Security Basics mailing list archives

Re: NASA Security Audit


From: "Marcos E. Rodriguez" <mrodrigu () agape-tech com>
Date: Fri, 10 Oct 2003 17:04:28 -0400

Whooooooa horsie, you're tooo wound up mah brotha!

First, relax.  Understand that your auditors are simply men and women, not
to be feared.  They put their pants on the same way you do.

Secondly, if he finds something you've never heard of that's great.  Stick
with that team every step of the audit and testing and learn learn LEARN!
Also, you want to take lots of notes.  Take inventory (privately) of what
you have.  Seek the well known lists, go to the CVE, Cert sites, etc.  Make
sure your known patches are applied, take care of the obvious (if you
haven't already).

Vulnerabilities in the network under your care are not necessarily a
reflection of how great an engineer you are.  I've been on many cases where
they had crack engineering teams, but were just spread so thin that it was
impossible to keep up with everything.

An audit/pentest, whatever you like to call it, is a great way to get an
overview on how to better keep up with today's security issues, beef up what
you have, maximize your time in-house to put together the right teams needed
for threat management and the like.

It is a long and arduous process, friend; security is still in its early
stages as far as popularity is concerned.  Remember to keep it simple, one
step at a time.  Make a list, keep your tabs on it and move out soldier!

Not certain if you are gov't or private sector.  If it's the former, then
your position is quite secure, I would guess.

Don't let this rattle you, go into the whole scenario expecting to become a
better engineer, and expecting to learn all you can about this whole
process.  You'll never forget it, just take it by the horns.

My 2 scents, er....cents.

marcos

