Convincing Management of Network Security Issues?
"I went up the chain and explained the problem to my boss. He was horrified. He took it to his boss (who also happens to be in charge of said Network Engineer). The result was less-than-spectacular. My boss's boss came out, with The Engineer in tow, who after fiddling with things for a while, proclaimed everything to be 'locked down,' and then they left. What we later discovered was that she'd only closed down a few of the webserver's non-essential ports and had done nothing about the Linksys firewall situation. But in the process, she'd managed to convince our collective higher-ups that the problem wasn't as big as we (read: the lowly, know-nothing, software developers) had made it all out to be and now nobody wants to hear a word about it. In other words, they have NO firewall at all, and we've been unable to convince them that this is a Bad Thing(tm).
Since The Engineer and her boss have always tended to be reactive, rather than proactive, I logged onto Steve Gibson's Leak Test from an admin workstation and showed them the results. Unfortunately, this 'parlor trick' failed to generate much in the way of enthusiasm. So what I'm looking for are (mostly) non-destructive suggestions to alert them to the dangers of their network configuration. Short of posting their IPs in a #skript_kiddie_channel and daring them to trash everything, how should I bring it to their attention in a, shall we say, meaningful way?"
Get as many of your peers to agree that there is a problem, and then sign a letter to the top boss, outlining the whole situation. Make it an open letter, if you must. It's clear there is gross incompetence going on, and if you care about the organization, you need to get this thing resolved.
If a large number of you break the chain of command, and do it loudly, you might succeed.
I'd say that since you now have "a point to prove", the first thing you should do is pray for your network NOT to be cracked into. If this happens, some very suspicious eyes would fall on you.
Why don't you suggest a limited pen-test, documenting very well how you could get in, what damages you could inflict and, most important, how it should all be fixed (but don't, at any point, be picky with The Engineer, or else this all could be seen as an ego war).
May false logic undermine your whole philosophy!
Do these others using the network belong to the company? They sound like they can be trusted. Have you tried talking to the MCSE guy himself? It might be easier to convince him than the higher-ups. As long as the system is working fine I don't think the higher-ups would be worried, so going after the admin guy is the bet. I'm an admin and I've taken advice from other workers on more than one occasion.
"Give orange me give eat orange me eat orange give me eat orange give me you." -Nim Chimpsky
You've told them about what you think is a problem, they think otherwise, they are responsible -> Don't do anything. Stepping on their toes will get you in trouble, plus there isn't anything legal you could do to provide further proof that there is a problem anyway. You would have to be in a position where you could avoid working "below" the folks, who you are going to make look bad, in the future, either by moving up the ladder, getting them fired or by leaving the company. If you are not in that position: It's not your job to secure the network - don't do it.
What would be the best way to communicate that there really is a problem?
..
1) Post that IP address here
2)
3) Vulnerability demonstrated
--
Andy
Ready yourself with useful examples of the many different exploits and the insecurities. And keep nagging the higher-ups with doomsday scenarios and how it will cost the highest figure possible if the system were to ever be compromised.
Try to get written acknowledgement of your report, merely "to cover yourself".
The bosses' bosses may not be keen to give this and may wonder why you are so insistent on covering yourself.
They may then take another look for fear that they end up uncovered when the dirt starts to fly.
Sam
blog.sam.liddicott.com
All else failing, go to the linky, move the fscking cable to the right port, and leave...
SIG: HUP
Have your boss try to talk their boss into a security audit by a third party. Try and convince them that an independent third party should be able to satisfy your concerns, and is much cheaper than recovering from script kiddies. This also keeps your butt out of the frying pan it could be in if you go looking for holes and get accused of cracking.
I'd agree with the first post. Document your objections and the exploits. Give it to your boss. If he wants to CC everybody, that's his business.
It sounds like a political issue (know-nothings vs. know-it-alls... thank goodness I always consider myself a know-nothing... keeps an open mind). But, even a political issue does have a cost/benefits analysis. If you can put a price on fixing the issue (time, people, money), you make an even stronger case.
Also, if you do get nailed, you can point to the cost/benefits analysis to say "see, $5,000 then would have saved $25,000 in damages". On the other hand, in some cases, you'll end up on the other side of that equation. If the cost to fix outweighs the potential damage, you put it to unbiased numbers.
You won't be seen as "chicken little" crying about the falling sky; you'll be a professional who bases the comments on a fiscal analysis of the risk. If your professional guess is unsupported by the findings, that's ok (and, let's be honest, you're almost certainly on the right side of the equation here).
But, pointing to technical weaknesses won't help your case. It will make you a pain in the side of all parties concerned. They will cut off their heads to spite you (and, may already have done so, according to your details). Put it to dollars, document it and go to your next challenge.
Amateurs discuss tactics. Professionals discuss logistics.
Here's something to swing by your boss: see if he has got someone else in management who's willing to hold onto a copy of your analysis in a CYA capacity for archival purposes. Explain that it was brought up before and was not seen as 'vital', but you would like to provide some basic CYA for your group.
Handle it as a purely CYA exercise, and downplay the doom & gloom angle.
Have your boss e-mail your politely worded analysis to the MCSE goober, Goober's boss, and your boss's buddy. Make sure you thank him afterwards. Goober knows that you've put your analysis into the corporate meme-sphere, and Corner Office dude is likely to be impressed by your forward thinking and tact.
In the best case, Goober gets the hint and lashes together at least a basic firewall. (and if it gets 0wn3d later, he's still going to have some serious shoveling to do if it doesn't address the bullet-points in your CYA of Networking Doom)
Worst case, the general network becomes kiddie-pr0n central, everyone who owns stock gets heated, and you have a documented paper trail that keeps you out of harm's way.
Since you've already brought up the subject with Goober's boss and gotten a less than stellar reaction, further pursuit along that avenue may be interpreted as a petulant code-geek on a witch-hunt. But maybe showing people that it worries you enough to handle it in a CYA manner will engender a self-preservation interest in folks.
However, if your boss doesn't want to push this one, DO NOT pursue it on your own. That kind of thing is often construed as the work of someone who doesn't know when to hear the word 'NO' and is liable to get you branded as a troublemaker.
Good luck.
"If I wanted your input on my pet project, I'd stick my hand up your ass and use you like a sock-puppet." - Muse
Do you know if she is putting up filters on the firewall? Do you know if she is NATing? Looking at the information in the article, all you know is that you have internet connectivity and you don't like the way that it is being handled. Seeing how you already took the time to tell her boss and not direct it at her, you have gone on the offense; you are now a threat to her. Now she is going to prove you wrong and shut you down. Which it seems she has. Next time think about how you would feel if someone went to their boss, without talking to you, and being an MCSE of all things, said your code sucked, not knowing a whole hell of a lot in your eyes about code or your job. Then took his boss to your boss and slammed you about your code. What would you do? I know it is hard to see it this way, but you put her in a bad spot; right or wrong, you went about it the wrong way.
Make a friend not an enemy, and next time just ask for help and ask them to explain it to you so you can learn. Ask the right questions to point them where you want them to look. Believe me, they want to cover their ass just like you would, and will fix the problem if they don't have to lose face. Let them think they came up with the idea to change it. Or could it be that you are gunning for her job and your play at "I know more than you" backfired a bit? Anyway, learn the politics; they are going to be everywhere.
Neck_of_the_Woods
#/usr/local/surf/glassy/overhead
Please don't use acronyms like CYA (Cover Your Ass for those, like me, who had to look it up) without explaining them. Slashdot is a global community and there will be a good number of people who have no idea what it means.
2001 IT Security Survey (PDF)
It's not easy, but the best you can do is document the vulnerabilities, present your case, and KEEP presenting it. See if there are any corporate policies or legal requirements that support your position.
A better way might have been to have a chat with the MCSE and ask them how things are set up. Take an interest in security saying you are looking for ways to make your home network secure and want to know how it is done at work. Treat someone as an expert in their field and (even if they are not) they will take it as a compliment. Treat them as an idiot and they will take offence. You don't mention if the Cisco has been set up with any access control lists. Is that how she is locking down the network? Now the MCSE is going to be on the defensive since you went to her bosses boss.
If you still feel the need to prove a point then take it as read that this is how the company wants the system to work and make imaginative use of it. Ask the admin staff to leave a printer turned on over the weekend because you want to do some work from home and may need to print some stuff out. Plug a box in after your debian firewall to do file serving and ask your boss that, since you have access to files on this machine from home, would he mind you working from home one morning while you wait for a plumber.
Most of all be subtle. The shotgun approach obviously didn't work.
Bob.
How about you just stfu and do your job? Seriously, you just sound like an ass who wants someone else's job. This can only turn out bad for you. Stop now.
You know I feel exactly the same way.
I think just about anyone I know who has a MCSE is incompetent with computers.
I'm a big retard who forgot to log out of Slashdot on Mike's computer! LOOK AT ME.
Next thing you know, black (woops, african-american) people smell bad because they're black (again, woops! african-american), and latins are dishonest because they're latin. It's appalling to see that the technocratic spheres of our society still haven't heard of ye ol' "don't judge a book by its cover" adage...
This is indicative of a classic problem between Devs and Sys Admins -- SysAdmins thinking that they know something that the Devs don't (all the while owning responsibility for the systems in question), and the Devs, who think that they don't necessarily need an overpaid SysAdmin to do fulltime stuff that they can do in a heartbeat (and maintain rights to their development and production systems and networks).
(Disclaimer: I do not necessarily believe either of the two above statements; it is just a simplification of my understanding of this canonical problem.)
I think that the first thing that you should do is to make nice with your admin. I know that you might not like her, and it's clear that you see her as a know-nothing Microsoft Certified with no real-world expertise...and this may be the case. But it's important that you put these feelings aside and first try a little harder to work with her on this.
It's also important to take a CYA approach and document everything that you suggest to her...especially the stuff that she is not receptive to. This is much easier to do in a mid to larger sized company than a really small one (really small
Show where the vulnerabilities are in writing, using well-known and respected tools and methodologies. Recommend a course of action (again, in writing). You can keep this informal by doing the "in-writing" stuff over email -- this way it's not overtly official, but you have a paper trail just the same. Also, ask your SA to document her changes.
Now if she is not receptive to your suggestions, then it will be time to report this stuff to higher-ups. Be careful about trying too hard to point this stuff out, because you'll start looking like you're spending too much time doing someone else's job.
After all this is said and done and your butt is covered, the last thing that I'd suggest you do is to recommend an external security audit. If you are being discredited due to your recommendations, you should have a third party come in and do a full write-up on your network's security. This is something that every manager will see, and if the auditors are from the right place, your MCSE will be hard-pressed to discredit them -- and will be forced to make the changes.
Hope this helps.
-Turkey
First, talk to the lady. She may very well feel threatened by you. That may sound ridiculous, but it can easily be true. Once that happens, defense mechanisms go up, and regardless of how correct you are, she'll fight.
You may want to talk to her. Lose your pride, and ask her if she is willing to set aside an hour, within the next week, to discuss your concerns. With that flexibility she'll probably accept the offer and set aside an hour after work, or the next day. She may be tense, because she may think this is merely a ploy of yours to "one-up" her. So, during the meeting, you must be very careful to let her know that she makes the decisions, and that you are only offering information and concerns for her evaluation. Be apologetic; this gives her an easy way out of your erstwhile confrontation.
Finally, should all else fail, ask your boss to allow the developers to have their own subnet. Then, simply, put up a firewall for your subnet. This way, you'll be safe, and (if you don't shove it in their face) the rest of the company may want to be as "safe" as you.
Have you read my journal today?
You are at risk of hurting your career if you push this too hard when there is no audience. If the top management does not want to hear they have a problem, then they will not, and they will get mad at you for pushing it. Send out a butt-covering memo (another post covered that well), and then make sure all of your stuff and your team's stuff is backed up and protected as well as possible, and then drop it.
The only thing worse than seeing it coming and having it happen, is seeing it coming, having it happen, and then people being mad at you for it. People tend to vent on people in a position to say "I told you so".
What we later discovered was that she'd only closed down a few of the webserver's non-essential ports and had done nothing about the Linksys firewall situation
She? You have a whole different problem. You should be nailing this grrl geek!
It's probably worse - you're now a troublemaker. Everything you do to correct the situation will be tainted.
Document everything - hardcopy, not email. All conversations, all meetings, the tripwire demo; write it up, date/time stamp it and print it. Make two copies, seal them and write the date/time across the seal. If (when) it all boomerangs back to you, you'll get to spend a fun day in the head guy's office, with your boss, and your paper trail.
Make sure YOUR stuff is backed up, of course.
Display some adaptability.
Well "she" is probably sucking off higher ups.
So unless your great at giving blowjobs, you're SOL.
Better open up real wide. =O
I'm in a similar situation currently, although I've come to realize that going to the higher-ups isn't the way to go. They don't give a sh*t about technical details; as long as we haven't had any problems _yet_ they won't be interested in my suggestions. My plan is just to wait until something bad happens (and it will, as it will with your mental-midget MCSE.) You have control of your department's firewall, so when Bad Things do happen you won't be affected.
-- Never hit a man with glasses. Hit him with a baseball bat.
Here's a convincing argument: If you don't close it, you might very well get sued when some 1337 h4xx0r kiddie uses your network as a jumpoff point.
;)
I should know - this happened to my site literally an hour ago, the database got quite comprehensively trashed. Your domain name wouldn't happen to end in infogroup.com by any chance, would it?
It's your duty to the internet community to fix this and fast.
so if the book's cover is
"Warning: This is a book for idiots."
What are you supposed to think of the book?
I'm a big retard who forgot to log out of Slashdot on Mike's computer! LOOK AT ME.
You tried to convince them. They were retards. Any more, and you risk negative side effects from the management ("Look! He's a troublemaker, he probably hacks into it himself!"). Make sure your own workstations are secure (they seem to be reasonably so), and just laugh if anything happens to the administrative boxen. Really, it's not your problem *or* fault.
Does make me sad that another bootcamp MCSE is filling a job that I could do more competently. It sucks being unemployed. Oh well, my life will get back on track when millions of these managers realize that millions of these bootcamp MCSEs are worthless, and I get a million job offers. Haha.
If you really want to pursue this, try using Ethereal and watch the net... a thirty- to sixty-second snip will probably give a nice slice of viral life (if there is any).
Look for things like:
- Port 1443 scans (the recent MS worm),
- lots of Nimda-type HTTP requests (GET /scripts, GET /c/winnt, GET /_mem_bin),
- other weird activity.
Check at a couple of odd times (especially late at night, early morning). If this MCNE is as bad as your story makes her out to be, chances are that you've been trojaned up the butt. Doing the Cover Your Ass dance sounds like a good idea too, since that one would be seen as doing your job -- as opposed to the MCNE's job.
Just for the fun of it, see if you can mount the unprotected work file systems from home. Your ISP may have blocked that port at their boundary -- but who knows.
______________
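The post above suggests watching the wire for Nimda-type requests. The same check is easier to keep as a record (and to hand to management as evidence) if it is run over the web server's own access log. The following is an added example written for this thread, not code from any poster or from Ethereal: it parses constructed Common Log Format lines (the sample lines and addresses are made up), flags requests whose path starts with the three prefixes the post lists (/scripts, /c/winnt, /_mem_bin) or that contain a directory-traversal sequence after URL decoding, and counts hits per source address. The double decoding is there because Nimda probes used double-encoded separators such as %255c, which a single decode leaves hidden.

```python
"""Flag Nimda-style web requests in access-log lines (added example).

Scans Common Log Format lines for the request-path prefixes named in the
post above and for '../' traversal that survives URL decoding.  The log
lines below are constructed samples, not captured traffic.
"""
import re
from collections import Counter
from urllib.parse import unquote

# Constructed sample access-log lines (Common Log Format).
SAMPLE_LOG = """\
10.0.0.5 - - [19/Sep/2001:03:14:07 -0400] "GET /index.html HTTP/1.0" 200 1043
10.0.0.9 - - [19/Sep/2001:03:14:09 -0400] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 280
10.0.0.9 - - [19/Sep/2001:03:14:10 -0400] "GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 280
10.0.0.9 - - [19/Sep/2001:03:14:11 -0400] "GET /_mem_bin/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 280
10.0.0.7 - - [19/Sep/2001:03:15:02 -0400] "GET /images/logo.gif HTTP/1.1" 200 5120
10.0.0.9 - - [19/Sep/2001:03:15:30 -0400] "GET /scripts/..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 280
"""

# Common Log Format: host ident authuser [timestamp] "method path proto" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) (?P<proto>[^"]*)" (?P<status>\d{3}) (?P<size>\S+)'
)

# Request-path prefixes listed in the post above as Nimda-type probes.
SUSPECT_PREFIXES = ("/scripts", "/c/winnt", "/_mem_bin")


def parse_log_line(line):
    """Return the fields of one CLF line as a dict, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def normalize_path(path):
    """Decode twice (so %255c becomes a backslash), fold case, unify separators."""
    decoded = unquote(unquote(path))
    return decoded.replace("\\", "/").lower()


def classify(path):
    """Return the list of reasons a request path looks like a worm probe (empty if clean)."""
    norm = normalize_path(path)
    reasons = []
    for prefix in SUSPECT_PREFIXES:
        if norm.startswith(prefix):
            reasons.append(f"prefix {prefix}")
            break
    if "../" in norm:
        reasons.append("directory traversal")
    return reasons


def scan_log(text):
    """Return (ip, timestamp, raw path, reasons) for every suspicious request in the log text."""
    hits = []
    for line in text.splitlines():
        rec = parse_log_line(line)
        if rec is None:
            continue  # blank or malformed line; skip rather than crash
        reasons = classify(rec["path"])
        if reasons:
            hits.append((rec["ip"], rec["ts"], rec["path"], reasons))
    return hits


def hits_by_source(text):
    """Count suspicious requests per source address, useful for spotting a scanning host."""
    return dict(Counter(ip for ip, _, _, _ in scan_log(text)))


if __name__ == "__main__":
    for ip, ts, path, reasons in scan_log(SAMPLE_LOG):
        print(f"{ts} {ip} {path} -> {', '.join(reasons)}")
    print(hits_by_source(SAMPLE_LOG))
```

Run against a real access log by replacing SAMPLE_LOG with the file contents; the per-source counts are the kind of written, dated evidence the other posters recommend keeping, and they read as a web server's own records rather than as anything done to the network.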
The best approach (if you can pull it off, having already gone over her head), might be to go quietly offer to help the MCNA. If you can make her receptive to some support, she may be willing to work on problems that she probably doesn't have the solutions to at the moment. I doubt that she's negligent... More likely, the MCNA doesn't actually teach you how to secure networks in a real environment .. :-{
Sometimes boldness is in fashion. Sometimes only the brave will be bold.
A while ago I read an interesting 'business guide book' for westerners going to Japan, covering lunch and meeting etiquette etc.
The book couldn't stress enough about never making your client say 'No, I'm wrong' etc. Even though it may give you a few moments of pleasure watching the MCSE squirm in embarrassment and ignorance, it will be MUCH better if you can both come out winning.
Maybe you could suggest an alternative option, that would be good for her. That way neither of you have to admit to being wrong, and you both come out looking positive, helpful and co-operative, which will impress your bosses too.
By sea, by land
I'll be the first to admit that I'm not a network security expert, but I gave LeakTest a go, and as far as I can tell, all it does is make an outbound connection to grc.com on port 80. What exactly would that prove?
;)
Hmm, maybe it uses SOAP...
At this point it's too late. They have already flagged you as a troublemaker. All you can do now is to get it in writing that there may be a problem.
The issue is that since it is not in your job description to be looking at this, in the best case situation you may have already put yourself on a "short list"... If ANYTHING goes wrong, you are going to be the first person they suspect; and the MCSE may even try to use you as the scapegoat... "we didn't have any problems till he mentioned them"....
[I know of at least one situation where a person informed an ISP of a security issue on their network that they failed to fix. When it was exploited, to cover their asses, they blamed the person that told them of the issue by saying that it could only have been exploited by someone with "specific" knowledge.]
--
Time is on my side
No NAT? So am I to understand that you are going live to the net with real IPs, or is your Debian firewall taking care of NAT for you? Either way, the situation you described is a network sniffer's wet dream. At this point I would assume that at least one if not more of the boxes on this net are compromised and actively capturing traffic. I suggest you learn a bit of Nessus trickery and thoroughly assess all of your systems. Steve Gibson is a joke; sorry to disappoint you, but his service is flawed to the core. Try host-based firewalls for *all* of your systems, maybe include a bit of Snort in there as well. But seriously, try Nessus from home one night on your network; the admin apparently will not notice and you will be horrified at the results more than likely.
First, make sure you are squeaky clean. Double check your ACLs on the Debian box. At least your part of the LAN is safe then.
Secondly, document everything you can see wrong with the current infrastructure. Go into as much detail as you can - lack of ingress/egress, vulnerability of Win2K server, etc, etc. Compile a meaty report, and put your name on it.
Then, send a copy to everyone in the company remotely involved. If anyone at all listens, perhaps something will happen about it, if not, you get the last laugh when something bad does befall your company, especially as you will be straight in line for a security-related promotion.
Remember that it's harder for someone to ignore something in writing than it is if you start a conversation in passing on the way to the coffee machine.
If you can gain written authority, consider running your own penetration test from an external location, or hire an inexpensive company to give you a quick once-over.