No time to go into depth here, so here's a scattershot: Start with discussions, not technology. Do attack vector mapping and scan by attack vector in order of priority. Do not scan the next attack vector until you have created a mitigation plan that everyone agrees with. Once you have that, split your time 80/20 between resolving issues and finding new ones. The surest way to fail is to drown people in data while providing no practical advice.
Practice your report writing skills. Contrary to what you were (likely) taught in school, longer is not better. If you can't explain an issue possible solutions and your recommended mitigation in a single page, it needs to be shorter. Read children's board books for inspiration. (Seriously. Do this now. I am not kidding.) Be prepared to prove your findings. Practice on VMs and test systems so your proof doesn't break production. Try to find mitigations that shortcut other people's jobs. That's a great way to get buy in. (Meeting starting, have to end here. Good luck.) -Josh More On Wed, Sep 12, 2012 at 12:41 PM, A D <[email protected]> wrote: > Hi all. > > I recently started working for a new company (beginning of the year) > as part of the networked systems team. We currently manage 300 or so > systems provisioned at a handful of datacenters around the world. 97% > of the systems or running Linux. We have no official security team. > Just good common sense and a need to steer clear of becoming > compromised. My last few jobs I have always been the security > administrator (perimeter security services) so I have some experience > and built in paranoia about what goes on behind the scenes. This > appears to me to be a perfect opportunity to really jump into a > security role by taking the lead in providing vulnerability scans and > penetration testing for the company. I have had exposure to the > typical scanning tools pre-installed with the Backtrack distro and > some others. Although, my Metaspoit skills suck at the moment. > > With the hope of providing some quick results and to get my employer > interested in my abilities I am going to jump right in and start doing > whitebox testing using NMAP and Nessus. > > What suggestions do you guys have to allow me to step up to the > challenge? This is what want to do in the next phase of my career. > > Thanks in adv. > > HM > _______________________________________________ > Pauldotcom mailing list > [email protected] > http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom > Main Web Site: http://pauldotcom.com _______________________________________________ Pauldotcom mailing list [email protected] http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom Main Web Site: http://pauldotcom.com
