to make a difference. If after I’ve had the meeting and done my best to convince him of the risks if nothing changes then maybe ill move on after I’ve completed the CEH at the end of the year.

[IKnowNot]

Although many here have offered some very good advice, I am much more with nihil on this issue.

I wish you the best, but unfortunately I think your only solution is to:

1) document everything you say

2) document everything your boss says

3) start looking for a better place to work.

This advice does not come off the cuff, but rather from life's examples I have witnessed, and am currently witnessing.

This boss of yours has made conscious decisions which effect the security and stability of the systems managed. In this day ( not ten years ago ) these decisions could cause extreme liability on everyone involved. But initially you will be the target ( the old saying, **** rolls downhill ..... to bring it up-to-date as far as IT is concerned you should include the phrase .... but covers everything in its path. )


If your boss is of extreme moral fiber and just ignorant of the IT world, you stand a chance of changing their mind and correcting things. Otherwise, you are S.O.L.

In either case, my advise above stands.