Network Penetration Scans and Executive Reaction?
LazloToth asks: "I'm sure some of you have had this happen: your company pays the big bucks for a 3rd-party security audit and, when it comes back, you get called on the carpet for all the supposed 'holes' in your network. When you see the report, you recognize that it comes from a well-known open-source security scanner, and that the 'holes' in question are so obscure as to be meaningless. I told our risk management VP that to fix every item cited -- many of which were false positives or completely out of context -- would be next to impossible for our small IT staff, and that some of the fixes, if implemented, might have deleterious effects on an otherwise smoothly running operation. How do you handle these 3rd-party security people who make mountains out of every molehill?"
No offense, well, okay, perhaps a little offense meant, but I imagine that if you were a top-notch security expert, your company wouldn't be going to 3rd parties to check. Or at least they wouldn't be going to some [supposed] dope with a tool who [you think] gave you bogus stuff.
You might want to consider the possibility that the security expert is right. You also might want to consider the possibility that such 'obscure' holes are the exact thing attackers will look for, because once the machine is owned, it's all over. A hole is a hole.
From a more practical point of view, you should create a sandbox network with one [or many] of the holes the security expert disclosed, and then ask them to exploit one for you. It should be a quick sign whether they're right or they're a dope.
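Before the argument about who is the dope even starts, the report itself needs triage: duplicates dropped, each finding either left open or set aside with a written, owned, dated reason, and what remains ordered by severity so the VP sees the real list rather than the raw scanner dump. The script below is an added example written for this page, not code from the original post or any commenter. Its CSV layout, plugin ids, hosts and risk-register entries are all constructed sample data, not the export format of any real scanner.

```python
"""Triage a third-party vulnerability scan export before anyone reacts to it.

Added example: parse a scanner CSV, drop exact duplicates, apply a documented
risk register of accepted findings (owner, reason, expiry), and return what is
genuinely still open, worst first.
"""
from __future__ import annotations

import csv
import io
from dataclasses import dataclass
from datetime import date

# Constructed sample export. The column layout and plugin ids are assumptions
# made for this example, not the output format of any particular scanner.
SCAN_CSV = """\
host,port,plugin_id,severity,title
10.0.0.5,22,SSH-BANNER,info,SSH server version disclosed in banner
10.0.0.5,22,SSH-BANNER,info,SSH server version disclosed in banner
10.0.0.5,443,TLS-WEAK-CIPHER,medium,TLS service accepts RC4 cipher suites
10.0.0.9,80,HTTP-TRACE,low,HTTP TRACE method enabled
10.0.0.9,445,SMB-SIGNING,medium,SMB signing not required
10.0.0.12,3306,DB-REMOTE-ROOT,critical,Database root account accepts remote logins
"""

# Constructed risk register. A finding may only be set aside if someone owns
# the decision, wrote down why, and the exception carries an expiry date.
RISK_REGISTER = {
    ("10.0.0.5", "SSH-BANNER"): {
        "owner": "netops",
        "reason": "Banner version only; fix is a vendor backport, so the version check is a false positive.",
        "expires": date(2030, 1, 1),
    },
    ("10.0.0.9", "HTTP-TRACE"): {
        "owner": "webteam",
        "reason": "Host scheduled for decommissioning.",
        "expires": date(2020, 1, 1),  # already expired: re-justify or fix
    },
}

# Constructed date on which this report is being triaged.
REPORT_DATE = date(2024, 6, 1)

SEVERITY_RANK = {"critical": 4, "high": 3, "medium": 2, "low": 1, "info": 0}


@dataclass(frozen=True)
class Finding:
    host: str
    port: int
    plugin_id: str
    severity: str
    title: str


def parse_report(text: str) -> list[Finding]:
    """Parse the CSV export into Finding records, normalising severity labels."""
    findings = []
    for row in csv.DictReader(io.StringIO(text)):
        sev = row["severity"].strip().lower()
        if sev not in SEVERITY_RANK:
            raise ValueError(f"unknown severity {sev!r} for {row['plugin_id']}")
        findings.append(Finding(row["host"], int(row["port"]), row["plugin_id"], sev, row["title"]))
    return findings


def dedupe(findings: list[Finding]) -> list[Finding]:
    """Scanners often list the same finding twice; keep the first, preserve order."""
    seen: set[Finding] = set()
    out = []
    for f in findings:
        if f not in seen:
            seen.add(f)
            out.append(f)
    return out


def triage(findings: list[Finding], register: dict, today: date) -> dict:
    """Split findings into open, accepted, and accepted-but-expired buckets.

    An expired exception is no exception: the finding goes back on the open
    list and is also reported so the owner can re-justify or fix it.
    """
    open_, accepted, expired = [], [], []
    for f in dedupe(findings):
        entry = register.get((f.host, f.plugin_id))
        if entry is None:
            open_.append(f)
        elif entry["expires"] < today:
            expired.append(f)
            open_.append(f)
        else:
            accepted.append(f)
    open_.sort(key=lambda f: (-SEVERITY_RANK[f.severity], f.host, f.port))
    return {"open": open_, "accepted": accepted, "expired": expired}


def severity_counts(findings: list[Finding]) -> dict:
    """Count findings per severity, which is the number the VP actually wants."""
    counts: dict = {}
    for f in findings:
        counts[f.severity] = counts.get(f.severity, 0) + 1
    return counts


if __name__ == "__main__":
    result = triage(parse_report(SCAN_CSV), RISK_REGISTER, REPORT_DATE)
    print("Open findings, worst first:")
    for f in result["open"]:
        print(f"  [{f.severity:8}] {f.host}:{f.port} {f.plugin_id}: {f.title}")
    print("Accepted with documented reason:", len(result["accepted"]))
    print("Exceptions needing re-justification:", [f.plugin_id for f in result["expired"]])
    print("Open by severity:", severity_counts(result["open"]))
```

The register is the part that matters politically: a finding the team believes is a false positive is not deleted, it is recorded with an owner and a reason and it comes back automatically when the exception lapses, which is a far easier conversation with a risk management VP than "we ignored it".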