Author Topic: Security related projects  (Read 8091 times)
yatz
« on: July 13, 2010, 03:49:46 PM »

I need to come up with some projects for the 2010-2011 year.  The projects should be something with a scope of a few months.  I will research/deploy/test/etc. some kind of technology or process that benefits the company.

Anyone got any ideas???  Maybe something fun you have done in the past?

 Grin Huh

"Live as though you would die tomorrow, learn as though you would live forever."

CCNA, MCSA, MCTS, Sec+, Net+, Linux+, CEH
ziggy_567
« Reply #1 on: July 13, 2010, 04:40:29 PM »

What type of projects? i.e. what is your role?

--
Ziggy


eCPPT - GSEC - GCIH - GCUX - RHCE - SCSecA - Security+ - Network+
partek
« Reply #2 on: July 13, 2010, 11:00:22 PM »

> I need to come up with some projects for the 2010-2011 year.  The projects should be something with a scope of a few months.  I will research/deploy/test/etc. some kind of technology or process that benefits the company.
>
> Anyone got any ideas???  Maybe something fun you have done in the past?

Unfortunately, as fun as it may be, you can't implement security for the sake of security. There needs to be a valid business need for any sort of security project. You should look for a problem to solve, and find ways to solve it. Look around and ask around, chances are if you're like a normal company there are an embarrassingly large number of problems that need to be solved. Once you have the problems identified, then you can come up with the projects in order to solve them.

CISSP, CISM, CISA, CCNA Security, OSCP, CEH
ajohnson
aka dynamik
« Reply #3 on: July 14, 2010, 08:49:26 AM »

It sounds like he's just looking for projects for personal study. It'll be difficult to recommend things without knowing your interests.

If you're bored, why don't you start a blog and see what direction that takes you in?

WIP: GCFA | www.infosiege.net | @infosiege

The day you stop learning is the day you start becoming obsolete.
yatz
« Reply #4 on: July 14, 2010, 08:59:42 AM »

Thanks for the replies, and yes I know it needs to be decided by business need.  Thankfully I'm allowed some latitude in my choice of projects as long as I can show a business impact.

In this case, let me rephrase the question:

What do you do on a daily/weekly/monthly basis that you enjoy?

(Maybe I can use some of the ideas to see how they fit my environment, something that I hadn't yet known needed to be done.)

"Live as though you would die tomorrow, learn as though you would live forever."

CCNA, MCSA, MCTS, Sec+, Net+, Linux+, CEH
yatz
« Reply #5 on: July 14, 2010, 09:09:11 AM »

> What type of projects? i.e. what is your role?

My role is officially Network Technician, but I play more of a System Administrator role.

> It'll be difficult to recommend things without knowing your interests.

My interests are all over the board.  I enjoy programming/scripting, hardware, vulnerability research and exploitation, and so on.  Maybe I sound like every other security enthusiast out there.

> It sounds like he's just looking for projects for personal study.

The best projects are those you would do on your free time and get paid for.


I really get a great feeling when I'm learning a new tool and can see the practical uses of it.  Just yesterday I was watching a webcast that demo'd a tool called SAPD that extracts passwords for accounts running services.  Well, I ran into a problem not too long ago where I didn't have the password for a service documented and then needed it.  If I'd have had this tool back then I wouldn't have had to reset the password and pray nothing else would be affected.

From what I hear, the CEH courseware deals heavily with tool familiarity, so I'm looking forward to studying for that.

Anyway, if the question is still too vague, I understand.  I will need to think of something and I wanted to do something fun that I have not done before.
« Last Edit: July 14, 2010, 09:10:44 AM by yatz »

"Live as though you would die tomorrow, learn as though you would live forever."

CCNA, MCSA, MCTS, Sec+, Net+, Linux+, CEH
ziggy_567
« Reply #6 on: July 14, 2010, 09:28:33 AM »

From a Systems Administration standpoint two projects that I've worked on recently that were a lot of fun (and fairly inexpensive) were setting up OSSEC on our PCI segment and Splunk/Syslog-ng SIEM implementation.

If you're not doing log aggregation and monitoring, this can be a huge "quick win." Not only is log monitoring incredibly important for security, it will make misconfigurations glaringly obvious most of the time! Not only will the Security folks be happy, but Operations will get on-board with the project if you can show them how useful a tool it is...

Good luck!

--
Ziggy


eCPPT - GSEC - GCIH - GCUX - RHCE - SCSecA - Security+ - Network+
don
Editor-In-Chief
« Reply #7 on: July 14, 2010, 10:57:35 AM »

If you're a system admin & it's a MS shop, might be a great time to learn PowerShell.

