Slashdot Mirror


Convincing Management of Network Security Issues?

An Anonymous Coward asks: "Here at work for internet connectivity, we share a Cisco 2600 router with the administrative folks in the other half of the building. Our development network is isolated from theirs, safely behind a Debian firewall--we just show up as one IP with _very_ few ports open. The Cisco connects directly into a Linksys DSL router, which is *supposed* to be providing NAT for both of our networks. Instead, it's acting needlessly as an extra hub, with the incoming feed plugged into its port 2 and the outgoing feed in port 3. The feed from port 3 plugs into a 24-port hub, which connects all of the admin workstations and our Debian box. Each workstation, in turn, has a static IP (we have one too). This is due to a variety of reasons--so we've been told--but what it boils down to is the incompetence of the 'Microsoft Certified (w/Internet) Network Engineer,' who's responsible for the routers, the administrative network, and their Windows 2000 corporate webserver." Now, the workplace is left with no firewall and a Network Engineer who is downplaying the problem to the higher-ups. What would be the best way to communicate that there really is a problem?

"I went up the chain and explained the problem to my boss. He was horrified. He took it to his boss (who also happens to be in charge of said Network Engineer). The result was less-than-spectacular. My boss's boss came out, with The Engineer in tow, who after fiddling with things for a while, proclaimed everything to be 'locked down,' and then they left. What we later discovered was that she'd only closed down a few of the webserver's non-essential ports and had done nothing about the Linksys firewall situation. But in the process, she'd managed to convince our collective higher-ups that the problem wasn't as big as we (read: the lowly, know-nothing, software developers) had made it all out to be, and now nobody wants to hear a word about it. In other words, they have NO firewall at all, and we've been unable to convince them that this is a Bad Thing(tm).

Since The Engineer and her boss have always tended to be reactive, rather than proactive, I logged onto Steve Gibson's Leak Test from an admin workstation and showed them the results. Unfortunately, this 'parlor trick' failed to generate much in the way of enthusiasm. So what I'm looking for are (mostly) non-destructive suggestions to alert them to the dangers of their network configuration. Short of posting their IPs in a #skript_kiddie_channel and daring them to trash everything, how should I bring it to their attention in a, shall we say, meaningful way?"


  1. Tough position. by gaudior · · Score: 5, Insightful
    I suggest you get everything in writing. Document the snot out of the system, paying particular attention to the obvious points of failure.

    Get as many of your peers to agree that there is a problem, and then sign a letter to the top boss, outlining the whole situation. Make it an open letter, if you must. It's clear there is gross incompetence going on, and if you care about the organization, you need to get this thing resolved.

    If a large number of you break the chain of command, and do it loudly, you might succeed.

    1. Re:Tough position. by Thing+1 · · Score: 3, Insightful
      If a large number of you break the chain of command, and do it loudly, you might succeed.

      Or you'll all become the next round of layoffs. Tread carefully; it's a buyer's job market.

      --
      I feel fantastic, and I'm still alive.
    2. Re:Tough position. by Jon+Peterson · · Score: 3, Insightful

      I suggest you get out more.

      You are a developer. You are not responsible for Network Security. It's not your job. How would you like it if this MCSE person had emailed your boss saying she was concerned about the unmaintainability of your code?

      By the sound of your own report, you've not even discussed this (or tried to discuss this) with the Network Admin woman, and instead have gone straight to your boss. That, I'm afraid, is both foolish and rude. No two ways about it.

      I've no idea if there even is a problem here. To be honest, it sounds like there's a developer who reckons they are the mutt's nuts and is pissed off about this MCSE girl because she's got more root passwords than he does, even though he is the l33t unix haxxor and she is some lam3a55 windoze type. If you see what I mean.

      So, basically, I'd just forget about it, because your position in this argument is already fatally damaged by not having deigned to talk to the network admin.

      But, let's assume that there is a real security problem here, and that this MCSE person really is not doing their job properly. Well, yes, you have a responsibility to make sure your concerns are known. In fact, it should be your job to make sure your concerns are known. AND THAT'S IT. IT IS NOT YOUR JOB TO FIX THEM.

      Go and talk to your boss. Give your boss a calm, reasonable assessment of the situation. Explain in simple but thorough terms what you think the issues are. Suggest some ways you think they could be addressed. Say how you'd be happy to help the network team fix the problems.

      And then leave it. It is your boss's responsibility to take the issue further if they see fit.

      --
      ----- .sig: file not found
    3. Re:Tough position. by billn · · Score: 3, Insightful

      "By the sound of your own report, you've not even discussed this (or tried to discuss this) with the Network Admin woman, and instead have gone straight to your boss. That, I'm afraid, is both foolish and rude. No two ways about it."

      Slow down there, Mr. Manners. He did exactly what was right, from his position as a developer. He informed to the next level of HIS chain of command. That's exactly right for someone in his position. It would have actually been worse if he'd crossed the lines and went straight to Engineering. She'd have much more cause for complaint, then.

      The problem lies in that the person in charge of 'network' engineering is a certified 'systems' engineer. I think it's safe to say that Microsoft doesn't place enough emphasis on network fundamentals when it comes to issuing MCSE certificates. Even exposing the network layers via the MS platform generally requires you to shell out some bucks for tools to do it.

      --
      - billn
  2. #script_kiddie_channel could break your legs by DieNadel · · Score: 5, Insightful

    I'd say that since you now have "a point to prove", the first thing you should do is pray for your network NOT to be cracked into. If this comes to happen, some very suspicious eyes would fall on you.
    Why don't you suggest a limited pen-test, documenting very well how you could get in, what damages you could inflict and, most important, how it should all be fixed (but don't, at any point, be picky with The Engineer, or else this all could be seen as an ego war.)

