-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

> -----Original Message-----
> From: tony toni [mailto:[EMAIL PROTECTED]]
> Sent: Tuesday, March 12, 2002 11:44 AM
> To: [EMAIL PROTECTED]
> Subject: Political Challenges Using Nessus
<cut>

> This is my question...
> 1) What are the political risks I may incur if I run Nessus without
> formal approval? In other words, running Nessus against any IP address I
> want and without telling anyone what I am doing? I am afraid that if I
> list the IP's I want to go against...I will run into a bunch of political
> road blocks. I want to impress everyone that I can successfully run Nessus
> and not hurt anything and everyone will say great job. On the other
> hand...this could backfire on me and I could get *nailed* for doing
> these audits in the *stealth* mode.

Heh.. Well, there are lots of political risks when you're DOING SOMETHING THAT YOU HAVE BEEN TOLD NOT TO.

This is like sneaking into the network manager's office and looking through his personal notebooks for system passwords he has written down. If you get caught.. politically, you're screwed. Sure, you might find that the root passwords on all the outward-facing boxes are all written down and happen to be dictionary words.. But that's not going to explain why you were digging through his office without permission. And you're going to get screwed...if you get caught. But, if you don't happen to be particularly adept at breaking into people's offices and sneaking around.. You probably will get caught and subsequently screwed.

There's a parallel here. If you get caught scanning internal networks that you have been told not to scan.. You're going to get screwed...if you get caught. But, if you don't happen to be particularly adept at stealth vulnerability scanning and network subterfuge.. And you have to ask for advice on security-basics.. You probably will get caught and subsequently screwed. Even if you have pages and pages of vulnerabilities, politically, you're still going to get nailed, simply because you're doing something you were told not to do.

Okay.. I think I've said enough on that.. Now for a solution. This is a political situation. Use politics to fix it.
Formally raise several new security issues to management (the recent ssh and zlib stuff is great). Show them official-looking CERT advisories, and communicate the risk to them. Communicate this risk to the aforementioned network manager who isn't letting you run vulnerability scans. If he still doesn't budge, ask him why.. Perhaps there is a political reason for this decision. Or perhaps it's an SLA issue.

Then write up a document that details several recent vulnerabilities that pose a high risk to your company's network infrastructure. At the end, write something like:

"I, <network manager's name>, understand the impact of these vulnerabilities, which have been properly brought to my attention by <your name here>. Despite the potential impact to the network infrastructure of <your company's name here>, I believe that vulnerability scans and other measures to mitigate these risks are unnecessary because of <insert his reasons from your prior conversation>."

Then put a space for him to sign his name, and type his name and title at the bottom. Ask him to sign this document for you, because you don't want to be held responsible if something does get exploited. He probably won't sign it, and you might not even have to go this far... But if he does, well.. Great, it's not your problem anymore.. If he doesn't, he'll basically be forced to take action to secure the network.. And then you start doing your work.

Seriously though.. Play by the rules... Don't do things you've been told NOT to do.. Even if you think it's in the best interest of the company. There could be a myriad of political and financial reasons that management doesn't want you doing vulnerability scans. Not all business decisions are driven by technology.

Hope this helps..
- --
Jon Erickson
Cryptologist and Security Designer
Caspian
415.974.7081
D49B 4561 1078 0A72 DDF3 7250 8EF4 4681 587E 41DD
1728748

-----BEGIN PGP SIGNATURE-----
Version: PGPfreeware 7.0.3 for non-commercial use <http://www.pgp.com>

iQA/AwUBPI+rSY70RoFYfkHdEQKZAwCfdL4RECKFaoLaj7my1Bi8nG3S8lMAniZQ
dltaKkas49yclvnMUlVDKpxQ
=PfQK
-----END PGP SIGNATURE-----