Don

CISSP, MCSE, CSTA, Security+ SME
chrisj
« Reply #8 on: July 14, 2010, 11:41:14 AM »

I have to agree with Ziggy_567

Centralized syslog server or a dedicated syslog server per site based on inter-office interconnectivity (I have small pipes I don't want to flood with UDP syslog traffic). I prefer syslog, rsyslog and syslog-ng.

Network monitoring tools, like Nagios (if you're not monitoring already).

I'm building new network monitoring boxes:
OS - Debian
Nagios
Bandwidthd
rsyslogd
ntop
wireshark (for packet monitoring)


Things I've done in the past.
Something else, depending on your firewall / network design a Proxy server would be nice. My ASA can use WCCC (I think that's the protocol) to check with Squid to allow traffic or not.

There is some fun scripting you can do with log files. I have one log file that's just for my firewall logs. I have a couple of nice scripts that check for policy violations.

You could also write a few scripts looking for multimedia (music and movies) on network drives, or people's desktops if you have the right permissions.

OSWP, Sec+
chrisj
« Reply #9 on: July 14, 2010, 02:01:06 PM »

Thought of something else. If those tools are in place already, audit them to make sure they're doing what everyone thinks they should be doing.

OSWP, Sec+
sil
« Reply #10 on: July 14, 2010, 09:04:37 PM »

I had to undergo a SIGv5 audit for AT&T recently so I took up a project on my own accord to keep us compliant well after the fact. The tasks consisted of a semi-automated pentesting platform to do two things... Perform a quarterly pentest from the outside scope, perform one from the inside scope, correlate all the data, then slap that data into OSSIM. The images were created from scratch using VMware and a slew of tools. CANVAS, Metasploit, RRDTool (for graphing on my own), Acunetix and W3AF with a push/pull custom configuration I update daily. Horribly butchered in a shell script using expect. For applications we develop, Klocwork and beStorm ... Wish I had Codenomicon, but they won't let me purchase it.

The initial configuration and parameters for testing get tweaked, uploaded to a server and both the "outside scope" and "inside scope" server downloads the parameters and fires away the tests. Now be advised, all my parameters are usually set to cover/stealth/decoys so it is as real an attack as I can perform. My network admins were not told the entire gist of this (management is aware) so we get to test incident response (who's gonna contact the security team of the issues). Initially I thought about vanilla Nessus for auditing, but Metasploit using a modified (targeted) autopwn works wonders. CANVAS usually mops up the place for anything unique...

The goal... Give my company a realistic view of the low to mid level hanging fruit and lock it down. Provide reporting on a quarterly basis for the powers that be, backup and log all information across syslog for future parsing. Backup and copy over tcpdump output for Netwitness analysis. Since we're trying to be on point, my goal was super simple... "I will hack my own company on a quarterly basis... I know what we use, I know the strengths and weaknesses... I could create a super focused attack..." As it stands... I could "social engineer" individuals in my company from time to time, but that's severely flawed... Most people are paranoid about the things I do with my testing let alone what someone else sends. OSSIM? Gathers up the aftermath of the testing, stores event data in which I can go back and clean up the false positives and false negatives.

Lastly, every week or two I try to create a new "By the way..." notice on security to send to colleagues in order to make them aware of attacks. Why people attack and what are they after. Many of my colleagues now get it, but that's because I've found so many analogies outside of technology to correlate attack situations to. It's also helped that media now reports anything and its mother so to my colleagues (especially in this economy) the last thing anyone wants to think about is "getting owned".

Anyhow, my project was a large undertaking, but think about it for a minute. If you work in a company that needs to meet certain compliance levels, it's a mechanism to implement a "red team" on demand. One would seriously have to keep in tune with what's going on in order to update the scripts, tools used, etc., and vigilance is ALWAYS key. My other project I still tinker with is a VoIP based IPS made from scratch. I can randomly assign it to push people into a honeypot, etc...

yatz
« Reply #11 on: July 16, 2010, 09:51:04 AM »

I appreciate the input everyone!

Log file management, automated pentesting and reporting, network monitoring box, really good!!!  I have looked into PowerShell and used it for a few things, though to make it a project for next year I'd have to find out some purpose to it.

Any more ideas are appreciated, but these definitely are a good start.  Typically I'll have to come up with 4-5 things for a given year, which consist of a combination of my ideas and those of my supervisor.  The more I come up with the better.

"Live as though you would die tomorrow, learn as though you would live forever."

CCNA, MCSA, MCTS, Sec+, Net+, Linux+, CEH