Dealing with an internal ScriptKiddie
Shorter version:
We've been dealing with a credit card number scraping problem on our website for a couple of months.
I have evidence which points to a co-worker being the culprit.
The evidence is strong, but circumstantial, not direct.
How do I handle the situation?
How do I present this to my boss?
Because I previously alluded to this suspicion, only for her to shrug it off at that time. She thinks that if I set up the security protocols well enough, then it doesn't matter that we have a thief working in the office.
Edit: I am not his boss, therefore do not have the authority to take action other than informing, but I am the SysAdmin and have the, albeit circumstantial, evidence.
Tags: professionalism, termination
asked 8 hours ago by danFbach, edited 6 hours ago
1
Paragraphs are your friend. So are summations. That's a dense read.
– Dark Matter
8 hours ago
6
What country is this in? Does the suspect in question have an at-will contract? Seems like this is not only grounds for instant termination, but also likely involvement of the police.
– binarymax
7 hours ago
2
I have to admit that I'm totally confused here: you state that you've been dealing with a known breach of customers' credit card data for months now, and rather than take steps to truly remediate and properly report the issue as required, you're asking about how to approach your boss. What information are you not sharing in your question?
– Steve
7 hours ago
1
@steve All relevant information has been forwarded to my boss, and she has dealt with the proper channels to notify card processors and card owners; that is not relevant to my current question.
– danFbach
7 hours ago
1
@danFbach Awesome. Glad to hear it. Could you update your question with the information that you've notified the right channels about the stolen card numbers? As a consumer and security advocate, unfortunately, the first place I go to is what happens to the stolen card numbers.
– jcmack
4 hours ago
4 Answers
You go to your boss and say, in this order:
- I have locked everything down so that an attack like that will not happen again
- Insider attacks are always harder to defend against. For example they might take advantage of knowing some of us use the same passwords for several things. Practices that are perfectly safe against outsider attacks can leave us vulnerable to insider attacks
- If you want to investigate the source of the attacks, I have quite a lot of data gathered already and can look into it further if it's important
- I am personally convinced precisely who it was, though I couldn't prove it in a court of law. Let me know if that's something you want to pursue.
These are the things that matter to the boss. The direction of the conversation after that is up to the boss, not you.
The reason for this order is so that the boss can wander on a tangent or end the conversation at any time and the most important stuff was still covered. So after the first sentence, the boss may just say "good job, thanks, bye now" and you at least led with your accomplishment. After the second sentence you have mentioned that this wasn't a general failing to protect from strangers, but at most a minor flaw in your preparedness, and planted a seed about just who it is that reuses their passwords like that. The last two sentences have specific prompts for the boss to tell you things because if you've been allowed to say this many sentences, you're not getting shrugged off and can ask for authority to investigate and report your findings.
answered 7 hours ago by Kate Gregory, edited 6 hours ago
1
Yeah, that is pretty much the opinion I've come to as well. However, after having been shrugged off so many times, I feel like the street corner guy with the cardboard sign saying "The End Is Near..." Thank you Kate, appreciate the reassurance.
– danFbach
7 hours ago
@danFbach If you haven't already, I would document this in an email in some way. Email what you found, what you suspect is going on (in a generic way... stick to what you can prove), and what you did to prevent it. I wouldn't mention names, unless you are going to list all the people that were connected at the time it happened, etc. My concern is that at some point what happened is discovered by someone else with more common sense and security knowledge and it might come back to bite you. At least if you sent the email, you can say I let my boss know and her response was X.
– JeffC
5 mins ago
The kid is the minor of the problems your company has. The kid can easily be dealt with. The boss shrugging it off is the more major liability here.
Your company is dealing with credit cards. Dealing with credit cards comes with a whole list of regulations. Which includes promptly dealing with security issues. Your company probably does not want the credit card companies refusing to do business with you.
If your boss is shrugging it off, you go to her boss.
answered 6 hours ago by Abigail
Yes, I am aware of PCI regulations. I'm also aware that credit card scraping happens everywhere, from Fortune 500 to mom & pop shops. We follow regulations and our setup is quite secure. My superiors just didn't believe an attack could come from within, which is why they resisted sec protocol changes. Finally, this week I chose to disobey and enact them. I caught some grief, but they're still in place.
