Convincing Management of Network Security Issues?

An Anonymous Coward asks: "Here at work for internet connectivity, we share a Cisco 2600 router with the administrative folks in the other half of the building. Our development network is isolated from theirs, safely behind a Debain firewall--we just show up as one IP with _very_ few ports open. The Cisco connects directly into a Linksys DSL router, which is *supposed* to be providing NAT for both of our networks. Instead, it's acting needlessly as an extra hub, with the incoming feed plugged into its port 2 and the outgoing feed in port 3. The feed from port 3 plugs into a 24-port hub, which connects all of the admin workstations and our Debian box. Each workstation, in turn, has a static IP (we have one too). This is due to a variety of reasons--so we've been told--but what it boils down to is the incompetence of the 'Microsoft Certified (w/Internet) Network Engineer,' who's responsible for the routers, the administrative network, and their Windows 2000 corporate webserver." Now, the workplace is left with no firewall and a Network Engineer that is downplaying the problem to the higher-ups. What would be the best way to communicate that there really is a problem?

"I went up the chain and explained the problem to my boss. He was horrified. He took it to his boss (who also happens to be in charge of said Network Engineer). The result was less-than spectacular. My boss' boss came out, with The Engineer in tow, who after fiddling with things for a while, proclaimed everything to be 'locked down,' and then they left. What we later discovered was that she'd only closed down a few of the webserver's non-essential ports and had done nothing about the Linksys firewall situation. But in the process, she'd managed to convince our collective higher-ups that the problem wasn't as big as we (read: the lowly, know-nothing, software developers) had made it all out to be and now nobody wants to hear a word about it. In other words, they have NO firewall at all, and we've been unable to convince them that this is a Bad Thing(tm).

Since The Engineer and her boss have always tended to be reactive, rather than proactive, I logged onto Steve Gibson's Leak Test from an admin workstation and showed them the results. Unfortunately, this 'parlor trick' failed to generate much in the way of enthusiasm. So what I'm looking for are (mostly) non-destructive suggestions to alert them to the dangers of their network configuration. Short of posting their IP's in a #skript_kiddie_channel and daring them to trash everything, how should I bring it to their attention in a, shall we say, meaningful way?"

Tough position.

[gaudior]

I suggest you get everything in writing. Document the snot out of the system, paying particular attention to the obvious points of failure.

Get as many of your peers to agree that there is a problem, and then sign a letter to the top boss, outlining the whole situation. Make it an open letter, if you must. It's clear there is gross incompetence going on, and if you care about the organization, you need to get this thing resolved.

If a large number of you break the chain of command, and do it loudly, you might succeed.

#script_kiddie_channel could break your legs

[DieNadel]

I'd say that since you now has "a point to prove", the first thing you should do is pray for your network NOT to be cracked into. If this comes to happen, some very suspicious eyes would fall on you.
Why don't you suggest a limited pen-test, documenting very well how you could get in, what damages you could inflict and, most important, how should it all be fixed (but don't, at any point, be picky with The Engineer, or else this all could be seemed as an ego war.)