Subject: RE: Political Challenges Using Nessus 


Hi,

I have only just started to read your emails and as much as I think your
intentions are very good, you need to have the complete backing of
management before you perform any ethical attacks or tests on a
production network. I have used Nessus now for a long time with great
success. My role in the company is security and part of my job is to
test and find problems in the network with the complete backing of
management.

You may try to change your approach to management and show them on paper
at least how important testing and ethical attacks are in minimizing the
external risks to the company. Provide a report that highlights how much
money they can save in downtime and lost time if the systems are secure
and protected against the outside and inside threats. Also show that the
software you are using is free, so you have saved the company more
money.

I guess the main point is get the backing of management, get it in
writing and schedule ethical attacks with management. Security involves
all management and technical and general staff.

From a technical point be careful with older systems when you run Nessus
as some of the older TCP/IP stacks will crash when you run your tests.

Hope this helps

Paul Jose
Network Security Analyst




-----Original Message-----
From: Vachon, Scott [mailto:[EMAIL PROTECTED]] 
Sent: Thursday, March 14, 2002 4:06 AM
To: [EMAIL PROTECTED]
Subject: RE: Political Challenges Using Nessus 



>My problem...
>I am not sure if I can trust either my Director or the Manager of
>Network/Servers if I start running Nessus.  Both have a keen sense of
>corporate politics and only look out for themselves. My manager wants
>results..but then he offers no support and will *nail* me hard if I
>make any mistakes.

This viewpoint makes me question you, not your employer. Did you receive
a formal written request to use Nessus to run vulnerability assessments?
Do you have a formal plan for what specific vulnerabilities you are
searching for or have a requirement to correct?


>I have been a *bad boy* of late and have been running Nessus on several
>production servers without telling anyone.  Found lots of security
>weaknesses.  None of the system admins are aware that I have run these
>tests (must not be looking at their logs).  I want to continue running
>Nessus on switches, routers, firewalls and more servers.  I want to
>really build a case for using Nessus and all of the security problems
>this company has.

You acknowledge that you are not sure you should be running the Nessus
program. You may already be in violation of the law. How do you know
data isn't being collected on your activities? Do the switches, routers,
servers, and firewalls fall under your responsibility? Do you have
extensive knowledge on ALL said equipment?

>This is my question...
>)  What are the political risks I may incur if I run Nessus without
>formal approval?  In other words, running Nessus against any IP address
>I want and without telling anyone what I am doing?   I am afraid that if
>I list the IP's I want to go against...I will run into a bunch of
>political road blocks.  I want to impress everyone that I can
>successfully run Nessus and not hurt anything and everyone will say
>great job.  On the other hand...this could back fire on me and I could
>get *nailed* for doing these audits in the *stealth* mode.

"...I want to impress everyone.." And there it is. This is not about
security, this is about you. IMHO, at this point, you are the loose
cannon and the biggest current danger to your company's IT
infrastructure.

>I am sure that others on this list have had the same sort of political
>challenges.  I am impatient...I hate politics ..I know I can pull this
>off.
>
>Problem is management is getting in my way.   What are your answers to
>my questions?

"I am impatient...I know I can pull this off. Problem is management is
getting in my way.."

You need to examine your priorities and the purpose of your department
and your role in it.  You are employed by the management and unless you
have the written authority to act as you currently are, you are digging
your grave. Impatience in Security leads inevitably to expensive
problems. You need to work with the Team before they fire you.

~S~

Disclaimer: My own 2 cents...







