Slashdot Mirror


Network Penetration Scans and Executive Reaction?

LazloToth asks: "I'm sure some of you have had this happen: your company pays the big bucks for a 3rd-party security audit and, when it comes back, you get called on the carpet for all the supposed 'holes' in your network. When you see the report, you recognize that it comes from a well-known open-source security scanner, and that the 'holes' in question are so obscure as to be meaningless. I told our risk management VP that to fix every item cited -- many of which were false positives or completely out of context -- would be next to impossible for our small IT staff, and that some of the fixes, if implemented, might have deleterious effects on an otherwise smoothly running operation. How do you handle these 3rd-party security people who make mountains out of every molehill?"

8 of 434 comments

  1. Here's how I would handle it. by UndyingShadow · Score: 5, Interesting

    One of two ways:

    Sit down with your boss and explain what each open port is and why it is open. Then explain what happens if you close that port.

    Lock everything down tighter than Fort Knox, starting with your boss's machine (Yes sir, I'm sorry you can't surf the internet, we closed that outgoing port because it was a security risk)

    One of these should work (or get you fired). Either way, you don't have to deal with employees upset because their VPN or Remote Access doesn't work.

  2. The weakest link... by cpghost · Score: 4, Interesting

    Every chain is only as strong as its weakest link.

    This holds true in the military area, more than everywhere else. I work in environments that are very sensitive to security, and we take such external reviews extremely seriously. There's no such thing as an "obscure" or "irrelevant" weakness.

    Unlike most vanilla companies, we can't afford to let things slide, security-wise. Knowing that your clients are prime targets for highly professional black hats and (not only industrial) spies is highly motivating. This includes (of course) penetration testing (conducted both internally and by independent contractors), but also exclusive use of open source code and internal code auditing. As an aside: personnel (HR) auditing is also very important, if not even more so than technical aspects!

    Sure, most companies don't need this level of security awareness and can get away with being "pragmatic", but don't complain when your client database (with all the goodies like credit card data etc.) gets compromised!

    --
    cpghost at Cordula's Web.
  3. it's haaaard work by humankind · Score: 4, Interesting

    > "How do you handle these 3rd-party security people who make mountains out of every molehill?"

    Since you don't cite any examples of these issues, I would bet you're one of these people who think running PHP with register_globals on is a "molehill"?

    Cite some examples, or else this looks like you're complaining that tightening security holes would be /whine "hard work." Well, it'll be harder after some n00b takes my personal information off your insecure system. Fix it, or consider changing careers instead of being yet another BOFH.

    1. Re:it's haaaard work by DA-MAN · Score: 4, Interesting

      > Cite some examples, or else this looks like you're complaining that tightening security holes would be /whine "hard work." Well, it'll be harder after some n00b takes my personal information off your insecure system. Fix it, or consider changing careers instead of being yet another BOFH.

      The poster had stated that the report came from a "well-known open-source security scanner", which I can only assume means that it was generated from Nessus. As someone who runs Nessus on a regular basis for my company, I have to say that the reports generated from Nessus can be next to useless if not properly interpreted.

      For example it will flag our RHEL boxes for running Apache 2.0.46 due to some obscure DoS or bug. Recommendation: Upgrade to latest. However it doesn't take into account that Red Hat has backported the fix into 2.0.46 and that RH Apache 2.0.46 is not vulnerable.

      In addition, Nessus bitches about everything it sees, such as mail.domain.com listening on port 25. This is not a security risk, but rather intended behaviour.

      I found myself in a similar position last year when a user brought in his home laptop and scanned the internal net with Nessus. This user brought the results to upper management at my company without even talking to us sysadmin folks. The manager freaked when she saw her servers so "vulnerable" and asked the sysadmin manager "what the hell is going on?".

      Fortunately I had been conducting weekly Nessus scans myself. I showed my manager our archive dating back for months, and explained how this is prone to false positives. I explained how we had taken care of the real problems, and what can show as a false positive. He was impressed, went back to the other manager and explained the rest. In addition he had the user suspended for a week without pay for violating the terms of service for our network.

      Long story short, cover your ass and run your own scans. Take care of issues as they come up. If a consulting company comes in and just runs a Nessus scan on your network, explain to your managers how the company is not offering anything new and how they haven't put any effort into interpreting the results.

      It's not about spin, it's about interpreting what a security risk truly is.

      --
      Can I get an eye poke?
      Dog House Forum
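The triage DA-MAN describes (separating banner-driven false positives and intended services from findings that actually need work) can be scripted against the raw scanner output. The following is an added example, not code from the thread or from Nessus: the findings, the backport table standing in for a distribution's errata, and the service inventory are all constructed, and the advisory identifier is a placeholder.

```python
"""Triage raw vulnerability-scanner findings against local knowledge.

Added example (not from the thread or from Nessus). Everything below is
constructed: the findings mimic a scanner that keys on version banners,
BACKPORTED_FIXES stands in for vendor errata, and EXPECTED_SERVICES is
the administrator's own inventory of what is supposed to be listening.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Finding:
    host: str
    port: int
    check: str                      # name of the scanner check that fired
    severity: str                   # severity exactly as the scanner reported it
    package: Optional[str] = None   # software the banner identified, if any
    version: Optional[str] = None   # version string the check keyed on
    advisory: Optional[str] = None  # advisory the check maps to, if any


# Constructed inventory: (host, port) -> why that service is meant to listen.
EXPECTED_SERVICES = {
    ("mail.example.com", 25): "inbound SMTP (MX for example.com)",
    ("files.example.com", 2049): "NFS export for the finance share",
}

# Constructed stand-in for vendor errata: advisories whose fixes were
# backported into a distro build without bumping the upstream version.
# "2.0.46-RHEL" and "ADVISORY-PLACEHOLDER-1" are labels, not real identifiers.
BACKPORTED_FIXES = {
    ("httpd", "2.0.46-RHEL"): {"ADVISORY-PLACEHOLDER-1"},
}

# Banner-only checks carry this phrase in their name in our constructed data.
SERVICE_DETECTION = "service detected"


def triage(f: Finding, expected=EXPECTED_SERVICES, backports=BACKPORTED_FIXES):
    """Classify one finding; returns (disposition, reason).

    Dispositions: 'intended' (inventoried service), 'unexpected-service'
    (listener nobody documented), 'patched-backport' (banner version is
    vulnerable upstream but the distro build carries the fix), 'actionable'.
    """
    if SERVICE_DETECTION in f.check.lower():
        purpose = expected.get((f.host, f.port))
        if purpose:
            return "intended", f"{f.host}:{f.port} is inventoried as {purpose}"
        return "unexpected-service", f"{f.host}:{f.port} is not in the service inventory"

    if f.advisory and f.advisory in backports.get((f.package, f.version), set()):
        return "patched-backport", (
            f"{f.package} {f.version} carries the fix for {f.advisory}; "
            "confirm against the package manager's changelog before closing")

    return "actionable", f"'{f.check}' needs verification and a fix or a documented exception"


def summarize(findings):
    """Count findings per disposition so management sees the real workload."""
    counts = {}
    for f in findings:
        disposition, _ = triage(f)
        counts[disposition] = counts.get(disposition, 0) + 1
    return counts


# Constructed sample of what a banner-based scanner might report.
SAMPLE_FINDINGS = [
    Finding("mail.example.com", 25, "SMTP service detected", "Info"),
    Finding("web.example.com", 80, "Apache < 2.0.48 denial of service", "Medium",
            package="httpd", version="2.0.46-RHEL", advisory="ADVISORY-PLACEHOLDER-1"),
    # Same check, but a self-compiled build with no backport: this one is real work.
    Finding("build.example.com", 8080, "Apache < 2.0.48 denial of service", "Medium",
            package="httpd", version="2.0.46", advisory="ADVISORY-PLACEHOLDER-1"),
    Finding("db.example.com", 3306, "MySQL service detected", "Info"),
]

if __name__ == "__main__":
    for f in SAMPLE_FINDINGS:
        disposition, reason = triage(f)
        print(f"{f.host}:{f.port:<5} {f.severity:<7} {disposition:<18} {reason}")
    print(summarize(SAMPLE_FINDINGS))
```

The point of keeping the scanner's own severity alongside the disposition is that the raw output still goes to management unaltered, as austad argues below; what the sysadmin adds is the interpretation column, and the 'unexpected-service' bucket catches the listener nobody had a reason for, which a pure false-positive filter would have waved through.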
  4. Re:It's their job by austad · Score: 5, Interesting

    Additionally, the security person that did the audit needs to sit down with you and go over every item determining whether or not there is a threat, explaining why certain things might be a threat, and detailing any possible way to mitigate the risk if there is any.

    If they just handed you a report from Nessus and a bill, they are not doing their job. The security scanner output needs to be accompanied by another separate report which discusses the TRUE risk.

    Every security company out there uses an open-source or commercial security scanner to get a general overview of any weaknesses, but sadly, many take the output at face value and just attach an invoice. You need to see what the scanner found, so I don't think it's right for them to omit anything from it. But, like I said above, they really need to evaluate the data that comes out of whatever product they use, investigate more by hand, ask questions, etc.

    I currently work for a company that does this sort of thing. We use a variety of methods, depending on how in depth the customer wants to go. But in all cases, they get the raw output from any tools we use, and they get a thorough report and followup meeting detailing what was found and whether or not it's an actual threat. We make product and methodology suggestions, and even stick around to help them out.

    My suggestion is, if you're looking for someone to do a security assessment or pen testing, shop around and find someone with excellent references. Finding someone good isn't going to be cheap, but then again, if you're concerned about price, fire up Nessus or ISS and run it yourself.

    --
    Need Free Juniper/NetScreen Support? JuniperForum
  5. Re:It's their job by tomhudson · Score: 5, Interesting

    The article:
    > "How do you handle these 3rd-party security people who make mountains out of every molehill?"

    Parent poster:
    > I think he's looking for the best way to get the point across.

    The best way to get your point across - hack the consultants' box!

    Second best - sit them down and ask them to demonstrate the problem by breaking into your system NOW. Make sure it's a Linux or BSD box, at a console, not a graphical login, and don't give them a user name or password. Most of these weenies are only comfortable with Windows.

    Third best - tell them they were running nmap against your honeypot, not against your real network. They won't know if you're lying or not.

  6. Re:Get a new consultant by jschrod · Score: 4, Interesting
    Yes, the parent ain't no troll; but it ain't no good advice either.

    The poster obviously is not in the position to 'get a new consultant'. His problem is how he can hit his management with the clue stick.

    Let me tell you a story that happened just a few weeks ago: I'm the CEO of a consulting company that does quite some security work. We were brought into the following situation: A customer of an outsourcer got an 'independent' security audit by HP. The HP folks took the (actually very good) CIS benchmarks and demanded that each and every item of that benchmark be followed to the letter. As part of that, they demanded that the NFS and Samba servers be turned off.

    There's just one small problem -- the actual service the outsourcer was providing to the customer is -- tada! -- file service over NFS and CIFS! The outsourcer pointed this out to their customer's management. That management is a bunch of morons and just told them back: But this is a security audit of HP, they know their thing! So they had to bring us in, to give their opinion 'management cloud' by creating pretty PPTs.

    Even though we earned quite some money on that job, I would have preferred to work on really improving the security, in particular the processes, instead of fencing with unprofessional HP security 'consultants' and idiotic management PHBs.

    --

    Joachim

    People don't write Manifestos any more -- what's going on in this world? [Frank Zappa]

  7. Re:It's their job by ladybugfi · Score: 3, Interesting

    >The best way to get your point across - hack the consultants' box!

    Yeah, and that will make you look...co-operative, right?

    I've done security consulting for years: tens of Nessus scans, web app tests, pen. tests etc. From this background I have some points here.

    One clear problem for a third party consultant is that the risk level assignment is not necessarily as clear cut as the Nessus/ISS/whatever report says. We've never given a client a report directly from the tool, but have written our own detailing the problem and in what circumstances the problem is exploitable. This manually compiled report is definitely the killer when project price is concerned. Web-based scans with automatically generated reports are so much cheaper...

    Moreover, we usually work WITH the sysadmins instead of against them. This is a key thing in a successful security audit. Most sysadmins are not security experts and if they happen to be, they still do not usually have the time to do a thorough sweep of the whole network. The sysadmins in my experience have usually been very HAPPY with our results. In all company internal scans there have been major holes, but after our report, they know exactly where they should put the time/effort to enhance their security and what patches/fixes/tools to use for this.

    Besides, in my experience, most of the time sysadmins have not been given any direction whatsoever on the desired security level of the systems. So in the absence of any direction, the audit can NOT claim lack of compliance. We can only say that because the mgmt hasn't committed to security, their systems have ad-hoc security, i.e. security is occasionally good in spots where someone has had the time and clue.

    Regards, a GSNA