Now that I've gotten into the groove, so to speak, I can reflect on what I've seen in the new position. Here are some of the projects I'm working on.
I have started to build out a security awareness program. This program is going to focus heavily on phishing, but will also include a monthly email, a blog, and an internal site to check email addresses against data breach datasets. The monthly emails will feature a unique topic on information security as a method to educate the users. I started a blog to post information security stories that the user base can learn from and to read about non-mainstream stories. As for phishing, we'll be making heavy use of PhishMe.
I'm also starting to build a vulnerability management program. Right now, there are no internal vulnerability scans performed on the user space. And really, from what I've seen, the external scans (performed by a managed service) are sorely lacking. For low-hanging fruit, I've purchased a Nessus license and will start working on internal assessments. I will also start working on the servers, but I know what I will find, and I know it will be very hard to change the culture of non-patching. I'm afraid of what it will take to make the changes to install a regular patch management program.
The results of my mini-gap assessment have shown me where there are many opportunities to get better. I plan on using the SANS Top 20 Controls in order to clip the low-hanging fruit and make improvements.
Right now my most tangible success has been the creation of a "security server" where I'll be able to stage vulnerability scans, pen tests, and other security tasks. I'm also in the process of building a "scanning" account to be used by the tools such that we should ONLY see this account used during security engagements...any other use may indicate an incident.
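The idea of a dedicated scanning account that should only ever appear during scheduled engagements is essentially a honeytoken: any logon by that account outside an approved window, or from anywhere other than the security server, is worth an alert. The following is an added example, not code from the original post, showing what that check can look like over a few constructed sshd-style log lines. The account name `svc-scan`, the security server address `10.0.5.10`, the engagement window and the log lines themselves are all hypothetical.

```python
"""
Added example (not part of the original post): flag use of a dedicated
scanning account outside approved security engagements.

Hypothetical assumptions: the scanning account is "svc-scan", the
security server is 10.0.5.10, engagements are recorded as (start, end)
UTC windows, and the log lines are constructed, simplified sshd entries.
"""
import re
from datetime import datetime, timezone

SCAN_ACCOUNT = "svc-scan"          # hypothetical scanning account name
SECURITY_SERVER_IP = "10.0.5.10"   # hypothetical address of the security server

# Approved engagement windows (UTC). A logon by the scanning account outside
# these windows, or from any other source, is treated as a possible incident.
ENGAGEMENTS = [
    (datetime(2012, 3, 10, 22, 0, tzinfo=timezone.utc),
     datetime(2012, 3, 11, 4, 0, tzinfo=timezone.utc)),
]

# Constructed sample log lines in a simplified sshd format:
# "<ISO timestamp> sshd: Accepted password for <user> from <ip>"
SAMPLE_LOG = """\
2012-03-10T22:15:07Z sshd: Accepted password for svc-scan from 10.0.5.10
2012-03-10T23:40:12Z sshd: Accepted password for jsmith from 10.0.7.21
2012-03-12T09:03:44Z sshd: Accepted password for svc-scan from 10.0.5.10
2012-03-10T23:55:01Z sshd: Accepted password for svc-scan from 192.168.44.9
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) sshd: Accepted \w+ for (?P<user>\S+) from (?P<ip>\S+)$"
)


def parse_line(line):
    """Parse one log line into a dict, or return None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%Y-%m-%dT%H:%M:%SZ")
    return {"ts": ts.replace(tzinfo=timezone.utc),
            "user": m.group("user"), "ip": m.group("ip")}


def in_engagement(ts, engagements=ENGAGEMENTS):
    """True if the timestamp falls inside any approved engagement window."""
    return any(start <= ts <= end for start, end in engagements)


def find_alerts(log_text, engagements=ENGAGEMENTS):
    """Return (timestamp, source_ip, reason) for every suspicious scan-account logon."""
    alerts = []
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None or ev["user"] != SCAN_ACCOUNT:
            continue  # other accounts are out of scope for this check
        reasons = []
        if not in_engagement(ev["ts"], engagements):
            reasons.append("outside engagement window")
        if ev["ip"] != SECURITY_SERVER_IP:
            reasons.append("source is not the security server")
        if reasons:
            alerts.append((ev["ts"].isoformat(), ev["ip"], "; ".join(reasons)))
    return alerts


if __name__ == "__main__":
    for ts, ip, why in find_alerts(SAMPLE_LOG):
        print(f"ALERT {ts} {SCAN_ACCOUNT} from {ip}: {why}")
```

Run against the constructed lines, the first `svc-scan` logon is clean (inside the window, from the security server), the third is flagged for happening outside any engagement, and the fourth is flagged because it comes from a host that is not the security server. In practice the engagement list would be fed from the change or engagement calendar, and the alert would go to whatever the monitoring stack uses, but the rule itself stays this simple: the account has exactly one legitimate use, so everything else is a signal.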
Finally, I'm working on information sharing. I firmly believe that the sharing of information by the Good Guys helps us combat the Bad Guys. To that end, I started working as our company's representative to one of the sharing resource centers. Down the line, I hope to get involved with Infraguard as well.
It's been a busy two months... and I only see it getting busier.