– danFbach
6 hours ago
2
TBH it sounds like the setup of the company you describe is a shambles. When you say "Even Petco has been attacked!" that is because they made mistakes within a mature, professional setup. In contrast, it sounds like this current company is a dumpster fire. You should go work somewhere better. Get more money, too!
– Fattie
6 hours ago
You go to your boss, tell them everything you have, and the boss makes their decision.
There is no "innocent until proven guilty" here unless your boss wants to take the script kiddie to court and then to jail. The boss has, in my opinion, no choice other than firing the kid.
Thanks, I'm of a similar opinion. Though, firing is not my choice to make. And lacking true "Digital Fingerprints," I do hold some reservations about making my case.
– danFbach
7 hours ago
Talk to the kid and ask him if he knows something about it. You don't have to get an honest answer. Your question will lead to a reaction on his side. He might change the form of the attack accordingly or pause for a while or even stop.
1
If you had read the longer version, you would have read that the kid was asking about the changes already...
– Solar Mike
4 hours ago
Thanks Mike, and asdf. I also have been considering asking him to see a reaction, but the uncomfortable/awkward questions he was asking are what made me look at him in the first place.
– danFbach
4 hours ago
add a comment |
Your Answer
StackExchange.ready(function() {
var channelOptions = {
tags: "".split(" "),
id: "423"
};
initTagRenderer("".split(" "), "".split(" "), channelOptions);
StackExchange.using("externalEditor", function() {
// Have to fire editor after snippets, if snippets enabled
if (StackExchange.settings.snippets.snippetsEnabled) {
StackExchange.using("snippets", function() {
createEditor();
});
}
else {
createEditor();
}
});
function createEditor() {
StackExchange.prepareEditor({
heartbeatType: 'answer',
autoActivateHeartbeat: false,
convertImagesToLinks: false,
noModals: true,
showLowRepImageUploadWarning: true,
reputationToPostImages: null,
bindNavPrevention: true,
postfix: "",
imageUploader: {
brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
allowUrls: true
},
noCode: true, onDemand: false,
discardSelector: ".discard-answer"
,immediatelyShowMarkdownHelp:true
});
}
});
danFbach is a new contributor. Be nice, and check out our Code of Conduct.
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
StackExchange.ready(
function () {
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fworkplace.stackexchange.com%2fquestions%2f130004%2fdealing-with-an-internal-scriptkiddie%23new-answer', 'question_page');
}
);
Post as a guest
Required, but never shown
StackExchange.ready(function () {
$("#show-editor-button input, #show-editor-button button").click(function () {
var showEditor = function() {
$("#show-editor-button").hide();
$("#post-form").removeClass("dno");
StackExchange.editor.finallyInit();
};
var useFancy = $(this).data('confirm-use-fancy');
if(useFancy == 'True') {
var popupTitle = $(this).data('confirm-fancy-title');
var popupBody = $(this).data('confirm-fancy-body');
var popupAccept = $(this).data('confirm-fancy-accept-button');
$(this).loadPopup({
url: '/post/self-answer-popup',
loaded: function(popup) {
var pTitle = $(popup).find('h2');
var pBody = $(popup).find('.popup-body');
var pSubmit = $(popup).find('.popup-submit');
pTitle.text(popupTitle);
pBody.html(popupBody);
pSubmit.val(popupAccept).click(showEditor);
}
})
} else{
var confirmText = $(this).data('confirm-text');
if (confirmText ? confirm(confirmText) : true) {
showEditor();
}
}
});
});
4 Answers
4
active
oldest
votes
4 Answers
4
active
oldest
votes
active
oldest
votes
active
oldest
votes
You go to your boss and say, in this order:
- I have locked everything down so that an attack like that will not happen again
- Insider attacks are always harder to defend against. For example they might take advantage of knowing some of us use the same passwords for several things. Practices that are perfectly safe against outsider attacks can leave us vulnerable to insider attacks
- If you want to investigate the source of the attacks, I have quite a lot of data gathered already and can look into it further if it's important
- I am personally convinced precisely who it was, though I couldn't prove it in a court of law. Let me know if that's something you want to pursue.
These are the things that matter to the boss. The direction of the conversation after that is up to the boss, not you.
The reason for this order is so that the boss can wander on a tangent or end the conversation at any time and the most important stuff was still covered. So after the first sentence, the boss may just say "good job, thanks, bye now" and you at least led with your accomplishment. After the second sentence you have mentioned that this wasn't a general failing to protect from strangers, but at most a minor flaw in your preparedness, and planted a seed about just who it is that reuses their passwords like that. The last two sentences have specific prompts for the boss to tell you things because if you've been allowed to say this many sentences, you're not getting shrugged off and can ask for authority to investigate and report your findings.
