Cindy Patterson, CETPA CTO Mentor Candidate

 

Please note: the entire scan is 1637 pages.  The first 30 pages have been presented due to size constraints

 

Learning Outcomes:

 

SeF-06.  Demonstrate a working knowledge of one or more tools used in network security.

SeF-08.  Demonstrate the ability to apply what they have learned from network security tools to improve network security.

 

Context

 

The Santa Clara County Office of Education Technology Services Branch separates duties as do many other IT operations and businesses.  There is a group that is primarily responsible for the customer facing activities and a second group that is responsible for infrastructure responsibilities.  The group that is more customer-facing is Technology Programs and Instructional Support and is comprised of 3 groups; Educational Technology, Web Development and Technology Resource Advisors.  I manage the Technology Resource Advisors group which support Enterprise Level off-the-shelf software with the majority of our focus on the Enterprise Resource Planning  system.  I have worked in network operations at other entities in the past however it has not been my area of focus nor responsibility for the last 10 years.

 

SCCOE provides various networking services to districts in Santa Clara and San Benito counties. The operations of Santa Clara County Office of Education span a large geographical region for various different business units that range from a science camp in the mountains to Special Education in urban areas.  This entire infrastructure is maintained by a few dedicated individuals who are very seasoned and astute.

 

Artifact

 

The artifact presented is a Nessus vulnerability scan of the SCCOE network; 1,637 pages.  The report provides summaries in several different ways and detailed information about each item. There were a variety of findings and the report categorized them from critical to informational.  A significant portion of the findings were due to missing updates. There were also some outdated versions of operating systems.  I reviewed this report with our Network Manager who also uses this tool to assess our vulnerabilities.  Given enough resources he would prefer to assign certain ranges of the network to individuals and have them be responsible for maintaining that range.  However there is never enough time to complete expansion and enhancement projects, and complete required patch updates and security maintenance work.  Currently he balances and prioritizes.