Guesswork Plagues Web Hole Reporting
Kevin Poulsen, SecurityFocus 2002-03-06

A good Samaritan has trouble getting the attention of a fashion retailer leaking customer credit card numbers. Should reporting security holes in e-commerce sites be easier?

Guesswork Plagues Web Hole Reporting 2002-03-11
Anonymous
I'm a security engineer for a Fortune 500 company. My work primarily involves our NT servers, while the firewall and routing is handled by the network group. Internet security is handled by yet another group, and so on. This is representative of the entire company's structure, in that each group does their thing while having little contact with any other group. This makes coordination to fix anything (let alone establishing enterprise-wide security practices) very difficult and political. I've found that this is typical of many large companies. The one thing that does seem to be common for everyone is a presence on the corporate intranet, specifically the phone directory. In fact, in some cases it's mandatory. Every employee has access, including the front-desk receptionists, who are usually the contact point for the outside world. If I were on the outside trying to reach someone like me, I would start there, at the front desk. If the number is not listed in the phone book, just get any number you can. If you call anyone in the company and say something like, "I'm sorry, my contact info must be wrong, can you transfer me to the front desk?", most people will be happy to oblige, just to get you off their phone. Once on the line with the receptionist, just ask to be connected to the Information Security office. Thinking that you're an employee that's too lazy to look it up themselves, she'll get the number off the intranet, and voilà, you're connected to the right people. You never even had to deal with the PR folks. Yes, you'll probably get voice mail, but that's just because the IS managers are extremely overworked and understaffed, and simply don't have time to pick up the phone. I guarantee you, however, the words "server", "credit card numbers", and "security hole" will get you a call back in less than 30 minutes.

They will take it VERY seriously, and they will probably be very grateful that you called them instead of downloading all the info and posting it on the internet.

Guesswork Plagues Web Hole Reporting 2002-03-13
Andrew Daviel
Copyright 2009, SecurityFocus