1
Yeah, that is pretty much the opinion I've come too as well. However, after having been shrugged off so many times, I feel like the street corner guy with the cardboard sign saying "The End Is Near..." Thank you Kate, Appreciate the reassurance.
– danFbach
7 hours ago
@danFbach If you haven't already, I would document this in an email in some way. Email what you found, what you suspect is going on (in a generic way... stick to what you can prove), and what you did to prevent it. I wouldn't mention names, unless you are going to list all the people that were connected at the time it happened, etc. My concern is that at some point what happened is discovered by someone else with more common sense and security knowledge and it might come back to bite you. At least if you sent the email, you can say I let my boss know and her response was X.
– JeffC
5 mins ago
add a comment |
You go to your boss and say, in this order:
- I have locked everything down so that an attack like that will not happen again
- Insider attacks are always harder to defend against. For example they might take advantage of knowing some of us use the same passwords for several things. Practices that are perfectly safe against outsider attacks can leave us vulnerable to insider attacks
- If you want to investigate the source of the attacks, I have quite a lot of data gathered already and can look into it further if it's important
- I am personally convinced precisely who it was, though I couldn't prove it in a court of law. Let me know if that's something you want to pursue.
These are the things that matter to the boss. The direction of the conversation after that is up to the boss, not you.
The reason for this order is so that the boss can wander on a tangent or end the conversation at any time and the most important stuff was still covered. So after the first sentence, the boss may just say "good job, thanks, bye now" and you at least led with your accomplishment. After the second sentence you have mentioned that this wasn't a general failing to protect from strangers, but at most a minor flaw in your preparedness, and planted a seed about just who it is that reuses their passwords like that. The last two sentences have specific prompts for the boss to tell you things because if you've been allowed to say this many sentences, you're not getting shrugged off and can ask for authority to investigate and report your findings.
1
Yeah, that is pretty much the opinion I've come too as well. However, after having been shrugged off so many times, I feel like the street corner guy with the cardboard sign saying "The End Is Near..." Thank you Kate, Appreciate the reassurance.
– danFbach
7 hours ago
@danFbach If you haven't already, I would document this in an email in some way. Email what you found, what you suspect is going on (in a generic way... stick to what you can prove), and what you did to prevent it. I wouldn't mention names, unless you are going to list all the people that were connected at the time it happened, etc. My concern is that at some point what happened is discovered by someone else with more common sense and security knowledge and it might come back to bite you. At least if you sent the email, you can say I let my boss know and her response was X.
– JeffC
5 mins ago
add a comment |
You go to your boss and say, in this order:
- I have locked everything down so that an attack like that will not happen again
- Insider attacks are always harder to defend against. For example they might take advantage of knowing some of us use the same passwords for several things. Practices that are perfectly safe against outsider attacks can leave us vulnerable to insider attacks
- If you want to investigate the source of the attacks, I have quite a lot of data gathered already and can look into it further if it's important
- I am personally convinced precisely who it was, though I couldn't prove it in a court of law. Let me know if that's something you want to pursue.
These are the things that matter to the boss. The direction of the conversation after that is up to the boss, not you.
The reason for this order is so that the boss can wander on a tangent or end the conversation at any time and the most important stuff was still covered. So after the first sentence, the boss may just say "good job, thanks, bye now" and you at least led with your accomplishment. After the second sentence you have mentioned that this wasn't a general failing to protect from strangers, but at most a minor flaw in your preparedness, and planted a seed about just who it is that reuses their passwords like that. The last two sentences have specific prompts for the boss to tell you things because if you've been allowed to say this many sentences, you're not getting shrugged off and can ask for authority to investigate and report your findings.
You go to your boss and say, in this order:
- I have locked everything down so that an attack like that will not happen again
- Insider attacks are always harder to defend against. For example they might take advantage of knowing some of us use the same passwords for several things. Practices that are perfectly safe against outsider attacks can leave us vulnerable to insider attacks
- If you want to investigate the source of the attacks, I have quite a lot of data gathered already and can look into it further if it's important
- I am personally convinced precisely who it was, though I couldn't prove it in a court of law. Let me know if that's something you want to pursue.
