Security Basics mailing list archives
Re: security not a big priority?
From: "Francois Yang" <francois.y () gmail com>
Date: Thu, 15 Feb 2007 10:33:47 -0600
Comments below.

On 2/15/07, Paul daSilva <pdasilva () polr org> wrote:
Francois, I would make the following recommendations if you wish to pursue a career in Security and are fed up with your present situation: 1) Leave that job and find yourself another position which does focus on Security. Educational facilities and other non-profits are notorious for hiring people to fill job positions without really defining the job role or qualifying a potential candidate. This has been my experience, and you would gain much more ground working for the private sector - find a normal company to work for.
I'm starting to think that I should look into the private sector. They tend to take this kind of thing more seriously.
2) If you are attached to the community college for whatever personal reasons, then you should stay and push the envelope. First have a sit-down meeting with your boss and explain to him the situation, that you would rather work on real Security matters than assisting the Network team with Project Management tasks. Tell him that you would consider another job before staying in your current dilemma. Then prove your worth by executing a few simple Security tests around campus, whether approved by management or not -- so you can showcase your "white hat" skills.
That I have already done. Still, not much was accomplished.
Example Security tests you can start with: Scan the entire network passively (without disruption) with NMAP and Nessus, to both identify all open protocols on campus and then test those systems for vulnerabilities or outdated software. Create nice reports with graphs and present this package to Management identifying the overall risk posture along with your recommendations for improvement. You can perform the same scenario as above, but from outside the campus firewalls (from home) so you can simulate what an outside hacker would experience and see. Please note, your home ISP may not like this, so you better get their permission first to be safe.
I've done those tests the first month I was here. I've been here for about 4 months. And yes, I even created some nice little reports.
Look around for Physical Security violations -- unlocked areas which should be locked, dark areas that may need lighting and/or camera surveillance, faculty members leaving their laptops unattended thus risking theft, or perhaps administration leaving confidential files out in the open. Look around for Logical Security violations -- anyone in the computer lab shouting out their user name and/or password(s) to one another, shady "black hats" who may come on campus to use the computing facilities but often tend to stick out, internal websites that shouldn't be publicly available or should otherwise be locked down with strict user access. Walk around campus with a laptop, wireless card, and GPS unit to scan the airwaves around the school to plot what you find: good access points, rogue access points, neighboring wireless networks that are wide open allowing students an alternative network from which to cause havoc, maybe even a truck driver in the parking lot making use of the free wireless connection without permission. You could try some social engineering tests - try to trick somebody into giving you their password, offer to install random malware on personal PC's and see how people react just to educate them.
A similar test was done about 3 yrs ago by an outside consulting firm. And to my surprise nothing was ever done.
If your school has a Spam problem, try to improve that situation by deploying better Anti-Spam products/tactics. Could be as easy as purchasing a Barracuda appliance and having it deployed by the Network team. You can configure it to have per-user quarantine, daily or weekly summaries, pretty graphics to show overall spam situation, etc.
I suggested upgrading the spam system about 2 months ago. Talked to several vendors and got quotes, etc. ... still not going very far. In the process, but it's very, very slow.
Make sure your entire campus is Anti-Virus protected with a leading vendor's product, and if possible centralize the management/configuration of this environment. For example, if you have McAfee deployed, look for their ePO or even Protection Pilot software that lets you push out software and updates, and also make sure everyone complies with the Security policy (which should say that every end-point must have Anti-Virus protection and it must be updated regularly).
I've also recommended centralizing Windows update deployment and antivirus updates in the first 2 months I started here. Still nothing has been done. They don't want to take action or they don't want to deal with the impact it will have.
Heck, if the school does not already have one, start building/writing a comprehensive Security Policy! Then bring it to your boss for review and approval -- pretty soon you will be the school's Chief Information Security Officer (CISO).
I've already written 3 policies, but again, nothing. I've asked my boss and other engineers to review them, and no one seems to want to add their input. And it won't go any further unless they give me some input.
All too often, a person finds themselves in charge of something that they think they comprehend, until their boss tells them to go off and do something totally unrelated. I'm afraid it's up to you to both prove your worthiness and better define your role in this school's Security team. Should such a team be lacking, then you have the perfect opportunity to be the leader of such team. It may be a one person team for a while, but as the school grows, and as the security threats increase, you may find yourself needing to hire some people. Keep your chin up and always show a positive "can do" attitude. Who knows, maybe your boss is testing you by placing you with the Network team, just to gauge your reaction. Hope this helps, man! Cheers, Paul