Slashdot Mirror


Network Penetration Scans and Executive Reaction?

LazloToth asks: "I'm sure some of you have had this happen: your company pays the big bucks for a 3rd-party security audit and, when it comes back, you get called on the carpet for all the supposed 'holes' in your network. When you see the report, you recognize that it comes from a well-known open-source security scanner, and that the 'holes' in question are so obscure as to be meaningless. I told our risk management VP that to fix every item cited - many of which were false positives or completely out of context - would be next to impossible for our small IT staff, and that some of the fixes, if implemented, might have deleterious effects on an otherwise smoothly running operation. How do you handle these 3rd-party security people who make mountains out of every molehill?"

9 of 434 comments

  1. quit by s20451 · Score: 5, Funny

    Quit your job and start a 3rd party security consulting company.

    --
    Toronto-area transit rider? Rate your ride.

    1. Re:quit by jd · Score: 5, Funny

      You don't understand the market, do you? :)

      With the current paranoia, lack of decent security awareness (and therefore the lack of ability to evaluate the results), and the ability to impress a PHB by wearing the "right" suit, you could easily charge $50,000 for a Nessus scan. $5,000 would barely pay for an Nmap sweep. For Unix servers, also use SARA and TARA for $10,000 apiece.

      In today's atmosphere, it should not be possible to walk away from a security contract with less than $75,000. Double, if you use that random paper generator, covered by Slashdot a day or so ago.

      --
      It's a small world and it smells funny; I'd buy another if it wasn't for the money; Take back what I paid (SoM)

    2. Re:quit by Anonymous Coward · Score: 5, Funny

      Just remember,

      Conning + Insulting = consulting.

      No problem man...

  2. Deal With Them by RobertTaylor · Score: 5, Funny

    How do you handle these 3rd-party security people who make mountains out of every molehill?

    Post the company name and URL on slashdot and let them have a 'specialised security audit'...

  3. We can help by Lev13than · Score: 5, Funny

    LazloToth asks: "...How do you handle these 3rd-party security people who make mountains out of every molehill?"

    I think we need more details on the severity of your security holes. Give us your company's IP range, and if we find anything significant we'll leave a note for you on your desktop.

    --
    When you have nothing left to burn you must set yourself on fire

  4. Consultants by WD_40 · Score: 5, Funny

    If you can't be part of the solution, there is good money to be made in prolonging the problem.

    --

    "With sufficient thrust, pigs fly just fine." -- RFC 1925

    1. Re:Consultants by TheGratefulNet · Score: 5, Funny

      If you can't be part of the solution, there is good money to be made in prolonging the problem.

      I always thought if you're not part of the solution, you're part of the precipitate.

      --
      "It is now safe to switch off your computer."

  5. Re:Easy solution by Anonymous Coward · Score: 5, Funny

    Dear Manager of Clueless Company,

    Thank you again for the opportunity to conduct a security audit on your organization. We would like to let you know that you failed your security audit because none of your systems passed a simple availability test and all of them had the same issues the last time we conducted our scans. When we started this scan, all of your systems appeared to be down when we tested your company from a known IP address. Suspecting that your staff thought they could block the scan, we simply changed our IP, and were able to test your servers. Our tests show a number of things:

    1) You show no improvement in security. All the old holes are still there, and we found some new warez servers, along with numerous bots, spam engines and several IRC servers. These make for an excellent addition to the old warez and IRC servers, spam engines and zombies that make up your organization.
    2) Your IT staff is clearly made up of some stupid people. How they could have thought blocking IPs would keep us from testing their servers is beyond belief. They really are a piece of work.
    3) Your employees cannot be trusted because they are trying to cover up this cluelessness in the most incompetent manner possible.
    4) You are oblivious to the cluelessness on your employees' part.
    5) Your company really is dumb if they think they can block the source of an audit from a security company. Come on, we do this for a living, did your IT people really think they could stop us? Seriously, what moron thought this would work? Did they read this on Slashdot or something?

    To summarize, your systems are wide open and compromised, your staff is incompetent and untrainable, and your attempts to block our scans were additional fruitless indicators of your staff's pathetic grasp on even basic IT concepts. Frankly, we'd like to thank you for the free money, and to pass on our thanks to your clueless staff for making this process trivially easy. If we only had more idiotic customers like you, it would make our jobs so much easier.

    Looking forward to your next follow-up scan. Please be sure to promote everyone in your IT department as we are thrilled with their work so far!

  6. Re:Next to worthless by prockcore · Score: 5, Funny

    "Eliminate the Appletalk networking protocol."

    A worthy and noble goal. Chattiest protocol ever.

    "Are you there printer?"

    "Yeah, I'm still here."

    "Sweet.. just checking"

    "So.. uh.. what's new with you?"

    "Not much, did you see the file share that moved in down the block?"

    "Yeah, he was talking to me earlier"

    "Nice guy. I like him. He shares files you know"

    "So I gathered. As a printer, I don't think I need to talk to him"

    "Heh, yeah, that's probably true. But hey, never hurts to keep in contact with everyone, even if you have nothing in common"

    "I hear you brother! So, um.. did you need to print something?"

    "Me? Oh no.. I'm just keeping tabs on everyone"

    "Yeah... I do that too"