Slashdot Mirror


Network Penetration Scans and Executive Reaction?

LazloToth asks: "I'm sure some of you have had this happen: your company pays the big bucks for a 3rd-party security audit and, when it comes back, you get called on the carpet for all the supposed 'holes' in your network. When you see the report, you recognize that it comes from a well-known open-source security scanner, and that the 'holes' in question are so obscure as to be meaningless. I told our risk management VP that to fix every item cited - - many of which were false positives or completely out of context - - would be next to impossible for our small IT staff, and that some of the fixes, if implemented, might have deleterious effects on an otherwise smoothly running operation. How do you handle these 3rd-party security people who make mountains out of every molehill?"

33 of 434 comments

  1. quit by s20451 · · Score: 5, Funny

    Quit your job and start a 3rd party security consulting company.

    --
    Toronto-area transit rider? Rate your ride.
    1. Re:quit by EnronHaliburton2004 · · Score: 2, Funny

      I'll sell you Nessus for a discounted price of $4000!

    2. Re:quit by jd · · Score: 5, Funny
      You don't understand the market, do you? :)


      With the current paranoia, lack of decent security awareness (and therefore the lack of ability to evaluate the results), and the ability to impress a PHB by wearing the "right" suit, you could easily charge $50,000 for a Nessus scan. $5,000 would barely pay for an NMap sweep. For Unix servers, also use SARA and TARA for $10,000 apiece.


      In today's atmosphere, it should not be possible to walk away from a security contract with less than $75,000. Double, if you use that random paper generator, covered by Slashdot a day or so ago.

      --
      It's a small world and it smells funny; I'd buy another if it wasn't for the money; Take back what I paid (SoM)
    3. Re:quit by Anonymous Coward · · Score: 5, Funny

      Just remember,

      Conning + Insulting = consulting.

      No problem man...

    4. Re:quit by EnronHaliburton2004 · · Score: 2, Funny

      Well, I also charge $500 per ping attempt, and $1000 if ping doesn't receive a response. Flood pings are free.

    5. Re:quit by tomhudson · · Score: 2, Funny
      Bah, I'm adding value! I'm adding $5000!
      There's your problem. If you worked for the Liberal Party of Canada, you'd be adding $500,000.00. And billing the government 3 times for the same report. For events at 5 sites in 5 different cities. On the same day. For work that was never done.*

      *NOTE: Yep, that really happened ... , but try adding ANOTHER zero first. And don't forget to kick back 17.5% in "commissions" to your buddies.

    6. Re:quit by Rei · · Score: 4, Funny

      but try adding ANOTHER zero first.

      Okay.

      $0,500,000.00

      --
      Margaret Thatcher died the other day. It was a sad day, but I like to think that she's looking up at us right now.
    7. Re:quit by ErikTheRed · · Score: 3, Funny
      $100,000,000.00 is a lot of money even today ...
      Even in Canadian Dollars? I thought it cost more than that just to fill up...

      (just a joke, Canadians are cool. Literally).
      --
      Help save the critically endangered Blue Iguana
  2. Deal With Them by RobertTaylor · · Score: 5, Funny

    How do you handle these 3rd-party security people who make mountains out of every molehill?

    Post the company name and URL on slashdot and let them have a 'specialised security audit'...

    1. Re:Deal With Them by jd · · Score: 4, Funny

      They don't need to. Giving the site's webserver a severe slashdotting would seriously stress-test their systems.

      --
      It's a small world and it smells funny; I'd buy another if it wasn't for the money; Take back what I paid (SoM)
    2. Re:Deal With Them by Anonymous Coward · · Score: 2, Funny

      It's http://127.0.0.1/, feel free to have a go.

    3. Re:Deal With Them by JAppi · · Score: 3, Funny

      Before I could DDos him they DDosed me back :(

  3. We can help by Lev13than · · Score: 5, Funny

    LazloToth asks: "...How do you handle these 3rd-party security people who make mountains out of every molehill?"

    I think we need more details on the severity of your security holes. Give us your company's IP range, and if we find anything significant we'll leave a note for you on your desktop.

    --
    When you have nothing left to burn you must set yourself on fire
    1. Re:We can help by Anonymous Coward · · Score: 1, Funny

      Sure... it's 172.16.0.0/16 - I'm posting anonymously so my boss doesn't know I told.

  4. Consultants by WD_40 · · Score: 5, Funny

    If you can't be part of the solution, there is good money to be made in prolonging the problem.

    --
    "With sufficient thrust, pigs fly just fine." -- RFC 1925

    1. Re:Consultants by TheGratefulNet · · Score: 5, Funny

      If you can't be part of the solution, there is good money to be made in prolonging the problem.

      I always thought if you're not part of the solution, you're part of the precipitate.

      --
      "It is now safe to switch off your computer."
  5. One word... by LeJoueur · · Score: 2, Funny
  6. Easy solution by nizo · · Score: 4, Funny
    How do you handle these 3rd-party security people who make mountains out of every molehill?

    See where they did the scan from and drop all packets at the firewall from that domain?

    1. Re:Easy solution by Anonymous Coward · · Score: 5, Funny
      Dear Manager of Clueless Company,

      Thank you again for the opportunity to conduct a security audit on your organization. We would like to let you know that you failed your security audit because none of your systems passed a simple availability test and all of them had the same issues the last time we conducted our scans. When we started this scan, all of your systems appeared to be down when we tested your company from a known IP address. Suspecting that your staff thought they could block the scan, we simply changed our IP, and were able to test your servers. Our tests show a number of things:

      1) You show no improvement in security. All the old holes are still there, and we found some new warez servers, along with numerous bots, spam engines and several IRC servers. These make for an excellent addition to the old warez and IRC servers, spam engines and zombies that make up your organization.
      2) Your IT staff is clearly made up of some stupid people. How they could have thought blocking IPs would keep us from testing their servers is beyond belief. They really are a piece of work.
      3) Your employees cannot be trusted because they are trying to cover up this cluelessness in the most incompetent manner possible.
      4) You are oblivious to the cluelessness on your employees' part.
      5) Your company really is dumb if they think they can block the source of an audit from a security company. Come on, we do this for a living, did your IT people really think they could stop us? Seriously, what moron thought this would work? Did they read this on slashdot or something?

      To summarize, your systems are wide open and compromised, your staff is incompetent and untrainable and your attempts to block our scans were additional fruitless indicators of your staff's pathetic grasp on even basic IT concepts. Frankly, we'd like to thank you for the free money, and to pass on our thanks to your clueless staff for making this process trivially easy. If we only had more idiotic customers like you, it would make our jobs so much easier.

      Looking forward to your next follow-up scan. Please be sure to promote everyone in your IT department as we are thrilled with their work so far!

  7. Next to worthless by PCM2 · · Score: 4, Funny

    In the mid-1990s, I ran IT for a graphic design firm, which consisted of some 50-75 Macintosh computers. Pretty much everything ran on Macs; even the accounting systems used Great Plains for Mac.

    At one point, some of the staffers got the idea that network performance might not be optimal, and it was decided that we should do a performance audit. A contractor was brought in to spend a few hours sniffing our network, then go away and do a thorough, in-depth protocol analysis. The result of this analysis was a 20-page report detailing their findings.

    The conclusion was that there was, indeed, a lot of unnecessary packets of traffic flying around the network. Their solution?

    "Eliminate the Appletalk networking protocol."

    Uh, yeah. Thanks guys, here's your $2,500.

    (Maybe the best solution is to do whatever you can to educate management and set expectations at appropriate levels.)

    --
    Breakfast served all day!
    1. Re:Next to worthless by prockcore · · Score: 5, Funny

      "Eliminate the Appletalk networking protocol."

      A worthy and noble goal. Chattiest protocol ever.

      "Are you there printer?"

      "Yeah, I'm still here."

      "Sweet.. just checking"

      "So.. uh.. what's new with you?"

      "Not much, did you see the file share that moved in down the block?"

      "Yeah, he was talking to me earlier"

      "Nice guy. I like him. He shares files you know"

      "So I gathered. As a printer, I don't think I need to talk to him"

      "Heh, yeah, that's probably true. But hey, never hurts to keep in contact with everyone, even if you have nothing in common"

      "I hear you brother! So, um.. did you need to print something?"

      "Me? Oh no.. I'm just keeping tabs on everyone"

      "Yeah... I do that too"

  8. Re:Just like every consultant by gt_swagger · · Score: 2, Funny

    Troll pts for that? I see we have a consultant mod in the house.

    --
    The Peanut Gallery, Ubergeek, Biblically Sober
    NCAAbbs.com: Thousands of fans, Hundreds of teams, Just one place
  9. Excuse for new equipment by pyrrhonist · · Score: 4, Funny

    Don't look a gift horse in the mouth. This is just the excuse you need to purchase that new equipment you've been lusting over. Just remember to put, "patch security hole", on the purchase req.

    --
    Show me on the doll where his noodly appendage touched you.
  10. You should be the V.P. by Futurepower(R) · · Score: 2, Funny


    "How do you handle these 3rd-party security people who make mountains out of every molehill?"

    That's not the first step. The first step is for your company to make you VP of risk management.

  11. Re:BOFH! here's the link by nxs212 · · Score: 2, Funny

    Here's the real thing!
    http://bofh.ntk.net/Bastard_1995.html

  12. Re:Bullshit. by TykeClone · · Score: 2, Funny
    My preference: Set it to identify itself as something it's not.

    Change your qmail banner string to read what an Exchange server would read - an old, unpatched Exchange server - and then watch the consultant's smile disappear after they list all of the vulnerabilities that you've got and you tell them that you were lying.

    --
    A fine is a tax you pay for doing wrong and a tax is a fine you pay for doing all right.
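The banner trick above is also why a scanner report needs a verification step before anyone is called on the carpet: a check that only reads an SMTP greeting string cannot tell a rewritten banner from the real thing. As an added example (not from the thread or from any scanner), a small Python triage helper that tags banner-derived findings by evidence level against a constructed asset inventory; the hostnames, banners, version string and inventory are all made up.

```python
import re

# Constructed sample SMTP greetings (made-up hosts and version string, not captured from real hosts).
SAMPLE_BANNERS = {
    "mail1.example.test": "220 mail1.example.test ESMTP",
    # A qmail host whose greeting was rewritten to mimic an old Exchange server.
    "mail2.example.test": "220 mail2.example.test Microsoft ESMTP MAIL Service, Version: 5.0.2195.6713 ready",
    "mail3.example.test": "220 mail3.example.test Microsoft ESMTP MAIL Service, Version: 5.0.2195.6713 ready",
}

# What the defender's own asset inventory says each host runs (constructed); a remote scanner never sees this.
INVENTORY = {
    "mail1.example.test": "qmail",
    "mail2.example.test": "qmail",
    "mail3.example.test": "exchange",
}

# One banner-pattern rule written the way a banner-only scanner check would phrase it (constructed).
BANNER_RULES = [
    (re.compile(r"Microsoft ESMTP MAIL Service, Version: (\S+)"), "exchange",
     "Exchange SMTP service identified from banner"),
]

def classify(host, banner, inventory_product=None):
    """Findings a banner-only rule set raises for one host, tagged with an evidence level:
    banner-only (nothing verified the match), confirmed (inventory agrees with the banner),
    false-positive (inventory contradicts the banner), unidentified (no rule matched)."""
    findings = []
    for pattern, product, title in BANNER_RULES:
        match = pattern.search(banner)
        if not match:
            continue
        if inventory_product is None:
            evidence = "banner-only"
        elif inventory_product == product:
            evidence = "confirmed"
        else:
            evidence = "false-positive"
        findings.append({"host": host, "title": title, "version": match.group(1), "evidence": evidence})
    if not findings:
        findings.append({"host": host, "title": "service not identified from banner", "version": None, "evidence": "unidentified"})
    return findings

def triage(banners, inventory):
    # Only 'confirmed' findings belong on a remediation list; the rest go back to the auditor as questions.
    return {host: classify(host, banner, inventory.get(host))
            for host, banner in banners.items()}
```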
  13. Re:Cost by yack0 · · Score: 2, Funny

    Hire a risk analyst to come in and look at the security report and then attach numbers to all the security issues and what those security issues could potentially lead to...

    Then you can hire another consultant to analyze the risk analyst's analysis to see how much it should cost you to clean those things up.

    Then you'll have to hire some technical writers or some such to write up what you've done.

    Like, duh! :)

    (you'd think I were a consultant still! But no, I'm not anymore!)

    --
    -- There is no sig line, only Zuul.
  14. Re:Its their job by nacturation · · Score: 2, Funny

    Finding someone good isn't going to be cheap, but then again, if you're concerned about price, fire up Nessus or ISS and run it yourself.

    Whoah... I'm all for good security, but don't you think using the International Space Station is a bit overkill? ;-)

    --
    Want to improve your Karma? Instead of "Post Anonymously", try the "Post Humously" option.
  15. The BOFH Way by FruitCak · · Score: 2, Funny

    A shovel, a bag of lime and some carpet.

    --
    I'm me. I think.
  16. Re:Its their job by Lumpy · · Score: 4, Funny

    We had one of these experts come in and look, he said we had huge security holes and gave us an estimate of how long he would take to fix them... I called him on the carpet and said, demonstrate one... so he did, and failed to..

    The computer security expert sat there for 30 minutes confused as to why simply pressing escape at the login prompt did not get him into the system on our W2K boxes.

    He mentioned to our Director that our systems must be mis-configured and that he noticed that our Cisco 2950 switches were also not configured for 1000BaseT and we should enable the gigabit features of that switch.

    I am NOT joking. This was the security expert hired by our company to see if we had security problems and to find any networking bottlenecks.

    We simply let him leave after thanking him for his expertise; the CTO of the company recommended this moron and we can't tell the CTO that his brother-in-law is a complete and utter idiot.

    Thankfully this was 3 years ago, and we were owned by a different company then... the executive staff all were sacked during the last merger.... One of the few times I welcomed a merger.

    --
    Do not look at laser with remaining good eye.
  17. Re:You mean tell the boss the dump windoze? by lauterm · · Score: 2, Funny

    Could we get some IPs? We would like to independently verify your assertions.

  18. connecting two unrelated events in your favour by the-build-chicken · · Score: 3, Funny

    It's surprising how often you can connect two completely unrelated events/actions and make them seem interdependent simply by matter-of-factly asserting that the connection exists.

    Manager: How can we fix all these security holes?
    You: We can fix them no problem, I'll need another unix box for scanning and a 20% pay rise.
    Manager: Ha ha ha...very funny.
    You: I'm deadly serious.
    Manager: What...you're serious...why a 20% pay rise!
    You: Ok...you're right...10% is closer to the reality.
    Manager: That's better...thought you could pull one over on ol' Bill, didn't you eh?
    You: Yeah...sorry about that.

  19. Re:Its their job by jargoone · · Score: 2, Funny

    If you're reading slashdot, what's the poor mechanical engineer doing?

    Christ, man, you even suck at slacking! :-)