These are the things that matter to the boss. The direction of the conversation after that is up to the boss, not you.
The reason for this order is so that the boss can wander on a tangent or end the conversation at any time and the most important stuff was still covered. So after the first sentence, the boss may just say "good job, thanks, bye now" and you at least led with your accomplishment. After the second sentence you have mentioned that this wasn't a general failing to protect from strangers, but at most a minor flaw in your preparedness, and planted a seed about just who it is that reuses their passwords like that. The last two sentences have specific prompts for the boss to tell you things because if you've been allowed to say this many sentences, you're not getting shrugged off and can ask for authority to investigate and report your findings.
edited 6 hours ago
answered 7 hours ago
Kate GregoryKate Gregory
109k43238343
109k43238343
1
Yeah, that is pretty much the opinion I've come too as well. However, after having been shrugged off so many times, I feel like the street corner guy with the cardboard sign saying "The End Is Near..." Thank you Kate, Appreciate the reassurance.
– danFbach
7 hours ago
@danFbach If you haven't already, I would document this in an email in some way. Email what you found, what you suspect is going on (in a generic way... stick to what you can prove), and what you did to prevent it. I wouldn't mention names, unless you are going to list all the people that were connected at the time it happened, etc. My concern is that at some point what happened is discovered by someone else with more common sense and security knowledge and it might come back to bite you. At least if you sent the email, you can say I let my boss know and her response was X.
– JeffC
5 mins ago
add a comment |
1
Yeah, that is pretty much the opinion I've come too as well. However, after having been shrugged off so many times, I feel like the street corner guy with the cardboard sign saying "The End Is Near..." Thank you Kate, Appreciate the reassurance.
– danFbach
7 hours ago
@danFbach If you haven't already, I would document this in an email in some way. Email what you found, what you suspect is going on (in a generic way... stick to what you can prove), and what you did to prevent it. I wouldn't mention names, unless you are going to list all the people that were connected at the time it happened, etc. My concern is that at some point what happened is discovered by someone else with more common sense and security knowledge and it might come back to bite you. At least if you sent the email, you can say I let my boss know and her response was X.
– JeffC
5 mins ago
1
1
Yeah, that is pretty much the opinion I've come too as well. However, after having been shrugged off so many times, I feel like the street corner guy with the cardboard sign saying "The End Is Near..." Thank you Kate, Appreciate the reassurance.
– danFbach
7 hours ago
Yeah, that is pretty much the opinion I've come too as well. However, after having been shrugged off so many times, I feel like the street corner guy with the cardboard sign saying "The End Is Near..." Thank you Kate, Appreciate the reassurance.
– danFbach
7 hours ago
@danFbach If you haven't already, I would document this in an email in some way. Email what you found, what you suspect is going on (in a generic way... stick to what you can prove), and what you did to prevent it. I wouldn't mention names, unless you are going to list all the people that were connected at the time it happened, etc. My concern is that at some point what happened is discovered by someone else with more common sense and security knowledge and it might come back to bite you. At least if you sent the email, you can say I let my boss know and her response was X.
– JeffC
5 mins ago
@danFbach If you haven't already, I would document this in an email in some way. Email what you found, what you suspect is going on (in a generic way... stick to what you can prove), and what you did to prevent it. I wouldn't mention names, unless you are going to list all the people that were connected at the time it happened, etc. My concern is that at some point what happened is discovered by someone else with more common sense and security knowledge and it might come back to bite you. At least if you sent the email, you can say I let my boss know and her response was X.
– JeffC
5 mins ago
add a comment |
The kid is the minor of the problems your company has. The kid can easily be dealt with. The boss shrugging it off is the more major liability here.
Your company is dealing with credit cards. Dealing with credit cards comes with a whole list of regulations. Which includes promptly dealing with security issues. Your company probably does not want the credit card companies refusing to do business with you.
If your boss is shrugging it off, you go to her boss.
yes, I am aware of PCI regulations. I'm also aware that credit card scraping happens everywhere, from fortune 500 to mom & pop shops. We follow regulations and our set up is quite secure - My superiors just didn't believe an attack could come from within which is why they resisted sec protocol changes. Finally this week, I chose to disobey and enact them. I caught some grief, but they're still in place.
– danFbach
6 hours ago
2
TBH it sounds like the setup of the company you describe is a shambles. When you say "Even Petco has been attacked!" that is because they made mistakes within a mature, professional setup. In contrast, it sounds like this current company is a dumpster fire. You should go work somewhere better. Get more money, too!
