Slashdot Mirror


Network Penetration Scans and Executive Reaction?

LazloToth asks: "I'm sure some of you have had this happen: your company pays the big bucks for a 3rd-party security audit and, when it comes back, you get called on the carpet for all the supposed 'holes' in your network. When you see the report, you recognize that it comes from a well-known open-source security scanner, and that the 'holes' in question are so obscure as to be meaningless. I told our risk management VP that to fix every item cited -- many of which were false positives or completely out of context -- would be next to impossible for our small IT staff, and that some of the fixes, if implemented, might have deleterious effects on an otherwise smoothly running operation. How do you handle these 3rd-party security people who make mountains out of every molehill?"

15 of 434 comments

  1. You need to... by Atlantis-Rising · · Score: 4, Informative

    present your own report, detailing those same holes and why it's not worth it to fix them. Preferably first.

    --
    "It is possible to commit no errors and still lose. That is not a weakness. That is life." -Peak Performance
  2. Tell your boss not to hire penetration testers by delirium+of+disorder · · Score: 2, Informative

    If you want real security, penetration testing is only a small part of the process. Sure, you can pay someone to find vulnerabilities....any kid with a copy of nessus, snort, and nmap will do....or you can shell out the big bucks for a Core Impact setup if you get the PHBs paranoid enough. It really won't help fix anything. Even if you do manage to patch every vulnerable service and close off everything else that you don't need, you may still be insecure. Policies and procedures are often as important for ensuring security as closing specific holes in software. If your company needs to outsource network security, convince them to get someone who will offer a more complete solution comprising a specific and custom plan for ensuring the physical, human, and software aspects of security. If you want to get out of your current predicament, I suggest patching what you can and explaining why other vulnerabilities are not relevant. Prove you are smarter than the consultants leeching money that could be yours. If your boss is a real idiot and the security researchers he/she hires are dumbasses too, you can safely backdoor the place before you leave!

    --
    ------ Take away the right to say fuck and you take away the right to say fuck the government.
  3. Dealing with "out of context" issues by Infonaut · · Score: 2, Informative

    In my experience, most of the out of context issues usually come down to someone in management saying something like this at one time or another, "Goddammit! I don't *care* if there's some infinitesimally small chance that we'll have a security problem. I want the ability to IM, and I want it now!"

    Human nature being what it is, pointing this out to the boss is likely to embarrass him and make him feel like you're being a smartass. In general I find that explaining the security continuum (where at one end you have low security, low cost, and all the functionality you want, and at the other end you have high security, higher cost, and some curtailing of functionality) is helpful in coaxing them out of the mentality that security is a one-way street. In the real world, high security entails compromises, some budgetary (even if only for more sysad time) and some functional (not every new flashy network app can simply be added to the system without security analysis).

    I've also found that explaining the security process in terms of priorities is helpful. I used to use a top 10 list that showed management exactly what was highest priority, what came next, and so on. This helped them realize that not all threats are equal.

    Best of luck to you.

    --
    Read the EFF's Fair Use FAQ
  4. Re:Cost by Anonymous Coward · · Score: 1, Informative

    How do you come up with those numbers other than pulling them directly out of your ass? How can you determine the probability of being compromised by a specific vulnerability? And how can you determine ahead of time what the costs to recover will be (unless it's just a flat-rate format/rebuild cost any time you're compromised)?

  5. 1 man's molehill... by Zunni · · Score: 2, Informative

    is another man's mountain. If you were "hacked" and went back to the 3rd-party security company and were told "Well, that opening is so obscure that we really didn't think it was an issue," who would be having their asses handed to them in court?

    Their job is to be as thorough as possible; your job is to analyse the data and figure out what it means with the knowledge you have from working within the organization and understanding the quirks that are native to your workplace. Hopefully your boss understands that your organization (like all organizations) has little things that require special consideration, and that you (and the rest of the IT staff) are given an opportunity to review and provide your own detail to what was submitted.

  6. Fr. Guido Sarducci by Nethead · · Score: 2, Informative

    LazloToth asks: "I'm sure some of you have had this happen: your company pays the big bucks for a 3rd-party security audit and, when it comes back, you get called on the carpet for all the supposed 'holes' in your network.

    Fr. Guido Sarducci replies: Son, you'll just hafta let it go. These bozos just won't get it anyway. Besides, it IS their network, they just pay you to play with it.

    Don Novello Pipes up: Who are you wankers anyway?

    --
    -- I have a private email server in my basement.
  7. Re:You mean tell the boss the dump windoze? by Anonymous Coward · · Score: 1, Informative

    We run a few sites on IIS and use Exchange for all our corporate email, and haven't had a single incident.

    Of course, this should read "haven't had a single incident that we know about".

    Hell, I've had an unpatched Windows 98 box on the internet for years without any incidents that I knew about either.

    Sure, the same may be said for Linux/Solaris; but at least there it's a lot easier to know when you have an incident.

    You just have to know what you're doing

    Not really. With Windows, you both have to know what you are doing, and have a budget for third-party tools to help (and with the tools, you don't really even need to know what you're doing). With Linux you just have to know what you're doing.

  8. Re:quit by tomhudson · · Score: 2, Informative

    Don't forget the exhibit at the Olympic stadium in Rimouski
    For those who don't get it - there is only one Olympic Stadium in Quebec, and it's in Montreal. Didn't stop the guys from doing this:
    Chretien's friend submits bills for shows at fake Olympic stadiums: inquiry
    at 19:46 on April 13, 2005, EST.
    By BRIAN DALY

    MONTREAL (CP) - Phantom Olympic Stadiums throughout Quebec were included in bogus bills that a good friend of Jean Chretien submitted while raking in $6.7 million in sponsorship income, an inquiry heard Wednesday.

    The fake bills complete with non-existent stadiums were turned in by Liberal organizer Jacques Corriveau for a series of regional hunting and fishing shows that did in fact take place, promoter Luc Lemay testified at the inquiry into the sponsorship scandal.
    &<---------&<---------&<--------&<------ ---
    Laughter erupted when inquiry counsel Bernard Roy noted Corriveau billed thousands of dollars for working at the Olympic Stadium in Sherbrooke, Trois-Rivieres, Rimouski, Chicoutimi and Ste-Foy, a suburb of Quebec City.

    Rimouski's entire population could easily fit into Montreal's costly 50,000-seat Olympic Stadium with room to spare.
    It would be like billing for events at Madison Square Gardens, Florida, Madison Square Gardens, Los Angeles, Madison Square Gardens, Little Rock, Madison Square Gardens, Left Bend, and Madison Square Gardens, Somewhere_in_the_boonies.
    http://start.shaw.ca/start/enCA/News/NationalNewsArticle.htm?src=n0413121A.xml
  9. Re:Risk Assessment Done By Professionals by Rolan · · Score: 2, Informative

    As I said in my first paragraph:

    If the boss wants you to "fix" them all, give him a report of your own. "This is setup this way because of X, and the risk is mitigated by Y." If it's not a risk, explain why it is not. If you can't explain why it's a risk or how you're mitigating the risk, then you should be called out on the carpet.

    Risk mitigation doesn't necessarily mean you have to close the "hole". Simply that you are aware of it and you've done what makes sense to address it. If there is a hole whose risk is so low that it would cost more to fix it than to recover, the mitigation is that you are aware of it and can recover from it if it happens.

    --
    - AMW
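    The advice in comments 3 and 9 above (a ranked priority list for management, and a report of your own that says "set up this way because of X, mitigated by Y" for every finding) can be turned into a small triage step that runs over the raw scanner export. The script below is an added example, not code from this thread or from any poster or scanner vendor: the finding records, plugin ids, hosts and the exception register are constructed sample data, and the 1-to-5 likelihood/impact scale is an assumption of the example rather than any scanner's own rating. Findings nobody has reviewed stay "open" with a default score, so the response never silently drops an item, which is the point comment 5 makes about who gets blamed later.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    plugin_id: str        # scanner check identifier (constructed values below)
    host: str
    port: int
    title: str
    scanner_severity: str  # the scanner's own word for it, e.g. "High"


@dataclass(frozen=True)
class Disposition:
    status: str          # "open" | "false_positive" | "mitigated" | "accepted"
    likelihood: int      # 1..5, assessed in *this* environment (assumed scale)
    impact: int          # 1..5, cost of a successful exploit here (assumed scale)
    justification: str   # the "because of X, mitigated by Y" sentence for management


# Default likelihood/impact for findings nobody has reviewed yet, keyed by the
# scanner's severity word. Assumed mapping for the example, not a vendor scale.
DEFAULTS = {"Critical": (5, 5), "High": (4, 4), "Medium": (3, 3), "Low": (2, 2), "Info": (1, 1)}

# Constructed sample scan export: private addresses and made-up plugin ids.
SCAN = [
    Finding("P-1001", "10.0.0.5", 22, "SSH server supports weak MAC algorithms", "Medium"),
    Finding("P-1002", "10.0.0.5", 25, "SMTP banner discloses software version", "Low"),
    Finding("P-1003", "10.0.0.9", 80, "Web server allows TRACE method", "Medium"),
    Finding("P-1004", "10.0.0.9", 443, "Expired TLS certificate", "High"),
    Finding("P-1005", "10.0.0.12", 445, "SMB signing not required", "High"),
    Finding("P-1006", "10.0.0.12", 139, "NetBIOS name service enabled", "Info"),
]

# Exception register kept by the IT staff, keyed by (plugin_id, host). Each entry
# records why the item is not being "fixed" and what compensating control applies.
REGISTER = {
    ("P-1002", "10.0.0.5"): Disposition("accepted", 1, 1,
        "Banner version string is set by hand and does not match the installed build; no action."),
    ("P-1003", "10.0.0.9"): Disposition("false_positive", 1, 2,
        "Re-tested manually: TRACE returns 405 through the reverse proxy; scanner hit the backend directly."),
    ("P-1005", "10.0.0.12"): Disposition("mitigated", 2, 4,
        "File server sits on an isolated VLAN reachable only from the admin jump host; signing enforced next change window."),
}


def triage(findings, register):
    """Attach a disposition and a risk score (likelihood * impact) to every finding."""
    rows = []
    for f in findings:
        d = register.get((f.plugin_id, f.host))
        if d is None:
            like, imp = DEFAULTS.get(f.scanner_severity, (3, 3))
            d = Disposition("open", like, imp, "Not yet reviewed; treat as real until verified.")
        rows.append((f, d, d.likelihood * d.impact))
    return rows


def prioritize(rows, top_n=10):
    """Open findings only, highest score first: the 'top N' list for management."""
    open_rows = [r for r in rows if r[1].status == "open"]
    return sorted(open_rows, key=lambda r: (-r[2], r[0].host, r[0].port))[:top_n]


def summarize(rows):
    """Counts per disposition, for the cover page of the response."""
    counts = {}
    for _, d, _ in rows:
        counts[d.status] = counts.get(d.status, 0) + 1
    return counts


def render_report(rows):
    """Plain-text response: ranked open items first, then every justified exception."""
    lines = ["Response to third-party scan", ""]
    for f, _, score in prioritize(rows):
        lines.append(f"[{'OPEN':14s} score={score:2d}] {f.host}:{f.port} {f.title}")
    for f, d, score in rows:
        if d.status != "open":
            lines.append(f"[{d.status.upper():14s} score={score:2d}] {f.host}:{f.port} {f.title}")
            lines.append(f"    {d.justification}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(render_report(triage(SCAN, REGISTER)))
```

    Running it prints three open items ranked 16, 9 and 1 followed by the three register entries with their justifications; the register, not the scanner, is what the VP should be asked to sign off on.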
  10. Re:Consultants by Anonymous Coward · · Score: 0, Informative

    the grandparent post (consultants: if you're not part of the solution, there's good money to be made in prolonging the problem) is a dispair.inc poster, I believe with a closeup on a handshake as the image. Gotta love dispair.inc :)

  11. Attribution... by mi · · Score: 2, Informative

    This, actually, was a Dilbert cartoon... Dogbert was saying: "I like to con, and I like to insult. I'll be a CONSULTANT!"

    --
    In Soviet Washington the swamp drains you.
  12. Don't hire *those* consultants in the first place by crowemojo · · Score: 2, Informative

    As a security professional it's frustrating to see companies choose my competitors because they are cheaper without realizing how worthless they are. Guess what, if you skimp on a pentest, all you are gonna get is a nessus scan with a cover page. If you actually get a company that knows what they are doing, then you are paying not only for the scans and the activities, but for the knowledge and effort to weed out the false positives and to *verify* the results.

    Guess what folks, a nessus scan is *not* a penetration test. It's a vulnerability scan. A penetration test is executed by consultants, not automated by generic tools. Sure, they will use those tools, but they will also use their own understanding of information systems, they will also gain an understanding of the overall picture and they will also be useful experiences and reports! If you really paid top dollar for what you described, you got screwed, shop for a different pentesting vendor.

  13. Re:Consultants by Trepalium · · Score: 2, Informative

    You might want to credit that sig to despair.com instead of WD_40. I mean, they own a trademark on the frownie and have stated their intention to enforce it, so who knows what they'd do to you if you lift one of their slogans!

    I've purchased some of their calendars (didn't get this year's because it's all old designs), and they're always funny, and far, far too true.

    --
    I used up all my sick days, so I'm calling in dead.
  14. bad attitude by cahiha · · Score: 2, Informative

    I for one *love* ripping these guys new ones. In particular when I produce the same report in a couple of hours. All kinds of fun.

    It doesn't matter what you produce. Your boss is bringing in an outside consultancy to get an independent assessment of what you are doing. That's a prudent and sensible thing to do, because he doesn't know what is going on technically (he isn't supposed to--it's not his job), and you could be lying to him to cover your ass. It's no different from bringing in outside accounting firms to check the books, outside HR experts to check compliance with anti-discrimination laws, or outside consultants to check on customer service.

    If you are unprofessional, uncooperative, or insulting in the process, you only hurt yourself.

    On the other hand, if you think you can do a better job than the outside consulting agencies, start your own and try to convince companies of that.

  15. bad consultants bad by thepiltdownman · · Score: 2, Informative

    I am sorry for all the people who had experience with bad auditors. Truth is that learning scanning software (ISS, Nessus, Harris Stat) etc. is fairly easy. It's the analysis part that is hard. When I do audits I go over every vulnerability found (by whatever particular scanner) with the client and we discuss each one to find out whether it is valid for their environment or not. Additionally, a post report should include a thorough analysis of all the findings, not just a printout of the ISS report (which in my opinion is poor), and match these vulnerabilities with realistic mitigations. Just like in every field, there are bad people and there are really good people as well. I have met TONS of people recently who are in security because they heard it was a hot field but even with the CISSP they don't know jack!!!