A scan is a scan, NO MORE than that. I get around 50 scans per day on my
system. Do you think I'm going to report any of them? Hell no, it just gives
me some good practice. Most of the scanning that is done on me barely affects
my system resources. It also pushes me to find more things I can do to fake
them, e.g. they may think I'm running certain ports when I'm not. Now if
they compromise the system using Nessus, well that's all on me, I should
have been doing my job. Basically what I'm saying is fuck it, SCAN YA HEART
OUT.

----- Original Message -----
From: "Hopkins, John A. [C]" <[EMAIL PROTECTED]>
To: "'tony toni'" <[EMAIL PROTECTED]>;
<[EMAIL PROTECTED]>
Sent: Wednesday, March 13, 2002 4:37 PM
Subject: RE: Political Challenges Using Nessus


> Tony,
>
> As hard as it may be, you MUST NOT run any Intrusion Detection or
> vulnerability scans within your organization until you have, at a minimum,
> management's direction and approval IN WRITING!  The only way to securely,
> safely, correctly, and legally conduct any security assessment and/or
> processes within your organization is to have a WRITTEN corporate security
> plan/policy to identify and support established protocols and procedures
> necessary to ascertain and promote your corporate security requirements.
> Conducting vulnerability scans and security assessments without WRITTEN
> policy and procedures is guaranteed individual and corporate suicide.
> There are many books and instructions - I'm sure you are aware of - that
> can assist you and your organization in establishing a sound security plan
> and policy.  Don't put yourself on the line, as you have already stated,
> with the distrust and disapproval you have already encountered in your
> organization.  IT IS A BOMB WAITING TO GO OFF!  It will go off in your
> hands if you continue in your current practices.  Information security is
> dynamic in nature and MUST be supported and enforced with a documented and
> signed (by executive management) dynamic security policy.  If you cannot
> obtain this type of support, I would STRONGLY recommend washing your hands
> of it until such time that corporate security concerns can be addressed
> adequately and responsibly!
>
> John H
> ISSO
> Major Government Organization
>
> -----Original Message-----
> From: tony toni [mailto:[EMAIL PROTECTED]]
> Sent: Tuesday, March 12, 2002 2:44 PM
> To: [EMAIL PROTECTED]
> Subject: Political Challenges Using Nessus
>
>
> Folks,
>
> I am currently experimenting with Nessus.  I also have a spreadsheet of
> all IP addresses that our company uses (about 10,000) and it has a detailed
> description of each IP address.  As you can appreciate, a hacker would love
> to have this spreadsheet.
>
> My situation...
> I currently work in the Security Group and I *sort of* have approval to
> run Nessus to perform vulnerability assessments. This is a new
> responsibility that is being forced upon my director. He assigned me this
> project but has little interest in what I am doing, is a moron about
> security issues, and will be the first person to stab me in the back if
> anything goes wrong.  However, he is also putting a lot of pressure on me
> to do the assessments and produce reports so he can look good to his VP.
>
> My next challenge is the Manager of the Server and Network Group. He is
> very territorial and is not responding to my requests for partnering with
> him while I run Nessus.  He does not want audits done on his
> servers/firewall/routers.  I think he is either afraid of what I will find
> out or that I will cause some damage.  He is also a moron on security issues.
>
> My problem...
> I am not sure if I can trust either my Director or the Manager of
> Network/Servers if I start running Nessus.  Both have a keen sense of
> corporate politics and only look out for themselves. My manager wants
> results..but then he offers no support and will *nail* me hard if I make
> any mistakes.
>
> I have been a *bad boy* of late and have been running Nessus on several
> production servers without telling anyone.  Found lots of security
> weaknesses.  None of the system admins are aware that I have run these
> tests (must not be looking at their logs).  I want to continue running
> Nessus on switches, routers, firewalls and more servers.  I want to really
> build a case for using Nessus and all of the security problems this
> company has.
>
> This is my question...
> 1)  What are the political risks I may incur if I run Nessus without
> formal approval?  In other words, running Nessus against any IP address I
> want and without telling anyone what I am doing?   I am afraid that if I
> list the IP's I want to go against...I will run into a bunch of political
> roadblocks.  I want to impress everyone that I can successfully run Nessus
> and not hurt anything and everyone will say great job.  On the other
> hand...this could backfire on me and I could get *nailed* for doing these
> audits in *stealth* mode.
>
> 2)  From a technical viewpoint...can I run Nessus against a switch,
> router, firewall and not worry about bringing these devices down?
> Currently, I use the option "disable all dangerous plug-ins"....so I feel
> I am using it safely.
>
> I am sure that others on this list have had the same sort of political
> challenges.  I am impatient...I hate politics ..I know I can pull this
> off.
>
> Problem is management is getting in my way.   What are your answers to my
> questions?
>
> Tony
> Security Project Lead
> Major Financial Institution on West Coast
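John's point is that a scan is only defensible when a written authorization defines what may be touched, and Tony's second question is really about the same thing: which devices (switches, routers, firewalls) are in bounds and under what conditions. The script below is an added example, not code from anyone in this thread: it is a scope gate that sits in front of whatever scanner is used, reads a signed scope file, and filters the asset spreadsheet down to the targets the authorization actually covers, rejecting everything else with a reason that can be shown to management. The scope-file format, the asset classes, the sample scope and the inventory rows are all assumptions constructed for this example; nothing here is a Nessus option or file format.

```python
"""Scope gate for a vulnerability scan run (added example, not from the thread).

Before any scanner is pointed at a target, the candidate list is checked
against a written authorization.  A host is scanned only if it falls inside
an authorized range, is not explicitly excluded, and (for network
infrastructure) has been separately signed off.  Everything else is refused
with a reason, so the run can be reconstructed afterwards.
"""
import ipaddress

# Constructed sample scope file (assumed format, not a real scanner config):
# the ranges management signed for, carve-outs, and whether routers/switches/
# firewalls were explicitly approved.
SCOPE_TEXT = """\
# signed by: security director, network manager   (assumed header)
authorized = 10.1.0.0/16, 192.0.2.0/24
excluded = 10.1.0.1, 10.1.0.254
infrastructure_authorized = no
"""

# Constructed excerpt of the asset spreadsheet: (ip, description, asset class).
INVENTORY = [
    ("10.1.5.10", "payroll web server", "server"),
    ("10.1.5.11", "payroll database", "server"),
    ("10.1.0.1", "core router", "router"),
    ("10.1.0.254", "border firewall", "firewall"),
    ("10.1.7.2", "floor 3 access switch", "switch"),
    ("192.0.2.20", "DMZ mail relay", "server"),
    ("172.16.9.4", "partner VPN endpoint", "server"),   # outside the signed ranges
]

# Asset classes that need their own sign-off before they are scanned.
INFRASTRUCTURE = {"router", "switch", "firewall"}


def parse_scope(text):
    """Parse the minimal key = value scope file into networks, hosts and a flag."""
    scope = {"authorized": [], "excluded": set(), "infrastructure_authorized": False}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()          # drop comments and blanks
        if not line or "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        items = [v.strip() for v in value.split(",") if v.strip()]
        if key == "authorized":
            scope["authorized"] = [ipaddress.ip_network(v, strict=False) for v in items]
        elif key == "excluded":
            scope["excluded"] = {ipaddress.ip_address(v) for v in items}
        elif key == "infrastructure_authorized":
            scope["infrastructure_authorized"] = value.lower() in ("yes", "true")
    # An authorization that names no ranges authorizes nothing: refuse to run.
    if not scope["authorized"]:
        raise ValueError("scope file authorizes no address ranges; do not scan")
    return scope


def gate_targets(inventory, scope):
    """Split the inventory into (allowed ips, [(ip, reason) rejected])."""
    allowed, rejected = [], []
    for ip_str, _description, asset_class in inventory:
        ip = ipaddress.ip_address(ip_str)
        if not any(ip in net for net in scope["authorized"]):
            rejected.append((ip_str, "outside written scope"))
        elif ip in scope["excluded"]:
            rejected.append((ip_str, "explicitly excluded"))
        elif asset_class in INFRASTRUCTURE and not scope["infrastructure_authorized"]:
            rejected.append((ip_str, "network infrastructure not signed off"))
        else:
            allowed.append(ip_str)
    return allowed, rejected


def targets_file(allowed):
    """One target per line: the plain form most scanners accept as a target list."""
    return "".join(ip + "\n" for ip in allowed)


if __name__ == "__main__":
    scope = parse_scope(SCOPE_TEXT)
    allowed, rejected = gate_targets(INVENTORY, scope)
    print("scanning:")
    print(targets_file(allowed), end="")
    print("refused:")
    for ip, reason in rejected:
        print(f"  {ip:<12} {reason}")
```

The gate is deliberately a separate step from the scanner: the list it emits is what gets fed to the scan, and the refusal list is what gets attached to the report, so a later argument about "who told you to scan the firewall" is settled by the scope file rather than by memory. Flipping `infrastructure_authorized` to `yes` is the only way the switch becomes a target; the explicitly excluded router and firewall stay out regardless.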