    --
    Utinam logica falsa tuam philosophiam totam suffodiant!
  3. Why to document by samjam · · Score: 2, Insightful

    Try to get written acknowledgement of your report; merely "to cover yourself".

    The boss's bosses may not be keen to give this and wonder why you are so insistent on covering yourself.

    They may then take another look for fear that they end up uncovered when the dirt starts to fly.

    Sam

  4. Ask for a third party security audit by Diamon · · Score: 4, Insightful

    Have your boss try to talk their boss into a security audit by a third party. Try and convince them that an independent third party should be able to satisfy your concerns, and is much cheaper than recovering from script kiddies. This also keeps your butt out of the frying pan it could be in if you go looking for holes and get accused of cracking.

    1. Re:Ask for a third party security audit by Anonymous Coward · · Score: 1, Insightful

      HAHAHAHAHAHA

      A company that is using a Linksys DSL router, and CHAINED HUBS...

      ...that sounds like a company that can afford a security audit?

  5. Document and move on to something else by Bravo_Two_Zero · · Score: 4, Insightful

    I'd agree with the first post. Document your objections and the exploits. Give it to your boss. If he wants to CC everybody, that's his business.

    It sounds like a political issue (know-nothings vs. know-it-alls ... thank goodness I always consider myself a know-nothing... keeps an open mind). But, even a political issue does have a cost/benefits analysis. If you can put a price on fixing the issue (time, people, money), you make an even stronger case.

    Also, if you do get nailed, you can point to the cost/benefits analysis to say "see, $5,000 then would have saved $25,000 in damages". On the other hand, in some cases, you'll end up on the other side of that equation. If the cost to fix outweighs the potential damage, you put it to unbiased numbers.

    You won't be seen as "chicken little" crying about the falling sky; you'll be a professional who bases the comments on a fiscal analysis of the risk. If your professional guess is unsupported by the findings, that's ok (and, let's be honest, you're almost certainly on the right side of the equation here).

    But, pointing to technical weaknesses won't help your case. It will make you a pain in the side of all parties concerned. They will cut off their heads to spite you (and, may already have done so, according to your details). Put it to dollars, document it and go to your next challenge.

    --
    Amateurs discuss tactics. Professionals discuss logistics.

  6. dangerous quandary... by digitalmuse · · Score: 3, Insightful

    here's something to swing by your boss, see if he has got someone else in management who's willing to hold onto a copy of your analysis in a CYA capacity for archival purposes. Explain that it was brought up before and was not seen as 'vital', but you would like to provide some basic CYA for your group.
    Handle it as a purely CYA exercise, and downplay the doom & gloom angle.
    Have your boss E-mail your politely worded analysis to the MCSiE goober, Goober's boss, and your boss's buddy. Make sure you thank him afterwards. Goober knows that you've put your analysis into the corporate meme-sphere, and Corner Office dude is likely to be impressed by your forward thinking and tact.
    In the best case, Goober gets the hint and lashes together at least a basic firewall. (and if it gets 0wn3d later, he's still going to have some serious shoveling to do if it doesn't address the bullet-points in your CYA of Networking Doom)
    Worst Case, the general network becomes kiddie-pr0n central, everyone who owns stock gets heated, and you have a documented paper-trail that keeps you out of harm's way.
    Since you've already brought up the subject with the Goober's Boss and gotten a less than stellar reaction, further pursuit along that avenue may be interpreted as a petulant code-geek on a witch-hunt. But maybe showing people that it worries you enough to handle it in a CYA manner will engender a self-preservation interest in folks.
    However, if your boss doesn't want to push this one, DO NOT pursue it on your own. That kind of thing is often construed as the work of someone who doesn't know when to hear the word 'NO' and is liable to get you branded as a troublemaker.
    Good luck.

    --
    "If I wanted your input on my pet project, I'd stick my hand up your ass and use you like a sock-puppet." - Muse
  7. You left a lot out. by Neck_of_the_Woods · · Score: 3, Insightful

    Do you know if she is putting up filters on the firewall? Do you know if she is NATing? Looking at the information in the article, all you know is that you have internet connectivity and you don't like the way that it is being handled. Seeing how you already took the time to tell her boss and not direct it at her, you have gone on the offense; you are now a threat to her. Now she is going to prove you wrong and shut you down. Which it seems she has. Next time think about how you would feel if someone went to their boss, without talking to you and being a MCSE of all things, and said your code sucked. Not knowing a whole hell of a lot in your eyes about code or your job. Then took his boss to your boss and slammed you about your code. What would you do? I know it is hard to see it this way, but you put her in a bad spot; right or wrong, you went about it the wrong way.

    Make a friend, not an enemy, and next time just ask for help and ask them to explain it to you so you can learn. Ask the right questions to point them where you want them to look. Believe me, they want to cover their ass just like you would, and will fix the problem if they don't have to lose face. Let them think they came up with the idea to change it, or could it be that you are gunning for her job and your play at "I know more than you" backfired a bit? Anyway, learn the politics; they are going to be everywhere.

    --
    Neck_of_the_Woods
    #/usr/local/surf/glassy/overhead
  8. Cover your butt, then drop it by Some+Wanker · · Score: 3, Insightful

    You are at risk of hurting your career if you push this too hard if there is no audience. If the top management does not want to hear they have a problem, then they will not, and they will get mad at you for pushing it. Send out a butt-covering memo. (Another post covered that well.) Then make sure all of your stuff and your team's stuff is backed up and protected as well as possible, and then drop it.

    The only thing worse than seeing it coming and having it happen, is seeing it coming, having it happen, and then people being mad at you for it. People tend to vent on people in a position to say "I told you so".