I completely agree with the signoff procedure you have in place, but what is the point 
of disabling the dangerous options in Nessus?  That defeats the purpose and gives you 
a false sense of security.  You'll miss plenty of DoS exploits (among others) that 
could be used in conjunction with other seemingly innocuous actions to completely 
compromise a machine.  Do full scans of systems during maintenance windows and before 
bringing them online in a production environment.

my .02.

k.

back to the lurk.

-----Original Message----- 
From: Hornat, Charles [mailto:[EMAIL PROTECTED]] 
Sent: Wednesday, March 13, 2002 12:53 PM 
To: 'tony toni'; 
[EMAIL PROTECTED]@[EMAIL PROTECTED]@[EMAIL PROTECTED]
 
Subject: RE: Political Challenges Using Nessus 


I am so happy to see someone actually putting thought in before just running off and 
launching scans.  I wish my admins thought like you.
Here is what I require before any assessment is done.  I have a form that I fill out 
with specific info.  The sheet contains information like the following:
Who will do the assessment and why. 
What will be done and why. 
When will the assessment be done and why. 
Where will it be done from and why. 
I then require four signatures: the person doing the audit, the person's manager, the 
owner of the technology that will be scanned and their manager.
It may seem like overkill, but it covers your ass, and helps inform all important 
parties what you're doing and that you're taking the time to help them.
I use NESSUS and I recommend you perform scans, but always click the "enable all but 
dangerous" button.  I have had no problems and have scanned a million servers, but I 
know others who weren't so lucky.
hope this helps. 
Charles 
-----Original Message----- 
From: tony toni [mailto:[EMAIL PROTECTED]] 
Sent: Tuesday, March 12, 2002 2:44 PM 
To: [EMAIL PROTECTED] 
Subject: Political Challenges Using Nessus 


Folks, 
I am currently experimenting with Nessus.  I also have a spreadsheet of all 
IP addresses that our company uses (about 10,000) and it has a detailed 
description of each IP address.  As you can appreciate a hacker would love 
to have this spreadsheet. 
My situation... 
I currently work in the Security Group and I *sort of* have approval to run 
Nessus to perform vulnerability assessments. This is a new responsibility 
that is being forced upon my director. He assigned me this project but has 
little interest in what I am doing, is a moron about security issues, and 
will be the first person to stab me in the back if anything goes wrong. 
However, he is also putting a lot of pressure on me to do the assessments 
and produce reports so he can look good to his VP. 
My next challenge is the Manager of the Server and Network Group. He is 
very territorial and is not responding to my requests for partnering with 
him while I run Nessus.  He does not want audits done on his 
servers/firewall/routers.  I think he is either afraid of what I will find 
out or I will cause some damage.  He is also a moron on security issues. 
My problem... 
I am not sure if I can trust either my Director or the Manager of 
Network/Servers if I start running Nessus.  Both have a keen sense of 
corporate politics and only look out for themselves. My manager wants 
results...but then he offers no support and will *nail* me hard if I make any 
mistakes. 
I have been a *bad boy* of late and have been running Nessus on several 
production servers without telling anyone.  Found lots of security 
weaknesses.  None of the system admins are aware that I have run these tests 
(must not be looking at their logs).  I want to continue running Nessus on 
switches, routers, firewalls and more servers.  I want to really build a 
case for using Nessus and all of the security problems this company has. 
This is my question... 
1)  What are the political risks I may incur if I run Nessus without 
formal approval?  In other words, running Nessus against any IP address I 
want and without telling anyone what I am doing?   I am afraid that if I 
list the IPs I want to go against...I will run into a bunch of political 
roadblocks.  I want to impress everyone that I can successfully run Nessus and 
not hurt anything and everyone will say great job.  On the other hand...this 
could backfire on me and I could get *nailed* for doing these audits in 
*stealth* mode. 
2)  From a technical viewpoint...can I run Nessus against a switch, router, 
firewall and not worry about bringing these devices down?  Currently, I use 
the option "disable all dangerous plug-ins"....so I feel I am using it safely. 
I am sure that others on this list have had the same sort of political 
challenges.  I am impatient...I hate politics...I know I can pull this off.  
Problem is management is getting in my way.   What are your answers to my 
questions? 
Tony 
Security Project Lead 
Major Financial Institution on West Coast 