– Fattie
6 hours ago
add a comment |
The kid is the minor of the problems your company has. The kid can easily be dealt with. The boss shrugging it off is the more major liability here.
Your company is dealing with credit cards. Dealing with credit cards comes with a whole list of regulations. Which includes promptly dealing with security issues. Your company probably does not want the credit card companies refusing to do business with you.
If your boss is shrugging it off, you go to her boss.
yes, I am aware of PCI regulations. I'm also aware that credit card scraping happens everywhere, from fortune 500 to mom & pop shops. We follow regulations and our set up is quite secure - My superiors just didn't believe an attack could come from within which is why they resisted sec protocol changes. Finally this week, I chose to disobey and enact them. I caught some grief, but they're still in place.
– danFbach
6 hours ago
2
TBH it sounds like the setup of the company you describe is a shambles. When you say "Even Petco has been attacked!" that is because they made mistakes within a mature, professional setup. In contrast, it sounds like this current company is a dumpster fire. You should go work somewhere better. Get more money, too!
– Fattie
6 hours ago
add a comment |
The kid is the minor of the problems your company has. The kid can easily be dealt with. The boss shrugging it off is the more major liability here.
Your company is dealing with credit cards. Dealing with credit cards comes with a whole list of regulations. Which includes promptly dealing with security issues. Your company probably does not want the credit card companies refusing to do business with you.
If your boss is shrugging it off, you go to her boss.
The kid is the minor of the problems your company has. The kid can easily be dealt with. The boss shrugging it off is the more major liability here.
Your company is dealing with credit cards. Dealing with credit cards comes with a whole list of regulations. Which includes promptly dealing with security issues. Your company probably does not want the credit card companies refusing to do business with you.
If your boss is shrugging it off, you go to her boss.
answered 6 hours ago
AbigailAbigail
3,15021019
3,15021019
yes, I am aware of PCI regulations. I'm also aware that credit card scraping happens everywhere, from fortune 500 to mom & pop shops. We follow regulations and our set up is quite secure - My superiors just didn't believe an attack could come from within which is why they resisted sec protocol changes. Finally this week, I chose to disobey and enact them. I caught some grief, but they're still in place.
– danFbach
6 hours ago
2
TBH it sounds like the setup of the company you describe is a shambles. When you say "Even Petco has been attacked!" that is because they made mistakes within a mature, professional setup. In contrast, it sounds like this current company is a dumpster fire. You should go work somewhere better. Get more money, too!
– Fattie
6 hours ago
add a comment |
You go to your boss, tell them everything you have, and the boss makes their decision.
There is no "innocent until proven guilty" here unless your boss wants to take the script kiddie to court and then to jail. The boss has in my opinion no choice other than firing the kid.
answered 7 hours ago
gnasher729
88.6k40157279
Thanks, I'm of a similar opinion. Though, firing is not my choice to make. And lacking true "Digital Fingerprints," I do hold some reservations about making my case.
– danFbach
7 hours ago
add a comment |
Talk to the kid and ask him if he knows something about it. You don't have to get an honest answer. Your question will lead to a reaction on his side. He might change the form of the attack accordingly or pause for a while or even stop.
New contributor
answered 4 hours ago
asdfsafd
111
1
If you had read the longer version, you would have read that the kid was asking about the changes already...
– Solar Mike
4 hours ago
Thanks Mike and asdf, I have also been considering asking him to see a reaction, but the uncomfortable/awkward questions he was asking are what made me look at him in the first place.
– danFbach
4 hours ago
add a comment |
danFbach is a new contributor. Be nice, and check out our Code of Conduct.
2
I have to admit that I'm totally confused here, you state that you've been dealing with a known breach of customer's credit card data for months now and rather than take steps to truly remediate and properly report the issue as required you're asking about how to approach your boss. What information are you not sharing in your question?
– Steve
7 hours ago
1
@steve All relevant information has been forwarded to my boss, and she has dealt with the proper channels to notify card processors and card owners; that is not relevant to my current question.
– danFbach
7 hours ago
1
@danFbach Awesome. Glad to hear it. Could you update your question with the information that you've notified the right channels about the stolen card numbers? As a consumer and security advocate, unfortunately, the first place I go to is what happens to the stolen card numbers.
– jcmack
4 hours ago