
Wednesday, July 15, 2015

Failed a Pentest...Stake in the Ground

I've been with the company a little over a month and a half.  I've run numerous gap analyses, and I know where we are deficient.  And some of it is not good.  I've compared ourselves to the SANS Top 20, and again, it's not good.  Management wanted an internal pentest, to get a feel for the security posture.  We in IT wanted a good boutique pentesting company, but we were told to use the company that already audits the finance department.  Fortunately, these guys were good.

We failed the pentest, miserably.  Most of my guesses as to how it would happen came to pass.  And I'm ok with that.  Heck, they had domain admin in about a day.  There were some good surprises, and there were some good wins.  I'm good with it, as it confirmed most of what I have been raising to management for the past year.  The hope is that management will open their eyes and start making changes.

So mentally, I've put a stake in the ground.  I want to see how long it takes for any real change to take place.  I'm waiting to see when management starts mandating change in the form of implementation of controls in order to raise the security posture of the company.  Or is management just checking a box that an audit was performed?

I'll update as controls start being implemented.

P.S.: I have to say, as a former auditor, it was interesting to experience the audit from the other side of the fence.  I was able to understand what the auditors were looking for and better able to answer their questions since I had been in their shoes.

Wednesday, December 18, 2013

Taking stock

Now that I've gotten into the groove so to speak, I can reflect on what I've seen in the new position.  Here are some of the projects I'm working on.

I have started to build out a security awareness program.  This program is going to focus heavily on phishing, but will also include a monthly email, a blog, and an internal site to check email addresses against data breach datasets.  The monthly emails will feature a unique topic on information security as a method to educate the users.  I started a blog to post information security stories that the user base can learn from and to read about non-mainstream stories.  As for phishing, we'll be making heavy use of PhishMe.

I'm also starting to build a vulnerability management program.  Right now, there are no internal vulnerability scans performed on the user-space.  And really, from what I've seen, the external scans (performed by a managed service) are sorely lacking.  For low-hanging fruit, I've purchased a Nessus license and will start working on internal assessments.  I will also start working on the servers, but I know what I will find, and I know it will be very hard to change the culture of non-patching.  I'm afraid of what it will take to make the changes to install a regular patch management program.

The results of my mini-gap assessment have shown me where there are many opportunities to get better.  I plan on using the SANS Top 20 Controls in order to clip the low-hanging fruit and make improvements.

Right now my most tangible success has been the creation of a "security server" where I'll be able to stage vulnerability scans, pen tests, and other security tasks.  I'm also in the process of building a "scanning" account to be used by the tools such that we should ONLY see this account used during security engagements...any other use may indicate an incident.
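The detection idea behind the "scanning" account, as an added example that is not part of the original post or the author's environment: any logon by the dedicated scanning account that falls outside an approved engagement window, or that does not originate from the security server, is raised as an alert. The account name (svc-vulnscan), the security server address, the engagement window and the log line format are all constructed assumptions for this example.

```python
"""Flag use of a dedicated scanning account outside approved engagements.

Added example, not code from the original post. The account name, the
security server address, the engagement window and the log format below
are assumptions constructed for illustration.
"""
import re
from dataclasses import dataclass
from datetime import datetime

SCAN_ACCOUNT = "svc-vulnscan"    # assumed name of the scanning account
SECURITY_SERVER = "10.0.5.20"    # assumed address of the security server


@dataclass(frozen=True)
class Engagement:
    """An approved window during which the scanning account may be used."""
    start: datetime
    end: datetime

    def covers(self, ts: datetime) -> bool:
        return self.start <= ts <= self.end


# Assumed schedule of approved engagements (constructed for the example).
ENGAGEMENTS = [
    Engagement(datetime(2013, 12, 20, 22, 0), datetime(2013, 12, 21, 2, 0)),
]

# Constructed log format: "<ISO timestamp> <result> user=<name> src=<ip>"
LOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<result>LOGON_OK|LOGON_FAIL)\s+"
    r"user=(?P<user>\S+)\s+src=(?P<src>\S+)$"
)

# Constructed sample log: one legitimate scan logon, one failed attempt from
# a different host during the window, one success outside the window, one
# unrelated user and one malformed line.
SAMPLE_LOG = """\
2013-12-20T23:15:00 LOGON_OK user=svc-vulnscan src=10.0.5.20
2013-12-20T23:40:00 LOGON_FAIL user=svc-vulnscan src=10.0.9.9
2013-12-22T09:02:11 LOGON_OK user=svc-vulnscan src=10.0.7.44
2013-12-22T09:05:00 LOGON_OK user=jdoe src=10.0.7.44
this line is not in the expected format
"""


def parse_line(line: str):
    """Return a dict for a well-formed log line, or None if it does not parse."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    return {
        "ts": datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%S"),
        "result": m["result"],
        "user": m["user"],
        "src": m["src"],
    }


def deviations(event, engagements=ENGAGEMENTS, server=SECURITY_SERVER):
    """List every way an event departs from expected scanning-account use."""
    reasons = []
    if not any(e.covers(event["ts"]) for e in engagements):
        reasons.append("outside engagement window")
    if event["src"] != server:
        reasons.append("unexpected source host")
    return reasons


def find_suspicious(lines, account=SCAN_ACCOUNT):
    """Return alerts for scanning-account events (successful or failed)
    that fall outside the approved window or come from the wrong host."""
    alerts = []
    for line in lines:
        event = parse_line(line)
        if event is None or event["user"] != account:
            continue  # malformed line or a different account
        reasons = deviations(event)
        if reasons:
            alerts.append({**event, "reasons": reasons})
    return alerts


if __name__ == "__main__":
    for alert in find_suspicious(SAMPLE_LOG.splitlines()):
        print(alert["ts"], alert["result"], alert["src"], ", ".join(alert["reasons"]))
```

Failed logons are kept on purpose: a password-guessing attempt against the scanning account from an unexpected host is exactly the kind of "any other use" the post wants to surface, even though it never succeeded.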

Finally, I'm working on information sharing.  I firmly believe that the sharing of information by the Good Guys helps us combat the Bad Guys.  To that end, I started working as our company's representative to one of the sharing resource centers.  Down the line, I hope to get involved with InfraGard as well.

It's been a busy two months....and I only see it getting busier.

Monday, November 4, 2013

First Day

Today was a great first day; I'm glad I made the move to the new company.  So far, I've learned that most of the security controls are outsourced, managed by many of the big providers.  I think one of our tasks will be to aggregate data from those outsourced providers.

And, it looks like I'll get to go to my first conference, as we will be going to RSA in February.  I'm psyched as I've never really gone to a security conference before.