Home page logo

basics logo Security Basics mailing list archives

RE: security not a big priority?
From: "David Rosenhan" <drosenhan () tvg com>
Date: Thu, 15 Feb 2007 12:21:06 -0700

After you have done all of this, and documented it, you will need to
keep a nice long record of it all for CYA purposes.  

You can't force your company to do the right thing; you can push them in
the right direction. But I have found that upper management will only
take care of what they can "see" most of the time.  

It really sounds like you are doing your best. I would get very
frustrated as well.  The only next step you really have is to take it up
one more level and present something that will strike a fire under your
management teams "rear ends".  You will have to take the proof you have
gathered regarding your vulnerabilities. Then map out what could happen
if your company was compromised through an inside or an outside attack
using the vulnerabilities you have outlined.  Research how often this
happens, worst and best case scenarios.  You will need to outline how
much it will cost and how many man hours it will take to fix the problem
and push out the changes; management has to have this information to
make an informed decision.  You have to prove that it will cost more
money in the end if they don't fix it than if they just spend the money
and assign the man hours now to fix the problem.  This is called
"justifying money and man hours for a project".

From here management will need you (or your companies project manager)
to compile an initiative and a project plan, with a timeline and a
budget, that they will *have* to sign off on before anyone will actually
do anything about it.  If management does not sign off on the deal then
nobody will care and nothing will get done, you need them behind you so
you can push others to get it done.

This is the way I have been able to get things done in the past.  In
business, it is almost the only way to get your job done anymore.

If I am way off the mark here let me know, but I am reading into this
and it sounds like all the technical parts are done; now it is time to
manage it!

If none of this flies, and they don't care, then quit!!  You have way
too much integrity and self worth to work for a company that does not
and will not care.

David R.
Network Security Engineer

-----Original Message-----
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com]
On Behalf Of Francois Yang
Sent: Thursday, February 15, 2007 9:34 AM
To: security-basics () securityfocus com
Subject: Re: security not a big priority?

Comments below.

On 2/15/07, Paul daSilva <pdasilva () polr org> wrote:

I would make the following recommendations if you wish to pursue a
career in Security and are fed up with your present situation:

1) Leave that job and find yourself another position which does focus
Security.  Educational facilities and other non-profits are notorious
for hiring people to fill job positions without really defining the
role or qualifying a potential candidate.  This has been my
and you would gain much more ground working for the private sector -
find a normal company to work for.

I'm starting to think that I should look into the private sector. they
tend to take this kind of things more seriously.

2) If you are attached to the community college for whatever personal
reasons, then you should stay and push the envelope.  First have a
sit-down meeting with your boss and explain to him the situation, that
you would rather work on real Security matters than assisting the
Network team with Project Management tasks.  Tell him that you would
consider another job before staying in your current dilemma.  Then
your worth by executing a few simple Security tests around campus,
whether approved by management or not -- so you can showcase your
hat" skills.

That I have already done.  Still, not much was accomplished.

Example Security tests you can start with:

Scan the entire network passively (without disruption) with NMAP and
Nessus, to both identify all open protocols on campus and then test
those systems for vulnerabilities or outdated software.  Create nice
reports with graphs and present this package to Management identifying
the overall risk posture along with your recommendations for

You can perform the same scenario as above, but from outside the
firewalls (from home) so you can simulate what an outside hacker would
experience and see.  Please note, your home ISP may not like this, so
you better get their permission first to be safe.

I've done those tests the first month I was here. I'm been here for
about 4 months. and yes, I even created some nice little reports.

Look around for Physical Security violations -- unlocked areas which
should be locked, dark areas that may need lighting and/or camera
surveillance, faculty members leaving their laptops unattended thus
risking theft, or perhaps administration leaving confidential files
in the open.

Look around for Logical Security violations -- anyone in the computer
lab shouting out their user name and/or password(s) to one another,
shady "black hats" who may come on campus to use the computing
facilities but often tend to stick out, internal websites that
be publicly available or should otherwise be locked down with strict
user access.

Walk around campus with a laptop, wireless card, and GPS unit to scan
the airwaves around the school to plot what you find:  good access
points, rogue access points, neighboring wireless networks that are
open allowing students an alternative network from which to cause
maybe even a truck driver in the parking lot making use of the free
wireless connection without permission.

You could try some social engineering tests - try to trick somebody
giving you their password, offer to install random malware on personal
PC's and see how people react just to educate them.

A similar test was done about 3 yrs ago by an outside consulting firm.
And to my surprise nothing was ever done.

If your school has a Spam problem, try to improve that situation by
deploying better Anti-Spam products/tactics.  Could be as easy as
purchasing a Barracuda appliance and having it deployed by the Network
team.  You can configure it to have per-user quarantine, daily or
summaries, pretty graphics to show overall spam situation, etc.

I suggested upgrading the spam system about 2 months ago.
Talked to several vendors and got quotes etc....still not going very
in the process but it's very very slow.

Make sure your entire campus is Anti-Virus protected with a leading
vendor's product, and if possible centralize the
management/configuration of this environment.  For example, if you
McAfee deployed, look for their ePO or even Protection Pilot software
that lets you push out software and updates, and also make sure
complies with the Security policy (which should say that every
must have Anti-Virus protection and it must be updated regularly).

I've also recommend centralizing Windows update deployment and
antivirus updates in the first 2 months I started here.  Still nothing
has been done.  They don't want to take actions or they don't want to
deal with the impact it will have.

Heck, if the school does not already have one, start building/writing
comprehensive Security Policy!  Then bring it to your boss for review
and approval -- pretty soon you will be the school's Chief Information
Security Officer (CISO).

I've already written 3 policies, but again, nothing.
I've asked my boss and other engineers to review them, and no one seem
to want to add their inputs.  And it won't go any further unless they
give me some inputs.

All too often, a person finds themselves in charge of something that
they think they comprehend, until their boss tells them to go off and
something totally unrelated.  I'm afraid it's up to you to both prove
your worthiness and better define your role in this school's Security
team.  Should such a team be lacking, then you have the perfect
opportunity to be the leader of such team.  It may be a one person
for a while, but as the school grows, and as the security threats
increase, you may find yourself needing to hire some people.

Keep your chin up and always show a positive "can do" attitude.  Who
knows, maybe your boss is testing you by placing you with the Network
team, just to gauge your reaction.

Hope this helps, man!  Cheers,


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]