jason_guy_yeah Posted June 9, 2015
This is kinda a noob question but, would you guys have any good suggestions for tools for detecting security holes so that I can make a report? So basically at work, we've had a revolving door for our security team...actually at times we've had no IT security and the firewall is a mess. I've suggested VDI/thin clients and better password policies or running Windows off of a Linux middleware and having generic snapshots ready. However, my manager thinks having all the passwords on an unencrypted Excel spreadsheet is fine because only OU admins can access it, and when a computer gets a virus/trojan, rebuilding the OS is all that's needed. End users are allowed to download and add toolbars/extensions....actually some have admin accounts because he doesn't want to set ACLs/security groups for work applications. We've been fortunate enough that the admin accounts haven't had any viruses but, I've rebuilt quite a bit of machines that had undetected keyloggers and trojans...I'm concerned about the network getting compromised and spreading. But my knowledge of network security is minimal. What I would like to do is get a good list of tools (nmap, nessus, bitlocker, fileharding, etc), readups or suggestions.

digininja Posted June 9, 2015
By the sound of it, tools are not going to help you, you need policies and buy-in from management. I've none handy but there are plenty of conference talks about different ways to try to get this. You need to show the cost benefits of implementing good security rather than fighting fires, the initial cost may be more but the ongoing cost of disruption and time wasted recovering will come up to more in the long run. For tools, I'd invest in AV for the common stuff and then good perimeter filtering, block all unauthorised inbound and outbound traffic. Maybe drop a copy of Security Onion on a span port near the gateway and show how much malicious traffic is moving around.

Sildaekar Posted June 10, 2015
Step 1: Silently infect one computer with 2-3 viruses, and 1 worm.
Step 2: Once the worm spreads to other machines tell your boss about it
Step 3: Inform his boss that it was his fault for allowing all of what you mentioned
Step 4: Congrats you have all the security policies in place AND a new boss
Note: Don't actually do this.

jason_guy_yeah Posted June 10, 2015
Oh ok, after talking with my manager. He's going to resign within a month so he doesn't want to lose brownie points from enforcing policies. I tried asking my director but he said it's up to my manager and to really start looking for a new job.

Sildaekar Posted June 10, 2015
Yeah, all the tools in the world won't work without having those policies in effect. The weakest link in security is the human element, and if no one is willing to enforce it at that end, then it's not going to work. (That was one big run-on wasn't it?) Basically I would just try to shove it down everyone's throats that they need to start enforcing this, or you could anonymously post your company's name somewhere and tell everyone the extreme lack of security prevalent, I'm sure that would have attacks from everywhere rolling in and would force them to put these policies in place. The down side to this is being in the position you're in, you would have to clean it all up :/ I hate this but you're really between a rock and a hard place.

cooper Posted June 10, 2015
> Oh ok, after talking with my manager. He's going to resign within a month so he doesn't want to lose brownie points from enforcing policies. I tried asking my director but he said it's up to my manager and to really start looking for a new job.
Wait... That was his suggestion to YOU?

jason_guy_yeah Posted June 10, 2015
Yeah, it's kinda weird, he told the department later on in a meeting the same thing and he's looking for work too. I'm guessing remote support is taking over, another location has thin clients and no IT staff on premise. I just realized that users weren't supposed to save to the desktops (roaming profiles) but the manager changed it, so their profiles aren't backed up, only what's on the file server and mail server.

cooper Posted June 10, 2015
Get your ass to the job market *NOW*! Stay with the place until you have something else (man's gotta eat too) but until management has been replaced don't bother to bring the subject up anymore - nobody cares (and it will be their downfall). It's obvious they aren't taking their own work seriously themselves which means you effectively are unable to properly do yours. When you interview at another place and they ask why you're leaving your current job, just say people are leaving the apparently sinking ship and you're not going to sit around waiting to get sacked (if they don't ask, don't bring it up yourself).

Dec100 Posted June 10, 2015
Not that it helps in the flaky job situation you describe above, but a good way to show the cost benefit of proper security is to show them how much time you and your colleagues waste investigating incidents and cleaning malware. So, for example, say you cost the business $50 an hour, and you're spending 5 hours a day on this, do the maths to show them how much they'd save over 3 years by spending the money on AV and removing user admin rights. You can extend it into how long an average malware call takes to deal with (showing how much time that user can't work) and show how many calls to the support desk would be avoided, etc. Anyway, best of luck to you. Sounds like there are better places to work.

jason_guy_yeah Posted June 11, 2015
You guys have a good point, so I've taken an offer that starts in 5 weeks. So in the meantime, I'm gonna lay low and ride it out until I put in my 2-week notice.