December 17th, 2003, 05:35 PM
pitching network security
I am a network admin looking for articles or text files stressing the extreme importance of security. I am running into a huge problem: people over me not caring about network or system security. I would truly appreciate it if anyone would give me an article that would scare the living daylights out of them.
December 17th, 2003, 05:43 PM
I am so confused....do you or don't you care?
I am running into a huge problem people over me not caring about network or system security
I'll go with you do care, in which case you have a few choices.
1. Do nothing, wait until the network gets taken to its knees, then run around, stick your tongue out, and say "neener, neener, I told you so"
2. Take down the network yourself, just to prove a point, then run around saying "neener, neener, I told you so" just to throw them off. Before you do this, make sure you have another job, just in case they don't fall for it.
3. Go to Symantec, or any virus tracking site, and show them the number of viruses that crop up every month. Google for statistics concerning actual losses due to downtime and restoration.
December 17th, 2003, 05:44 PM
Well...ehrm...you know what really really scares the living daylights out of them?
Having a virus run rampant on their network (just make sure YOU didn't introduce it)
After a few days of failing services you can be sure they'll start listening.
Experience is something you don't get until just after you need it.
December 17th, 2003, 05:45 PM
I am sorry, it is they that don't care about network security.
December 17th, 2003, 05:46 PM
There are tons of papers out there. It just depends on what and how technical you want the articles/papers to be.
Have a look at the Symantec Internet Security Threat Report here.
You may want to do some looking around at www.securityfocus.com and www.sans.org
They both have some great articles/papers there.
December 17th, 2003, 05:52 PM
Thank you phishphreek80, I appreciate it. I found what I am looking for.
December 17th, 2003, 08:19 PM
Having a network shut down is the best wake-up call possible! Or you can always have fun creating strange behavior for them, like unplugging the server Ethernet cable for an hour or two, and watch them run around!
December 17th, 2003, 08:35 PM
getting them to care about network security
The first time I ran spybot and spyhunter on the CEO and CIO systems the results scared the hell out of them. I guess I got their attention. They thought a firewall was enough. They don't think that any more.
December 30th, 2003, 10:32 PM
I see they don't like adware or malware! O.K., now that you've got their attention, here's what you do. Get their permission to perform a complete security audit of the system. Get a couple of old boxes out and load them up similar to a production system or server and put them on an isolated subnet. Now it's time to think from the other side of the fence!
Attack the systems from both outside and inside the firewall. Try common attacks like BO or NetBus, then repackage and encapsulate them and try again. Attempt a DoS attack. Play with your ports. Attempt to brute force the firewall itself. Also, download a product like Webtrends Security Analyzer and scan the entire network for vulnerabilities.
See how they find out first...from another admin showing them the firewall logs, or from you showing them the lack of security. See how many times your antivirus doesn't alarm.
It's great fun... just don't attack your production servers (downtime sucks; so does job hunting.)
Also, make sure that no one is using any P2P software on your LAN. If they are, good idea to show them how insecure P2P is too.
Hack your own network first, before a hacker does. That way, you know where the vulnerabilities are in your system and are better prepared to counter and minimize the damage. Know your Enemy!
When you're done, make sure all your activities are clearly documented and show them exactly how vulnerable they are. Then install an IDS system, syslog servers, scanners, and apply countermeasures where you are vulnerable.
December 31st, 2003, 01:08 AM
I cannot believe what I am reading in these replies. Many of these "solutions" will most likely result in instant termination of your employment and a huge hole in your resume, if not land you in jail outright. Additionally, the forfeiture of any CISSP/CISA type certifications you may hold.
If your company lacks a risk management department and you are really seeking extra work, develop your own risk analysis and mitigation report. What you'll need:
An index of asset values (AV) and an index of threats. Using these you'll need to determine the exposure factor (EF, what percentage of an asset will be lost as a result of the realization of a threat) and the annual rate of occurrence (ARO, how frequently a threat will be realized).
This should leave you with several figures: your Single Loss Expectancy (SLE), which is equal to EF * AV, can be calculated. SLE * ARO = your annualized loss expectancy (ALE), or how much money you should expect to lose from a particular threat in a given year.
Now that you know how much money the risk to a particular asset is costing the company, you need to determine an acceptable risk. Frequently this figure is the lowest you can get by combining the costs of countermeasures and the ARO after the countermeasures are in place. For example, if you have an ALE of $10,000 and you can spend $1,000 annually on countermeasures (CM) to lower your ALE to $5,000, the CM are a good investment as your total risk cost is now $6,000 (CM + ALE). On the other hand, if you spend $9,000 annually on CM and end up with an ALE of $2,000, your total risk cost is $11,000, which is clearly a worse investment than doing nothing.
Using this document you should be able to demonstrate to your Sr. Management that you can effectively reduce their risk costs, and Sr. Management people tend to like to save money. If this doesn't work then there is not much else you can expect; either they don't care about money or they've already had an assessment done and feel they are managing their risks correctly.
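The SLE/ALE arithmetic from the post above, carried through as an added example (not code from the original thread): it computes SLE = EF * AV and ALE = SLE * ARO for one threat, then compares "do nothing" against countermeasure options by total risk cost (CM + residual ALE). The threat, asset value and countermeasure figures are constructed so they reproduce the post's $10,000 ALE example; the `Threat` and `Countermeasure` names are this example's own.

```python
from __future__ import annotations
from dataclasses import dataclass


@dataclass(frozen=True)
class Threat:
    """One threat against one asset, using the post's terms."""
    name: str
    av: float   # asset value (AV), dollars
    ef: float   # exposure factor (EF): fraction of AV lost per realization
    aro: float  # annual rate of occurrence (ARO) with no countermeasure


@dataclass(frozen=True)
class Countermeasure:
    """A countermeasure (CM) and the ARO expected once it is in place."""
    name: str
    annual_cost: float
    aro_after: float


def sle(t: Threat) -> float:
    """Single Loss Expectancy: SLE = EF * AV."""
    return t.ef * t.av


def ale(t: Threat, aro: float | None = None) -> float:
    """Annualized Loss Expectancy: ALE = SLE * ARO (optionally a reduced ARO)."""
    return sle(t) * (t.aro if aro is None else aro)


def total_risk_cost(t: Threat, cm: Countermeasure | None) -> float:
    """Yearly cost of an option: CM cost plus residual ALE; None means do nothing."""
    if cm is None:
        return ale(t)
    return cm.annual_cost + ale(t, cm.aro_after)


def best_option(t: Threat, cms: list[Countermeasure]) -> tuple[str, float]:
    """Pick the option with the lowest total risk cost, 'do nothing' included."""
    options = [("do nothing", total_risk_cost(t, None))]
    options += [(cm.name, total_risk_cost(t, cm)) for cm in cms]
    return min(options, key=lambda o: o[1])


# Constructed sample figures, chosen to reproduce the post's $10,000 ALE example.
FILE_SERVER_WORM = Threat("worm outbreak on file server", av=40_000, ef=0.25, aro=1.0)
OPTIONS = [
    Countermeasure("patching + AV updates", annual_cost=1_000, aro_after=0.5),
    Countermeasure("outsourced managed firewall", annual_cost=9_000, aro_after=0.2),
]

if __name__ == "__main__":
    t = FILE_SERVER_WORM
    print(f"SLE=${sle(t):,.0f}  ALE=${ale(t):,.0f}")
    for cm in OPTIONS:
        print(f"{cm.name}: total risk cost ${total_risk_cost(t, cm):,.0f}")
    print("best:", best_option(t, OPTIONS))
```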