Get permission in WRITING. With a signature. No email. -T
> -----Original Message-----
> From: tony toni [mailto:[EMAIL PROTECTED]]
> Sent: Tuesday, March 12, 2002 11:44 AM
> To: [EMAIL PROTECTED]
> Subject: Political Challenges Using Nessus
>
> Folks,
>
> I am currently experimenting with Nessus. I also have a spreadsheet of all IP addresses that our company uses (about 10,000) and it has a detailed description of each IP address. As you can appreciate, a hacker would love to have this spreadsheet.
>
> My situation:
> I currently work in the Security Group and I *sort of* have approval to run Nessus to perform vulnerability assessments. This is a new responsibility that is being forced upon my director. He assigned me this project but has little interest in what I am doing, is a moron about security issues, and will be the first person to stab me in the back if anything goes wrong. However, he is also putting a lot of pressure on me to do the assessments and produce reports so he can look good to his VP.
>
> My next challenge is the Manager of the Server and Network Group. He is very territorial and is not responding to my requests for partnering with him while I run Nessus. He does not want audits done on his servers/firewall/routers. I think he is either afraid of what I will find out or that I will cause some damage. He is also a moron on security issues.
>
> My problem:
> I am not sure if I can trust either my Director or the Manager of Network/Servers if I start running Nessus. Both have a keen sense of corporate politics and only look out for themselves. My manager wants results... but then he offers no support and will *nail* me hard if I make any mistakes.
>
> I have been a *bad boy* of late and have been running Nessus on several production servers without telling anyone. Found lots of security weaknesses. None of the system admins are aware that I have run these tests (must not be looking at their logs). I want to continue running Nessus on switches, routers, firewalls and more servers. I want to really build a case for using Nessus and all of the security problems this company has.
>
> This is my question:
> 1) What are the political risks I may incur if I run Nessus without formal approval? In other words, running Nessus against any IP address I want and without telling anyone what I am doing? I am afraid that if I list the IPs I want to go against, I will run into a bunch of political roadblocks. I want to impress everyone that I can successfully run Nessus and not hurt anything, and everyone will say great job. On the other hand, this could backfire on me and I could get *nailed* for doing these audits in *stealth* mode.
>
> 2) From a technical viewpoint, can I run Nessus against a switch, router, firewall and not worry about bringing these devices down? Currently, I use the option "disable all dangerous plug-ins", so I feel I am using it safely.
>
> I am sure that others on this list have had the same sort of political challenges. I am impatient... I hate politics... I know I can pull this off. Problem is management is getting in my way. What are your answers to my questions?
>
> Tony
> Security Project Lead
> Major Financial Institution on West Coast
