Several years ago I was working a contract as a sysadmin for a distribution company. It was a very small IT team and they had no other sysadmins at the time. I kept asking the IT manager what their patching policies and schedules were, maintenance windows, and generally how to access everything so I could do my job. He was very slow in granting me access and kept saying that we would go over patching and general maintenance later. Every day I asked him, I got the same answer... I'm busy, we'll go over it later. One day we came into work and 95% of all systems were encrypted and the company was dead in the water. Turned out that the compromise was due to an unpatched Exchange server that had several zero-day vulnerabilities... I couldn't do anything because I was only a contractor and had to rely on the IT manager to approve all work and after-hours maintenance, which he never did. Needless to say, he quietly resigned during the cleanup efforts and even tried to blame me for the compromise. It took the company 4 months to rebuild and they lost approximately $60 million in revenue due to this. The bright side of this is that now I work at a company that takes this type of stuff very seriously and I hope to never be part of one of those events again.