2003-06-16
A few odd cases show that you don't have to be a digital desperado to be accused of a cybercrime... particularly if you embarrass the wrong bureaucrats.
Bad Raps for Non-Hacks
2003-06-17
Anonymous (3 replies)

In 2000 I had been working with the Office of Inspector General as an ADP Information Security Auditor, although management used a more myopic view and referred to the three of us as "auditors". I have to apologize to others who have not had this experience but this only sounds bitter because it is. Dealing with stupidity is like jumping off a cliff. There's no place to go but down. After dealing with this the only advice I offer is leave the company and let the hackers have a field day. They deserve it.
Personally, it is this arrogance that should be prosecuted!
During a task to assess an annual audit plan which encompassed basic information security issues like physical security measures, some very basic network security (i.e. is the CMOS password protected, what is the aging of the accounts), and do they have a BCP, I saw a problem in the way data was gathered to provide to the auditors.
I knew some of the network wiring comm folks who could tell me about the configuration of the network. They provided me with various topologies, which identified several weaknesses, which could potentially be exploited. These were brought to the attention of my immediate supervisor in Washington DC. I was told to verify the information and document where the problem existed.
In order to do this I placed a sniffer on my NIC to determine what, if any, traffic was going across my NIC. I turned it on for 60 seconds. I found that we were tied to a hub extending way beyond the limits of just the Office of Inspector General.
I don't know the reason why, but I was investigated, my computer was confiscated, I was terminated and had to spend a lot of my own money to defend myself against several allegations beginning with EPOC. The queer thing about this whole thing is that I was given a token award of $400 for my efforts. I spent and lost over $50,000.
This wasn't just incompetence; it was a personal vendetta by a scared, frightened, ignorant top-level management beginning with the Inspector General himself.
I am a CISSP and a CISA. I'm currently applying for CISM certification. When you place an incompetent management in charge of a technology they don't understand you only get the best they can make excuses for. In cases like mine, articles like these need more attention and the general public needs to know who's really in charge!
Link to this comment: http://www.securityfocus.com/comments/columns/167/20512#20512