>My problem...
>I am not sure if I can trust either my Director or the Manager of
>Network/Servers if I start running Nessus. Both have a keen sense of
>corporate politics and only look out for themselves. My manager wants
>results..but then he offers no support and will *nail* me hard if I make any
>mistakes.

This viewpoint makes me question you, not your employer. Did you receive a formal written request to use Nessus to run vulnerability assessments? Do you have a formal plan for what specific vulnerabilities you are searching for or have a requirement to correct?

>I have been a *bad boy* of late and have been running Nessus on several
>production servers without telling anyone. Found lots of security
>weaknesses. None of the system admins are aware that I have run these tests
>(must not be looking at their logs). I want to continue running Nessus on
>switches, routers, firewalls and more servers. I want to really build a
>case for using Nessus and all of the security problems this company has.

You acknowledge that you are not sure you should be running the Nessus program. You may already be in violation of the law. How do you know data isn't being collected on your activities? Do the switches, routers, servers, and firewalls fall under your responsibility? Do you have extensive knowledge on ALL said equipment?

>This is my question...
>) What are the political risks I may incur if I run Nessus without
>formal approval? In other words, running Nessus against any IP address I
>want and without telling anyone what I am doing? I am afraid that if I
>list the IPs I want to go against...I will run into a bunch of political road
>blocks. I want to impress everyone that I can successfully run Nessus and
>not hurt anything and everyone will say great job. On the other hand...this
>could backfire on me and I could get *nailed* for doing these audits in the
>*stealth* mode.

"...I want to impress everyone.." And there it is. This is not about security, this is about you. IMHO, at this point, you are the loose cannon and the biggest current danger to your company's IT infrastructure.

>I am sure that others on this list have had the same sort of political
>challenges. I am impatient...I hate politics ..I know I can pull this off.
>Problem is management is getting in my way. What are your answers to my
>questions?

"I am impatient...I know I can pull this off. Problem is management is getting in my way.." You need to examine your priorities and the purpose of your department and your role in it. You are employed by the management and unless you have the written authority to act as you currently are, you are digging your grave. Impatience in Security leads inevitably to expensive problems. You need to work with the Team before they fire you.

~S~

Disclaimer: My own 2 cents...
