Slashdot Mirror


Convincing Management of Network Security Issues?

An Anonymous Coward asks: "Here at work for internet connectivity, we share a Cisco 2600 router with the administrative folks in the other half of the building. Our development network is isolated from theirs, safely behind a Debian firewall--we just show up as one IP with _very_ few ports open. The Cisco connects directly into a Linksys DSL router, which is *supposed* to be providing NAT for both of our networks. Instead, it's acting needlessly as an extra hub, with the incoming feed plugged into its port 2 and the outgoing feed in port 3. The feed from port 3 plugs into a 24-port hub, which connects all of the admin workstations and our Debian box. Each workstation, in turn, has a static IP (we have one too). This is due to a variety of reasons--so we've been told--but what it boils down to is the incompetence of the 'Microsoft Certified (w/Internet) Network Engineer,' who's responsible for the routers, the administrative network, and their Windows 2000 corporate webserver." Now, the workplace is left with no firewall and a Network Engineer that is downplaying the problem to the higher-ups. What would be the best way to communicate that there really is a problem?

"I went up the chain and explained the problem to my boss. He was horrified. He took it to his boss (who also happens to be in charge of said Network Engineer). The result was less-than-spectacular. My boss' boss came out, with The Engineer in tow, who after fiddling with things for a while, proclaimed everything to be 'locked down,' and then they left. What we later discovered was that she'd only closed down a few of the webserver's non-essential ports and had done nothing about the Linksys firewall situation. But in the process, she'd managed to convince our collective higher-ups that the problem wasn't as big as we (read: the lowly, know-nothing, software developers) had made it all out to be and now nobody wants to hear a word about it. In other words, they have NO firewall at all, and we've been unable to convince them that this is a Bad Thing(tm).

Since The Engineer and her boss have always tended to be reactive, rather than proactive, I logged onto Steve Gibson's Leak Test from an admin workstation and showed them the results. Unfortunately, this 'parlor trick' failed to generate much in the way of enthusiasm. So what I'm looking for are (mostly) non-destructive suggestions to alert them to the dangers of their network configuration. Short of posting their IPs in a #skript_kiddie_channel and daring them to trash everything, how should I bring it to their attention in a, shall we say, meaningful way?"

4 of 62 comments

  1. Tough position. by gaudior · Score: 5, Insightful
    I suggest you get everything in writing. Document the snot out of the system, paying particular attention to the obvious points of failure.

    Get as many of your peers to agree that there is a problem, and then sign a letter to the top boss, outlining the whole situation. Make it an open letter, if you must. It's clear there is gross incompetence going on, and if you care about the organization, you need to get this thing resolved.

    If a large number of you break the chain of command, and do it loudly, you might succeed.

  2. #script_kiddie_channel could break your legs by DieNadel · Score: 5, Insightful

    I'd say that since you now have "a point to prove", the first thing you should do is pray for your network NOT to be cracked into. If this comes to happen, some very suspicious eyes would fall on you.
    Why don't you suggest a limited pen-test, documenting very well how you could get in, what damages you could inflict and, most importantly, how it should all be fixed (but don't, at any point, be picky with The Engineer, or else this all could be seen as an ego war.)

    --
    Utinam logica falsa tuam philosophiam totam suffodiant!
  3. Ask for a third party security audit by Diamon · Score: 4, Insightful

    Have your boss try to talk their boss into a security audit by a third party. Try and convince them that an independent third party should be able to satisfy your concerns, and is much cheaper than recovering from script kiddies. This also keeps your butt out of the frying pan it could be in if you go looking for holes and get accused of cracking.

  4. Document and move on to something else by Bravo_Two_Zero · Score: 4, Insightful

    I'd agree with the first post. Document your objections and the exploits. Give it to your boss. If he wants to CC everybody, that's his business.

    It sounds like a political issue (know-nothings vs. know-it-alls ... thank goodness I always consider myself a know-nothing... keeps an open mind). But, even a political issue does have a cost/benefits analysis. If you can put a price on fixing the issue (time, people, money), you make an even stronger case.

    Also, if you do get nailed, you can point to the cost/benefits analysis to say "see, $5,000 then would have saved $25,000 in damages". On the other hand, in some cases, you'll end up on the other side of that equation. If the cost to fix outweighs the potential damage, you put it to unbiased numbers.

    You won't be seen as "chicken little" crying about the falling sky; you'll be a professional who bases the comments on a fiscal analysis of the risk. If your professional guess is unsupported by the findings, that's ok (and, let's be honest, you're almost certainly on the right side of the equation here).

    But, pointing to technical weaknesses won't help your case. It will make you a pain in the side of all parties concerned. They will cut off their heads to spite you (and, may already have done so, according to your details). Put it to dollars, document it and go to your next challenge.

    --
    Amateurs discuss tactics. Professionals discuss logistics.