Network Penetration Scans and Executive Reaction?
LazloToth asks: "I'm sure some of you have had this happen: your company pays the big bucks for a 3rd-party security audit and, when it comes back, you get called on the carpet for all the supposed 'holes' in your network. When you see the report, you recognize that it comes from a well-known open-source security scanner, and that the 'holes' in question are so obscure as to be meaningless. I told our risk management VP that to fix every item cited - - many of which were false positives or completely out of context - - would be next to impossible for our small IT staff, and that some of the fixes, if implemented, might have deleterious effects on an otherwise smoothly running operation. How do you handle these 3rd-party security people who make mountains out of every molehill?"
Quit your job and start a 3rd party security consulting company.
It's their job to be detailed. You have to infer those reports and draw conclusions. They were hired to point out the holes; you have to decide whether it's worth covering them.
If the boss wants you to "fix" them all, give him a report of your own. "This is setup this way because of X, and the risk is mitigated by Y." If it's not a risk, explain why it is not. If you can't explain why it's a risk or how you're mitigating the risk, then you should be called out on the carpet. NEVER rely on security by obscurity. There is no such thing as a hole "so obscure as to be meaningless." If you mean that the report is vague in defining what the hole is, then you or your boss should get more information from the person you paid to do it.
In the end, if you can't specify why it SHOULD be that way, then you should make it secure. If you can say it HAS to be that way for a specific reason, then you should say how you are mitigating the risk. If you're not mitigating the risk, well, you better come up with a really good reason your boss is going to like.
- AMW
... they have to make huge deals out of everything or risk being found out as mostly useless ;)
The Peanut Gallery, Ubergeek, Biblically Sober
present your own report, detailing those same holes and why it's not worth it to fix them. Preferably first.
"It is possible to commit no errors and still lose. That is not a weakness. That is life." -Peak Performance
What is it with all the penetration lately?
Spring fever, maybe?
How do you handle these 3rd-party security people who make mountains out of every molehill?
Post the company name and URL on slashdot and let them have a 'specialised security audit'...
3rd-party security audits are like consultants. They talk all day long but never actually do anything.
If they didn't make a mountain, then how could they justify their existence?
Just allow them to spend the money, and if you are in a position, ask for a preliminary copy of the report, and create a reactionary or secondary report dealing with all the issues that were brought up.
Seems simple, and be prepared to answer your VP's silly, but nonetheless important, questions in a way that he understands. Don't be technical, just break it down for them.
Other than that, it can't really hurt having the audit done, just so long as you know how to handle it before, during, and after.
to sleep with the lead consultant, catch it on tape, and thus damage his credibility. These guys never get laid, so don't worry about him not falling for the bait.
One of two ways:
Sit down with your boss and explain what each open port is and why it is open. Then explain what happens if you close that port.
Lock everything down tighter than Fort Knox, starting with your boss's machine. (Yes sir, I'm sorry you can't surf the internet, we closed that outgoing port because it was a security risk.)
One of these should work (or get you fired). Either way, you don't have to deal with employees upset because their VPN or Remote Access doesn't work.
As someone else said - if you can't do that, there's a problem.
smash.
I run: Windows, OS X, Linux, FreeBSD. Just because you have a hammer, doesn't mean everything is a nail.
And then explain, when users complain of the inability to use their computers, that you were directed to fix all the holes. Tell them your supervisors were made aware of what the result of doing all the fixes would be, but that you were directed to make the changes anyway. A company-wide memo might be appropriate. Or just an email explaining your position, accidentally forwarded to everyone.
LazloToth asks: "...How do you handle these 3rd-party security people who make mountains out of every molehill?"
I think we need more details on the severity of your security holes. Give us your company's IP range, and if we find anything significant we'll leave a note for you on your desktop.
When you have nothing left to burn you must set yourself on fire
Document the hell out of everything. And explain why the setup is as it is. It is a real pain when you have some worthless security company telling management that echo, discard, and chargen are major security holes on internal systems. Besides senseless violence directed at the auditors, it is a painful process.
Tell them to stick it up their security hole.
All that matters to the managerial types is dollars and cents. Show them (in their language - money) how much it will cost to fix the "problems" (even break it down and show them the cost of each problem), vs. how much benefit the company will gain (again in terms of money) from the fix. Be sure to include opportunity costs (and gains). Then let them make their decision.
They will decide whatever they think will be best (based, of course, on money). Then you fix whatever they tell you to. Hopefully they won't tell you to do anything dumb after they've been shown just what it will cost them.
We have 2 'IT' people - myself and one other.
The owner of the company defers to us on all things technology related - what we say goes. No questions asked.
Seriously, you need to work with someone who has a clue. Anyone reviewing these scans should know what they are looking at. If they don't, they have no room to criticize. It is the security consultant's job to put the scan and the vulnerabilities in context. They need to explain the risks to management in a manner that management can understand. Their report should come with recommendations on how to correct the problems, and it should at least try to outline the consequences of the fixes. The consultants should have worked with the engineering/admin team to understand the holes before the report went to management. Otherwise you paid for a whole lot of nothing.
the growth in cynicism and rebellion has not been without cause
You've already played Devil's Advocate, so document what you think the risks are/may be, then do *exactly* what he says. Once it breaks, whip out the risks you documented and explain how you did exactly what was asked of you over your stated objections. It's the only real way to do it--and rather satisfying, gotta admit.
If you can't be part of the solution, there is good money to be made in prolonging the problem.
"With sufficient thrust, pigs fly just fine." -- RFC 1925
How do you handle these 3rd-party security people who make mountains out of every molehill?
I work for the Canadian Government and we have our own in-house security department. This problem is not limited to consultants and third parties. The small staff in our office can create reports hundreds of pages long using open source and proprietary tools. The hard part is finding the owner of each asset and getting them to take responsibility for it. Often the "administrator" isn't even close to qualified to perform system maintenance.
Take the report, and give costs for covering each hole. Also, give your risk assessment to the company (yes, there is a hole that has a 1% chance of costing the company $5,000 - but it will cost $500 to repair).
Then, let the boss make the budget decisions, and carry them out. Make sure extra staff is included in your report.
"Giving money and power to government is like giving whiskey and car keys to teenage boys" P. J. O'Rourke
We've had external auditors come through with their "best practice checklists" and ask us all kinds of questions, then they make their report to the ones that brought them in.
Two years ago, after the report went to the Board of Trustees (I work for a state university), we were tasked to give a "when or why not" to each and every issue on the report.
On the bright side, the particular auditor we've had to deal with most of these times was as fair and accurate as can be expected - there were no real surprises sprung on us (she's back next week to do our Oracle systems).
Doug
BOFH
Explain to your boss that they are definitely concerns and that you are glad to be aware of them. Then inform him that, as you are aware of the holes and have measures in place to watch for spurious activity, they are not threats -- of course, make sure this is all true, because sometimes the security company will then be asked to hack the network to prove the seriousness...
Every chain is only as strong as its weakest link.
This holds true in the military area, more than everywhere else. I work in environments that are very sensitive to security, and we take such external reviews extremely seriously. There's no such thing as an "obscure" or "irrelevant" weakness.
Unlike most vanilla companies, we can't afford to let things slide, security-wise. Knowing that your clients are prime targets for highly professional black hats and (not only industrial) spies is highly motivating. This includes (of course) penetration testing (conducted both internally and by independent contractors), but also exclusive use of open source code and internal code auditing. As an aside: personnel (HR) auditing is also very important, if not even more so than technical aspects!
Sure, most companies don't need this level of security awareness and can get away with being "pragmatic", but don't complain when your client database (with all the goodies like credit card data etc.) gets compromised!
cpghost at Cordula's Web.
He wants secure so give him secure - no luser access. What's the guy's username?
BOFH
Say that making those changes would hamper creativity and stifle innovation. :P
Coward? Coward! Thems fighten words!!
Personally, some of these server monitoring services, in my opinion, create more problems than they claim to solve. Many of these systems claim to measure downtime in tenths or hundredths of seconds, which means they're clogging up bandwidth that could be used for legitimate purposes with their tests, and if there's any outage between their system and yours, their report can blame it on your server being down. It's all bogus in my opinion, but I have no shortage of clients who are signing up to have their web sites monitored, which creates lots of problems for admins. Personally, I'd like to see a site which lists the IP ranges of many of these companies so they can be blocked.
If you actually did work for 8 hours a day instead of reading/posting/emailing slashdot you would have time to secure your network.
There's work not getting done right now because I'm posting this, and your work isn't getting done because you're reading this!
Sorry Boss those Windows servers you insisted we bought are 'bad'.
no Exchange,
No IIS
etc...
We had an in-house "so called security expert" at my old job who knew how to run nmap and was not afraid to use it and email it around.
We also had a 3rd party firm root us through a remote office which we had no control over and were not allowed to block their access to.
You do what you can or you quit.
See where they did the scan from and drop all packets at the firewall from that domain?
I Am My Own Worst Enemy
In the mid-1990s, I ran IT for a graphic design firm, which consisted of some 50-75 Macintosh computers. Pretty much everything ran on Macs; even the accounting systems used Great Plains for Mac.
At one point, some of the staffers got the idea that network performance might not be optimal, and it was decided that we should do a performance audit. A contractor was brought in to spend a few hours sniffing our network, then go away and do a thorough, in-depth protocol analysis. The result of this analysis was a 20-page report detailing their findings.
The conclusion was that there was, indeed, a lot of unnecessary packets of traffic flying around the network. Their solution?
"Eliminate the Appletalk networking protocol."
Uh, yeah. Thanks guys, here's your $2,500.
(Maybe the best solution is to do whatever you can to educate management and set expectations at appropriate levels.)
Breakfast served all day!
They get paid to find every little nitpicky thing. It's in their best interest to make everything sound major (ever heard of the term follow-on engagement?)
Sit down, take the list and prepare a reasonable time & budget to fix each item along with your recommendations of the order to fix them in (based on business risk). Make sure your numbers and hours are realistic, because chances are excellent that he'll ask the consultants for the same info.
Then Mr VP can either allot internal resources to fixing the problem or hire outside consultants, or both. Business risk deals with a lot of things both real and perceived. In some cases, having the perception of risk is just as bad as the real thing (from a liability perspective, thank you Millberg Weiss).
Your VP's job is to determine the acceptable level of risk for the company. Yours is to aid him in that decision, not make it for him.
"I'd rather be a lightning rod than a seismometer." -Ken Kesey
Right now are being perpetrated on the online vendor community by the credit card companies. Here is how it works.
/. person is asking. Of course you have to sign up and pay $$$.
1. Visa says you must meet the following (BS) requirements to take their cards on-line.
2. They tell your cc processor that all their on-line stores must meet requirements in 1.
3. CC processor sub-contracts with security firm A that then contacts you so they can perform a "security" scan just like this
4. They then "scan" your site. Even though you explain that you don't take cards on the site, you pass the order to the cc processor who collects the card info on their site. No matter, says the card company, you have to pay anyway. Then they claim that it will prevent phishing and all that happy hoo-haw. cough...BS...cough
5. They then make you fill out a survey of meaningless dribble that no small company could ever honestly answer yes to all the policy questions, in order to be in the green.
Next year, I'm putting up a honey pot and am going to redirect their scans to it, with all kinds of exploits. Linux/Unix/Windows exploits all on the same box. Won't that be fun.
Anyway. The credit card companies' risk management department is happy. We lowered our risk. Some company in Utah on a canopy netblock gets my money (fuckers) and I get jack shit.
No choice but to explain why in simple terms. If they don't accept that I am sorry to say you have to leave.
And do make sure the consultant gives you some recommendations about prioritization.
Bill Stewart
How do you handle these 3rd-party security people who make mountains out of every molehill?"
/whine "hard work." Well, it'll be harder after some n00b takes my personal information off your insecure system. Fix it, or consider changing careers instead of being yet another BOFH.
Since you don't cite any examples of these issues, I would bet you're one of these people who think running PHP with register_globals on is a "molehill"?
Cite some examples, or else this looks like you're complaining that tightening security holes would be
Security through obscurity... that's the spirit ;)
www.whitedust.net
If you want real security, penetration testing is only a small part of the process. Sure, you can pay someone to find vulnerabilities....any kid with a copy of nessus, snort, and nmap will do....or you can shell out the big bucks for a Core Impact setup if you get the PHBs paranoid enough. It really won't help fix anything. Even if you do manage to patch every vulnerable service and close off everything else that you don't need, you may still be insecure. Policies and procedures are often as important for ensuring security as closing specific holes in software. If your company needs to outsource network security, convince them to get someone who will offer a more complete solution comprising a specific and custom plan for ensuring the physical, human, and software aspects of security. If you want to get out of your current predicament, I suggest patching what you can and explaining why other vulnerabilities are not relevant. Prove you are smarter than the consultants leeching money that could be yours. If your boss is a real idiot and the security researchers he/she hires are dumbasses too, you can safely backdoor the place before you leave!
------ Take away the right to say fuck and you take away the right to say fuck the government.
This is a great opportunity. Start by consulting with a high priced "security" company about plugging the "holes". Figure on $20k in consulting fees alone. Make sure they recommend only the top end (most expensive) equipment and software. Of course, your staff will need to be doubled (at least) and all will require MANY classes, in far away places, on how to run all this new kit. Figure a good 2 years to train existing and new staff. You will need new quarters for all this equipment too. Temperature and humidity controlled of course. Security cameras, off site storage of all the new backup equipment, co-located servers in another power grid (several states away). Shoot for a cool million and triple (at least) current operating expenses. Then see what your pointy haired boss says.
Human nature being what it is, pointing this out to the boss is likely to embarrass him and make him feel like you're being a smartass. In general I find that explaining the security continuum (where at one end you have low security, low cost, and all the functionality you want, and at the other end you have high security, higher cost, and some curtailing of functionality) is helpful in coaxing them out of the mentality that security is a one-way street. In the real world, high security entails compromises, some budgetary (even if only for more sysad time) and some functional (not every new flashy network app can simply be added to the system without security analysis).
I've also found that explaining the security process in terms of priorities is helpful. I used to use a top 10 list that showed management exactly what was highest priority, what came next, and so on. This helped them realize that not all threats are equal.
Best of luck to you.
Read the EFF's Fair Use FAQ
Is put a text file somewhere - tell them where it is and if they can tell you the message in it then you will agree there is a security problem. Otherwise go away. IOW have them produce more than a report. Like a security test for a military base is for someone unauthorized to try to penetrate and see if they can put a tag on some piece of equipment. If they can then they've proven there is a security problem.
try { do() || do_not(); } catch (JediException err) { yoda(err); }
I've seen the managers that this guy is suffering under and your insightful remark won't help him. You see, his boss is likely referring to "holes" reported by Nessus and others that are not holes but, because some outside company said it, then it must be so.
Outside companies are always more authoritative than in-house staff. "They're not from here so, they must be the authority on the subject."
By the way, the "holes" he is referring to are likely things like:
Can determine path to host via traceroute. Danger Will Robinson!
SMTP server returns a header. Shock! Horror!
HTTP server returns a header. OMG! This must be fixed!??
I'm kidding, so calm your ass down.
...as to be meaningless", you say; can you give a few examples of security holes that are 'obscure' and 'meaningless'?
I mean - a vulnerability found should either be a false positive - which you should be able to explain to your boss easily - or it's actually relevant. If you are *knowingly, intentionally* running vulnerable systems, these hopefully do not share *any* infrastructure with your production networks.
Put the focus on your professional relationship; make the technical aspects secondary to that. If you have any history of trust, emphasize that.
"Do you generally trust me to keep the network secure?"
"Do you see the possibility that this company might make mountains out of molehills to demonstrate their value?"
"If we DO find out that I have left some things unattended, will you give me the chance to correct them?"
Etc.
Your boss, more than anything, wants to know he's in good hands. Even though he may not consciously know it, his trust in YOU is the most important thing; his trust in the NETWORK is secondary; his trust in a temporary CONTRACTOR is a fleeting thing.
If you adopt an overly defensive or confrontational posture, you do nothing but hurt your relationship with your boss, and ultimately yourself.
Pete Forsyth
is another man's mountain. If you were "hacked" and went back to the 3rd party security company and were told "Well, that opening is so obscure that we really didn't think it was an issue," who would be having their asses handed to them in court?
Their job is to be as thorough as possible; your job is to analyse the data and figure out what it means with the knowledge you have from working within the organization and understanding the quirks that are native to your workplace. Hopefully your boss understands that your organization (like all organizations) has little things that require special consideration, and you (and the rest of the IT staff) are given an opportunity to review and provide your own detail to what was submitted.
Rope, duct tape, knife and Hanson CDs. Give them the choice the knife or Hanson with an endless loop of MMMBop.
I say we just grow up, be adults and die.
Use Qualys and dump the free crap. That explains everything. Your boss will love it and it will save you the headache of translating.
No offense, well, okay, perhaps a little offense meant, but I imagine that if you were a top notch security expert, your company wouldn't be going to 3rd parties to check. Or at least they wouldn't be going to some [supposed] dope with a tool who [you think] gave you bogus stuff.
You might want to consider the possibility that the security expert is right. You also might want to consider the possibility that such 'obscure' holes are the exact thing attackers will look for, because once the machine is owned, it's all over. A hole is a hole.
From a more practical point of view, you should create a sandbox network with one [or many] of the holes the security expert disclosed, and then ask them to exploit one for you. Should be a quick sign if they're right, or they're a dope.
If you're sure you know what you're doing, have a bit of fun with it.
:)
I'm sure you have logs of where, when and how the scan happened. A few simple scripts and iptables/netfilter rules can go a long way toward having fun with the 3rd party company.
Suggest that this is a 'normal' level of security, but offer the option to 'really secure' the site and spend a few hours/days putting together some clever scripts to block apparently malicious hosts.
Also, don't forget to point out that their scan was detected, logged, etc. under the 'normal' security plan. It helps demonstrate you're actually on the ball. Remind them this type of activity is usually preceded by an attack-- just like thieves IRL case places before they break in.
Some shell scripts, rate limiting and arbitrary -J targets in iptables, for example, can help block scans from programs such as Nessus. For example, ban for 60 minutes any host (or netblock if you feel so inclined) that attempts to connect more than 10 times to a port on which no service is running.
Most of the time, the 3rd party techs will clog through starting at port 1 and by the time they get to your first open port (21, 22 or 25 I'm guessing) you've already blocked incoming requests from that ip/netblock for the next hour.
Another rule might be if you have VPN services (port 1723 I think) on but no terminal services or other remote access, ban for 24 hours if an IP accesses your VPN service (and gets a connect) BUT also attempts to access other common services, such as terminal services, radius auth, etc. If you aren't running those services no legitimate user should be poking about there, right?
Someone send us three big pings? Bannination for a week!
It is a level of craziness that is probably not necessary, but in my experience the 3rd party tech team usually loses their mind when they have to wait 20 minutes, an hour, or more to keep trying to scan your host. That is, if they even figure out what is going on.
Starts happening from more than one ip in a netblock? Drop incoming traffic on the whole netblock for a while.
It really is loads of fun. Be careful about some services, though. For some things it's normal for one host to set up and tear down a lot of connections per second, so be sure that your rules depend on accessing sets of services in weird ways (a la a scanner looking for holes).
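The ban heuristics described in the comment above, as an added example (not the commenter's scripts): a Python pass over netfilter LOG lines that applies the closed-port counter, the VPN-plus-remote-access rule and the /24 escalation, then renders the decisions as iptables DROP rules. The open-port set, the 5-minute counting window, the remote-access port list and the log lines themselves are constructed assumptions.

```python
"""Scan-detection heuristics over netfilter LOG lines (added example)."""
from __future__ import annotations

import re
from collections import defaultdict
from datetime import datetime, timedelta

# netfilter LOG line: syslog timestamp ... SRC=a.b.c.d ... DPT=n
LOG_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) .*?SRC=(?P<src>[\d.]+) .*?DPT=(?P<dpt>\d+)"
)

OPEN_PORTS = {22, 25, 1723}               # assumption: services this host really runs
VPN_PORT = 1723                           # PPTP, the port the commenter guessed
REMOTE_ACCESS_PORTS = {3389, 1812, 1813}  # assumption: RDP and RADIUS auth/acct
CLOSED_PORT_LIMIT = 10                    # "more than 10 times" -> ban
CLOSED_PORT_WINDOW = timedelta(minutes=5)  # assumption: counting window
CLOSED_PORT_BAN = timedelta(minutes=60)
VPN_PROBE_BAN = timedelta(hours=24)


def parse_line(line: str, year: int):
    """Return (timestamp, src, dport) or None if the line is not a LOG entry."""
    m = LOG_RE.search(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return ts, m["src"], int(m["dpt"])


def analyze(lines, year: int = 2005) -> dict:
    """Map banned target (IP or /24 CIDR) -> (reason, ban expiry)."""
    closed_hits = defaultdict(list)   # src -> timestamps of closed-port hits
    touched_vpn = set()               # sources seen on the VPN port
    bans = {}
    for line in lines:
        rec = parse_line(line, year)
        if rec is None:
            continue
        ts, src, dpt = rec
        if src in bans and ts < bans[src][1]:
            continue                  # traffic from a banned host is dropped
        if dpt not in OPEN_PORTS:
            # sliding window: keep only hits no older than the window
            hits = [t for t in closed_hits[src] if ts - t <= CLOSED_PORT_WINDOW]
            hits.append(ts)
            closed_hits[src] = hits
            if len(hits) > CLOSED_PORT_LIMIT:
                bans[src] = ("closed-port probing", ts + CLOSED_PORT_BAN)
        if dpt == VPN_PORT:
            touched_vpn.add(src)
        elif dpt in REMOTE_ACCESS_PORTS and src in touched_vpn:
            bans[src] = ("VPN user probing remote-access ports", ts + VPN_PROBE_BAN)
    # escalate when more than one offender shares a /24
    by_block = defaultdict(list)
    for ip, (_, until) in bans.items():
        by_block[ip.rsplit(".", 1)[0]].append(until)
    for block, untils in by_block.items():
        if len(untils) > 1:
            bans[f"{block}.0/24"] = ("multiple offenders in netblock", max(untils))
    return bans


def iptables_rules(bans: dict) -> list:
    """Render decisions as iptables DROP rules; expiry is only noted in the
    comment (a live setup would use -m recent or an ipset with timeouts)."""
    return [
        f"iptables -I INPUT -s {target} -j DROP  # {reason}, until {until:%Y-%m-%d %H:%M}"
        for target, (reason, until) in sorted(bans.items())
    ]


def sample_log() -> list:
    """Constructed netfilter LOG lines, not captured from a real host."""
    def entry(ts, src, dpt):
        return (f"{ts} gw kernel: IN=eth0 OUT= SRC={src} DST=192.0.2.10 LEN=60 "
                f"PROTO=TCP SPT=40000 DPT={dpt} SYN URGP=0")
    # a scanner walking ports 1..12 one second apart
    lines = [entry(f"Mar 14 10:00:{i:02d}", "203.0.113.7", i + 1) for i in range(12)]
    # a neighbour that touches the VPN port, then pokes at RDP
    lines += [entry("Mar 14 10:05:00", "203.0.113.9", 1723),
              entry("Mar 14 10:05:30", "203.0.113.9", 3389)]
    # a legitimate mail peer with one stray hit on a closed port
    lines += [entry(f"Mar 14 10:10:0{i}", "198.51.100.4", 25) for i in range(3)]
    lines.append(entry("Mar 14 10:10:05", "198.51.100.4", 80))
    return lines


if __name__ == "__main__":
    for rule in iptables_rules(analyze(sample_log())):
        print(rule)
```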
Fr. Guido Sarducci replies: Son, you'll just hafta let it go. These bozos just won't get it anyway. Besides, it IS their network, they just pay you to play with it.
Don Novello Pipes up: Who are you wankers anyway?
-- I have a private email server in my basement.
How to avoid being called on the carpet over security? Be at least one degree more paranoid about security than your boss.
How to handle the security report? With the same seriousness as your boss; he signs your paychecks after all.
Ask for the opportunity to have the 3rd party justify, in writing, what each vulnerability means and assess the severity. If your boss won't go for this, you probably don't want to work for an irrational boss.
Or if you don't want to make that drastic of a move, tell him or her that you should outsource that security to the company that did the scan. That's probably why they gave such a mountain-molehill report anyway. If your boss is going to believe them, then make them "fix" the network, and then explain why they broke everything.
A third possibility would be to get a second opinion, although you run the risk of getting an equally overzealous report.
_______
2B1ASK1
All you can do is clarify and explain. I only deal with "Critical," "Major" and sometimes "Medium" risk categories. The rest are usually stupid. "You have a share." "Yeah, it's called user directories or shared data drives." As long as you have answers and can show the risk is minimal, if existent, then you may have done all you can.
Without seeing some example vulnerabilities, it would really be hard to give anything but general answers to this problem. That said, there is an abundance of general answers here already and I'll add mine to the pile.
First: do your homework and get a background (securityfocus.com is a great place to start) on all items listed.
I know first-hand where we have a dependence on older versions of certain software packages because some custom apps we have running break when these older programs are upgraded. I am fairly certain that there may be some vulnerabilities in our old versions of the software that cannot be fixed without upgrades that would break a much larger system.
Draw a lot of analogies that would make it easy to understand. Stating things like "our front door is a vulnerability, but if we welded it shut, we couldn't make use of it."
Admit frankly and openly where you might have actually overlooked a problem that you should have been aware of. In my view, nothing says you can be trusted more than when you admit to mistakes and vow to correct them... and actually do. But denying everything too often brings a kind of distrust to you from bosses... they know you're human, but if you deny it and claim to be a god, they'll call you on it.
It might actually be helpful to praise the consultant's report as a useful and enlightening tool, allowing the boss to feel as if he did a good thing by calling these matters to your attention, and then create a plan by which you will be able to adopt the same measures the consultant took in creating this problem for you. By instituting an additional self-audit upon yourself, you will be able to save yourself from the likelihood of further "testing" from outside while providing him with future (quarterly? semi-annually?) reports of where you stand on issues past, present and future.
And of course, break down your own actions on an item-to-item basis.
Try not to say what "can't" or "shouldn't" be done -- that's likely a decision he will want to make. You can, instead, present the factors by which to make these decisions...in such a way that the decisions appear obvious.
There are plenty of well-known, professional security consulting companies out there who do the job right. If you hire a lower-cost consulting company who is just going to run a few variations of nmap and nessus and slop the results into a report, then you deserve the kind of pain you get.
Hire quality, get quality results.
I do a lot of consulting in the business continuity/security networking field and there is only one way to deal with a problem like this.
Every security policy comes straight from management; the IT staff configure the network based on the decisions that management has made. Your company is just revising their security policy and have tasked you with abiding by it. All you need to do is devise a budget for complying with their requirements.
Your company has decided they need more advanced security precautions taken, it really is not your position to question their decision. Just tell them exactly what solutions can be implemented to meet their requirements. If I were you I would be very excited, you have a perfect opportunity to prove your knowledge and value to your employers. You also have a plethora of Open Source solutions available to you - maybe I'm a zealot - but this kind of work is very rewarding.
If you can't provide this, then you are the wrong person for the job, or they need to outsource. It's that simple.
As for places to start, I would consider the pen-test mailing list at www.securityfocus.com, there are also several other lists that they host. The archives should give you some excellent references of where to start. You should also consider this to be the perfect time to request training and reference materials - books.
You shouldn't be surprised that your employer's requirements have changed; you work in technology, technology reviews should be undertaken regularly and findings should be acted upon. Don't fear the change, use it as a chance to make your job easier and increase your value to your employer.
I sure wish I could find more clients like your company!
John the Kiwi
Just because technology changes and your job has changed
Pretty much, yeah, that sums it up. Anyone can walk through the door, do a port scan, and list open ports, etc... Looks to me like they treat security as a commodity, not like the process that it is.
They only did half their job.
Steve's Computer Service, Hobbs, NM
I like to sauté them with a generous amount of garlic and hot sauce. I find without excess seasoning they taste a little unpleasant.
"mmmmmm,my boss wants me to do some work, mmmmm" sheesh.
You are 100% correct.
It's not doing the company nor the consultants any good to provide a report that isn't valuable. I've done I'd guess more than 50 vuln/pen assessments, and when I've spent the time to understand the environments and evaluate the security issues presented, the client always reacted wonderfully to the reports and commented on what a great value they were.
Before I was seasoned enough to do that, reports were largely ignored; vulnerabilities rarely fixed.
It's disappointing to see. I am solely a network engineer now (with a security emphasis). We just had an organization-wide audit and the report...what a complete waste of time, paper and electrons.
sedawkgrep
Is that a salami in my pants or am I just happy to be me?
The well known security scanner in question is probably Nessus.
.. and so forth
It reports _truly_ obscure things, as it should, but which security consluttants have a tendency to blow out of proportion.
One of the points of security consluttants is to use tools to MAP the network. Then they should determine what your network SHOULD do, and which services SHOULD be running - and doing _what_.
Then they should check this against the map of the network, and remove all items which are irrelevant, and interpret the facts.
THEN they should return the report.
Sorry. I don't consider it a hole that the webserver reports which Apache version it's running. Neither do I consider it a hole that BIND returns which version it is. Neither do I consider it a hole that the FTP server puts up a banner identifying it.
"Rune Kristian Viken" - http://www.nwo.no - arca
Don't look a gift horse in the mouth. This is just the excuse you need to purchase that new equipment you've been lusting over. Just remember to put, "patch security hole", on the purchase req.
Show me on the doll where his noodly appendage touched you.
I handle this situation by working for people who know what they're doing. And who don't know what I do (else why would they employ me), but know they don't know, and leave me alone.
Seriously, if your boss trusts some outsider consultant more than his own IT people, either you have the wrong boss, or he has the wrong IT people. Or both.
I resemble that remark! In defense of the consultants...
The same PHB that the article complains about would give the consultant a hard time if he came back with a one page report saying that everything looks good and there aren't any issues. After all, the PHB paid the consultant to find holes. Therefore if he doesn't find any then he shouldn't be paid. Right?
The consultant has adopted a means of avoiding this argument. Instead of fighting over money because the consultant didn't find anything, the consultant provides a voluminous report that cites things like traceroutes, banners and the lack of "adequate" documentation. Also, so as not to have the admin come across the table at the consultant's throat, he tosses in a bone for the admin citing a lack of funding for regular training and a lack of written corporate procedures, where the boss backs up the policy.
Standard pen-test. Thanks very much. That'll be $40,000
Why bother with all that when nessus already outputs a decent html? It even has _pie_ charts. Gotta love it. Just add your logo on top and collect your payment. That's how it works.
Apparently, having found nessus is sufficient competitive advantage to justify the existence of some companies. I wonder if they have donated to the project.
"If God created us in his own image we have more than reciprocated." - Voltaire
These consultants are trying to rip your company off. Grab the same piece of open source software and run off your own report, making a note of how long it took you. Show it to the boss, and explain that if he wanted such a report, you could have done it for free in only x amount of time. This will put you in a good position to say it's worthless, when you have demonstrated that it's not the result of any serious expenditure of time/effort. Once you've saved the company $x in consultancy fees by kicking the fraudsters out, bring up the small matter of the expenditure of $x/2 on additional hardware you got turned down for a few months back, or something involving a bonus.
The other attacking option, if you are only working there for the money, is to push hard for the doubling of staff and hardware budgets you desperately need to fix all the 'holes', and the regular security conferences in Hawaii that you really need to attend to keep up with things, now you have the proof that it's necessary. Now is your big chance to stab in the back anyone who's ever cut your budget.
A pizza of radius z and thickness a has a volume of pi z z a
They need to explain the risks to management in a manner that management can understand.
Most network vulnerabilities can't be described in monosyllabic words.
Also, here's something to consider.
Clueless Manager Type: "The consultant says we have insecure passwords! Fix it!"
IT: "OK, I'll fix it by the end of the week"
Time passes...
CMT: "Hey! It's making me change my password and it won't let me add a digit to my current one! Fix it!"
IT: "That's part of the solution to the password problem you asked me to fix"
CMT: "I didn't tell you to change how we choose passwords! I told you to fix the password security problem!"
In other words, I want you to lock the door, but I don't want to have to use a key to get in. Repeat the above scenario for any aspect of security you can think of. Managers don't get "Security or convenience, pick ONE."
The real question we should be asking here is why the consultant is even allowed to speak to the executives. All he or she will do is alarm them by using words they don't understand until "set $dummymode=='ON'" and then telling them they better fix it or Bad Things will happen. If the same presentation is made to IT, where the workers might understand more than every third word, real solutions could be found. But that will never happen, because IT can't so much as turn around without executive approval.
Memo to executives: Leave IT the fuck alone. Don't try to make yourself feel important by requiring useless reports and approval. You'll just make yourself look stupid and lose any respect IT might have had for you.
Never underestimate the power of stupid people in large groups.
Actually, even running PHP with register_globals off can be a molehill.
From someone who enjoys using PHP, isn't hating it.
I'm still trying to figure out what people mean by 'social skills' here.
Security isn't just a matter of collecting raw data. Anyone can collect raw data. Raw data is like raw sewage - it benefits nobody but can be used to make a big stink.
At the very least, to be usable there needs to be an assessment as to the actual threat level of each vulnerability. For example, you could have an insecure, unpatched Windows 95 box locked in a cupboard with no console or network access. A vulnerability assessment would turn up a bazillion holes, but absolutely none of them would be exploitable.
In crude terms, you can measure risks in terms of two scales. Let's use letters for the first and numbers for the second. The first measure is the ease of reaching that vulnerability, the second is the ease of using that vulnerability to access other systems or data.
Thus, any computer directly reachable from the outside world would be an "A" class risk. A machine placed outside of the firewall which does not have direct access to the inside (not an unusual arrangement for informational webservers) would be relatively low risk for data and might be given a 9. So, a vulnerability on your advertising website would be an A9 risk.
A firewall, on the other hand, has direct access to the inside. If the firewall has proxy servers sitting on it, it will likely have a high level of trust. So, a vulnerability on such a system might be given a rating of A2 or A3. (It doesn't have valuable information itself, but it can be used to reach a machine that does.)
A data warehouse, on the other hand, might well sit on a SAN that can only be reached through a firewall which runs to the servers on the corporate LAN, which itself is behind a firewall. Now, an attacker needs to go through between three and five layers of security (depending on how secure the network traffic is). On the other hand, access to the data warehouse would expose critical data. A vulnerability in this case might be given a class of E1.
Managers could look at these ratings - A5, E1, etc. They could then use those to get an idea of how urgent fixing the hole was. A rating of F9 (six layers deep, no information of significance) could safely be ignored at the start. A rating of A1 (reachable from the outside, mission-critical data exposed) would want to be fixed the week before last.
These are the kinds of things managers can understand. Nobody should expect them to have a detailed understanding of TCP/IP stacks, buffer overflows and sniffer technology. They may well have, but no sane consultant should require it of them. Unless said consultant knows that the product they are delivering is so bogus that a technically-competent manager would nail them to the wall for it.
It's a small world and it smells funny; I'd buy another if it wasn't for the money; Take back what I paid (SoM)
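The two-axis rating described in the post above (a letter for how reachable the host is, a digit for how much valuable data a compromise exposes), worked through as an added Python example; this is not the commenter's code. The letter-per-layer mapping, the equal weighting of the two axes in the urgency score, and the sample hosts are all assumptions chosen to mirror the post's scenarios (advertising web server = A9, border firewall with proxies = A2, data warehouse = E1, box nobody can reach = F9).

```python
from dataclasses import dataclass
from typing import List, Tuple


@dataclass
class Finding:
    host: str
    layers_to_reach: int   # security layers between the outside world and this host
    data_value: int        # 1 = mission-critical data exposed ... 9 = nothing of significance
    description: str = ""


def reachability_class(layers_to_reach: int) -> str:
    """0 layers (directly reachable from outside) -> 'A', 1 -> 'B', ..., 5 or more -> 'F'.
    Assumption: one letter per layer, capped at F as in the post's F9 example."""
    if layers_to_reach < 0:
        raise ValueError("layer count cannot be negative")
    return chr(ord("A") + min(layers_to_reach, 5))


def rate(finding: Finding) -> str:
    """Combine both axes into the post's 'A9' / 'E1' style rating."""
    if not 1 <= finding.data_value <= 9:
        raise ValueError("data_value must be between 1 (critical data) and 9 (nothing of value)")
    return f"{reachability_class(finding.layers_to_reach)}{finding.data_value}"


def urgency_score(rating: str) -> int:
    """Lower = fix sooner. A1 -> 0 (fix it the week before last), F9 -> 13 (ignore for now).
    Assumption: both axes weighted equally; a real register would tune the weights."""
    letter, digit = rating[0], int(rating[1:])
    return (ord(letter) - ord("A")) + (digit - 1)


def prioritize(findings: List[Finding]) -> List[Tuple[str, str]]:
    """Return (rating, host) pairs, most urgent first; ties broken by the rating string
    so a more reachable host sorts ahead of a less reachable one."""
    rated = [(rate(f), f) for f in findings]
    rated.sort(key=lambda rf: (urgency_score(rf[0]), rf[0]))
    return [(rating, f.host) for rating, f in rated]


# Constructed sample findings, mirroring the scenarios in the post.
SAMPLE_FINDINGS = [
    Finding("www-advertising", 0, 9, "informational web server outside the firewall, no inside access"),
    Finding("fw-proxy", 0, 2, "proxy on the border firewall; trusted by internal hosts"),
    Finding("dwh-01", 4, 1, "data warehouse on a SAN, two firewalls deep"),
    Finding("win95-cupboard", 5, 9, "unpatched box with no network or console access"),
]

if __name__ == "__main__":
    for rating, host in prioritize(SAMPLE_FINDINGS):
        print(f"{rating}  {host}")
```

Managers read the left-hand column, not the CVE list: the A2 firewall proxy lands at the top even though it holds no data itself, and the unreachable F9 box drops to the bottom however many "holes" a scanner counted on it.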
...something more professional.
"How do you handle these 3rd-party security people who make mountains out of every molehill?"
That's not the first step. The first step is for your company to make you VP of risk management.
"What would ya say... you DO ... here at Initech? Hmmm?"
The Peanut Gallery, Ubergeek, Biblically Sober
This is a very common situation. It occurs in all audits, assessments, etc. It gives the outside consultants the ability to justify why they are there in the first place. Seriously, if they had nothing to report then they could not get more consulting dollars to come in and fix it or to come back again to run more scans in the future.
If your management is upset then you need to counter the assessment with documenting exactly what those holes are and how much of a risk they really are. Yes, documenting is a pain in the neck but it is what management wants to see. If your management still cannot see how small these holes are then I recommend you have the consultants come in and clean things up. Your management will generally back off after this one since they will not want to spend the consulting dollars.
Good luck..
Preparing a report in response seems an immense waste of time, but it could well be the only effective method of response - might even be a business obligation to meet some sort of new pain in the ass legislation.
Unless some event prompted the commissioning of the third-party evaluation, an alternative response might be:
With all due respect, Your Executiveness, I don't pretend to understand your business as well as you pretend to, or to criticize your leadership or decisions. Why don't you stick to your area of expertise, and let me stick to mine? I was entrusted with the security of this network, which meant I earned the trust of you or your underlings at one point. Since you and yours are surely only capable of infallibly correct hiring decisions, and since I've done nothing to betray that confidence, don't waste your precious time considering these trivial tactical issues, and go about your lofty strategic visionary business. Let the duly appointed base mortals deal with the annoyingly vulgar manifestations of reality. And with your faultlessly keen judgment you surely know to never trust contractors because they are parasitic false authorities who just want your pot of gold.
Modify for diplomacy.
Short answer:
:-(
Use 3 different, reputable companies in rotation, and then your boss will see that company X said this was vulnerable, but company Y and Z said it isn't, and neither do you. Who does he then believe? Too many black marks against company X, and they are replaced by another company, to compete with companies Y and Z.
Long, experienced answer:
3rd parties are paid to find problems, and they should either:
Understand what is a significant risk for your organisation (I've just co-ordinated one of these, costing $100,000 (!!!) as they take a lot of time and effort, 6 man-weeks of external consultants, and two of mine, in this case).
Alternatively, and much more commonly, they SHOULD report every tiny little detail, and it is YOUR JOB to assess VULNERABILITY against the potential THREAT and IMPACT, in order to calculate the RISK.
You put these risks in a 'Risk Register', with factors like "cost to fix" and "likelihood of occurrence", to get factors of how much this risk costs the company, each year. (***key point: These risks are TRUE costs, e.g. How much do viruses cost your company each year? How much do you spend stopping them?)
These costs are therefore NOT "made up" figures, but true estimates of expected expenditure, and investments to prevent these expenditures.
Take the average of many estimates and you get a REAL cost for those risks, occurring or not, over the year.
Now to fix (mitigate until insignificant) the stuff in the register:
e.g. They say "server X is not patched."
That server may be broken into once every 5 years, costing $5000 each time (including potential bad press, customer churn etc). So cost per year for this is $1000. But the cost to patch this server, per year may be $500, due to labor and downtime.
So an investment of $500pa returns $1000pa.
Order your risks by ROI, and do them in that order. Be aware that regulatory breaches are likely to have really big penalties associated with them.
Job done.
Overall, sadly, most reports are crap - even those done by government agencies
I once told my boss not to pay the company that just sent him a CD with the output of half a dozen scans on it. Make your boss aware that it's PEOPLE time, represented as reports written in layman's language, that he should be paying for, not twenty minutes of CPU on a Pentium 3...
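The risk register from the "Long, experienced answer" above, carried through in code as an added Python example (not the commenter's own). It reproduces the post's worked numbers (a server broken into once every 5 years at $5000 a time is a $1000/year risk; $500/year of patching to remove it is an ROI of 2), averages several people's estimates as the post suggests, adds a regulatory-penalty field for the breaches the post warns about, and orders the register by ROI. The other rows and all dollar figures apart from the post's own are constructed.

```python
from dataclasses import dataclass
from statistics import mean
from typing import Dict, List


@dataclass
class Risk:
    name: str
    incident_cost_estimates: List[float]  # independent estimates of what one incident costs, $
    years_between_incidents: float        # expected interval; 5.0 means "about once every 5 years"
    annual_fix_cost: float                # labour + downtime to mitigate, $ per year
    regulatory_penalty: float = 0.0       # added to every incident if a breach triggers a fine

    def incident_cost(self) -> float:
        # Average the estimates, as the post suggests, then add any fixed penalty.
        return mean(self.incident_cost_estimates) + self.regulatory_penalty

    def annual_loss(self) -> float:
        # Expected cost per year, whether or not the incident actually happens this year.
        if self.years_between_incidents <= 0:
            raise ValueError("years_between_incidents must be positive")
        return self.incident_cost() / self.years_between_incidents

    def roi(self) -> float:
        # Dollars of expected loss avoided per dollar spent on the fix each year.
        if self.annual_fix_cost <= 0:
            raise ValueError("annual_fix_cost must be positive")
        return self.annual_loss() / self.annual_fix_cost


def risk_register(risks: List[Risk]) -> List[Dict[str, object]]:
    """Rows ordered by ROI, best first. A row with ROI below 1.0 costs more to fix
    each year than it is expected to lose; it stays in the register, but at the bottom."""
    rows = []
    for r in sorted(risks, key=lambda r: r.roi(), reverse=True):
        rows.append({
            "risk": r.name,
            "annual_loss": round(r.annual_loss(), 2),
            "annual_fix_cost": r.annual_fix_cost,
            "roi": round(r.roi(), 2),
            "worth_fixing": r.roi() >= 1.0,
        })
    return rows


# Constructed register. The first row uses the post's own numbers; the rest are made up.
SAMPLE_RISKS = [
    Risk("server X is not patched", [5000.0], 5.0, 500.0),
    Risk("malware on desktops", [20000.0, 30000.0, 40000.0], 1.0, 10000.0),
    Risk("FTP banner reveals version", [200.0], 10.0, 400.0),
    Risk("unencrypted customer data export", [3000.0], 4.0, 2000.0, regulatory_penalty=50000.0),
]

if __name__ == "__main__":
    for row in risk_register(SAMPLE_RISKS):
        print(f"{row['roi']:>6}  {'fix' if row['worth_fixing'] else 'accept':<6}  {row['risk']}")
```

The banner finding that a scanner flags as a "hole" works out to $20 a year of expected loss against $400 a year to change it, so the register records it as an accepted risk with the arithmetic attached, which is exactly the document management needs to sign off on.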
OK, first off, why haven't you run these scans with these open source tools yourself? And presented the results to your boss? You should be running vulnerability scans like a writer runs a spell checker. Seriously, if you aren't actively looking for holes, the bad guys will.
Second, and most importantly, no one on slashdot has any idea if the vulnerabilities your company paid to discover are indeed "mountains out of every molehill". For all we know, you just think these are molehills, when in fact they are great big huge gaping high risk holes in your enterprise. Or, they might just be molehills. The point is, we don't know. And why is this? Because *YOUR ORGANIZATION* is the only party that can make that determination. Let me say that again, another way: a vulnerability is just that, nothing more. It's not a mountain, or a molehill, it's just a fact. It's up to your organization to take those facts, the vulnerabilities that company found for your company, and apply some risk management to it. You have to make that determination with measured, careful thought. If you come at this with the preconceived notion that these are just molehills, you are going to get 0wn3d.
For instance, say the report found that you are running telnet. That's a vulnerability. If you're running telnet over an out of band network, where integrity and confidentiality are not an issue for you, and you're not concerned with hijacking and other risks that telnet is exposed to - you write off that vulnerability as an acceptable risk. You apply some risk management, you can tell your boss it's not a big deal AND EXPLAIN WHY. By the same token, let's say the vulnerability scan found a remotely exploitable root/system level hole in all your internet facing web servers, which are tied to your database servers, which manage billions of dollars of other people's money - well, again, you have to assess the risk. Is this an acceptable risk to expose yourself to? If it is, then you have to explain it as such. This is business 101. You take a risk getting up every day just to go to work. If you want to take bigger risks, people usually demand some explanation; by the same token, if you want to dodge a risk, you need to explain yourself.
In short, the purpose of a vulnerability assessment is to find ALL the holes, not to make any determination about the risk those holes present. You need to have that information before you can do anything else. Now it's YOUR JOB to step up to the plate, and look at each of those holes and explain to your boss why they are acceptable risks to take or not.
If your management is too clueless to understand this process, you are screwed and there isn't anything you can do. The fact that you asked what you can do though means they are probably willing to listen.
The bottom line is that this is the way the process works. If your company didn't ask the security firm to do a risk assessment, then someone else has to do it. A vulnerability assessment can not tell you if a risk is acceptable or not, it's just going to tell you about the vulnerabilities.
Python
Run the same or other security scanners on some other big name companies' servers. You can then show your bosses that your company is not any different from company x and y, and that tends to calm down execs.
Sam has one liberty, which he sacrifices for one security. Can you tell me what Sam has now?
Yes, it's annoying to have your company pay an outsider to come into YOUR network and poke around. But you have to eat your pride and fix the problems. When your boss asks why all this stuff was 'insecure' to begin with, ask him why they hired the security company in the first place. They were hired to find holes; remind your boss they did their job and now it's time to do yours. Fix the problems. Yes, a lot of it may be busy work, but at least you can now show that every security hole found has been accounted for. If it's not accounted for, get your boss to sign off on why it was not changed and what mitigations you have in place to minimize exposure. It may be that NFS is the only possible way to solve a problem, but let them know that NFS is only accessible on the private switch interface of the host and not the public network interface. Busywork and politics suck, but if you don't play you will get burned whether you are a good tech or not.
I ran into this situation at the end of last year when we had to hire some people to do an external network audit as a requirement for a major credit card company. The company used nessus and Nikto and it proceeded to throw out all sorts of false positives. Like apache 2.0.34 warning for windows (we're running linux and 2.0.52+), wrong php versions (detecting 4.3.10 as 4.3.2), etc. It wasn't fun. We ended up having to rebut every false claim and send a notarized letter explaining these things and why they really aren't true/bad. I'm of the opinion that this should be the responsibility of the audit company to fix, not my company's responsibility to have to prove our innocence. We brought these false positives to the audit company and they wouldn't do anything about it. They just said not our problem and they wouldn't fix their software to not report the blatantly false positives. But I guess that's just part of business these days, with the sarbanes-oxley and other such audits being required by law. It's very frustrating, but it's here to stay I guess.
What you have been given is a list of your vulnerabilities.
Now it's your turn to do Threat Risk Analysis, or convince your company to fund it.
Once the TRA has been done, take it to management for their signoff. If they are not happy to sign off on the risks associated with your current IT stance, use the TRA to prioritize the mitigation of these risks.
Yes audits are a pain in the arse however any competent IT tech should be able to fashion the report into a tool for improving the IT infrastructure.
It is open source, but nobody seems to do QA on a lot of the modules. I remember looking at the registry keys which were being checked for a Windows Messenger vulnerability and the developer had got it right for Windows 2000 and XP but has basically guessed wrong for NT. It still isn't fixed to this day.
On top of the false positives it's also the scanner most likely to DoS random systems during the scan.
I'm not sure open source really applies any more either, there's some question as to Tenable networks claiming copyright over modules that have been submitted.
i've seen this bullshit. exec's get baffled by some salesman's bullshit and they bring in a "consultant" who does nothing more than run nmap on your firewall and say "OMG LOOK!!! 25 and 80 are vulnerable to attack i can see them!!! pay $$$$$$ for doing this!!!!"
If you mod me down, I will become more powerful than you can imagine....
I work for a very reputable company that provides network and application vulnerability assessments along with some other security related offerings. In the last few years I've seen a lot of companies pop up doing just what you describe. They charge a few thousand dollars, run a few automated tools, and provide an extremely large report that's basically just a big useless nessus dump with prettier formatting.
This sucks for my company because we charge quite a bit more, but also offer an extremely valuable service for that price. We perform detailed manual analysis in addition to automated scans and verify if there is a real threat associated with a finding. For each finding we provide detailed remediation guidance, which means we have to work closely with people like you who develop and maintain the systems. That's the only way an assessment can really be of any use.
So my guess is that your boss went with the bargain basement security consultants and that's why you're dealing with a steaming pile of crap. Your only recourse in this situation is to provide enough information to show your boss how shoddy this job really was. In the future perhaps you can provide input that might help in choosing a better security assessment firm, or determining if an assessment is really necessary.
you join them
mwahahahahaha!!!
Don't use 3rd party auditing agencies. Buy a better scanner than Nessus for use in-house. There are plenty out there. With a higher-end commercial vulnerability scanner, you are not just buying the scanning engine, but the research that goes into the vulnerability descriptions and solutions. There is a big difference in the amount of time you waste dealing with false positives and "solutions" that just parrot the vendor's original advisory without telling you what you need to know (e.g. is this patch going to break compatibility, etc.).
All products can do more or less the same kind of scans, but once you have seen the better products you will realize that using Nessus is often a false economy. Not to say Nessus is useless, but the money you save will often be wasted chasing down all of the bogus information. Plus, telling people to fix vulns which are false positives will undermine your credibility in the organization. Which means in the future, people will be less willing to take your word on security when it really matters.
Plus, most auditors these days (I'm talking about the big names as well as the little guys) tend to buy and use 2 or 3 different tools and just copy and paste the reports together in Microsoft Word. There's seldom any real additional analysis being performed by the auditors. Certainly no analysis with any technical depth to it.
Next, tell him that you need to migrate all the Windows users to MacOS because it's a more secure platform.
It seems a wonderful empire you could build - and have a wonderfully large impact at the company.
And anyway, what resume item looks better for you.
- Did a security audit; but realized that all the problems were minor.
Or.
The third party is being paid to spot holes. If they are worth the money they will do more than just a Nessus scan, i.e. they will look at how the vulnerability might be exploited, and what kind of impact an exploit could have.
Whatever they do, they will not have much info on the real impact on your company of any security breach, nor will they have any clue as to your company priorities. This can only come from inside your company. Some would call this "putting a spin" on the report, but in reality all you are doing is adding the extra columns to the report:
Likelihood of an exploit of this vulnerability
Impact of a successful exploit
Cost to fix
If you can't put numbers to these things then just say Low/Medium/High.
Undoubtedly there will be some things that really do need fixing, but for the low priority items maybe you can batch them together into a work packet and get budget or resource to tackle them properly. Better you guys do this and make sure there are no deleterious effects on live systems than some contractor is pulled in to do it blindly.
Then they would have to justify their methodology, to show how they are worthwhile. They would most definitely remain in business.
XML is like violence. If it doesn't solve the problem, use more.
Hire a better 3rd Party security company that delivers substance, and is willing to come in and show you how to fix anything it reports on.
In one case, I pointed out that the 'consultants' spelled server as "sever" on the bold title line on every page, hence how trustworthy is their report, we do not run "Microsoft Commerce Server" nor is it installed, deleting/removing the administrator login makes it hard to actually admin the server (yes we always rename the admin account and then put a 'dummy admin' account in place), turning off "http" port 80 makes it difficult to serve web pages, and there are many freebie utilities that could have done a much better job and saved us $25,000.
... 'nuff said.
Do not mock my vision of impractical footwear
keep modding this one up. it's a gem!
...and block the offending IP.
I've seen a few people offering security auditing and pay a stupid amount just to perform a nessus or other out of the box scanner. Even worse than false positives are exploits actually getting missed... Sort of leaves a lot of companies with a false sense of security... Handy though if contracted with a pentest after ;)
"I disapprove of what you say, but I will defend to the death your right to say it." - Voltaire
I'd like to get paid consulting fees to just run nessus a few times...hell, where can I sign up?
But then, I could also run it myself, and simply understand the FACT, that a "secure network" is a pipe dream....
sometimes, i wonder if i'm the only conservative on teh intarweb. ah well, back to mah hogs and warmongerin'....
Stop being lazy and just fix the problem. Grumbling to Slashdot in hopes of getting a collective pat on the back isn't going to help you. If you have security holes - fix them. If they aren't problems - explain that to management. Griping about how a 3rd party points out *YOUR* flaws is just gonna get you fired...
-My 2 bucks. [I'm rich biach]
Memo to the IT department: get off of your high horse! The only reason you are there is so that the rest of the company can do their job properly. Don't try to make yourself feel important by assuming that knowledge of IT is somehow *better* than knowledge of accounting, personnel or pretty much any other supportive department in a company. Yes, there are a lot of incompetent managers walking around, but this whole notion that IT specialists somehow approach deity status because they have mastered the black arts of adminning a number of boxes is ridiculous.
People replying to my sig annoy me. That's why I change it all the time.
At least once a month, someone opens a support request which contains a long laundry list of supposed problems with the server. The catch is that the server is usually completely up to date thanks to Red Hat's patching system, but the scans are too stupid to know.
These things connect to port 22, see an old version from the banner, and assume the worst. Few of them actually run on the server, so the simplest 'rpm -q openssh' is not an option.
People still spend money on this, and it's usually pointless. About the only good thing that comes from it is that a competent support team will log into the box to run 'up2date -l' to refute them, and at that point, anything which hasn't been applied yet (new kernel?) will be caught.
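The banner-based false positive described in the post above, and in the earlier post about a scanner reporting Apache 2.0.34 against a 2.0.52 server, worked through as an added Python example (not the commenters' code). The first half does what a remote scanner can do: parse the version out of a banner and compare it numerically, which is all it takes to avoid the "2.0.34 on a 2.0.52 box" mistake. The second half does what the post says a competent support team does instead of trusting the banner: compare the installed package's name-version-release against the vendor's fixed release, since Red Hat style backports fix the bug without touching the version the banner shows. The fixed upstream versions, the vendor release strings and the banners are all constructed placeholders, not real advisory data.

```python
import re
from typing import Optional, Tuple

# Constructed banners, as a network scanner sees them without logging in.
SAMPLE_BANNERS = [
    "SSH-2.0-OpenSSH_3.9p1",           # Red Hat style: version string stays put for years
    "Server: Apache/2.0.52 (Red Hat)",
    "Server: Apache/2.0.34 (Win32)",
]

# PLACEHOLDER reference data (not real advisories): first upstream version that
# carries the fix the scanner's check is looking for.
UPSTREAM_FIXED = {"OpenSSH": (4, 0), "Apache": (2, 0, 40)}

# PLACEHOLDER: package (version, release) in which the vendor backported the same
# fix without changing the version shown in the banner.
VENDOR_FIXED_RELEASE = {"openssh": ("3.9p1", "8.RHEL4.12")}

BANNER_RE = re.compile(r"(?P<product>OpenSSH|Apache)[_/](?P<version>\d+(?:\.\d+)*)(?:p\d+)?")


def parse_banner(banner: str) -> Optional[Tuple[str, Tuple[int, ...]]]:
    """Return (product, version tuple) or None if the banner is not one we understand."""
    m = BANNER_RE.search(banner)
    if not m:
        return None
    return m.group("product"), tuple(int(x) for x in m.group("version").split("."))


def triage_banner(banner: str) -> str:
    """What can honestly be concluded from the banner alone."""
    parsed = parse_banner(banner)
    if parsed is None:
        return "unrecognised"
    product, version = parsed
    # Tuple comparison is numeric: (2, 0, 52) >= (2, 0, 40), unlike a string compare.
    if version >= UPSTREAM_FIXED[product]:
        return "not-affected"
    # An old version string cannot distinguish "vulnerable" from "old but backported".
    return "confirm-locally"


def split_nvr(nvr: str) -> Tuple[str, str, str]:
    """'openssh-3.9p1-8.RHEL4.12' -> ('openssh', '3.9p1', '8.RHEL4.12'), rpm -q style."""
    name, version, release = nvr.rsplit("-", 2)
    return name, version, release


def _release_key(release: str):
    # Numeric segments compare as ints, the rest as strings, so 8.RHEL4.12 > 8.RHEL4.9.
    return tuple((0, int(p)) if p.isdigit() else (1, p) for p in release.split("."))


def local_check(installed_nvr: str) -> str:
    """The authenticated check the post describes: ask the package manager, not the banner."""
    name, version, release = split_nvr(installed_nvr)
    if name not in VENDOR_FIXED_RELEASE:
        return "no-vendor-data"
    fixed_version, fixed_release = VENDOR_FIXED_RELEASE[name]
    if version != fixed_version:
        return "different-version-stream"
    if _release_key(release) >= _release_key(fixed_release):
        return "fixed-backported"
    return "vulnerable-update-needed"


if __name__ == "__main__":
    for b in SAMPLE_BANNERS:
        print(f"{triage_banner(b):<16} {b}")
    # Constructed rpm -q output for the host behind the first banner.
    for pkg in ("openssh-3.9p1-8.RHEL4.12", "openssh-3.9p1-8.RHEL4.9"):
        print(f"{local_check(pkg):<24} {pkg}")
```

The scanner's "confirm-locally" verdict is the honest one for the SSH banner; the report the post complains about turns it into "vulnerable" and skips the second step, which is the only step that can actually tell the two cases apart.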
I don't see why the parent was marked as a troll.
You must be new here.
This is slashdot we're talking about here. moderators and editors with the intellectual capacity of cabbage.
Tell your boss to ignore these 'security expert' trolls and to simply hire a 12yo script kiddy who uses ubuntu or something. *duh*
the only permanence in existence, is the impermanence of existence.
"Of course, this should read "haven't had a single incident that we know about"."
Wow. Insulting the intelligence of someone you don't even know under the veil of anonymity. You must be proud of yourself.
"Not really. With Windows, you both have to know what you are doing, and have a budget for third-party tools to help (and with the tools, you don't really even need to know what you're doing). With Linux you just have to know what you're doing."
If you think that third party tools that cost money are required to protect Windows servers, then it's you who don't know what you're doing. Can you even give an example of a third party tool that is required to make a Windows server secure?
I don't always use unix-like operating systems; but when I do, I prefer FreeBSD.
Saying there is no such thing as a hole so obscure as to be meaningless is a bit disingenuous. Some holes are literally meaningless (More correctly stated, the risk of their exploitation is very low, the severity of any exploit is insignificant, and the methods of exploitation are involved).
Proper security analysis means analyzing the degree of likelihood of an exploit, the difficulty of the exploit, the cost incurred in setting up the exploit, the technical savvy required to conduct the exploit, the availability of tools to conduct the exploit automatically, and then assessing the impact of the exploit, the vulnerability of data or the system itself as a consequence of the exploit, and then moving on to examining the cost of dealing with the possible hole (ideally several options). This cost has to both cover hardware & software costs as well as personnel related costs associated with it and any business implications (service outages, etc). Also, of course, another part of the analysis is whether or not there is a business reason (and if so, if it is valid) for the loophole to exist.
In the end result, you have to weigh each exploit and say "Knowing the cost to fix it in terms of cash, time, service issues, and potentially reduced services, and knowing the likelihood of an exploit and the impact it would have, is it worth fixing?" All exploit potentials ARE NOT worth fixing. Not to a business, nor even necessarily to your government.
It depends a lot on what the exploit is. I worked with some top notch security people reviewing several Canadian wireless providers for a Canadian federal policing body. Were there potential exploits in the wireless systems? Sure there were.
The wireless guys built their networks with *network integrity* as their main constraint. Security they applied was related to keeping the network up and going, not protecting user data integrity. So there were holes they had to address before the policing agency would feel comfortable running data over them, even with encryption on the data.
There are more risks than just data loss in these situations - even bogus network access or denial of service can be a critical issue.
In the end, the policing agency and the providers sat down, went over the reports with the consultants, had the consultants elaborate some of the threats and help the provider's network engineers understand them, and then some negotiation was done about which exploitable points would be fixed, what the fixes would be, etc. Not all exploits were dealt with - some were deemed to be too hard, of too little impact, or of too great an expense to fix, even for this type of system. But the major ones of concern were, sometimes by things as banal as a reorg of how network service folks accessed their network. In the end, a reasonably secure result was obtained and things went ahead.
But this is how *real* security consultants work. They know their biz, they learn your biz, they see where your biz can be broken, and they help you understand how to fix things. They don't just provide you with a list of problems and flee. Of course, they send you a *real* bill too... !
-- Mal: "Well they tell you: never hit a man with a closed fist. But it is, on occasion, hilarious."
disconnect your boss from the network and tell him the holes are fixed. when he complains, plug him back in, but advise him that the network is insecure.
High horse?
IT takes abuse that accounting, HR, marketing, etc would NEVER accept. Just this morning I had some douchebag POUND on the door to the storage room I work in, get in my face and DEMAND that I fix a problem with a laptop I'd worked on last week. The fact that the problem wasn't one I could do anything about didn't make the slightest bit of difference; when I gave him the name of the person he would need to talk to, he looked at me like I'd shot his dog. I asked him if there was something else I could help him with, and he proceeded to shut the door in my face while ranting about how I hadn't done anything to help him. He then went and complained about me to my boss's boss's boss's boss (I wish I were exaggerating.) If I'd been in marketing, he'd have been escorted out of the building by security. But since I work in IT, there will be no consequences for an action that meets the legal definition of assault.
If you went to accounting and said "Pay all our payables but don't spend any money" they'd laugh until they figured out you were serious, and then they'd quit. If you went to HR and said "Hire us some world class employees, but don't interview anyone" they'd do the same. If you went to marketing and said "Get our name out there but don't use any advertising", same result.
Yet people regularly go to IT and say "Fix this problem, but don't do anything that would affect anyone in any way". IT is no more or less important than other departments, but it gets far far less respect in most companies, because the average employee's knowledge of IT matters is far lower than the average employee's knowledge of, say, accounting. The perception is, "I don't understand it, so it can't be important" and thus we get the problems we're discussing.
I'd get off my high horse if I could get said horse and myself out of the trench that the executives have dug for us. Equal treatment would be welcome; we might even be able to fix some of the things you've broken.
Never underestimate the power of stupid people in large groups.
Yep, that's true. Executives make life difficult for all departments by trying to micro-manage things they don't understand, not just IT.
If it is being detected by a "well known open source" security mapping package, then I would fix any "obscure" hole it finds. If the tool is well known, and detects the hole, then you can bet your ass that all the black hats with that scanner are going to find your obscure hole.
-William
God is everything science has yet to explain.
Hey! That's not nice.
Cabbage doesn't deserve being described like that.
I can tell you that it's not the job of an auditor or "security tester" to regurgitate Nessus reports. In fact, it's downright unethical if that's what really happened here. We're being paid for our expertise and our advice, not on how well we click the "Scan" button.
Check out my eclectic infosec blog at InfoSecPotpou
Seems your opinion is not regarded as highly by your employer as some anonymous 3rd party contractor who has been tasked with a part of your job.
I don't see how you are in any position to complain, or do anything except what you are told to do, the last way you're told to do it.
If you're so smart and experienced and skillful, why is someone else in charge of you?
Do what the bastard operator from hell would do - unplug the switch that the security eggspert is plugged into and go to lunch.
If he tries to break into the wiring closet, have him severely beaten by PHYSICAL security guards and thrown out for trying to compromise and possibly expose your WIRED network to external attacks via 802.11b. (have a wireless router or an access point planted in his enormous laptop bag for that no-further questions needed factor...helps if the brand matches his wireless pcmcia card)
Seriously, they should not be plugging their own equipment into your network. If they lose that laptop, all your internal secrets will be exposed and may end up posted on the web.
Work with the consultant every step of the way - give them a pc, install their scanning software, etc. Don't let them use pirated or downloaded from the web scanning tools - it may contain a keystroke logger or some other nasty trojan.
How do you handle these 3rd-party security people who make mountains out of every molehill?
I am currently dealing with this. I work in a very small IT shop (by small I mean me) in a not so small company (100+ million $ in revenue). We also have MIS, but they are just users in the network context. We recently were blessed with a new COO who very much wants to control all departments... can you say burnout in progress. Anyway, he wanted to get a third party audit. We (MIS who has control of me) turned it into a major project and accepted proposals from many companies (this burned a lot of hours). Then when a vendor was selected I took the audit report and thoroughly documented each hole and its risk to us, the amount of work and risk caused by fixing it, as well as the cost. Then, when that was done, I prepared a cost-benefit analysis of the various actions. My goal was to teach them a lesson. Instead, I learned one, because my documentation was able to show them the complexity of the network I work with and the technology which we take for granted. They agreed to hire me a technician. Also, they allowed me to decide what in the security was worthwhile to address and source out a chunk of it as a project. The lesson is, use this to your advantage. How many times do you feel excluded from decisions because it is "a business matter"? I do frequently. This showed them that I understood my job from the point of view of adding value to the organization and that is very important in business. In short, as my subject read, mountains are nothing; make it into a mountain range. Once they see it and they see you willing to conquer it for them, you all win.
"How do you handle these 3rd-party security people who make mountains out of every molehill?"
Easy. Cattle-prod.
Sendmail is like emacs: A nice operating system, but missing an editor and a MTA.
Here's the real thing!
http://bofh.ntk.net/Bastard_1995.html
I worked at a company a couple years ago that had some "security experts" come in and run scans. They ended up totally screwing up a bunch of in house applications. Being the lead System Administrator I got in a meeting with these guys and started grilling them on security (they were using a tool that used nmap and hey I know nmap ;). So I started drilling them and it turned out they knew nothing. So I kept hitting em and hitting em (verbally) till management had to pull me off em. I think the company I was working for at the time ended up suing them ;)
Did you know that when you google LazloToth the first return is slashdot?
The poster obviously is not in the position to `get a new consultant'. His problem is how he can hit his management with the clue stick.
Let me tell you a story that happened just a few weeks ago: I'm the CEO of a consulting company that does quite some security work. We were brought into the following situation: A customer of an outsourcer got an 'independent' security audit by HP. The HP folks took the (actually very good) CIS benchmarks and demanded that each and every item of that benchmark is followed to the letter. As part of that, they demanded that the NFS and Samba servers are turned off.
There's just one small problem -- the actual service the outsourcer was providing to the customer is -- tada! -- file service over NFS and CIFS! The outsourcer pointed this out to their customer's management. That management is a bunch of morons and just told them back: But this is a security audit of HP, they know their thing! So they had to bring us in, to give their opinion 'management cloud' by creating pretty PPTs.
Even though we earned quite some money on that job; I would have preferred to work on really improving the security, in particular the processes, instead of fencing unprofessional HP security 'consultants' and idiotic management PHBs.
Joachim
People don't write Manifestos any more -- what's going on in this world? [Frank Zappa]
How about this....
During a large project where I work, we discovered that the product the college bought, at that time, was still using unsecured telnet (in the year 2001 and I ain't kidding!). We had not gone live yet and mentioned that as well as very poor performance on the hardware recommended by the company. Of course now they have released some patches that mitigate this, but they tell me I have to redeploy about 1,000-1,500 clients in order to implement the fix.....this in the MIDDLE of rollout. We mentioned many times that we did NOT like this and said it was unsecured many many times. It's not a product that would have been chosen if the decision was left up to us (it wasn't....it was left up to a committee...). So now we have an audit coming. We KNOW this is going to show up unless we rush implementation of security out so I start investigating what is needed. I come to find out that the client roll out is not needed even though support had told me 2-3 times that I had to do the client upgrade. In the meantime, I am highly pissed about the whole deal. Even WITH the "security fix", the product STILL requires the use of ftp for a portion of it plus it also requires a DB config that, by its nature, is unsecured. ALSO, during activities like data refreshes, the encryption must be DISABLED! I would LOVE to get rid of this product but my superiors would never allow it plus it would cost MILLIONS to do anything with any other product. I say millions even though the software would not cost anywhere near that.....millions because of the man hours that would have to be put in to install the new product as well as convert data from the old to new and maybe even hardware upgrades or additional equipment may be needed...this is why I would say millions. We NOTIFIED our superiors that the product was an unsecured piece of crap that could not be secured easily but no one listened.
Our users ASKED us to create generic signons for actual users because it would be too time consuming to fill out complete paperwork on temporary users. The product also has many other requirements that require some very bad unsecured setups. When we have blown the whistle loudly and not even the President refused payment of these idiots, how can I be held accountable? It's been reported I don't know how many times but no one listens. Where do you go when your leadership won't listen??? Granted, we will now have the connections secured before the audit, but when will people listen to the people that they pay to do this kind of thing? My only hope is they don't have the money for a GOOD company and they get a mediocre one. My only other hope is that they FINALLY see how much of a piece of crap the software they purchased really is.
Gorkman
As one of these cursed external security consultants myself, it sounds to me as if your provider hasn't quite got their approach right.
External security assessments should be performed with a risk focus. Sure, they may be done using a fairly standard set of tools, but the value the consultant adds should come from their business knowledge and risk focus.
Our standard approach involves:
- agreement on scope with both business and IT sides of the organisation
- performance of testing (nmap, nessus, and the other tools in our quiver)
- analysis of results; identification of real issues, not just a dump of all issues identified by the tools
- identification of risk associated with each issue
- discussion of findings with IT side of business, attempting to get agreement on each issue and associated risk
- presentation of draft report to the business
- obtain responses from business and IT sides of the organisation and incorporate into a final report
The report will never be delivered to the business without the IT side being made aware of the issues - good or bad. And the report will most definitely not be a simple cut-and-paste from the output of whatever tools we used to perform the testing.
Treat the external provider as a link between yourself and your management. This is your chance to let another party communicate your problems to management, use it! Do not look at the report as being a laundry list of problems that you will be blamed for, but as a means by which you can have real problems identified and obtain the budget to improve security of your environment.
Do NOT let the external assessor overexaggerate the risk associated with the issues raised. If you disagree let them, your management, and the business-side know immediately. Do not just sit there and quietly take it.
If the executives do not trust you to have some form of input into the risk assessment, identification of mitigating factors, and decision of the way forward, then I would suggest that this is indicative of a deeper problem than just this.
And just as an aside, unfortunately the current reporting format used by a lot of security assessors is only exception-based; we don't really have space to say "yes you are doing this really well". Something I'm looking to change in the future, at least within our organisation.
Disclaimer: I work for Amenaza Technologies (creators of SecurITree). However, I don't stand to gain anything from this post, and I truly do feel strongly that this is a good product.
SecurITree is a program that allows analysts to model threats to any assets, including (but not limited to) computers and communication infrastructures. Through using threat trees, (also known as attack trees), an analyst can combine the results of third party or in-house vulnerability assessments, and determine the potential threat to the organization. By modelling the actual architecture of the system(s), an analyst can make a detailed, yet easy to read model. This can then be shown to management, who can then decide for themselves if the ROI to fix the problems is justified or not. All assumptions are clearly stated, and 'what if' scenarios are easy to perform.
You can look at much more detailed information (and request a free demo) by visiting http://www.amenaza.com/. Hopefully this helps!
Wyatt
This poster's simply playing the victim.
So why was the audit asked for in the first place and why did you not have at least a modicum of management control over the process? You should have gone in, hand in hand with management and looked at the result in unison, not being subjected to it - in the spirit of learning, not generating fault. Clearly, this audit was set up to generate fault, whether through management caprice or someone reading that it was a trendy thing to do.
My opinion is that you screwed up by permitting yourself to prostrate yourself to this white-hat audit without being part of the process and making yourself a beneficial part of the results; not a victim.
Not in the notion of the "not my fault" notion of management, but in terms of engaging the organization in demanding beneficial analysis and results, and working with them to improve your processes.
Being dive-bombed by a 3rd party means your management has a poor view of your organization or at least, you are communicating poorly with them.
Stop being a victim. Get your ass in gear.
A shovel, a bag of lime and some carpet.
I'm me. I think.
Rather than bitching about it, look at fixing the problems via one of the best tools on the market:
Retina Security Scanner: www.eeye.com
There is a demo available that can apply patches and registry fixes remotely. If you're serious about it, purchasing a copy of Retina is very easy and ROI is tremendous -- especially via their free updates.
Artificial intelligence is no match for natural stupidity.
Frankly, while the consultants we have coming in are expensive, they are very knowledgeable people who keep things simple and uncomplicated.
I find that they are the ones keeping our more enthusiastic employees in check with a little "shut the hell up".
--"It's Bradford Company, slash your last name, dot your first name"
If the "hole" is something like "imap can be insecure unless properly configured, in which case it can be quite secure", then show how your implementation is secure, and any example exploits fail on your systems.... Otherwise, fix 'em!
The choice between smoothly-running vs secure is for management to make... to an extent. I'd expect mgmt to choose easy, and techies to choose secure. In this case, it sounds like it's the other way around.
Personally, I'd rather take grief from users about "But I used to be able to do 'X' without any hassle" than deal with security holes... especially when you can answer "It's a management decision - out of my hands. Your boss wants it that way".
Sounds like a dream job
Author, Shell Scripting : Expert Re
Your basic risk analysis takes a look at all of the vulnerabilities on the system. For each one, you list the following:
- the likelihood of that vulnerability being realized
- the impact if that vulnerability were realized
- any mitigation that has been done to reduce the chance of it being fully realized and exploited.
Of course, management likes numbers, so you rank each item from 1 to 10 (or 1 to 100, or whatever), using whatever scale you want (so long as you're consistent in your rankings for all of the items). Then, you use the secret formula: For the top 10 items (or however many you feel like), you come up with some rough estimates on how much it would cost to fix or reduce the impact, or otherwise mitigate each of the problems. Note: Some people will say that the 'impact' should be a dollar amount to signify the damages done to the company... but it's impossible. How much is a human life worth? Is it worth more than the company losing millions of dollars in sales? How does it compare to the loss of reputation if your clients found out about whatever it was?
Example: There is a real vulnerability that you may have an electrical fire. The threat of it happening however, tends to be very low, if the building inspectors did their job. The impact, if this happened on a weekend could result in the lost of the entire building. Countermeasures include fire extinguishers, sprinklers, temperature alarms, off site backups, redundant servers, etc. You can never get rid of the vulnerability, because there is always a chance of that fire happening.
Example 2: There is a possibility of all of the system administrators quitting, leaving you with no operations staff. This can be mitigated by treating them with respect, not forcing them to wear ties to work, and paying them better.
Use this to your advantage. Don't fight the report, done by someone who knows enough to schmooze the boss, and get paid many thousands of dollars to click a 'run' button. Use it to get rid of those nagging little things that have been bothering you, that you've never been given a chance to sit down and fix.
Build it, and they will come^Hplain.
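The ranking worksheet described in the post above (score likelihood and impact, note existing mitigation, then estimate cost only for the top items) and the cost-versus-risk weighing from the earlier comment on proper security analysis, worked through as an added Python example that is not from any poster in this thread; the findings, scores and costs are constructed for illustration.

```python
"""Risk-ranking worksheet for assessment findings (added example, not from the thread).

Score likelihood and impact on a 1-10 scale, record what mitigation is already in
place and any business reason for the exposure, rank by residual risk, then size
the cost to fix only for the top items and express each as risk removed per unit
of cost. Findings, scores and costs below are constructed; the scale is arbitrary
but must be applied consistently across all items.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class Finding:
    name: str
    likelihood: int            # 1 = rare .. 10 = near certain
    impact: int                # 1 = nuisance .. 10 = loss of the business
    mitigation: float = 0.0    # fraction of exposure removed by existing countermeasures
    fix_cost: Optional[float] = None   # rough estimate in one consistent unit (dollars here); None = not sized yet
    business_reason: str = ""  # why the exposure exists, if there is a reason

    def __post_init__(self) -> None:
        if not (1 <= self.likelihood <= 10 and 1 <= self.impact <= 10):
            raise ValueError(f"{self.name}: likelihood and impact must be 1..10")
        if not 0.0 <= self.mitigation <= 1.0:
            raise ValueError(f"{self.name}: mitigation must be between 0 and 1")

    @property
    def raw_risk(self) -> float:
        return float(self.likelihood * self.impact)   # 1..100 before mitigation

    @property
    def residual_risk(self) -> float:
        return self.raw_risk * (1.0 - self.mitigation)


def rank(findings: List[Finding]) -> List[Finding]:
    """Highest residual risk first; ties broken by raw risk so the order is stable."""
    return sorted(findings, key=lambda f: (f.residual_risk, f.raw_risk), reverse=True)


def cost_benefit(findings: List[Finding], top_n: int) -> List[Tuple[str, float, Optional[float], Optional[float]]]:
    """For the top N findings return (name, residual risk, cost, risk removed per unit cost).

    A cost of None means nobody has sized it yet, so the ratio is None as well and the
    row is listed last so the gap is visible. A cost of zero (a pure config change)
    gets an infinite ratio and sorts to the front.
    """
    rows = []
    for f in rank(findings)[:top_n]:
        if f.fix_cost is None:
            ratio = None
        elif f.fix_cost == 0:
            ratio = float("inf")
        else:
            ratio = f.residual_risk / f.fix_cost
        rows.append((f.name, f.residual_risk, f.fix_cost, ratio))
    rows.sort(key=lambda r: (r[3] is None, -(r[3] if r[3] is not None else 0.0)))
    return rows


# Constructed findings, loosely modelled on the examples given in the thread.
FINDINGS = [
    Finding("Electrical fire in server room", 1, 10, mitigation=0.7,
            business_reason="cannot be eliminated; sprinklers, alarms and off-site backups in place"),
    Finding("All sysadmins quit at once", 3, 8, mitigation=0.3, fix_cost=20000.0),
    Finding("ftpd on ftp1", 6, 5, mitigation=0.5, fix_cost=4000.0,
            business_reason="ftp1 is the customer file service; limited to a separate network segment"),
    Finding("Unneeded services listening on 12 servers", 5, 4, fix_cost=400.0),
    Finding("Banner shows OS version", 2, 2, fix_cost=0.0),
]


if __name__ == "__main__":
    print("Ranked by residual risk:")
    for f in rank(FINDINGS):
        print(f"  {f.residual_risk:5.1f}  {f.name}  ({f.business_reason or 'no business reason recorded'})")
    print("\nTop items by risk removed per unit cost:")
    for name, residual, cost, ratio in cost_benefit(FINDINGS, top_n=5):
        shown = "estimate needed" if ratio is None else f"{ratio:.5f}"
        print(f"  {shown:>16}  cost={cost}  residual={residual:.1f}  {name}")
```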
I'm one of those people who does 3rd party security audits. Having been in the position of the 1st party before I always make sure the report doesn't include all the junk that the poster is complaining about. I provide any gaping holes that should be addressed on the first 2 pages, then put all the wishy-washy junk at the end with a notice that it's not important. Any good security auditor would do the same.
Just be sure who ends up looking like the ass....
"Where quality is like a dead stinking rat - you just can't miss it."
I work in a tightly regulated non-profit industry and management is required to host periodic 3rd-party assessments of IT. So no matter what executive management thinks of me - - and they've always treated me well - - I have to be subjected to this, at varying levels of intensity, at least annually. This year, it will happen three times. I'm not sure why. Possibly because we have a rather aggressive new crop of execs.
It's only funny until someone gets hurt. Then, it's hilarious.
Having been through this numerous times I have to say it sounds like you got yourself into this mess. By not explaining what "deliverables" you wanted from the consultant you set yourself up.
If you said "give me a report card" and that's what you got then you have a serious problem.
Tell the consultant what you want the report to look like. Tell him that all results should be placed in context to a) risk; b) ease of attack and c) likelihood of attack. Tell them that you want a concrete list of what to do and when to do it. If he can't do that then his firm needs someone else to write the final report.
You should also have been sitting sidecar during the whole VA so you could help them understand the risks and your environment. Most of the time it makes their VA more accurate because you can point out where you know you are weak and they give you credit for at least being aware of your shortcomings. You've got to tell them what they don't know. If you don't help them contextualize their results then they have to cover their a** and spit out the raw data.
Finally, you should meet with the consultants to view the draft of the report so you get a heads up and they get to polish the deliverable.
What do you really want out of the VA? The VA is a tool to help you determine where to focus your limited resources. It is not a report card.
Your risk management VP sounds like a complete moron. If you don't understand at least the basics of something, you shouldn't be managing it.
;-)
Anyone with common sense (and after some explaining from their sysadmin if you're a clueless n00b) can see through scare mongering. Seeing as your VP can't he obviously doesn't have common sense.
Just explain it to him in a calm, reasonable manner. If he still bitches, tell him what you need to fix every little "vulnerability" and what the effects will be for the company. That way he has to OK anything and it's not your problem anymore. Shit can also go upstream if you learn how
Honestly the best thing you can probably do in a situation like this is to make sure the suits know the score going in. Explain to them that a security audit is just like a financial audit: the auditors aren't leaving until they find something wrong. They have to have something for their report.
I've been on both sides of this.
Item one: hire a better security company/consultant. A good consultant will sit down with you and your PHBs and go over the results, classify them, and help you decide on what needs remediation and how to go about it.
Item two: *write* your response to the findings. The PHBs have meetings, they talk to one another: they need something in front of them to talk about. "Frank says it's ok, really" doesn't cut it.
But classic clueless security company:
Report: Server is running ftpd. This may be a vulnerability. If you do not need this service you may wish to disable it by [...].
Response: Server is called "ftp1". There's a reason for this.
Some companies can't even be bothered to actually take a look at the environment. On the other hand, they make us look really, really good.
Before the results are sent up, schedule to meet with the audit team and go over all findings to classify them, (things like: false positive, mitigated by architecture, low risk, medium risk, etc). Fight tooth and nail to get those stupid findings removed from the short list that goes to the boss.
I do security
I have been called to account for results of various scanning tools. First of all, I suggest taking a deep breath to calm down.
When I have worked with this type of "vulnerability report", I've considered it understood to add 'possible' to the title.
For instance, one of the scanners would report a piece of middleware which was used in the organization as w3-msql (the moral equivalent of php+mysql in the late 90's). It should be fairly easy to go down the results for an individual server, item-by-item and pick out which ones aren't sane.
Share those results with the security consultant. Ideally, you will be working with them, and your response will be included in any report (possibly by simply removing obvious false positives). After all, you're the expert on your own network. They're just poking around to see if anything looks amiss.
Their reaction to the false positive report may also help you gauge how to deal with them. For instance, if they insist that a false-positive is actually a problem, you will need to get solid facts together to demonstrate them as being wrong. When you lay out the facts, turn the emotions down as much as possible. If you look defensive and emotional, management will think you might be the problem.
The second pass is vulnerabilities that you wanted to fix, but were prevented from fixing, whether it be by a vendor, app support team, or management. Ideally, you will give the other party a heads up to let them know their item has been identified in a security assessment to give them a chance to respond, too. It's entirely possible that the same guy who hired the security consultants who found the 'hole' pressured another team to put it there to begin with.
Third pass is low-hanging fruit. The stuff you can write a script to fix across the board on your servers. For instance, unneeded services listening? Take a few minutes to write an update script with perl or sed to turn them off.
Then, you put together a work estimate on how much time and effort will be required to fix the rest. Need low-priority local OS patches? Report the time it will take to do the work, then put together some good interview questions for the guy who will be working alongside you on the project!
Once management has identified security as a priority, it's in your interest to put together a process (signed off on by management). That way, when this kind of thing comes in the future, they will have been involved in the decisions.
This also applies when they have a hot project that takes precedence over security fixes. If your new process states that low-priority local vulnerabilities should be fixed in 30 days, for instance, and a project will push it to 45, you simply ask them to decide between the competing projects. Once you get the sign-off, you're set.
If you handle this correctly, it can be to your advantage, since management will have a bit more of a view into what sort of demands you face on your job. And, if they feel that you've handled the problem effectively, addressing their concerns rather than brushing them under the rug, that earns bonus points.
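The multi-pass triage in the post above (false positives first, then items someone else blocks you from fixing, then scriptable low-hanging fruit, then what is left to size) together with the earlier suggestion to classify findings as false positive, mitigated by architecture, or by risk level, as an added Python example that is not from any poster here; the scanner report format, host names and site context are constructed, not the output of any real scanner.

```python
"""Triage of a vulnerability-scan dump before it goes upstairs (added example).

Sorts raw scanner findings into the buckets the thread recommends, using the one
thing the scanner cannot know: the in-house admin's knowledge of the environment.
The report lines and site context are constructed for illustration.
"""
import re
from collections import defaultdict

# Constructed scanner output, one finding per line: host|port|service|severity|title
SCAN_REPORT = """\
ftp1|21|ftp|Medium|FTP server detected; consider disabling if not required
db2|19|chargen|Low|chargen service enabled
db2|79|finger|Low|finger service enabled
www3|80|http|High|w3-msql CGI detected
sis-app1|23|telnet|High|Telnet service allows cleartext credentials
fs1|135|epmap|Medium|Windows RPC endpoint mapper reachable
build1|22|ssh|Medium|OpenSSH version may be outdated
"""

# Constructed site knowledge: the part only the person who runs the network can supply.
SITE_CONTEXT = {
    "scan_scope": "internal",
    # Findings confirmed wrong after hand inspection of the host.
    "false_positives": {("www3", "w3-msql CGI detected")},
    # Services that exist on purpose, with the documented reason (see "ftp1" above).
    "business_justified": {("ftp1", 21): "ftp1 is the customer file-drop service"},
    # Things you wanted to fix but another party owns the blocker; they get a heads-up.
    "blocked": {("sis-app1", 23): "vendor application requires telnet until its next patch"},
    # Services that can be switched off everywhere with one config-management script.
    "scriptable_services": {"chargen", "finger", "echo", "daytime"},
    # Titles that are normal noise for a given scan scope.
    "normal_for_scope": {"internal": {"Windows RPC endpoint mapper reachable"}},
}

LINE_RE = re.compile(
    r"^(?P<host>[^|]+)\|(?P<port>\d+)\|(?P<service>[^|]+)\|(?P<severity>[^|]+)\|(?P<title>.+)$"
)


def parse_report(text):
    """Parse the constructed report format; malformed lines are skipped, not fatal."""
    findings = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        d = m.groupdict()
        d["port"] = int(d["port"])
        findings.append(d)
    return findings


def classify(f, ctx):
    """Return (bucket, note) for one finding; the first matching pass wins."""
    key = (f["host"], f["port"])
    if (f["host"], f["title"]) in ctx["false_positives"]:
        return "false_positive", "confirmed absent on host by hand inspection"
    if f["title"] in ctx["normal_for_scope"].get(ctx["scan_scope"], set()):
        return "normal_for_scope", f"expected on an {ctx['scan_scope']} scan"
    if key in ctx["business_justified"]:
        return "business_justified", ctx["business_justified"][key]
    if key in ctx["blocked"]:
        return "blocked", ctx["blocked"][key]
    if f["service"] in ctx["scriptable_services"]:
        return "low_hanging_fruit", "disable via config-management script"
    return "needs_estimate", "remaining work to be sized"


def triage(text, ctx):
    """Group parsed findings by bucket, preserving report order inside each bucket."""
    buckets = defaultdict(list)
    for f in parse_report(text):
        bucket, note = classify(f, ctx)
        buckets[bucket].append({**f, "note": note})
    return dict(buckets)


def short_list(buckets):
    """What actually goes to management: blocked items and work still to be sized."""
    return [f for bucket in ("blocked", "needs_estimate") for f in buckets.get(bucket, [])]


if __name__ == "__main__":
    result = triage(SCAN_REPORT, SITE_CONTEXT)
    for bucket, items in result.items():
        print(f"== {bucket} ({len(items)})")
        for f in items:
            print(f"   {f['host']}:{f['port']} {f['title']} -- {f['note']}")
    print("== short list for management:", [f["host"] for f in short_list(result)])
```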
...Is what a lot of security auditor guys are basically saying. In all honesty, it helps to be up to date on the subject of security itself so you can counter any exaggerations. It REALLY helps if you find vulnerabilities in the machines they use to do the scan. Most do. You'll look smart, they'll look like cheats. (assuming you run snort and know your toolz)
Obscure and not worth fixing? What exactly? I'm a security professional and hear this all the time, to things I mark "high risk". Things that the industry considers "high risk". When admins or developers get called on it, this is the typical reaction. In security, it's the corner-case that will kill you! The more obscure the better in my book. HTTP response splitting - drool.
Any schmuck (well, let me rephrase that, any schmuck who can run a Linux box or who can buy NeWT from Tenable) can run a Nessus scan - and, as you've seen, get a lot of meaningless output as well.
Nessus is definitely nowhere near perfect - for one thing, a lot of the plugins tend to yell about things that may matter if you're doing an external scan, but are perfectly normal on an internal scan. (Like, for example, port 135 being accessible on a Windows box).
The value a consultant should provide is going through that output, checking for false positives, doing hand inspection of some results, then calling out the ones that really matter. I'm in the documentation phase of an assessment for a major law firm right now, and, although I'll provide them scan output with the final document, I won't talk from it or even print it out - the important stuff will be in MY document, spelled out in understandable terms, and ordered according to level of risk versus remediation effort.
Tell your boss that any security consultant that hasn't done that hasn't done anything worth a damn.
This, actually, was a Dilbert cartoon... Dogbert was saying: "I like to con, and I like to insult. I'll be a CONSULTANT!"
In Soviet Washington the swamp drains you.
If they just handed you a report from Nessus and a bill
. . . then they are quite similar to most of the fly-by-night security companies in existence today.
They really are a plague. Typically a small number of university students, or recent graduates, trying their hand at "start-up dotcom". There are two or three guys who know linux, a little about cisco routers, maybe had a course where they learned about Nessus. There will be fast talking marketing and sales slime involved as well. They are all very young and inexperienced, none of them will have spent any time in a large company with a complex IT infrastructure. Their M.O. will be to approach a company with the output of a Nessus scan of the firewall and web servers, showing a whole bunch of false problems, and try to get a security audit contract out of it.
if you're looking for someone to do a security assessment or pen testing
These external audit companies don't sit around waiting for an IT group to give them a call, because they'd never get one. They will not approach the head of IT, but a sales or a CEO level person with nary a clue. They leverage their way in from the initial external scan of the firewall and web servers. They get permission to run an internal scan, then hand over an unedited Nessus report, hundreds of pages long with their invoice.
The term over here is Cowboys. They ride into town unannounced, pretend to save the day, and ride into the sunset after claiming their reward, never to be seen again. Their victims, of course, are the struggling IT departments like the OP, who have done what they can with their limited budget, and suddenly have to answer to a mostly worthless Nessus report.
the AC
Hemos is like...sci-fi fans;he thinks technology is cool, but he hasn't bothered to understand the science it's based on
"...to fix every item cited - - many of which were false positives or completely out of context - - would be next to impossible for our small IT staff..."
I totally agree, being asked to fix every little security hole in your company's firewall is totally reasonable.
Er, by the way, what's your company's URL, anyway...?
As a security professional it's frustrating to see companies choose my competitors because they are cheaper without realizing how worthless they are. Guess what, if you skimp on a pentest, all you are gonna get is a nessus scan with a cover page. If you actually get a company that knows what they are doing, then you are paying not only for the scans and the activities, but for the knowledge and effort to weed out the false positives and to *verify* the results.
Guess what folks, a nessus scan is *not* a penetration test. It's a vulnerability scan. A penetration test is executed by consultants, not automated by generic tools. Sure, they will use those tools, but they will also use their own understanding of information systems, they will also gain an understanding of the overall picture and they will also be useful experiences and reports! If you really paid top dollar for what you described, you got screwed, shop for a different pentesting vendor.
e.g. 2 days >> 8 weeks
John McAfee 'It was like that time I hired that Bangkok prostitute; to do my taxes, while I fucked my accountant'
Specialists like Jay Beale, Ed Skoudis and Mike Poor. My firm meets with them for a security audit once a year every January. It takes them a few days to audit our systems and they report to us with a draft and final report. We usually have everything buttoned down by the time the final report arrives.
To avoid corruption, one must remain dishonest.
There are two main sources of value that come out of a pentest: the experience of the test, and the report.
The experience should help you answer the following questions:
- Were my controls effective at detecting and/or thwarting the attacks?
- How well did my staff respond to the test?
- At what point will I notice malicious activity?
- Are my current logging and review procedures effective at recording all necessary information and identifying the attacks?
- Is my staff capable of responding to intrusion attempts?
- Is my incident response plan effective?
- Where should I invest more in training?
- Are my IDS and firewall operating as designed?
- Do I fully understand my network and internet presence?
- Where should I focus my future IT audit efforts? Was anything identified as a result of the testing that needs to be included in future audit coverage?
And the report should help you answer the following:
- What testing was performed?
- What were the results of those tests?
- What do those results mean?
- How do those results impact your business?
- What do the problems that have been pointed out mean?
- What is the potential impact of items that have been identified?
- Has any of the conjectured impact been verified?
- What level of compromise of data or control of resources was obtained?
- What is the amount of effort, knowledge, and access needed to perpetrate the things your test says are possible?
- What do you need to do to fix the problem, or how can you control the problem in a way that fits into your business?
The more of these questions that the pentest can answer for you, the more valuable, and the more expensive, that test will be.
How do you handle these 3rd-party security people who make mountains out of every molehill?"
"Well," said I, "Tell me... exactly how much did you pay for this report?"
"What's that got to do with anything?!" the PHB said.
"You see, if you paid more than $1,000USD for it, well, the way I see it, the people have to find something to make you feel as if you got your money's worth. These "holes" and such are nothing more than just how a system works, you see. And the tools they used to do the report are all free tools that we could have used ourselves had you given us the time to do it." sezs I.
"You're just covering your incompetent backside!" growled the PHB.
"As for being incompetent, well, I'll take just a slight bit of umbrage at that. After all, when is the last time we fell down on the job for you? When were we hacked last, and the time before that? And how long did it take to recover?
"You see," I continue, "the problem here is that we simply cannot afford perfect security. Our staff would be four times larger, our ability to do things would be less than 10% of what we do now, and all for something that hardly ever happens. Now, I admit, there are some things we have to protect without fail, but we cannot protect everything without fail all the time, in all ways. We know what it is you need done, we know what limits you'll accept, and we work in those bounds to keep the plates spinning and the systems humming, and we plan for the times when our security will fail so that we can recover quickly."
"Well, these guys say you are falling down on the job! What about that!!!?" howls the PHB.
"Well, now, boss man, it's like this. When was the last time you turned on a news report and they said "Everything's fine, turn off the news and go back to your life."? Never, I'll bet. You see, security audits and news are a lot alike. There's more money in gloom and doom than ever there was in green fields and times of plenty. Jeffe, if these guys were so good, they'd be mewed up in some large corporate lab and would never, ever be allowed to speak with anyone, lest they violate some clause of their NDAs. God like security people simply DO NOT work freelance. Never. Any tyro can look at a masterpiece and see flaws, but a true Master can see past surface blemishes and capture the work of art. Now, I admit, there are lots of things I'd like to do if we had time, but, we have to keep the money flowing, the systems humming, and the work going. We simply cannot stop the whole company to fix things that are minor or very tough to crack instead of impossible. But I tell you what. Why don't you allow us 4 hours per person a week to work on the top priorities that report shows, and we'll crack that out."
"FOUR HOURS!! EVERY WEEK!!! FOR EVERY I.T. GUY!!!? ARE YOU NUTS!!! DO YOU THINK I AM!!!?" shrieked the PHB.
"Well, Sahbib, that's why we haven't already been jumping on those issues. I didn't feel you'd support the manpower cost, and let us put aside our current projects to address, what is after all, some minor problems. But we work for you, and if you want it done, by golly kingmosabe, we'll jump after it!" I exclaimed, almost saluting.
"Well, four hours a week is out of the question. I simply won't permit it!" bellows the big guy.
"Bigguy, we'll do the best we can with two hours a week..." I trail off...
"NO WAY. You slackers get no more than ONE man, ONE hour a week!"
"Well, your gold, we'll do the best we can." I sez.
"See that you do. Now get out of here and go do whatever it is I pay you to do." the PHB says, punctuating his dismissal with a disdainful sniff.
I slink out of the office with rounded shoulders and the air of defeat about me. As soon as I turn the corner, I perk up, realizing that now I get off an hour early every Friday...
Months later, after the jerk of a PHB had run off anyone with any slight ability, he went out during the dot bomb bust. Word was he managed to hire some of those "security" people that felt that BGP announcements were a security risk and should be discontinued...
Necessity is the plea for every infringement of human freedom. It is the argument of tyrants; it is the creed of slaves.
I for one *love* ripping these guys new ones. In particular when I produce the same report in a couple of hours. All kinds of fun.
It doesn't matter what you produce. Your boss is bringing in an outside consultancy to get an independent assessment of what you are doing. That's a prudent and sensible thing to do, because he doesn't know what is going on technically (he isn't supposed to--it's not his job), and you could be lying to him to cover your ass. It's no different from bringing in outside accounting firms to check the books, outside HR experts to check compliance with anti-discrimination laws, or outside consultants to check on customer service.
If you are unprofessional, uncooperative, or insulting in the process, you only hurt yourself.
On the other hand, if you think you can do a better job than the outside consulting agencies, start your own and try to convince companies of that.
Others have said it, I'll say it too: You need a formal risk analysis done. Ideally it should be done by the idiots who said you're vulnerable in the first place--make them actually WORK for their money.
Are you at risk? Probably. All companies are based on managing risk, and reaping the rewards. Computers are no different--to have internet access incurs some risk. Your job isn't to ELIMINATE risk, it's to MANAGE it, to reasonable levels. If the consulting company says that you're exposed, it should be up to them to calculate the likelihood of being exploited (i.e. x% chance per year that this exploit will be used), the liability of the exposure (i.e. money lost either directly or indirectly), and the cost to fix. If there's a 0.1% chance per year of someone breaking a server in the DMZ and it will cost your company $10000 to recover from it (lost information, time to rebuild, etc.), then any remedy that closes it will have to be almost free to be worthwhile ($20/year on the outside). On the other hand, something with a 15% chance of being exploited that's going to lose $3MM of market advantage should be fixed ASAP, as long as it costs less than nearly half a million.
Risk analysis. Risk management. Risk containment. NOT risk elimination.
"People who do stupid things with hazardous materials often die." -- Jim Davidson on alt.folklore.urban
I've seen the managers that this guy is suffering under, and your insightful remark won't help him. You see, his boss is likely referring to "holes" reported by Nessus and others that are not holes, but because some outside company said it, it must be so.
And what is your boss supposed to do? He isn't a network security expert. His in-house staff has strong incentives to pretend that everything is alright, whether it actually is or not. He has to bring in outside experts to verify that his staff is doing what it is supposed to be doing. That's not different from outside accounting firms and other kinds of outside review in other areas.
If you think the quality of the outside security firm your boss selected is poor, talk to him about it and get him to pick one that you think is good. But whether there is going to be an external audit is not debatable--the boss wouldn't be doing his job if he didn't do these things.
They've done nothing wrong. It's their job to point out every molehill. It's your job to perform a threat/risk assessment for each molehill and present a range of mitigations to your boss. For example:
This honestly isn't rocket science. The consultick isn't out to destroy you. He's just doing his job. And yes, it's amusing that the consulticks charge huge amounts of money to run nmap and Nessus, but they were only brought in because you obviously don't have the time to do it yourself.
I get the impression that you've taken this as a personal slight. I think that you believe the consultick's report has made you look bad. Get over it. Maybe you have made a mistake. Maybe you haven't. Your boss doesn't know yet because he isn't informed. Informing your boss of the risks and the costs raised by the consultick's report should be your #1 priority. If you do a good job, you and the consultick will both look good.
it's surprising how often you can connect two completely unrelated events/actions and make them seem interdependent simply by matter-of-factly asserting that the connection exists.
Manager: How can we fix all these security holes?
You: We can fix them no problem, I'll need another unix box for scanning and a 20% pay rise.
Manager: Ha ha ha...very funny.
You: I'm deadly serious.
Manager: What...you're serious...why a 20% pay rise!
You: Ok...you're right...10% is closer to the reality.
Manager: That's better...thought you could pull one over on ol' Bill, didn't you eh?
You: Yeah...sorry about that.
I am part of a small IT firm that deals with Community banks and their networks. Each of our banks gets audited quarterly. For years we've been explaining to our customers the real risks to their networks...themselves. The audits are always going to find SOMETHING. That's what they're designed to do. You can always explain the "holes, warnings, and notes" away without losing integrity as long as you have a good relationship with your boss/clients/whoever pays you. There are times when nothing but a squeaky clean audit will do for our clients...we can always provide a total lockdown...then they pay us to open up their network again for functionality. It's all about perception...if they think you're caught off guard, they're worried. If they think you're an IT mastermind...well then they're right.
Mmmm....Frosted....
...will tell your company one and only one thing, and that is your network is unsecurable unless you outsource all your network security and administration to them because your company's own I.T. crew is too incompetent to do it themselves.
My employer recently went thru one of these and I prepared for it (I am the network admin) by writing a list of everything the consultants would find, and why they would find it and what could or could not be done about it short of completely unplugging the affected bunch of machines and users off the network entirely. I also wrote down exactly what they would find when they attempted a penetration test from the outside to try to come thru our firewalls. I sealed up all my reports into an envelope and got my boss and his bosses above him to agree to keep the envelope sealed and not read it until after the consultants submitted their findings report and they'd read it.
During the tests, the consultants could not break in of course, and I got accused of refusing to cooperate with them. I told them to their faces in front of my boss that they weren't even worth half their weight in dirt and were basically committing a con against us. (con + insult = consult).
After their report was finished and my bosses paid them and read it, followed by reading my sealed reports, my employer basically agreed with me they'd just wasted $15K and my network security talents have never come in question again. The consultants didn't even find everything that I already knew was wrong with our network, and I haven't been permitted to fix the stuff that really needs fixing because too many users will bitch about the inconvenience it would impose on them.
Well I'm not going to give out specific details, but I've got the exact opposite problem. I'm a sort of lower level sysadmin (the kind that fixes minor computer issues; 'I can't connect' 'it says I have Sasser, MsBlast, and Netsky, can you help me?' 'Can you come over and install Kazaa for me?' etc. that sort of job) the upper admins run the network, if you can call it that, and do the more important stuff. Basically our network admins are idiots. They've got lots of really cool, expensive toys, but they have no clue how to use them. I suggest you try doing the same thing for your software compliance that we do for netadmins. Blow them off. Secure your network to the best of your abilities, then engage in extensive penetration testing of your network, while you document EVERYTHING you do. This accomplishes (hopefully): securing your network, watching your back, making less work for you in the future/more time for Doom 3/Halflife 2/Halo/2 etc. That's a lot of work upfront, but if you can show them that your network is secure, with documented proof, they'll probably bite. Even better, if your company will shell out the cash for it, hire a reputable 3rd party to hack the network, and have them thoroughly document your security measures/and the success/failure of the hack, then bring it to your boss. The alternative is to do everything the software asks, and chances are your company will get so sick of 14 letter-digit-special character random passwords, that change every 2 weeks (and similar security measures; welcome to my world) that they'll just say screw it and not bother you again about security.
It doesn't take much to quickly set the right tone for a security audit. Even the Pointiest of HBs can understand the basic rules:
If you have a chance, take them through this: ... you get the idea.
The only way to really secure a system is to turn it off. Not very useful, but highly secure. Ok, so maybe turn it on, but unplug the network cable. And lock the door. (Who has a key? Who cleans the room?) But it's a server, so it sort of has to be on the network to be useful. So plug it in, but firewall it off from the rest of the network with every service but files blocked. Well,
It's all about tradeoffs. Sometimes something comes along that makes life better, easier, and cheaper at the same time, but usually you only get one or two out of three.
Raise your children as if you were teaching them to raise your grandchildren, because you are.
A couple of variations:
Some recommend you multiply 2 or 3 factors to give a score, e.g. ease of exploitation x impact of possible exploitation.
You could go one further and do the equivalent of a "safety risk score calculator" (from OHS practices) where you look at:
- extent of what could happen
- how likely it is
- cost of alteration
- extent after alteration
- likelihood after alteration
Of course we're talking about highly inter-related aspects of security which get more complex, but feel free to group a bunch of things together (e.g. all items that relate to fingerprinting but aren't actually exploitable holes)
Time consuming, but you don't need to complete the calculation on items that are near zero risk to start with.
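As an added example (not posted by any commenter), here is the likelihood-times-impact arithmetic from the earlier risk-management comment and the before/after-alteration scoring listed above carried through in Python. Two of the sample findings reuse the thread's own figures (0.1%/$10,000 and 15%/$3MM); the finding names, fix costs and residual values are constructed.

```python
from dataclasses import dataclass


@dataclass
class Finding:
    """One item from the audit report, scored the way the thread suggests.

    Probabilities are per year; money is in dollars.  Values are constructed.
    """
    name: str
    likelihood: float         # chance of exploitation per year, before any fix
    impact: float             # loss (direct and indirect) if it is exploited
    fix_cost: float           # one-off cost of the remedy
    likelihood_after: float   # residual chance after the remedy is applied
    impact_after: float       # residual loss after the remedy is applied


def annual_loss(likelihood: float, impact: float) -> float:
    """Annualised loss expectancy: probability per year times loss per event."""
    return likelihood * impact


def annual_benefit(f: Finding) -> float:
    """Yearly loss avoided by the fix (loss before minus residual loss after)."""
    return annual_loss(f.likelihood, f.impact) - annual_loss(
        f.likelihood_after, f.impact_after)


def payback_years(f: Finding) -> float:
    """Years of avoided loss needed to pay for the remedy; inf if it never does."""
    benefit = annual_benefit(f)
    return f.fix_cost / benefit if benefit > 0 else float("inf")


def prioritise(findings, horizon_years: float = 1.0, ignore_below: float = 1.0):
    """Rank findings by the net value of fixing them over the horizon.

    Items whose current annual loss is under `ignore_below` dollars are skipped
    without further scoring, as the comment above suggests for near-zero risks.
    Returns (name, net_value) pairs, best first; a negative value means the
    remedy costs more than the risk it removes within the horizon.
    """
    scored = []
    for f in findings:
        if annual_loss(f.likelihood, f.impact) < ignore_below:
            continue
        net = annual_benefit(f) * horizon_years - f.fix_cost
        scored.append((f.name, round(net, 2)))
    scored.sort(key=lambda item: item[1], reverse=True)
    return scored


# Constructed sample findings; the first two reuse the figures quoted in the
# thread, the fix costs and residual values are made up for illustration.
SAMPLE = [
    Finding("DMZ server compromise", 0.001, 10_000, 500.0, 0.0001, 10_000),
    Finding("Loss of market advantage", 0.15, 3_000_000, 400_000.0, 0.01, 3_000_000),
    Finding("OS fingerprinting", 0.0, 0, 2_000.0, 0.0, 0),  # near-zero risk, skipped
]

if __name__ == "__main__":
    for name, net in prioritise(SAMPLE):
        print(f"{name}: net value of fixing over one year = ${net:,.2f}")
```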
-- All your bass are below two Hz
We did so, and were working with them in the process, having them scan the internal and external network.
Since it was competent people picking the security consultant, we got a good company to do the work. And not just the friend of the boss' cousin.
If the security company thinks it is fixable, have them come up with a price quote.
I so sympathize with this.
:)
One of our credit card processing companies got a wild hair up their ass about security. Security is a good thing, I fully believe in it. But they hired their own 3rd party company to scan us. Over, and over, and over again.
The 3rd party sent them a big list, where we were just on the friendly side of a passing score. I'm not pleased with "just" passing. They sent me the list, and "suggested" that we fix all these obvious holes in our security.
Some of them were that the sites resolved in DNS. Ummm, you go to example.com, it's gotta resolve.
Another was that we had a firewall up. Because packets disappeared into our network (dropped, instead of rejected), it was a clue to potential hackers that we had a firewall up.. {sigh} Ok, so our firewall did exactly what we wanted, and we get scored down??
The remainder of the list were assumptions. They (through fingerprinting) identified that we were using *nix machines, we are running Apache running on the web servers in question. At the time, Apache_SSL was about 2 subrevisions behind Apache itself, which made it impossible to stay with Apache_SSL, and pass their test. Their beef with it was that there was an exploit for Win32 and OS2 for the particular version we were running. I wrote them a nice email and said "Ok, so there's an exploit for Win32 and OS2 for that version, but we're running on *nix".
The temporary fix for the Apache "warning" was to not display the version of Apache. I later changed over to mod_ssl, and stuck with the current version.
We still get quarterly reports from them. I sigh every time I see them. They just piss me off. Not that we're getting a security review, but the fact that I have to explain why perfectly acceptable things are listed. I can never get my score to 0 threats. Even if I firewalled off the machine, so they couldn't see it, I'd still get points against me, because they can see there is a black hole, where they know there is a machine. {sigh}
I glance over the list when it comes in, and look for anything interesting. Do they have anything relevant to tell me? Nope? Ok, put it off til next week to decorate around their mental problems. Most days, I have real work to deal with, and don't feel like doing stupid tricks for their entertainment. Of course, if I have the time, I love messing with them. Let them wonder why I'm running Apache 4.9.1 on an unknown platform.
Serious? Seriousness is well above my pay grade.
I am sorry for all the people who had experience with bad auditors. Truth is that learning scanning software (ISS, Nessus, Harris Stat, etc.) is fairly easy. It's the analysis part that is hard. When I do audits I go over every vulnerability found (by whatever particular scanner) with the client and we discuss each one to find out whether it is valid for their environment or not. Additionally, a post report should include a thorough analysis of all the findings, not just a printout of the ISS report (which in my opinion is poor), and match these vulnerabilities with realistic mitigations. Just like in every field, there are bad people and there are really good people as well. I have met TONS of people recently who are in security because they heard it was a hot field, but even with the CISSP they don't know jack!!!
There was no context and no attempt to exploit the holes. If they managed to get in, then that is information that is necessary (otherwise you get your internal people doing their own security audit - so why did you pay consultants?)
They did part of their job, tell them to finish it.
"So I started drilling them and it turned out they knew nothing. So I kept hitting em and hitting em (verbally) till management had to pull me off em. I think the company I was working for at the time ended up suing them"
It sounds like you had the clout and credibility among your boss(es), that let them put your opinion first and the consultants after. This is something you (and I) take for granted, and the main thing that's lacking where people like the OP come in asking questions about how to handle it.
It sounds like the OP's biggest problem is that his boss trusts a consultant's opinion more than he trusts the OP. That is a pretty serious situation, if you ask me.
If I told my boss that he was being fleeced, lied to, defrauded, or that someone was incompetent or dishonest or whatever, action would follow. I don't know how I could work in any other environment.
20 years experience, 10 with the same company, helps I guess.
Tell the VP that the fact that he saves all his internet passwords in his browser, replicates all his confidential data to his palm-pilot, tapes his passwords to the inside of his laptop, gives full access to all data to his managers, is a far greater security risk than a non-renamed administrator account on a small print server.
That should shut him up for a couple of weeks.
Reply to each item with a cost to fix, including the cost of addressing other problems you introduce.
The reasonable stuff that you can realistically do should have a reasonable cost attached.
The stuff you really don't want to get into, just say that requires $10 million to build a brand new datacentre. If you take this approach, even the most Pointy-Headed of Bosses can be brought around to your way of thinking.
-- Nick "Hallo this is Beel Gates, und I pronounce weendows as
There is an issue of trust in the ability of your engineers though. I had this problem at my previous employer (which I left). If the manager consistently does not listen to your advice (however presented), think about it a bit: It means he/she actually does not have much faith in your skills, and does not trust your advice. This is inherently going to be a problem for you, regardless of whether or not you are able to 'document your thought processes'. What kind of reference are you going to get from a manager who doesn't trust your capabilities and thinks you're probably mediocre? What kind of opportunities for promotion, salary increases, increased responsibility etc. are you going to get from a manager who doesn't recognize or trust your capabilities? If this is what is going on, you need to get out anyway, because you're going to hit a "glass ceiling" very soon in your career.
IMO, good managers recognize skills, and place trust in their employees, giving them enough 'free rein' to 'work their magic' and not preventing them from doing so.
These tools are guides only. Anyone who treats them as 100% reliable is not a professional admin.
If you know enough about your systems to know that these are false positives, you can document each false positive so that, as your systems change or the scanner tools are updated, you can tell what is a potential problem and what is not.
If the 'security company' supposedly did a complete audit and does not have a reply to what you find, they ripped off your company.
If they were hired to do a basic review, not a complete audit, you can't blame them. The folks who hired them to do a minimal job got exactly what they asked for.
A firewall can not protect you from yourself. Turn off what you do not need. Do not use the firewall to do your work.
We had one of these security consultants. The first I heard about it was detecting a Nessus scan coming over the WAN, so I fired up email and sent one off warning of possible reconnaissance on the network. The eventual reply I got after followups went something like this:
We have yet to receive the full report, the security company just finished up a web scan of the **** Network last Sunday so it will be a couple of weeks before we get the total results.
I am not aware at this time of any issues with the UK network, but will let you know if any were found.
Thanks for the info, I will let the Security Company know that they didn't go undetected.
I never did get a report, but as their penetration scan caused me to put out a full alert on an internal IP in our company, I doubt they ever got paid.
I have to ask why the tone is so defensive? They've been paid to find every little bit ... now it's your job to help your management put the report into context.
Do your job.
-Jeff
Please learn the difference between a dissenting opinion and a troll before you moderate.
.. in the UK. And the reports they generated did flag up some pretty trivial things. Also reports came up with the same minor things each time (some clients would be scanned every month and the scan would return the same thing over and over). What's more shocking, though, is that some staff running the scans/reports upgraded the security risk level of some trivial items in the reports as "they believed them to be of higher risk"!!
Strike first. Do a scan yourself, note the items as "false positives" and give the list to the auditors.
If the auditors come back with the same list, your defense is: those are all false positives as noted in the initial report to the auditors. Get new auditors; these didn't do their job.
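An added example (not code any commenter posted) of the "strike first" register that this comment and the earlier one about documenting false positives describe: reviewed items are kept in a table with the status agreed at the time, and each new scan export is checked against it so that only genuinely new, regressed, or re-rated items need a fresh look. The CSV columns, finding names and every row are constructed for illustration and do not follow any real scanner's export format.

```python
import csv
import io
from collections import defaultdict

# Register of findings already reviewed with the auditors.  Constructed sample:
# status is false_positive / accepted / fixed, and severity is the rating the
# scanner gave the item when it was reviewed.
REGISTER_CSV = """host,port,finding,severity,status,reason
10.0.0.5,80,Apache version banner,Medium,false_positive,Guessed from banner; build is patched
10.0.0.5,0,Firewall drops probes,Low,accepted,Drop instead of reject is the intended policy
10.0.0.9,21,FTP server detected,Medium,accepted,Legacy transfer; ACL limits it to one peer
10.0.0.3,23,Telnet service,High,fixed,Disabled in the March change window
10.0.0.11,445,SMB signing disabled,Low,accepted,Internal file server; revisit next quarter
"""

# A fresh scan export, constructed so that each outcome appears once.
SCAN_CSV = """host,port,finding,severity
10.0.0.5,80,Apache version banner,High
10.0.0.5,0,Firewall drops probes,Low
10.0.0.9,21,FTP server detected,Medium
10.0.0.3,23,Telnet service,High
10.0.0.7,3389,RDP exposed,High
"""

SEVERITY_RANK = {"Info": 0, "Low": 1, "Medium": 2, "High": 3, "Critical": 4}


def key(row):
    """Identity of a finding: the same issue on the same host and port."""
    return (row["host"], int(row["port"]), row["finding"])


def load(csv_text):
    return list(csv.DictReader(io.StringIO(csv_text)))


def triage(scan_rows, register_rows):
    """Sort scan findings into buckets according to the register.

    new        - nobody has reviewed this item yet
    accepted / false_positive - already documented; cite the register entry
    regressed  - documented as fixed, but the scanner sees it again
    escalated  - known item whose severity was raised since the review
    stale      - register entry the scanner no longer reports (prune it?)
    """
    register = {key(r): r for r in register_rows}
    result = defaultdict(list)
    seen = set()
    for row in scan_rows:
        k = key(row)
        seen.add(k)
        known = register.get(k)
        if known is None:
            result["new"].append(k)
            continue
        if known["status"] == "fixed":
            result["regressed"].append(k)
        else:
            result[known["status"]].append(k)
        if SEVERITY_RANK[row["severity"]] > SEVERITY_RANK[known["severity"]]:
            result["escalated"].append(k)
    for k, entry in register.items():
        if k not in seen and entry["status"] != "fixed":
            result["stale"].append(k)
    return dict(result)


def summarize(scan_csv=SCAN_CSV, register_csv=REGISTER_CSV):
    return triage(load(scan_csv), load(register_csv))


if __name__ == "__main__":
    for bucket, items in sorted(summarize().items()):
        print(bucket)
        for host, port, finding in items:
            print(f"  {host}:{port}  {finding}")
```

Only the "new", "regressed" and "escalated" buckets need engineering time; the rest can be answered by quoting the register back to the auditors.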
Moderating "-1, Disagree" is simple censorship. Have the guts to post your opinion.
We just finished our first DDoS assessment, it went wonderful and we had the best security related results that we have seen in years. The guys over at Prolexic know what they are doing. You may want to check them out, www.prolexic.com. They just started a new product they call DDoS security testing, I am not sure if it's on their web site.
-steve
>> How do you handle these 3rd-party security people who make mountains out of every molehill?
Err, you don't. They are commissioned to do their job. Since they were hired, did work, that you had to react to (called on the carpet), that means you are out of the loop in regards to management & how they perceive security.
The beauty of 3rd party consultants (security or otherwise) is management gains external veri- or vili-fication of whatever their agenda is.
In short, you have to handle management (ie: the people who brought in the 3rd party peeps). Your description of the situation doesn't disclose your role in detail, so I will assume away a troll.
>>I told our risk management VP that to fix every item cited - - many of which were false positives or completely out of context - - would be next to impossible for our small IT staff, and that some of the fixes, if implemented, might have deleterious effects on an otherwise smoothly running operation.
Nope. Let me verbally slap you for this one. Not for effort, I get that. It is impractical to fix "everything". However, being reactionary to a report changes the discussion from "what are we doing to help the business" (VPs love this shit) to "why didn't you do your job" (which at best means a verbal reprimand, or at worst is used as justification to fire your ass).
Your approach to the VP of "whateverthehell" should be more of a "ok, bossman/bitch, here's the recommendations of the people someone (or YOU) hired, since you clearly don't trust me (don't say this part out loud), and here is my estimate of what it would take to fix each and every bullet point." Further, toss in a risk assessment that covers what the downside of NOT fixing this is. Take your time, make a nicely formatted report. Don't exaggerate, and do NOT let an item go by without pointing out the pros/cons of closing each "hole".
The downside of this is it is work. The upshot is you've handed the VP a check list. The VP can then make decisions (y/n/dodge) about what they fix and don't.
Most importantly, you at least look like someone who is trying to help, rather than a defensive employee trying to (at worst) cover up incompetence, or (at best) doesn't know any better (incompetence variation).
The VP is watching behavior, since typically they don't know tech. What does your behavior tell them?
Since you had to ask slashdot, there ya go.
We have to justify any exceptions to our security policy.
By their nature the security guys want everything tight as a drum. On the other hand the realities of running applications (some of which may be 20 years old) makes it cost prohibitive to make global changes.
For example, the security gurus banned FTP. However we had old code that depended upon FTP, and it would have cost too much to modify it to use other alternatives (sftp, etc.). You could justify these sorts of exceptions based upon the needs of the business - in this case the need not to break the budget. To ameliorate the problem we do routing/firewall configurations that only allow the two boxes in question to talk to one another using the forbidden protocol - a much cheaper solution.
When you put things in dollar terms the powers that be tend to shy away from knee jerk reactions based on the advice of 'experts'.
Lodragan Draoidh
The more you explain it, the more I don't understand it. - Mark Twain
Speaking as someone who used to do security internally, I can definitely vouch for this one. Some of the internal R&D labs still use NFS and the Berkeley r-tools in a big way, just because the infrastructure is too massive for a change to ssh-based authentication and Secure NFS any time soon.
But notice, I said internal. 2 layers deep, no outward facing systems in the NFS/NIS environment. Yeah, as a security person I was supposed to say "remsh bad! ssh good!" (HP-UX calls rsh 'remsh', and rsh is a restricted POSIX shell), but when we have 40 people in a lab of several hundred using non-obfuscated Dilbert character names as passwords, some systems with 644 permissions on the btmp file, and the occasional empty root password, an NFS share open to an NIS netgroup on an internal corporate network just isn't as big a problem.
And honestly, I think in a large company like that, where you are dealing with many 'non' employees (see the contractor lawsuit trying to get off the ground), data theft is not as immediate a problem as hardware theft. We certainly caught more people selling parts purchased internally on eBay or out of their trunk in the local Wal-Mart parking lot (yes, this happened...) than we logged access attempts to SCM systems.
- Run common tools like nessus yourself, and document the results. Indicate the false positives in a report. Indicate how real issues have been fixed. Give a copy to whoever might care.
- Don't pay third party companies if all you are going to get back is the output of nessus or some such thing. If all they are going to give you is the unverified output of open source tools, they aren't adding any value to your operation.
- If you guys are going to hire third parties, YOU, the sysadmin, be the one to initiate the process. You are also the only one qualified to interpret the results. If there are things on the list that are not valid or not high enough risk to worry about, document the fact and be done with it.
Many companies require external IT security audits as part of their financial controls. I used to routinely do my own assessments since it was a useful way to police my infrastructure (used to because I retired). The auditors rarely uncovered anything significant since we had already corrected the vulnerabilities. We were aware of and ready to explain the routine false positives as well as the low level "vulnerabilities" that we wanted for one reason or another or were not concerned about.
Don
Sorry about the AC post but I do value my job somewhat.
I work for a VERY large 2 letter corporation that among other things provides "managed services". One of our clients is a large financial institution who thought it would be a good idea to perform some "network testing". One of the interesting items flagged, was a server that was listening on some port (cannot remember the port number) that usually indicated a common Windows trojan. Unfortunately, I was the poor slob who got tagged with explaining this one.
The client demanded to know what steps we were taking to "sanitize the environment" and "determine the extent of the damage". Now comes the fun part. The system that had the "trojan" was an AIX SP2 node behind four layers of firewalls. The application listening on the port was the client's application configured as per the client's design.
So all of this resulted in:
1) The server being isolated from the application pool for one week for "forensic" study.
2) IPTRACE (AIX equivalent of TCPDUMP) being run continuously for one week on two firewalls and the node in question.
3) Analysis and comparisons of backups for one year to determine when the "compromise" took place.
4) Trying to explain to the client's security group why some other group within the client's organization decided it was a good idea to use this "well known trojan port" for their application.
End result, 10 days of my life I will never get back. I LOVE SECURITY CONSULTANTS!
I'm a security professional and it sounds to me like they didn't do their job properly. They should have scanned the network and then verified their findings afterwards by hand. Oh ya and I can't forget, when you have the list of real vulnerabilities you refer to the documentation provided by the IT staff (or talk to them in the case where there are poor documentation procedures) and determine which vulnerabilities, if any, would have a severe negative impact on the operation of the business and document them.
Why did you let yourself be blindsided by this? Even if you weren't notified that a "security consultant" would be working the network, you should be running your own scans and classifying the risks. And if you were notified, that's even more reason to do your own independent scan/analysis.
There are some situations where even if you're overworked, you have to make the time to be pro-active in self-defense. Any work done by outside consultants to evaluate your performance falls into this category.
We are the 198 proof..
Otherwise follow the advice of one of the first posts - quit. You are being paid good money to do a job, don't get upset because they want you to do your job. This doesn't mean fix everything today, it means fix the machines as you can. Next go out and get the open source scanner and run your own scan. Even if you have to take a machine that is currently in a closet to do it with, do it. Load Linux and the scanner and go to it. I often use old beat up machines for Linux servers and audit machines.
Next you should have scripts to do monitoring. Check e-mail in and out of your site, not the contents of the mail, what is going on with the mail. One machine suddenly sending out 1000 X as much mail? It is probably a spam machine now. Things like that. I catch a lot of windows machines that way.
Remember to use computers to your advantage. They do work very fast and very efficiently. Keep track of how to fix one machine then automate it. That can save you a LOT of time!
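The "one machine suddenly sending out 1000 X as much mail" check from the post above, as an added example that is not code from any poster here: it parses Postfix-style smtpd lines (constructed sample, hypothetical hostnames and addresses), counts relay connections per client per hour, and flags a host whose count in one hour exceeds a multiple of its own median in the other hours. It looks only at who handed mail to the relay and when, never at message contents.

```python
import re
from collections import Counter, defaultdict
from statistics import median

# Matches the smtpd "client=" line Postfix logs when an internal host connects
# to the relay. Hostnames and addresses in the sample below are constructed.
LINE_RE = re.compile(
    r"^(?P<mon>\w{3}) +(?P<day>\d+) (?P<hour>\d{2}):\d{2}:\d{2} \S+ "
    r"postfix/smtpd\[\d+\]: \w+: client=(?P<host>[\w.-]+)\[(?P<ip>[\d.]+)\]"
)


def parse_connections(lines):
    """Return {(day, hour): Counter{client_host: connections}}; other lines are ignored."""
    per_hour = defaultdict(Counter)
    for line in lines:
        m = LINE_RE.match(line)
        if m:
            per_hour[(m["day"], m["hour"])][m["host"]] += 1
    return per_hour


def find_mail_spikes(per_hour, factor=20, min_hours=3):
    """Flag (host, hour, count, baseline) where count > factor * that host's
    median count over its other hours. Hosts seen in fewer than min_hours
    other windows have no usable baseline and are skipped."""
    hosts = set().union(*per_hour.values()) if per_hour else set()
    alerts = []
    for host in sorted(hosts):
        counts = {hour: c.get(host, 0) for hour, c in per_hour.items()}
        for hour, n in sorted(counts.items()):
            others = [c for h, c in counts.items() if h != hour]
            if len(others) < min_hours:
                continue
            baseline = max(median(others), 1)  # never divide by a zero baseline
            if n > factor * baseline:
                alerts.append((host, hour, n, baseline))
    return alerts


def sample_lines():
    """Constructed log sample: two workstations relaying through 'mx' over five
    hours; ws-017 behaves normally until 12:00, then floods the relay."""
    lines = []
    qid = 0

    def add(day, hour, host, ip, n):
        nonlocal qid
        for _ in range(n):
            qid += 1
            lines.append(f"Jan {day} {hour:02d}:00:{qid % 60:02d} mx postfix/smtpd[4120]: "
                         f"Q{qid:06X}: client={host}[{ip}]")

    for hour in range(8, 13):
        add(12, hour, "ws-042.corp.example", "10.1.2.42", 3)
        add(12, hour, "ws-017.corp.example", "10.1.2.17", 500 if hour == 12 else 2)
    lines.append("Jan 12 12:00:00 mx postfix/qmgr[4100]: Q000001: removed")  # not an smtpd line
    return lines


if __name__ == "__main__":
    for host, (day, hour), n, baseline in find_mail_spikes(parse_connections(sample_lines())):
        print(f"{host}: {n} relay connections in hour {hour} on day {day} "
              f"(usual ~{baseline:.0f}/hour) - check for a spam bot")
```

Run against a real mail.log by replacing `sample_lines()` with the file's lines; the threshold `factor` and the per-host median baseline are the two knobs to tune, and a host with no history (new workstation) is deliberately not alerted on because a ratio against nothing means nothing.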
Be *very* careful about running your own scans.
Nessus and several other tools including NMap can cause production issues with servers and workstations.
Even those in the know can include a parameter that will trash a web server, or something that you didn't realize would be a problem.
It's much wiser to ask for approval to run these scans, and then when turned down, keep them in a log. When not, run your scans and check your servers afterwards.
After running tools and manual methods we work out what the results really mean (unlike a small shop who might just provide the nessus/ISS/retina/whatever output) from a technical and business perspective. Then we go through this draft report with the client to discuss context - as they will know the environment better than us - so we can work out what risk mitigation is in place.
Only then do we issue a final report!
You let your director see a report before you reviewed it? Bwahahahahahahaha.
:\
As a pentester, we give all "Draft" reports to the IT staff/customer at least a day before a report meeting so they can propose changes and call us on the findings. And NO WAY would we ever put a raw ISS/nessus/GFI scan into a report, all of those contain a butt load of false positives. You need to find a better security company, get some recommendations, ask for references, do yer friggin homework, and don't let them make you look like a dumbass!
For instance, as soon as I arrive on site, have all the legalese signed, and proceed to break into a Domain controller and take over Company X, I notify their IT. How, When, and Where I did it. Therefore they can begin steps on fixing the problem as soon as I leave. By the time the report comes, the problem is already fixed, they look like superman to their boss and we all win.
this is how it should be, right?
-AC #9013845109X
(not to say that people don't get "let go" a week after they get the report.)
It boils down to a risk analysis and a cost benefits analysis. Since you're looking at the situation in terms of dollars, ie how expensive it would be to patch the holes reported by the auditor, you'll need to do a quantitative risk analysis. For each of the items you were dinged on you'll need to come up with a risk analysis. Or you could get your auditors to do one, but they're not exactly impartial. Once you come up with an estimate of what it costs a year to have that vulnerability unchecked, then you can do your cost benefits analysis. That's where you get to show that spending 100k on disabling ICMP timestamp requests on your workstations is a waste of money.
Yes, my only tool is a hammer. And you're starting to look like a nail.
The phrasing of this question sounded a little defensive.
If you are the "responsible person" for your IT fiefdom, then you should be ready and able to accept and handle criticism.
If your work isn't being questioned, then nobody knows who or what you are doing. I don't mean attacked - I just mean that we are usually asked on a fairly regular basis to justify our actions. If you haven't already questioned and justified almost everything you do - you should start. If you don't have a good reason for something, then it probably needs changing.
In this specific situation, I would take a positive, proactive tack:
1 - review every single item carefully - ask for time to specifically analyze and answer each issue.
2 - some of these issues you should obviously already know about - list those, and explain the how, why and costs of changing the system causing the issue.
3 - if there are any issues you didn't already know about, grant the VP that - he thinks he did good by bringing in an outsider; tell him he did good. Then address these issues, too.
Finally, boil everything down to a full report.
Summarize what you recommend as necessary / possible/ duplicate work / useless information..
Tally up the costs of remediation for each and the total.. then ask for the resources to do the job.
Compare your in-house costs to outsider cost estimates - be sure to factor in your people's time working with any outside vendor.
If you can - do a cost/benefit risk analysis to indicate which changes should be prioritized, and which do not need to be.
If you cannot perform these functions, your job is already in danger. Learn these skills, and update your resume.
Back in the heyday of cross-browser compatibility, before CSS really took a good hold and everyone had moved to IE, I used to spend a LOT of time making things work cross-browser. A lot of the work I did was not strictly within the current HTML DOM, as things needed to be built with a combination of IE, Netscape, and DOM compliance. During one project, I built a series of HTML templates for a client who was having the application written by another company, but wanted me to do the front-end design. Because the developer was stalling for time, they ran a strict HTML verification program against my code and sent back a HUGE list of issues. I spent an afternoon responding to each individual issue, explaining why this was either (a) not really an issue, or (b) because of the layout/design, the only way to "fix" the issue would be to redesign the entire page. The problem was that, when viewed on screen in any contemporary browser, the pages worked fine. I was able to make a very good argument against ALL of their issues, and turn their attempt to make me look bad against them. What this boils down to is this... document the hell out of their responses, with specific reasons why each issue is not an issue. It may take some time and effort, but at the end of the day you'll make the VP happy, prove (again) that you have the capabilities to perform at your job, and make yourself look good. It's a pain in the ass, but will be worth it in the end.
Reading down through all the comments I saw some very interesting points to ponder on this. I just presented my findings to an organization after doing an in depth security review. I agree with most of the comments about checking your work. Quite honestly, I use Nessus as one of the tools to do the assessment, but my report only includes a few pieces from that. The Nessus report is just added on in digital form, for review, but my recommendations and findings have more to do with lax password policy, leaving default services enabled, lack of patching/updates/hotfixes. I used Nessus to identify which machines were "most vulnerable" and then went to each of the top machines and did a check on them. Sure, Nessus came back with bunches of stuff, and guess what folks? Most of the High values were TRUE! People who make blanket statements like "Nessus only shows obscure vulnerabilities" really should take a look sometime at the fact that most of those are detailed with either a fix, or if on a Windows machine a KB article. Several of those that I checked when I ran Nessus actually linked to KB articles that were fixed with silly little things like, oh I dunno, a service pack released two years ago? Ya know? Simple little obscure things like that. I actually resent the idiot who implies that I don't know my job as a security professional to go back and verify what ANY tool tells me is vulnerable. If a tool says "this service is not patched", and you go and look at the machine, and it isn't patched... then MAYBE, just MAYBE the machine is vulnerable to malicious intent!!!!
--Security; try it, you might like it...
It is by caffeine alone I put my mind in motion...
If you have advance warning that these consultants are coming, make a list of everything they may find that is harmless and give it to your boss before they get there. The reference sheet should go a long way to show how important you are, and what a bunch of idiots they are.
First thing that sticks out at me, is did the execs approach the IT department about doing a security study? If they went straight to an outside source, it could be a sign that they don't trust you. I can understand if they felt their own IT department was overwhelmed with current projects, but did they even get your input before moving forward? Were they interested in plugging their security holes, or were they interested in checking up on the IT department?
I believe your viewpoint is that the 3rd party company over exaggerated the security risks in order to justify their price tag for the study. I don't think I would necessarily disagree with you. It isn't indicative of the entire security industry, but there are some companies that are just out for the quick buck. I wouldn't be so fast to dismiss their findings, though.
Most execs only understand money. They wouldn't give a rat's butt about security holes, if they weren't convinced it would cost them money. So what you need to do is itemize each security hole. List the possibility of an attack through the security hole, and how long it would take to fix it. Give a cost estimate for how much it would cost in terms of labor hours to fix it. Also figure up how much money would be lost during down time. Lastly, estimate how many hours and the labor costs it would take to fix the problem. If it is going to take $1200 to patch a hole now that at worst would cost $100 to recover from, and $100 in lost revenue; then it shouldn't be a priority. On the other hand if it would take $100 to fix it now and $300 to recover from it during down time, then obviously it is worth fixing. Basically just show them the cost difference between patching and recovering. Allow the execs to review and decide how they want to spend money. This will also show them how petty some holes might be.
Lastly, don't take it personally. Yes it does look like they are trying to blame the IT department for the security holes, but in the world of IT there can be a difference of opinion. There can be multiple rights and wrongs. You need to stress this; that although the 3rd party has one opinion, you have another. Doesn't mean one party is right and the other is wrong.
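Three posts in this thread describe the same exercise in words: the one that says to run the scanner yourself and document the false positives, the one that lays out a quantitative risk analysis (annual cost of leaving a hole open versus the cost of closing it, with ICMP timestamp requests as the example of a fix not worth $100k), and the post just above comparing the cost to patch against the cost to recover. The script below is an added example, not code from any poster, that turns that exercise into a triage list for the VP. Every finding title, dollar figure and occurrence rate is constructed; the two "$100 to fix / $300 to recover" and "$1200 to patch / $100 + $100 to recover" entries mirror the figures in the post above, and the fix is amortized over an assumed three-year lifetime.

```python
from dataclasses import dataclass


@dataclass
class Finding:
    """One scanner finding plus the figures a quantitative risk analysis needs.
    All numbers are constructed for illustration, not measured costs."""
    title: str
    recovery_cost: float            # cost to clean up after one incident
    downtime_loss: float            # revenue lost while recovering from one incident
    aro: float                      # annualized rate of occurrence (incidents per year)
    fix_cost: float                 # one-off cost to remediate now
    fix_lifetime_years: float = 3.0  # assumed years the fix stays effective
    false_positive: bool = False
    justification: str = ""         # why it is a false positive or accepted by design

    @property
    def sle(self):
        """Single loss expectancy: what one incident costs."""
        return self.recovery_cost + self.downtime_loss

    @property
    def ale(self):
        """Annualized loss expectancy: expected yearly cost of leaving it open."""
        return self.sle * self.aro

    @property
    def annual_fix_cost(self):
        return self.fix_cost / self.fix_lifetime_years

    @property
    def net_annual_benefit(self):
        """Positive means the fix saves more per year than it costs."""
        return self.ale - self.annual_fix_cost


def triage(findings):
    """Split findings into (fix_now, defer, false_positives).
    fix_now and defer are ordered by net annual benefit, largest first, so the
    top of the list is where the first remediation dollar should go."""
    false_positives = [f for f in findings if f.false_positive]
    real = [f for f in findings if not f.false_positive]
    by_benefit = lambda f: f.net_annual_benefit
    fix_now = sorted((f for f in real if f.net_annual_benefit > 0), key=by_benefit, reverse=True)
    defer = sorted((f for f in real if f.net_annual_benefit <= 0), key=by_benefit, reverse=True)
    return fix_now, defer, false_positives


def sample_findings():
    """Constructed findings; hostnames, counts and costs are hypothetical."""
    return [
        Finding("Unpatched SMB service on 40 workstations", 4000, 8000, 0.5, 1500),
        Finding("Default SNMP community string on printers", 2000, 1000, 0.3, 200),
        Finding("Cheap fix from the post ($100 fix, $300 recover)", 300, 0, 1.0, 100),
        Finding("Expensive patch from the post ($1200 fix, $100 + $100 recover)", 100, 100, 1.0, 1200),
        Finding("ICMP timestamp requests answered by workstations", 100, 0, 0.1, 100000),
        Finding("'Trojan' port open on AIX node", 0, 0, 0, 0, false_positive=True,
                justification="Client's own application listens on this port by design; "
                              "verified by hand against the deployment docs."),
    ]


if __name__ == "__main__":
    fix_now, defer, fps = triage(sample_findings())
    print("FIX NOW (ALE vs annual fix cost):")
    for f in fix_now:
        print(f"  {f.title}: ALE ${f.ale:,.0f}/yr, fix ${f.annual_fix_cost:,.0f}/yr")
    print("DEFER / ACCEPT RISK:")
    for f in defer:
        print(f"  {f.title}: ALE ${f.ale:,.0f}/yr, fix ${f.annual_fix_cost:,.0f}/yr")
    print("FALSE POSITIVES (documented):")
    for f in fps:
        print(f"  {f.title}: {f.justification}")
```

The numbers that matter are the ones you can defend in the meeting: the annualized rate is the weakest input, so state how you estimated it next to each finding, and keep the justification text for every false positive in the same report so nobody has to spend ten days of IPTRACE proving a port is the client's own application.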