Network Penetration Scans and Executive Reaction?
LazloToth asks: "I'm sure some of you have had this happen: your company pays the big bucks for a 3rd-party security audit and, when it comes back, you get called on the carpet for all the supposed 'holes' in your network. When you see the report, you recognize that it comes from a well-known open-source security scanner, and that the 'holes' in question are so obscure as to be meaningless. I told our risk management VP that to fix every item cited - - many of which were false positives or completely out of context - - would be next to impossible for our small IT staff, and that some of the fixes, if implemented, might have deleterious effects on an otherwise smoothly running operation. How do you handle these 3rd-party security people who make mountains out of every molehill?"
Quit your job and start a 3rd party security consulting company.
Toronto-area transit rider? Rate your ride.
It's their job to be detailed. You have to interpret those reports and draw conclusions. They were hired to point out the holes; you have to decide whether it's worth covering them.
If the boss wants you to "fix" them all, give him a report of your own. "This is setup this way because of X, and the risk is mitigated by Y." If it's not a risk, explain why it is not. If you can't explain why it's a risk or how you're mitigating the risk, then you should be called out on the carpet. NEVER rely on security by obscurity. There is no such thing as a hole "so obscure as to be meaningless." If you mean that the report is vague in defining what the hole is, then you or your boss should get more information from the person you paid to do it.
In the end, if you can't specify why it SHOULD be that way, then you should make it secure. If you can say it HAS to be that way for a specific reason, then you should say how you are mitigating the risk. If you're not mitigating the risk, well, you better come up with a really good reason your boss is going to like.
- AMW
... they have to make huge deals out of everything or risk being found out as mostly useless ;)
The Peanut Gallery, Ubergeek, Biblically Sober
NCAAbbs.com: Thousands of fans, Hundreds of teams, Just one place
present your own report, detailing those same holes and why it's not worth it to fix them. Preferably first.
"It is possible to commit no errors and still lose. That is not a weakness. That is life." -Peak Performance
How do you handle these 3rd-party security people who make mountains out of every molehill?
Post the company name and URL on slashdot and let them have a 'specialised security audit'...
One of two ways:
Sit down with your boss and explain what each open port is and why it is open. Then explain what happens if you close that port.
Lock everything down tighter than Fort Knox, starting with your boss's machine (Yes sir, I'm sorry you can't surf the internet, we closed that outgoing port because it was a security risk)
One of these should work (or get you fired). Either way, you don't have to deal with employees upset because their VPN or Remote Access doesn't work.
As someone else said - if you can't do that, there's a problem.
smash.
I run: Windows, OS X, Linux, FreeBSD. Just because you have a hammer, doesn't mean everything is a nail.
And then explain, when users complain of the inability to use their computers, that you were directed to fix all the holes. Tell them your supervisors were made aware of what the result of doing all the fixes would be, but that you were directed to make the changes anyway. A company-wide memo might be appropriate. Or just an email explaining your position accidentally forwarded to everyone.
LazloToth asks: "...How do you handle these 3rd-party security people who make mountains out of every molehill?"
I think we need more details on the severity of your security holes. Give us your company's IP range, and if we find anything significant we'll leave a note for you on your desktop.
When you have nothing left to burn you must set yourself on fire
Document the hell out of everything. And explain why the setup is as it is. It is a real pain when you have some worthless security company telling management that echo, discard, and chargen are major security holes on internal systems. Besides senseless violence directed at the auditors, it is a painful process.
All that matters to the managerial types is dollars and cents. Show them (in their language - money) how much it will cost to fix the "problems" (even break it down and show them the cost of each problem), vs. how much benefit the company will gain (again in terms of money) from the fix. Be sure to include opportunity costs (and gains). Then let them make their decision.
They will decide whatever they think will be best (based, of course, on money). Then you fix whatever they tell you to. Hopefully they won't tell you to do anything dumb after they've been shown just what it will cost them.
We have 2 'IT' people - myself and one other.
The owner of the company defers to us on all things technology related - what we say goes. No questions asked.
Seriously, you need to work with someone who has a clue. Anyone reviewing these scans should know what they are looking at. If they don't, they have no room to criticize. It is the security consultant's job to put the scan and the vulnerabilities in context. They need to explain the risks to management in a manner that management can understand. Their report should come with recommendations on how to correct the problems, and it should at least try to outline the consequences of the fixes. The consultants should have worked with the engineering/admin team to understand the holes before the report went to management. Otherwise you paid for a whole lot of nothing.
the growth in cynicism and rebellion has not been without cause
You've already played Devil's Advocate, so document what you think the risks are/may be, then do *exactly* what he says. Once it breaks, whip out the risks you documented and explain how you did exactly what was asked of you over your stated objections. It's the only real way to do it--and rather satisfying, gotta admit.
If you can't be part of the solution, there is good money to be made in prolonging the problem.
"With sufficient thrust, pigs fly just fine." -- RFC 1925
I work for the Canadian Government and we have our own in-house security department. This problem is not limited to consultants and third parties. The small staff in our office can create reports hundreds of pages long using open source and proprietary tools. The hard part is finding the owner of each asset and getting them to take responsibility for it. Often the "administrator" isn't even close to qualified to perform system maintenance.
> to sleep with the lead consultant, catch it on tape, and thus damage his credibility. These guys never get laid so don't worry about him not falling for the bait.
Ummmmm, yeah - that's the ticket! NOT. Stop projecting.
Must-not-watch TV!
Take the report, and give costs for covering each hole. Also, give your risk assessment to the company (yes, there is a hole that has a 1% chance of costing the company $5,000 - but it will cost $500 to repair).
Then, let the boss make the budget decisions, and carry them out. Make sure extra staff is included in your report.
"Giving money and power to government is like giving whiskey and car keys to teenage boys" P. J. O'Rourke
We've had external auditors come through with their "best practice checklists" and ask us all kinds of questions, then they make their report to the ones that brought them in.
Two years ago, after the report went to the Board of Trustees (I work for a state university), we were tasked to give a "when or why not" to each and every issue on the report.
On the bright side, the particular auditor we've had to deal with most of these times was as fair and accurate as can be expected - there were no real surprises sprung on us (she's back next week to do our Oracle systems).
Doug
BOFH
Every chain is only as strong as its weakest link.
This holds true in the military area, more than everywhere else. I work in environments that are very sensitive to security, and we take such external reviews extremely seriously. There's no such thing as an "obscure" or "irrelevant" weakness.
Unlike most vanilla companies, we can't afford to let things slide, security-wise. Knowing that your clients are prime targets for highly professional black hats and (not only industrial) spies is highly motivating. This includes (of course) penetration testing (conducted both internally and by independent contractors), but also exclusive use of open source code and internal code auditing. As an aside: personnel (HR) auditing is also very important, if not even more so than the technical aspects!
Sure, most companies don't need this level of security awareness and can get away with being "pragmatic", but don't complain when your client database (with all the goodies like credit card data etc.) gets compromised!
cpghost at Cordula's Web.
He wants secure so give him secure - no luser access. What's the guy's username?
BOFH
Say that making those changes would hamper creativity and stifle innovation. :P
Coward? Coward! Thems fighten words!!
How does having sex and being surreptitiously videotaped damage a person's credibility? I'd say whoever did the videotaping is the one whose credibility would be damaged.
-Forrest Cameranesi, Geek of all Trades
"I am Sam. Sam I am. I do not like trolls, flames, or spam."
Sorry Boss, those Windows servers you insisted we buy are 'bad'.
no Exchange,
No IIS
etc...
Send Peter Clifford Francis Macrae comdoms to 23 Bedford St, St.Neots, PE19 1AX, England
See where they did the scan from and drop all packets at the firewall from that domain?
I Am My Own Worst Enemy
In the mid-1990s, I ran IT for a graphic design firm, which consisted of some 50-75 Macintosh computers. Pretty much everything ran on Macs; even the accounting systems used Great Plains for Mac.
At one point, some of the staffers got the idea that network performance might not be optimal, and it was decided that we should do a performance audit. A contractor was brought in to spend a few hours sniffing our network, then go away and do a thorough, in-depth protocol analysis. The result of this analysis was a 20-page report detailing their findings.
The conclusion was that there was, indeed, a lot of unnecessary packets of traffic flying around the network. Their solution?
"Eliminate the Appletalk networking protocol."
Uh, yeah. Thanks guys, here's your $2,500.
(Maybe the best solution is to do whatever you can to educate management and set expectations at appropriate levels.)
Breakfast served all day!
Except I'm on strike and done picketing for the day.... So I'm actually saving my organization money by not being at the office while reading this..
They get paid to find every little nitpicky thing. It's in their best interest to make everything sound major (ever heard of the term follow-on engagement?)
Sit down, take the list and prepare a reasonable time & budget to fix each item along with your recommendations of the order to fix them in (based on business risk). Make sure your numbers and hours are realistic, because chances are excellent that he'll ask the consultants for the same info.
Then Mr VP can either allot internal resources to fixing the problem or hire outside consultants, or both. Business risk deals with a lot of things both real and perceived. In some cases, having the perception of risk is just as bad as the real thing (from a liability perspective, thank you Millberg Weiss).
Your VP's job is to determine the acceptable level of risk for the company. Yours is to aid him in that decision, not make it for him.
"I'd rather be a lightning rod than a seismometer." -Ken Kesey
And do make sure the consultant gives you some recommendations about prioritization.
Bill Stewart
New Fast-Compression-only CPR http://preview.tinyurl.com/dy575ks
How do you handle these 3rd-party security people who make mountains out of every molehill?"
/whine "hard work." Well, it'll be harder after some n00b takes my personal information off your insecure system. Fix it, or consider changing careers instead of being yet another BOFH.
Since you don't cite any examples of these issues, I would bet you're one of these people who think running PHP with register_globals on is a "molehill?"
Cite some examples, or else this looks like you're complaining that tightening security holes would be
Security through obscurity... that's the spirit ;)
www.whitedust.net
If you want real security, penetration testing is only a small part of the process. Sure, you can pay someone to find vulnerabilities....any kid with a copy of nessus, snort, and nmap will do....or you can shell out the big bucks for a Core Impact setup if you get the PHBs paranoid enough. It really won't help fix anything. Even if you do manage to patch every vulnerable service and close off everything else that you don't need, you may still be insecure. Policies and procedures are often as important for ensuring security as closing specific holes in software. If your company needs to outsource network security, convince them to get someone who will offer a more complete solution comprising a specific and custom plan for ensuring the physical, human, and software aspects of security. If you want to get out of your current predicament, I suggest patching what you can and explaining why other vulnerabilities are not relevant. Prove you are smarter than the consultants leeching money that could be yours. If your boss is a real idiot and the security researchers he/she hires are dumbasses too, you can safely backdoor the place before you leave!
------ Take away the right to say fuck and you take away the right to say fuck the government.
This is a great opportunity. Start by consulting with a high priced "security" company about plugging the "holes". Figure on $20k in consulting fees alone. Make sure they recommend only the top end (most expensive) equipment and software. Of course, your staff will need to be doubled (at least) and all will require MANY classes, in far away places, on how to run all this new kit. Figure a good 2 years to train existing and new staff. You will need new quarters for all this equipment too. Temperature and humidity controlled of course. Security cameras, off site storage of all the new backup equipment, co-located servers in another power grid (several states away). Shoot for a cool million and triple (at least) current operating expenses. Then see what your pointy haired boss says.
Human nature being what it is, pointing this out to the boss is likely to embarrass him and make him feel like you're being a smartass. In general I find that explaining the security continuum (where at one end you have low security, low cost, and all the functionality you want, and at the other end you have high security, higher cost, and some curtailing of functionality) is helpful in coaxing them out of the mentality that security is a one-way street. In the real world, high security entails compromises, some budgetary (even if only for more sysad time) and some functional (not every new flashy network app can simply be added to the system without security analysis).
I've also found that explaining the security process in terms of priorities is helpful. I used to use a top 10 list that showed management exactly what was highest priority, what came next, and so on. This helped them realize that not all threats are equal.
Best of luck to you.
Read the EFF's Fair Use FAQ
Is put a text file somewhere - tell them where it is and if they can tell you the message in it then you will agree there is a security problem. Otherwise go away. IOW have them produce more than a report. Like a security test for a military base is for someone unauthorized to try to penetrate and see if they can put a tag on some piece of equipment. If they can then they've proven there is a security problem.
try { do() || do_not(); } catch (JediException err) { yoda(err); }
I've seen the managers that this guy is suffering under and your insightful remark won't help him. You see, his boss is likely referring to "holes" reported by Nessus and others that are not holes but, because some outside company said it, then it must be so.
Outside companies are always more authoritative than in-house staff. "They're not from here so, they must be the authority on the subject."
By the way, the "holes" he is referring to are likely things like:
Can determine path to host via traceroute. Danger Will Robinson!
SMTP server returns a header. Shock! Horror!
HTTP server returns a header. OMG! This must be fixed!??
...as to be meaningless", you say; can you give a few examples of security holes that are 'obscure' and 'meaningless'?
I mean - a vulnerability found should either be a false positive - which you should be able to explain to your boss easily - or it's actually relevant. If you are *knowingly, intentionally* running vulnerable systems, these hopefully do not share *any* infrastructure with your production networks.
Put the focus on your professional relationship; make the technical aspects secondary to that. If you have any history of trust, emphasize that.
"Do you generally trust me to keep the network secure?"
"Do you see the possibility that this company might make mountains out of molehills to demonstrate their value?"
"If we DO find out that I have left some things unattended, will you give me the chance to correct them?"
Etc.
Your boss, more than anything, wants to know he's in good hands. Even though he may not consciously know it, his trust in YOU is the most important thing; his trust in the NETWORK is secondary; his trust in a temporary CONTRACTOR is a fleeting thing.
If you adopt an overly defensive or confrontational posture, you do nothing but hurt your relationship with your boss, and ultimately yourself.
Pete Forsyth
is another man's mountain. If you were "hacked" and when you went back to the 3rd party security company and were told "Well, that opening is so obscure that we really didn't think it was an issue." Who would be having their asses handed to them in court?
Their job is to be as thorough as possible; your job is to analyse the data and figure out what it means with the knowledge you have from working within the organization and understanding the quirks that are native to your workplace. Hopefully your boss understands that your organization (like all organizations) has little things that require special consideration and you (and the rest of the IT staff) are given an opportunity to review and provide your own detail to what was submitted.
Rope, duct tape, knife and Hanson CDs. Give them the choice the knife or Hanson with an endless loop of MMMBop.
I say we just grow up, be adults and die.
Use Qualys and dump the free crap. That explains everything. Your boss will love it and it will save you the headache of translating.
Fr. Guido Sarducci replies: Son, you'll just hafta let it go. These bozos just won't get it anyway. Besides, it IS their network, they just pay you to play with it.
Don Novello Pipes up: Who are you wankers anyway?
-- I have a private email server in my basement.
How to avoid being called on the carpet over security? Be at least one degree more paranoid about security than your boss.
How to handle the security report? With the same seriousness as your boss; he signs your paychecks after all.
Ask for the opportunity to have the 3rd party justify, in writing, what each vulnerability means and assess the severity. If your boss won't go for this, you probably don't want to work for an irrational boss.
Or if you don't want to make that drastic of a move, tell him or her that you should outsource that security to the company that did the scan. That's probably why they gave such a mountain-molehill report anyway. If your boss is going to believe them, then make them "fix" the network, and then explain why they broke everything.
A third possibility would be to get a second opinion, although you run the risk of getting an equally overzealous report.
_______
2B1ASK1
At least I get to read this instead of having obnoxious people spittle in my face while sharing this sentiment...
(Side note, the IT dept is lumped in with secretaries here, and they have strength of numbers...)
All you can do is clarify and explain. I only deal with "Critical," "Major" and sometimes "Medium" risk categories. The rest are usually stupid. "You have a share." "Yeah, it's called user directories or shared data drives." As long as you have answers and can show the risk is minimal, if existent, then you may have done all you can.
Without seeing some example vulnerabilities, it would really be hard to give anything but general answers to this problem. That said, there is an abundance of general answers here already and I'll add mine to the pile.
First: do your homework and get a background (securityfocus.com is a great place to start) on all items listed.
I know first-hand where we have a dependence on older versions of certain software packages because some custom apps we have running break when these older programs are upgraded. I am fairly certain that there may be some vulnerabilities in our old versions of the software that cannot be fixed without upgrades that would break a much larger system.
Draw a lot of analogies that would make it easy to understand. Stating things like "our front door is a vulnerability, but if we welded it shut, we couldn't make use of it."
Admit frankly and openly where you might have actually overlooked a problem that you should have been aware of. In my view, nothing says you can be trusted more than when you admit to mistakes and vow to correct them... and actually do. But denying everything too often brings a kind of distrust to you from bosses... they know you're human, but if you deny it and claim to be a god, they'll call you on it.
It might actually be helpful to praise the consultant's report as a useful and enlightening tool, allowing the boss to feel as if he did a good thing by calling these matters to your attention, and then create a plan by which you will be able to adopt the same measures the consultant took in creating this problem for you. By instituting an additional self-audit upon yourself, you will be able to save yourself from the likelihood of further "testing" from outside while providing him with future (quarterly? semi-annually?) reports of where you stand on issues past, present and future.
And of course, break down your own actions on an item-by-item basis.
Try not to say what "can't" or "shouldn't" be done -- that's likely a decision he will want to make. You can, instead, present the factors by which to make these decisions...in such a way that the decisions appear obvious.
When he said hire somebody, he obviously meant hire Michael Jackson.. maybe that wont damage your credibility but others might think differently.
serenity now!
I do a lot of consulting in the business continuity/security networking field and there is only one way to deal with a problem like this.
Every security policy comes straight from management; the IT staff configure the network based on the decisions that management has made. Your company is just revising their security policy and has tasked you with abiding by it. All you need to do is devise a budget for complying with their requirements.
Your company has decided they need more advanced security precautions taken, it really is not your position to question their decision. Just tell them exactly what solutions can be implemented to meet their requirements. If I were you I would be very excited, you have a perfect opportunity to prove your knowledge and value to your employers. You also have a plethora of Open Source solutions available to you - maybe I'm a zealot - but this kind of work is very rewarding.
If you can't provide this, then you are the wrong person for the job, or they need to outsource. It's that simple.
As for places to start, I would consider the pen-test mailing list at www.securityfocus.com, there are also several other lists that they host. The archives should give you some excellent references of where to start. You should also consider this to be the perfect time to request training and reference materials - books.
You shouldn't be surprised that your employer's requirements have changed; you work in technology, technology reviews should be undertaken regularly and findings should be acted upon. Don't fear the change, use it as a chance to make your job easier and increase your value to your employer.
I sure wish I could find more clients like your company!
John the Kiwi
Just because technology changes and your job has changed
Pretty much, yeah, that sums it up. Anyone can walk through the door, do a port scan, and list open ports, etc... Looks to me like they treat security as a commodity, not like the process that it is.
They only did half their job.
Steve's Computer Service, Hobbs, NM
I like to sauté them with a generous amount of garlic and hot sauce. I find without excess seasoning they taste a little unpleasant.
"mmmmmm,my boss wants me to do some work, mmmmm" sheesh.
You are 100% correct.
It's not doing the company nor the consultants any good to provide a report that isn't valuable. I've done I'd guess more than 50 vuln/pen assessments, and when I've spent the time to understand the environments and evaluate the security issues presented, the client always reacted wonderfully to the reports and commented on what a great value they were.
Before I was seasoned enough to do that, reports were largely ignored; vulnerabilities rarely fixed.
It's disappointing to see. I am solely a network engineer now (with a security emphasis). We just had an organization-wide audit and the report...what a complete waste of time, paper and electrons.
sedawkgrep
Is that a salami in my pants or am I just happy to be me?
The well known security scanner in question is probably Nessus.
.. and so forth
It reports _truly_ obscure things, as it should, but which security consluttants have a tendency to blow out of proportion.
One of the points of security consluttants is to use tools to MAP the network. Then they should determine what your network SHOULD do, and which services SHOULD be running - and doing _what_.
Then they should check this against the map of the network, and remove all items which are irrelevant, and interpret the facts.
THEN they should return the report.
Sorry. I don't consider it a hole that the webserver reports which Apache version it's running. Neither do I consider it a hole that BIND returns which version it is. Neither do I consider it a hole that the FTP server puts up a banner identifying it.
"Rune Kristian Viken" - http://www.nwo.no - arca
Don't look a gift horse in the mouth. This is just the excuse you need to purchase that new equipment you've been lusting over. Just remember to put, "patch security hole", on the purchase req.
Show me on the doll where his noodly appendage touched you.
I handle this situation by working for people who know what they're doing. And who don't know what I do (else why would they employ me), but know they don't know, and leave me alone.
Seriously, if your boss trusts some outsider consultant more than his own IT people, either you have the wrong boss, or he has the wrong IT people. Or both.
Don't you mean NSA Server :P
Coward? Coward! Thems fighten words!!
Why bother with all that when nessus already outputs a decent html? It even has _pie_ charts. Gotta love it. Just add your logo on top and collect your payment. That's how it works.
Apparently, having found nessus is sufficient competitive advantage to justify the existence of some companies. I wonder if they have donated to the project.
"If God created us in his own image we have more than reciprocated." - Voltaire
These consultants are trying to rip your company off. Grab the same piece of open source software and run off your own report, making a note of how long it took you. Show it to the boss, and explain that if he wanted such a report, you could have done it for free in only x amount of time. This will put you in a good position to say it's worthless, when you have demonstrated that it's not the result of any serious expenditure of time/effort. Once you've saved the company $x in consultancy fees by kicking the fraudsters out, bring up the small matter of the expenditure of $x/2 on additional hardware you got turned down for a few months back, or something involving a bonus.
The other attacking option, if you are only working there for the money, is to push hard for the doubling of staff and hardware budgets you desperately need to fix all the 'holes', and the regular security conferences in Hawaii that you really need to attend to keep up with things, now you have the proof that it's necessary. Now is your big chance to stab in the back anyone who's ever cut your budget.
A pizza of radius z and thickness a has a volume of pi z z a
They need to explain the risks to management in a manner that management can understand.
Most network vulnerabilities can't be described in monosyllabic words.
Also, here's something to consider.
Clueless Manager Type: "The consultant says we have insecure passwords! Fix it!"
IT: "OK, I'll fix it by the end of the week"
Time passes...
CMT: "Hey! It's making me change my password and it won't let me add a digit to my current one! Fix it!"
IT: "That's part of the solution to the password problem you asked me to fix"
CMT: "I didn't tell you to change how we choose passwords! I told you to fix the password security problem!"
In other words, I want you to lock the door, but I don't want to have to use a key to get in. Repeat the above scenario for any aspect of security you can think of. Managers don't get "Security or convenience, pick ONE."
The real question we should be asking here is why the consultant is even allowed to speak to the executives. All he or she will do is alarm them by using words they don't understand until "set $dummymode=='ON'" and then telling them they better fix it or Bad Things will happen. If the same presentation is made to IT, where the workers might understand more than every third word, real solutions could be found. But that will never happen, because IT can't so much as turn around without executive approval.
Memo to executives: Leave IT the fuck alone. Don't try to make yourself feel important by requiring useless reports and approval. You'll just make yourself look stupid and lose any respect IT might have had for you.
Never underestimate the power of stupid people in large groups.
Actually, even running PHP with register_globals off can be a molehill.
From someone who enjoys using PHP, isn't hating it.
I'm still trying to figure out what people mean by 'social skills' here.
Security isn't just a matter of collecting raw data. Anyone can collect raw data. Raw data is like raw sewage - it benefits nobody but can be used to make a big stink.
At the very least, to be usable there needs to be an assessment as to the actual threat level of each vulnerability. For example, you could have an insecure, unpatched Windows 95 box locked in a cupboard with no console or network access. A vulnerability assessment would turn up a bazillion holes, but absolutely none of them would be exploitable.
In crude terms, you can measure risks in terms of two scales. Let's use letters for the first and numbers for the second. The first measure is the ease of reaching that vulnerability, the second is the ease of using that vulnerability to access other systems or data.
Thus, any computer directly reachable from the outside world would be an "A" class risk. A machine placed outside of the firewall which does not have direct access to the inside (not an unusual arrangement for informational webservers) would be relatively low risk for data and might be given a 9. So, a vulnerability on your advertising website would be an A9 risk.
A firewall, on the other hand, has direct access to the inside. If the firewall has proxy servers sitting on it, it will likely have a high level of trust. So, a vulnerability on such a system might be given a rating of A2 or A3. (It doesn't have valuable information itself, but it can be used to reach a machine that does.)
A data warehouse, on the other hand, might well sit on a SAN that can only be reached through a firewall which runs to the servers on the corporate LAN, which itself is behind a firewall. Now, an attacker needs to go through between three and five layers of security (depending on how secure the network traffic is). On the other hand, access to the data warehouse would expose critical data. A vulnerability in this case might be given a class of E1.
Managers could look at these ratings - A5, E1, etc. They could then use those to get an idea of how urgent fixing the hole was. A rating of F9 (six layers deep, no information of significance) could safely be ignored at the start. A rating of A1 (reachable from the outside, mission-critical data exposed) would want to be fixed the week before last.
These are the kinds of things managers can understand. Nobody should expect them to have a detailed understanding of TCP/IP stacks, buffer overflows and sniffer technology. They may well have, but no sane consultant should require it of them. Unless said consultant knows that the product they are delivering is so bogus that a technically-competent manager would nail them to the wall for it.
It's a small world and it smells funny; I'd buy another if it wasn't for the money; Take back what I paid (SoM)
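The letter-plus-number rating sketched in the post above, written out as a small Python module. This is an added example, not the poster's own tool; the exact mapping of security layers to letters, the combined score and the urgency thresholds are this example's assumptions (marked ASSUMPTION in the code), and the sample findings are constructed.

```python
"""Two-axis risk rating as sketched in the post above: a letter for how reachable
a host is from the outside world, a number for how valuable what it exposes is.
Added example; the scoring rules marked ASSUMPTION are this example's own choices."""
from dataclasses import dataclass

# ASSUMPTION: A = directly reachable from outside, one letter per security layer
# in between, F = five or more layers deep (the post's "F9" example).
LETTERS = "ABCDEF"


@dataclass(frozen=True)
class Finding:
    host: str
    issue: str
    layers: int          # firewalls/proxies an outsider must cross to reach the host
    data_exposure: int   # 1 = mission-critical data reachable from here, 9 = nothing of note


def rate(layers: int, data_exposure: int) -> str:
    """Return the post's code, e.g. rate(0, 9) -> 'A9', rate(4, 1) -> 'E1'."""
    if layers < 0:
        raise ValueError("layers must be >= 0")
    if not 1 <= data_exposure <= 9:
        raise ValueError("data_exposure must be 1..9")
    return f"{LETTERS[min(layers, len(LETTERS) - 1)]}{data_exposure}"


def score(rating: str) -> int:
    """ASSUMPTION: depth + data value, lower = more urgent, so 'A1' -> 1 and 'F9' -> 14.
    This keeps an E1 (critical data behind several layers) ahead of an A9 (exposed
    host with nothing on it), which a letter-only sort would not."""
    depth = LETTERS.index(rating[0].upper())
    value = int(rating[1:])
    return depth + value


def urgency(rating: str) -> str:
    """ASSUMPTION: bucket thresholds on the combined score."""
    s = score(rating)
    if s <= 3:
        return "immediate"   # A1..A3, B1..B2, C1: reachable and valuable
    if s >= 11:
        return "defer"       # e.g. F9: deep inside, nothing of significance
    return "schedule"


def triage(findings):
    """Rate every finding and return them most urgent first."""
    rows = []
    for f in findings:
        r = rate(f.layers, f.data_exposure)
        rows.append((r, score(r), urgency(r), f.host, f.issue))
    rows.sort(key=lambda row: (row[1], LETTERS.index(row[0][0])))
    return rows


# Constructed sample mirroring the post's examples.
SAMPLE = [
    Finding("www-ads", "outdated web server build", 0, 9),
    Finding("fw-proxy", "weak admin credentials", 0, 2),
    Finding("dwh-01", "unpatched database listener", 4, 1),
    Finding("lab-printer", "SNMP default community", 6, 9),
]

if __name__ == "__main__":
    for rating, s, urg, host, issue in triage(SAMPLE):
        print(f"{rating:>3}  score={s:>2}  {urg:<9}  {host:<12} {issue}")
```

The combined score is the part worth arguing over with management: a pure letter sort would put the advertising web server (A9) ahead of the data warehouse (E1), which is the opposite of what the post wants.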
"How do you handle these 3rd-party security people who make mountains out of every molehill?"
That's not the first step. The first step is for your company to make you VP of risk management.
"What would ya say... you DO ... here at Initech? Hmmm?"
The Peanut Gallery, Ubergeek, Biblically Sober
NCAAbbs.com: Thousands of fans, Hundreds of teams, Just one place
Preparing a report in response seems an immense waste of time, but it could well be the only effective method of response - might even be a business obligation to meet some sort of new pain in the ass legislation.
Unless some event prompted the commissioning of the third-party evaluation, an alternative response might be:
With all due respect, Your Executiveness, I don't pretend to understand your business as well as you pretend to, or to criticize your leadership or decisions. Why don't you stick to your area of expertise, and let me stick to mine? I was entrusted with the security of this network, which meant I earned the trust of you or your underlings at one point. Since you and yours are surely only capable of infallibly correct hiring decisions, and since I've done nothing to betray that confidence, don't waste your precious time considering these trivial tactical issues, and go about your lofty strategic visionary business. Let the duly appointed base mortals deal with the annoyingly vulgar manifestations of reality. And with your faultlessly keen judgment you surely know to never trust contractors because they are parasitic false authorities who just want your pot of gold.
Modify for diplomacy.
OK, first off, why haven't you run these scans with these open source tools yourself? And presented the results to your boss? You should be running vulnerability scans like a writer runs a spell checker. Seriously, if you aren't actively looking for holes, the bad guys will.
Second, and most importantly, no one on slashdot has any idea if the vulnerabilities your company paid to discover are indeed "mountains out of every molehill". For all we know, you just think these are molehills, when in fact they are great big huge gaping high risk holes in your enterprise. Or, they might just be molehills. The point is, we don't know. And why is this? Because *YOUR ORGANIZATION* is the only party that can make that determination. Let me say that again, another way: a vulnerability is just that, nothing more. It's not a mountain, or a molehill, it's just a fact. It's up to your organization to take those facts, the vulnerabilities that company found for your company, and apply some risk management to it. You have to make that determination with measured, careful thought. If you come at this with the preconceived notion that these are just molehills, you are going to get 0wn3d.
For instance, say the report found that you are running telnet. That's a vulnerability. If you're running telnet over an out of band network, where integrity and confidentiality are not an issue for you, and you're not concerned with hijacking and other risks that telnet is exposed to - you write off that vulnerability as an acceptable risk. You apply some risk management, you can tell your boss it's not a big deal AND EXPLAIN WHY. By the same token, let's say the vulnerability scan found a remotely exploitable root/system level hole in all your internet facing web servers, which are tied to your database servers, which manage billions of dollars of other people's money - well, again, you have to assess the risk. Is this an acceptable risk to expose yourself to? If it is, then you have to explain it as such. This is business 101. You take a risk getting up every day just to go to work. If you want to take bigger risks, people usually demand some explanation; by the same token, if you want to dodge a risk, you need to explain yourself.
In short, the purpose of a vulnerability assessment is to find ALL the holes, not to make any determination about the risk those holes present. You need to have that information before you can do anything else. Now it's YOUR JOB to step up to the plate, and look at each of those holes and explain to your boss why they are acceptable risks to take or not.
If your management is too clueless to understand this process, you are screwed and there isn't anything you can do. The fact that you asked what you can do though means they are probably willing to listen.
The bottom line is that this is the way the process works. If your company didn't ask the security firm to do a risk assessment, then someone else has to do it. A vulnerability assessment cannot tell you if a risk is acceptable or not, it's just going to tell you about the vulnerabilities.
Python
Run the same or other security scanners on some other big name companies' servers. You can then show your bosses that your company is not any different from company x and y, and that tends to calm down execs.
Sam has one liberty, which he sacrifices for one security. Can you tell me what Sam has now?
I ran into this situation at the end of last year when we had to hire some people to do an external network audit as a requirement for a major credit card company. The company used Nessus and Nikto and it proceeded to throw out all sorts of false positives. Like an Apache 2.0.34 warning for Windows (we're running Linux and 2.0.52+), wrong PHP versions (detecting 4.3.10 as 4.3.2), etc. It wasn't fun. We ended up having to rebuke every false claim and send a notarized letter explaining these things and why they really aren't true/bad. I'm of the opinion that this should be the responsibility of the audit company to fix, not my company's responsibility to have to prove our innocence. We brought these false positives to the audit company and they wouldn't do anything about it. They just said not our problem and they wouldn't fix their software to not report the blatantly false positives. But I guess that's just part of business these days, with Sarbanes-Oxley and other such audits being required by law. It's very frustrating, but it's here to stay I guess.
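The kind of reconciliation the poster had to do by hand, as an added Python example (not the poster's or the audit company's code): each scanner finding is checked against what the package manager says is installed, and banner-based false positives are separated from findings that deserve a real look. The finding records, the "fixed in" versions and the inventory are constructed for illustration; the version parser treats any digits in a suffix such as "p1" as extra numeric components.

```python
"""Reconciling scanner findings against what is actually installed, to separate
banner-based false positives (wrong platform, version already past the fix) from
findings that need a real look. Added example; the finding and inventory records
are constructed, not taken from any real scanner output."""
import re
from dataclasses import dataclass


def parse_version(text: str) -> tuple:
    """'2.0.52-3' -> (2, 0, 52, 3); compares numerically, so 4.3.10 > 4.3.2."""
    parts = tuple(int(p) for p in re.findall(r"\d+", text))
    if not parts:
        raise ValueError(f"no version number in {text!r}")
    return parts


@dataclass(frozen=True)
class ScanFinding:
    host: str
    product: str
    platform: str          # platform the scanner's check applies to
    detected_version: str  # what the scanner believes is running (from a banner)
    fixed_in: str          # first version the scanner says is not affected (constructed)
    title: str


@dataclass(frozen=True)
class InventoryEntry:
    platform: str
    version: str           # version from the package manager, not from a banner


def classify(finding: ScanFinding, inventory: dict) -> str:
    """Verdict for one finding: a false positive with the reason, or 'needs review'."""
    actual = inventory.get((finding.host, finding.product))
    if actual is None:
        return "needs review: product not in inventory"
    if actual.platform.lower() != finding.platform.lower():
        return f"false positive: check is for {finding.platform}, host runs {actual.platform}"
    if parse_version(actual.version) >= parse_version(finding.fixed_in):
        return (f"false positive: scanner saw {finding.detected_version}, "
                f"installed {actual.version} (fixed in {finding.fixed_in})")
    return "needs review: installed version is below the fixed version"


def rebuttal(findings, inventory):
    """One row per finding, the raw material for the 'why this is not true' letter."""
    return [{"host": f.host, "product": f.product, "title": f.title,
             "verdict": classify(f, inventory)} for f in findings]


# Constructed sample in the spirit of the post: a Windows-only Apache check fired
# against a Linux host, and PHP mis-read from its banner.
FINDINGS = [
    ScanFinding("web1", "apache", "windows", "2.0.34", "2.0.35", "Apache 2.0.x for Windows issue"),
    ScanFinding("web1", "php", "linux", "4.3.2", "4.3.3", "PHP 4.3.x pre-4.3.3 issue"),
    ScanFinding("web2", "openssh", "linux", "3.5p1", "3.7", "OpenSSH pre-3.7 issue"),
]
INVENTORY = {
    ("web1", "apache"): InventoryEntry("linux", "2.0.52"),
    ("web1", "php"): InventoryEntry("linux", "4.3.10"),
    ("web2", "openssh"): InventoryEntry("linux", "3.5p1"),
}

if __name__ == "__main__":
    for row in rebuttal(FINDINGS, INVENTORY):
        print(f"{row['host']:<5} {row['product']:<8} {row['verdict']}")
```

The inventory side deliberately comes from the package manager rather than from a service banner, because the banner is exactly what the scanner misread; a reconciliation built on the same banner would agree with the scanner's mistake.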
What you have been given is a list of your vulnerabilities.
Now it's your turn to do Threat Risk Analysis, or convince your company to fund it.
Once the TRA has been done, take it to management for their signoff. If they are not happy to sign off on the risks associated with your current IT stance, use the TRA to prioritize the mitigation of these risks.
Yes, audits are a pain in the arse; however, any competent IT tech should be able to fashion the report into a tool for improving the IT infrastructure.
It is open source, but nobody seems to do QA on a lot of the modules. I remember looking at the registry keys which were being checked for a Windows Messenger vulnerability and the developer had got it right for Windows 2000 and XP but had basically guessed wrong for NT. It still isn't fixed to this day.
On top of the false positives it's also the scanner most likely to DoS random systems during the scan.
I'm not sure open source really applies any more either, there's some question as to Tenable networks claiming copyright over modules that have been submitted.
I've seen this bullshit. Execs get baffled by some salesman's bullshit and they bring in a "consultant" who does no more than run nmap on your firewall and say "OMG LOOK!!! 25 and 80 are vulnerable to attack, i can see them!!! pay $$$$$$ for doing this!!!!"
If you mod me down, I will become more powerful than you can imagine....
I work for a very reputable company that provides network and application vulnerability assessments along with some other security related offerings. In the last few years I've seen a lot of companies pop up doing just what you describe. They charge a few thousand dollars, run a few automated tools, and provide an extremely large report that's basically just a big useless nessus dump with prettier formatting.
This sucks for my company because we charge quite a bit more, but also offer an extremely valuable service for that price. We perform detailed manual analysis in addition to automated scans and verify if there is a real threat associated with a finding. For each finding we provide detailed remediation guidance, which means we have to work closely with people like you who develop and maintain the systems. That's the only way an assessment can really be of any use.
So my guess is that your boss went with the bargain basement security consultants and that's why you're dealing with a steaming pile of crap. Your only recourse in this situation is to provide enough information to show your boss how shoddy this job really was. In the future perhaps you can provide input that might help in choosing a better security assessment firm, or determining if an assessment is really necessary.
I went through a similar thing years ago at my former place of work.
We had a habit of taking services off the computers. Then the Security Auditors came through, and could not find much in the port scan. Except for ICMP, which was claimed to be a "big" security issue because someone could knock out the server with an Ping Flood.
The problem is that disabling the entire ICMP protocol is not a very good idea. I took a "block all but allow specific" approach to this (as most sites would), but still allowed ICMP Echo and Echo Reply. It still showed on the next report, and I was grilled. Explaining to them that blocking ICMP altogether was pointless, because a Ping Flood will still overload the link regardless, and the security of the upstream router was not the concern of the report...
Anyway, because the port scan was not producing a thick enough "phone book" to begin with, they scanned the security permissions of the entire file system as well. Then they went to task about how the computer in its default installation was so open to abuse by "guest" accounts. For example the "tmp" directory.
It was necessary to tighten up the security of the file system as well. They did not beat us up as much on the 2nd, or subsequent passes, in that area, so they then turned their attention to procedures.
In the end it was more worthwhile to simply leave something as simple as ICMP echo and echo reply in the system, so that the quarterly 3rd party audits did not start delving into the social and financial history of the computer operators.
Don't use 3rd party auditing agencies. Buy a better scanner than Nessus for use in-house. There are plenty out there. With a higher-end commercial vulnerability scanner, you are not just buying the scanning engine, but the research that goes into the vulnerability descriptions and solutions. There is a big difference in the amount of time you waste dealing with false positives and "solutions" that just parrot the vendor's original advisory without telling you what you need to know (e.g. is this patch going to break compatibility, etc.).
All products can do more or less the same kind of scans, but once you have seen the better products you will realize that using Nessus is often a false economy. Not to say Nessus is useless, but the money you save will often be wasted chasing down all of the bogus information. Plus, telling people to fix vulns which are false positives will undermine your credibility in the organization. Which means in the future, people will be less willing to take your word on security when it really matters.
Plus, most auditors these days (I'm talking about the big names as well as the little guys) tend to buy and use 2 or 3 different tools and just copy and paste the reports together in Microsoft Word. There's seldom any real additional analysis being performed by the auditors. Certainly no analysis with any technical depth to it.
Next, tell him that you need to migrate all the Windows users to MacOS because it's a more secure platform.
It seems a wonderful empire you could build - and have a wonderfully large impact at the company.
And anyway, what resume item looks better for you.
- Did a security audit; but realized that all the problems were minor.
Or.
The third party is being paid to spot holes. If they are worth the money they will do more than just a Nessus scan, i.e. they will look at how the vulnerability might be exploited, and what kind of impact an exploit could have.
Whatever they do, they will not have much info on the real impact on your company of any security breach, nor will they have any clue as to your company priorities. This can only come from inside your company. Some would call this "putting a spin" on the report, but in reality all you are doing is adding the extra columns to the report:
Likelihood of an exploit of this vulnerability
Impact of a successful exploit
Cost to fix
If you can't put numbers to these things then just say Low/Medium/High.
Undoubtedly there will be some things that really do need fixing, but for the low priority items maybe you can batch them together into a work packet and get budget or resource to tackle them properly. Better you guys do this and make sure there are no deleterious effects on live systems than some contractor is pulled in to do it blindly.
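The three extra columns the post above proposes, turned into a small risk register in Python, with the low-priority leftovers batched into work packets of bounded size. This is an added example, not the poster's own spreadsheet: the Low/Medium/High scale is kept, the way the columns are combined into a priority (likelihood x impact), the thresholds for "fix now" / "schedule" / "batch" and the packet budget are this example's assumptions (marked in the code), and the sample findings are constructed.

```python
"""The three extra columns from the post above (likelihood, impact, cost to fix)
on a Low/Medium/High scale, a priority derived from them, and the low-priority
leftovers batched into work packets. Added example; the scoring and the sample
findings are constructed for illustration."""
from dataclasses import dataclass

LEVEL = {"Low": 1, "Medium": 2, "High": 3}   # ordinal stand-in when real numbers are unavailable


@dataclass(frozen=True)
class RegisterItem:
    finding: str
    likelihood: str   # Low / Medium / High
    impact: str       # Low / Medium / High
    cost: str         # Low / Medium / High

    def risk(self) -> int:
        """ASSUMPTION: likelihood x impact, so 1 (Low/Low) .. 9 (High/High)."""
        return LEVEL[self.likelihood] * LEVEL[self.impact]


def action_for(risk: int) -> str:
    """ASSUMPTION: thresholds for the three kinds of handling the post describes."""
    if risk >= 6:
        return "fix now"
    if risk >= 3:
        return "schedule"
    return "batch"     # low priority: bundle into a work packet


def register(items):
    """Rows with the extra columns filled in, highest risk first, cheaper fixes first on ties."""
    rows = [{"finding": it.finding, "likelihood": it.likelihood, "impact": it.impact,
             "cost": it.cost, "risk": it.risk(), "action": action_for(it.risk())}
            for it in items]
    rows.sort(key=lambda r: (-r["risk"], LEVEL[r["cost"]]))
    return rows


def work_packets(items, budget=4):
    """Group 'batch' items into packets whose summed cost points stay within budget
    (first-fit decreasing), so each packet is a plannable chunk of in-house work."""
    low = sorted((it for it in items if action_for(it.risk()) == "batch"),
                 key=lambda it: LEVEL[it.cost], reverse=True)
    packets = []
    for it in low:
        for packet in packets:
            if sum(LEVEL[x.cost] for x in packet) + LEVEL[it.cost] <= budget:
                packet.append(it)
                break
        else:
            packets.append([it])
    return packets


# Constructed sample register.
SAMPLE = [
    RegisterItem("telnet on out-of-band management network", "Low", "Low", "Low"),
    RegisterItem("remote root hole on internet-facing web servers", "High", "High", "Medium"),
    RegisterItem("ICMP timestamp responses", "Low", "Low", "Low"),
    RegisterItem("stale test account on intranet wiki", "Medium", "Low", "Low"),
    RegisterItem("unpatched kernel on file server", "Medium", "High", "High"),
    RegisterItem("verbose server banner", "Low", "Medium", "Low"),
    RegisterItem("weak ciphers on internal mail relay", "Low", "Medium", "Medium"),
    RegisterItem("default SNMP community on printers", "Medium", "Medium", "Low"),
]

if __name__ == "__main__":
    for row in register(SAMPLE):
        print(f"{row['risk']}  {row['action']:<8}  cost={row['cost']:<6}  {row['finding']}")
    for n, packet in enumerate(work_packets(SAMPLE), 1):
        print(f"work packet {n}: " + "; ".join(it.finding for it in packet))
```

Cost only enters the sort as a tie-breaker on purpose: an expensive fix for a high-risk item still lands at the top of the register, where the budget conversation belongs, instead of being quietly pushed down by its price.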
Then they would have to justify their methodology, to show how they are worthwhile. They would most definitely remain in business.
XML is like violence. If it doesn't solve the problem, use more.
... 'nuff said.
Do not mock my vision of impractical footwear
...and block the offending IP.
I've seen a few people offering security auditing and pay a stupid amount just to perform a Nessus or other out of the box scan. Even worse than false positives are exploits actually getting missed... Sort of leaves a lot of companies with a false sense of security... Handy though if contracted with a pentest after ;)
"I disapprove of what you say, but I will defend to the death your right to say it." - Voltaire
I'd like to get paid consulting fees to just run nessus a few times...hell, where can I sign up?
But then, I could also run it myself, and simply understand the FACT, that a "secure network" is a pipe dream....
sometimes, i wonder if i'm the only conservative on teh intarweb. ah well, back to mah hogs and warmongerin'....
Memo to the IT department: get off of your high horse! The only reason you are there is so that the rest of the company can do their job properly. Don't try to make yourself feel important by assuming that knowledge of IT is somehow *better* than knowledge of accounting, personnel or pretty much any other supportive department in a company. Yes, there are a lot of incompetent managers walking around, but this whole notion that IT specialists somehow approach deity status because they have mastered the black arts of adminning a number of boxes is ridiculous.
People replying to my sig annoy me. That's why I change it all the time.
"Of course, this should read "haven't had a single incident that we know about"."
Wow. Insulting the intelligence of someone you don't even know under the veil of anonymity. You must be proud of yourself.
"Not really. With Windows, you both have to know what you are doing, and have a budget for third-party tools to help (and with the tools, you don't really even need to know what you're doing). With Linux you just have to know what you're doing."
If you think that third party tools that cost money are required to protect Windows servers, then it's you who don't know what you're doing. Can you even give an example of a third party tool that is required to make a Windows server secure?
I don't always use unix-like operating systems; but when I do, I prefer FreeBSD.
Saying there is no such thing as a hole so obscure as to be meaningless is a bit disingenuous. Some holes are literally meaningless (more correctly stated, the risk of their exploitation is very low, the severity of any exploit is insignificant, and the methods of exploitation are involved).
Proper security analysis means analyzing the degree of likelihood of an exploit, the difficulty of the exploit, the cost incurred in setting up the exploit, the technical savvy required to conduct the exploit, the availability of tools to conduct the exploit automatically, and then assessing the impact of the exploit, the vulnerability of data or the system itself as a consequence of the exploit, and then moving on to examining the cost of dealing with the possible hole (ideally several options). This cost has to cover both hardware & software costs as well as personnel related costs associated with it and any business implications (service outages, etc). Also, of course, another part of the analysis is whether or not there is a business reason (and if so, if it is valid) for the loophole to exist.
In the end result, you have to weigh each exploit and say "Knowing the cost to fix it in terms of cash, time, service issues, and potentially reduced services, and knowing the likelihood of an exploit and the impact it would have, is it worth fixing?" All exploit potentials ARE NOT worth fixing. Not to a business, nor even necessarily to your government.
It depends a lot on what the exploit is. I worked with some top notch security people reviewing several Canadian wireless providers for a Canadian federal policing body. Were there potential exploits in the wireless systems? Sure there were.
The wireless guys built their networks with *network integrity* as their main constraint. Security they applied was related to keeping the network up and going, not protecting user data integrity. So there were holes they had to address before the policing agency would feel comfortable running data over them, even with encryption on the data.
There are more risks than just data loss in these situations - even bogus network access or denial of service can be a critical issue.
In the end, the policing agency and the providers sat down, went over the reports with the consultants, had the consultants elaborate some of the threats and help the provider's network engineers understand them, and then some negotiation was done about which exploitable points would be fixed, what the fixes would be, etc. Not all exploits were dealt with - some were deemed to be too hard, of too little impact, or of too great an expense to fix, even for this type of system. But the major ones of concern were, sometimes by things as banal as a reorg of how network service folks accessed their network. In the end, a reasonably secure result was obtained and things went ahead.
But this is how *real* security consultants work. They know their biz, they learn your biz, they see where your biz can be broken, and they help you understand how to fix things. They don't just provide you with a list of problems and flee. Of course, they send you a *real* bill too... !
-- Mal: "Well they tell you: never hit a man with a closed fist. But it is, on occasion, hilarious."
disconnect your boss from the network and tell him the holes are fixed. when he complains, plug him back in, but advise him that the network is insecure.
High horse?
IT takes abuse that accounting, HR, marketing, etc would NEVER accept. Just this morning I had some douchebag POUND on the door to the storage room I work in, get in my face and DEMAND that I fix a problem with a laptop I'd worked on last week. The fact that the problem wasn't one I could do anything about didn't make the slightest bit of difference; when I gave him the name of the person he would need to talk to, he looked at me like I'd shot his dog. I asked him if there was something else I could help him with, and he proceeded to shut the door in my face while ranting about how I hadn't done anything to help him. He then went and complained about me to my boss's boss's boss's boss (I wish I were exaggerating.) If I'd been in marketing, he'd have been escorted out of the building by security. But since I work in IT, there will be no consequences for an action that meets the legal definition of assault.
If you went to accounting and said "Pay all our payables but don't spend any money" they'd laugh until they figured out you were serious, and then they'd quit. If you went to HR and said "Hire us some world class employees, but don't interview anyone" they'd do the same. If you went to marketing and said "Get our name out there but don't use any advertising", same result.
Yet people regularly go to IT and say "Fix this problem, but don't do anything that would affect anyone in any way". IT is no more or less important than other departments, but it gets far far less respect in most companies, because the average employee's knowledge of IT matters is far lower than the average employee's knowledge of, say, accounting. The perception is, "I don't understand it, so it can't be important" and thus we get the problems we're discussing.
I'd get off my high horse if I could get said horse and myself out of the trench that the executives have dug for us. Equal treatment would be welcome; we might even be able to fix some of the things you've broken.
Never underestimate the power of stupid people in large groups.
If it is being detected by a "well known open source" security mapping package, then I would fix any "obscure" hole it finds. If the tool is well known, and detects the hole, then you can bet your ass that all the black hats with that scanner are going to find your obscure hole.
-William
God is everything science has yet to explain.
Well said old chap!
It's essential that you include a breakdown of a cost/benefit analysis, as well as resource requirements and budget issues. If you are seasoned at this, it shouldn't be too hard.
Another little 'trick' is to include a projected 'ROI', because your VP will be susceptible to this as a 'catch' word at his level; you can come up with lots of nasty math that shows the ROI on some of the consultant's issues is actually zero or negative. The key is using language that nails the VP or MIS or whoever between the eyes at his/her level.
I think every IT person should be a consultant for a period of time, it would give them an appreciation of these and other finer points.
I can tell you that it's not the job of an auditor or "security tester" to regurgitate Nessus reports. In fact, it's downright unethical if that's what really happened here. We're being paid for our expertise and our advice, not on how well we click the "Scan" button.
Check out my eclectic infosec blog at InfoSecPotpou
Do what the bastard operator from hell would do - unplug the switch that the security eggspert is plugged into and go to lunch.
If he tries to break into the wiring closet, have him severely beaten by PHYSICAL security guards and thrown out for trying to compromise and possibly expose your WIRED network to external attacks via 802.11b. (have a wireless router or an access point planted in his enormous laptop bag for that no-further-questions-needed factor...helps if the brand matches his wireless pcmcia card)
Seriously, they should not be plugging their own equipment into your network. If they lose that laptop, all your internal secrets will be exposed and may end up posted on the web.
Work with the consultant every step of the way - give them a pc, install their scanning software, etc. Don't let them use pirated or downloaded-from-the-web scanning tools - they may contain a keystroke logger or some other nasty trojan.
How do you handle these 3rd-party security people who make mountains out of every molehill?
I am currently dealing with this. I work in a very small IT shop (by small I mean me) in a not so small company (100+ million $ in revenue). We also have MIS, but they are just users in the network context. We recently were blessed with a new COO who very much wants to control all departments... can you say burnout in progress. Anyway, he wanted to get a third party audit. We (MIS, who has control of me) turned it into a major project and accepted proposals from many companies (this burned a lot of hours). Then when a vendor was selected I took the audit report and thoroughly documented each hole and its risk to us, the amount of work and risk caused by fixing it, as well as the cost. Then, when that was done, I prepared a cost benefit analysis of the various actions. My goal was to teach them a lesson. Instead, I learned one. Because my documentation was able to show them the complexity of the network I work with and the technology which we take for granted, they agreed to hire me a technician. Also, they allowed me to decide what in the security was worthwhile to address and source out a chunk of it as a project. The lesson is, use this to your advantage. How many times do you feel excluded from decisions because it is "a business matter"? I do frequently. This showed them that I understood my job from the point of view of adding value to the organization, and that is very important in business. In short, as my subject read, mountains are nothing; make it into a mountain range. Once they see it and they see you willing to conquer it for them, you all win.
"How do you handle these 3rd-party security people who make mountains out of every molehill?"
Easy. Cattle-prod.
Sendmail is like emacs: A nice operating system, but missing an editor and a MTA.
Here's the real thing!
http://bofh.ntk.net/Bastard_1995.html
I worked at a company a couple years ago that had some "security experts" come in and run scans. They ended up totally screwing up a bunch of in house applications. Being the lead System Administrator I got in a meeting with these guys and started grilling them on security (they were using a tool that used nmap and hey, I know nmap ;). So I started drilling them and it turned out they knew nothing. So I kept hitting em and hitting em (verbally) till management had to pull me off em. I think the company I was working for at the time ended up suing them ;)
The poster obviously is not in the position to `get a new consultant'. His problem is how he can hit his management with the clue stick.
Let me tell you a story that happened just a few weeks ago: I'm the CEO of a consulting company that does quite some security work. We were brought into the following situation: A customer of an outsourcer got an `independent' security audit by HP. The HP folks took the (actually very good) CIS benchmarks and demanded that each and every item of that benchmark be followed to the letter. As part of that, they demanded that the NFS and Samba servers be turned off.
There's just one small problem -- the actual service the outsourcer was providing to the customer is -- tada! -- file service over NFS and CIFS! The outsourcer pointed this out to their customer's management. That management is a bunch of morons and just told them back: But this is a security audit by HP, they know their thing! So they had to bring us in, to give their opinion `management cloud' by creating pretty PPTs.
Even though we earned quite some money on that job, I would have preferred to work on really improving the security, in particular the processes, instead of fencing with unprofessional HP security `consultants' and idiotic management PHBs.
Joachim
People don't write Manifestos any more -- what's going on in this world? [Frank Zappa]
How about this....
During a large project where I work, we discovered that the product the college bought, at that time, was still using unsecured telnet (in the year 2001 and I ain't kidding!). We had not gone live yet and mentioned that as well as very poor performance on the hardware recommended by the company. Of course now they have released some patches that mitigate this, but they tell me I have to redeploy about 1,000-1,500 clients in order to implement the fix.....this in the MIDDLE of rollout. We mentioned many times that we did NOT like this and said it was unsecured many many times. It's not a product that would have been chosen if the decision was left up to us (it wasn't....it was left up to a committee...). So now we have an audit coming. We KNOW this is going to show up unless we rush implementation of security out, so I start investigating what is needed. I come to find out that the client roll out is not needed even though support had told me 2-3 times that I had to do the client upgrade. In the meantime, I am highly pissed about the whole deal. Even WITH the "security fix", the product STILL requires the use of ftp for a portion of it plus it also requires a DB config that, by its nature, is unsecured. ALSO, during activities like data refreshes, the encryption must be DISABLED! I would LOVE to get rid of this product but my superiors would never allow it plus it would cost MILLIONS to do anything with any other product. I say millions even though the software would not cost anywhere near that.....millions because of the man hours that would have to be put in to install the new product as well as convert data from the old to new and maybe even hardware upgrades or additional equipment may be needed...this is why I would say millions. We NOTIFIED our superiors that the product was an unsecured piece of crap that could not be secured easily but no one listened.
Our users ASKED us to create generic signons for actual users because it would be too time consuming to fill out complete paperwork on temporary users. The product also has many other requirements that require some very bad unsecured setups. When we have blown the whistle loudly and not even the President refused payment of these idiots, how can I be held accountable? It's been reported I don't know how many times but no one listens. Where do you go when your leadership won't listen??? Granted, we will now have the connections secured before the audit, but when will people listen to the people that they pay to do this kind of thing? My only hope is they don't have the money for a GOOD company and they get a mediocre one. My only other hope is that they FINALLY see how much of a piece of crap the software they purchased really is.
Gorkman
This poster's simply playing the victim.
So why was the audit asked for in the first place and why did you not have at least a modicum of management control over the process? You should have gone in, hand in hand with management and looked at the result in unison, not being subjected to it - in the spirit of learning, not generating fault. Clearly, this audit was set up to generate fault, whether through management caprice or someone reading that it was a trendy thing to do.
My opinion is that you screwed up by permitting yourself to prostrate yourself to this white-hat audit without being part of the process and making yourself a beneficial part of the results; not a victim.
Not in the notion of the "not my fault" notion of management, but in terms of engaging the organization in demanding beneficial analysis and results, and working with them to improve your processes.
Being dive-bombed by a 3rd party means your management has a poor view of your organization or at least, you are communicating poorly with them.
Stop being a victim. Get your ass in gear.
A shovel, a bag of lime and some carpet.
Rather than bitching about it, look at fixing the problems via one of the best tools on the market:
Retina Security Scanner: www.eeye.com
There is a demo available that can apply patches and registry fixes remotely. If you're serious about it, purchasing a copy of Retina is very easy and ROI is tremendous -- especially via their free updates.
Frankly, while the consultants we have coming in are expensive, they are very knowledgeable people who keep things simple and uncomplicated.
I find that they are the ones keeping our more enthusiastic employees in check with a little "shut the hell up".
If the "hole" is something like "imap can be insecure unless properly configured, in which case it can be quite secure", then show how your implementation is secure, and any example exploits fail on your systems.... Otherwise, fix 'em!
The choice between smoothly-running vs secure is for management to make... to an extent. I'd expect mgmt to choose easy, and techies to choose secure. In this case, it sounds like it's the other way around.
Personally, I'd rather take grief from users about "But I used to be able to do 'X' without any hassle" than deal with security holes... especially when you can answer "It's a management decision - out of my hands. Your boss wants it that way".
Sounds like a dream job
Your basic risk analysis takes a look at all of the vulnerabilities on the system. For each one, you list the following:
- the likelihood of that vulnerability being realized
- the impact if that vulnerability were realized
- any mitigation that has been done to reduce the chance of it being fully realized and exploited.
Of course, management likes numbers, so you rank each item from 1 to 10 (or 1 to 100, or whatever), using whatever scale you want (so long as you're consistent in your rankings for all of the items). Then, you use the secret formula: For the top 10 items (or however many you feel like), you come up with some rough estimates on how much it would cost to fix or reduce the impact, or otherwise mitigate each of the problems. Note: Some people will say that the 'impact' should be a dollar amount to signify the damages done to the company... but it's impossible. How much is a human life worth? Is it worth more than the company losing millions of dollars in sales? How does it compare to the loss of reputation if your clients found out about whatever it was?
Example: There is a real vulnerability that you may have an electrical fire. The threat of it happening however, tends to be very low, if the building inspectors did their job. The impact, if this happened on a weekend, could result in the loss of the entire building. Countermeasures include fire extinguishers, sprinklers, temperature alarms, off site backups, redundant servers, etc. You can never get rid of the vulnerability, because there is always a chance of that fire happening.
Example 2: There is a possibility of all of the system administrators quitting, leaving you with no operations staff. This can be mitigated by treating them with respect, not forcing them to wear ties to work, and paying them better.
Use this to your advantage. Don't fight the report, done by someone who knows enough to schmooze the boss, and get paid many thousands of dollars to click a 'run' button. Use it to get rid of those nagging little things that have been bothering you, that you've never been given a chance to sit down and fix.
I'm one of those people who does 3rd party security audits. Having been in the position of the 1st party before I always make sure the report doesn't include all the junk that the poster is complaining about. I provide any gaping holes that should be addressed on the first 2 pages, then put all the wishy-washy junk at the end with a notice that it's not important. Any good security auditor would do the same.
Just be sure who ends up looking like the ass....
I work in a tightly regulated non-profit industry and management is required to host periodic 3rd-party assessments of IT. So no matter what executive management thinks of me - - and they've always treated me well - - I have to be subjected to this, at varying levels of intensity, at least annually. This year, it will happen three times. I'm not sure why. Possibly because we have a rather aggressive new crop of execs.
Having been through this numerous times I have to say it sounds like you got yourself into this mess. By not explaining what "deliverables" you wanted from the consultant you set yourself up.
If you said "give me a report card" and that's what you got then you have a serious problem.
Tell the consultant what you want the report to look like. Tell him that all results should be placed in context to a) risk; b) ease of attack and c) likelihood of attack. Tell them that you want a concrete list of what to do and when to do it. If he can't do that then his firm needs someone else to write the final report.
You should also have been sitting sidecar during the whole VA so you could help them understand the risks and your environment. Most of the time it makes their VA more accurate because you can point out where you know you are weak and they give you credit for at least being aware of your shortcomings. You've got to tell them what they don't know. If you don't help them contextualize their results then they have to cover their a** and spit out the raw data.
Finally, you should meet with the consultants to view the draft of the report so you get a heads up and they get to polish the deliverable.
What do you really want out of the VA? The VA is a tool to help you determine where to focus your limited resources. It is not a report card.
Your risk management VP sounds like a complete moron. If you don't understand at least the basics of something, you shouldn't be managing it.
;-)
Anyone with common sense (and after some explaining from their sysadmin if you're a clueless n00b) can see through scare mongering. Seeing as your VP can't, he obviously doesn't have common sense.
Just explain it to him in a calm, reasonable manner. If he still bitches, tell him what you need to fix every little "vulnerability" and what the effects will be for the company. That way he has to OK anything and it's not your problem anymore. Shit can also go upstream if you learn how
Honestly the best thing you can probably do in a situation like this is to make sure the suits know the score going in. Explain to them that a security audit is just like a financial audit: the auditors aren't leaving until they find something wrong. They have to have something for their report.
Before the results are sent up, schedule to meet with the audit team and go over all findings to classify them, (things like: false positive, mitigated by architecture, low risk, medium risk, etc). Fight tooth and nail to get those stupid findings removed from the short list that goes to the boss.
I do security
I have been called to account for results of various scanning tools. First of all, I suggest taking a deep breath to calm down.
When I have worked with this type of "vulnerability report", I've considered it understood to add 'possible' to the title.
For instance, one of the scanners would report a piece of middleware which was used in the organization as w3-msql (the moral equivalent of php+mysql in the late 90's). It should be fairly easy to go down the results for an individual server, item-by-item and pick out which ones aren't sane.
Share those results with the security consultant. Ideally, you will be working with them, and your response will be included in any report (possibly by simply removing obvious false positives). After all, you're the expert on your own network. They're just poking around to see if anything looks amiss.
Their reaction to the false positive report may also help you gauge how to deal with them. For instance, if they insist that a false-positive is actually a problem, you will need to get solid facts together to demonstrate them as being wrong. When you lay out the facts, turn the emotions down as much as possible. If you look defensive and emotional, management will think you might be the problem.
The second pass is vulnerabilities that you wanted to fix, but were prevented from fixing, whether it be by a vendor, app support team, or management. Ideally, you will give the other party a heads up to let them know their item has been identified in a security assessment to give them a chance to respond, too. It's entirely possible that the same guy who hired the security consultants who found the 'hole' pressured another team to put it there to begin with.
Third pass is low-hanging fruit. The stuff you can write a script to fix across the board on your servers. For instance, unneeded services listening? Take a few minutes to write an update script with perl or sed to turn them off.
Then, you put together a work estimate on how much time and effort will be required to fix the rest. Need low-priority local OS patches? Report the time it will take to do the work, then put together some good interview questions for the guy who will be working alongside you on the project!
Once management has identified security as a priority, it's in your interest to put together a process (signed off on by management). That way, when this kind of thing comes in the future, they will have been involved in the decisions.
This also applies when they have a hot project that takes precedence over security fixes. If your new process states that low-priority local vulnerabilities should be fixed in 30 days, for instance, and a project will push it to 45, you simply ask them to decide between the competing projects. Once you get the sign-off, you're set.
If you handle this correctly, it can be to your advantage, since management will have a bit more of a view into what sort of demands you face on your job. And, if they feel that you've handled the problem effectively, addressing their concerns rather than brushing them under the rug, that earns bonus points.
...Is what a lot of security auditor guys are basically saying. In all honesty, it helps to be up to date on the subject of security itself so you can counter any exaggerations. It REALLY helps if you find vulnerabilities in the machines they use to do the scan. Most do. You'll look smart, they'll look like cheats. (assuming you run snort and know your toolz)
Any schmuck (well, let me rephrase that, any schmuck who can run a Linux box or who can buy NeWT from Tenable) can run a Nessus scan - and, as you've seen, get a lot of meaningless output as well.
Nessus is definitely nowhere near perfect - for one thing, a lot of the plugins tend to yell about things that may matter if you're doing an external scan, but are perfectly normal on an internal scan. (Like, for example, port 135 being accessible on a Windows box).
The value a consultant should provide is going through that output, checking for false positives, doing hand inspection of some results, then calling out the ones that really matter. I'm in the documentation phase of an assessment for a major law firm right now, and, although I'll provide them scan output with the final document, I won't talk from it or even print it out - the important stuff will be in MY document, spelled out in understandable terms, and ordered according to level of risk versus remediation effort.
Tell your boss that any security consultant that hasn't done that hasn't done anything worth a damn.
This, actually, was a Dilbert cartoon... Dogbert was saying: "I like to con, and I like to insult. I'll be a CONSULTANT!"
If they just handed you a report from Nessus and a bill
. . . then they are quite similar to most of the fly-by-night security companies in existence today.
They really are a plague. Typically a small number of university students, or recent graduates, trying their hand at "start-up dotcom". There are two or three guys who know linux, a little about cisco routers, maybe had a course where they learned about Nessus. There will be fast talking marketing and sales slime involved as well. They are all very young and inexperienced, none of them will have spent any time in a large company with a complex IT infrastructure. Their M.O. will be to approach a company with the output of a Nessus scan of the firewall and web servers, showing a whole bunch of false problems, and try to get a security audit contract out of it.
if you're looking for someone to do a security assessment or pen testing
These external audit companies don't sit around waiting for an IT group to give them a call, because they'd never get one. They will not approach the head of IT, but a sales or a CEO level person with nary a clue. They leverage their way in from the initial external scan of the firewall and web servers. They get permission to run an internal scan, then hand over an unedited Nessus report, hundreds of pages long with their invoice.
The term over here is Cowboys. They ride into town unannounced, pretend to save the day, and ride into the sunset after claiming their reward, never to be seen again. Their victims, of course, are the struggling IT departments like the OP, who have done what they can with their limited budget, and suddenly have to answer to a mostly worthless Nessus report.
As a security professional it's frustrating to see companies choose my competitors because they are cheaper without realizing how worthless they are. Guess what, if you skimp on a pentest, all you are gonna get is a nessus scan with a cover page. If you actually get a company that knows what they are doing, then you are paying not only for the scans and the activities, but for the knowledge and effort to weed out the false positives and to *verify* the results.
Guess what folks, a nessus scan is *not* a penetration test. It's a vulnerability scan. A penetration test is executed by consultants, not automated by generic tools. Sure, they will use those tools, but they will also use their own understanding of information systems, they will also gain an understanding of the overall picture and they will also be useful experiences and reports! If you really paid top dollar for what you described, you got screwed, shop for a different pentesting vendor.
e.g. 2 days >> 8 weeks
Specialists like Jay Beale, Ed Skoudis and Mike Poor. My firm meets with them for a security audit once a year every January. It takes them a few days to audit our systems and they report to us with a draft and final report. We usually have everything buttoned down by the time the final report arrives.
There are two main sources of value that come out of a pentest; the experience of the test, and the report.
The experience should help you answer the following questions:
Were my controls effective at detecting and/or thwarting the attacks?
How well did my staff respond to the test?
At what point will I notice malicious activity?
Are my current logging and review procedures effective at recording all necessary information and identifying the attacks?
Is my staff capable of responding to intrusion attempts?
Is my incident response plan effective?
Where should I invest more in training?
Are my IDS and Firewall operating as designed?
Do I fully understand my network and internet presence?
Where should I focus my future IT audit efforts, was anything identified as a result of the testing that needs to be included in future audit coverage?
And the report should help you answer the following:
What testing was performed?
What were the results of those tests?
What do those results mean?
How do those results impact your business?
What do the problems that have been pointed out mean?
What is the potential impact of items that have been identified?
Has any of the conjectured impact been verified?
What level of compromise of data or control of resources was obtained?
What is the amount of effort, knowledge, and access needed to perpetrate the things your test say are possible?
What do you need to do to fix the problem or how can you control the problem in a way that fits into your business?
The more of these questions that the pentest can answer for you, the more valuable, and the more expensive, that test will be.
How do you handle these 3rd-party security people who make mountains out of every molehill?"
"Well," said I, "Tell me... exactly how much did you pay for this report?"
"What's that got to do with anything?!" the PHB said.
"You see, if you paid more than $1,000USD for it, well, the way I see it, the people have to find something to make you feel as if you got your money's worth. These "holes" and such are nothing more than just how a system works, you see. And the tools they used to do the report are all free tools that we could have used ourselves had you given us the time to do it." sezs I.
"You're just covering your incompetent backside!" growled the PHB.
"As for being incompetent, well, I'll take just a slight bit of umbrage at that. After all, when is the last time we fell down on the job for you? When were we hacked last, and the time before that? And how long did it take to recover?
"You see," I continue, "the problem here is that we simply cannot afford perfect security. Our staff would be four times larger, our ability to do things would be less than 10% of what we do now, and all for something that hardly ever happens. Now, I admit, there are some things we have to protect without fail, but we cannot protect everything without fail all the time, in all ways. We know what it is you need done, we know what limits you'll accept, and we work in those bounds to keep the plates spinning and the systems humming, and we plan for the times when our security will fail and be able to recover quickly."
"Well, these guys say you are falling down on the job! What about that!!!?" howls the PHB.
"Well, now, boss man, it's like this. When was the last time you turned on a news report and they said "Everything's fine, turn off the news and go back to your life."? Never, I'll bet. You see, security audits and news are a lot alike. There's more money in gloom and doom than ever there was in green fields and times of plenty. Jeffe, if these guys were so good, they'd be mewed up in some large corporate lab and would never, ever be allowed to speak with anyone, lest they violate some clause of their NDAs. God like security people simply DO NOT work freelance. Never. Any tyro can look at a masterpiece and see flaws, but a true Master can see past surface blemishes and capture the work of art. Now, I admit, there are lots of things I'd like to do if we had time, but, we have to keep the money flowing, the systems humming, and the work going. We simply cannot stop the whole company to fix things that are minor or very tough to crack instead of impossible. But I tell you what. Why don't you allow us 4 hours per person a week to work on the top priorities that report shows, and we'll crack that out."
"FOUR HOURS!! EVERY WEEK!!! FOR EVERY I.T. GUY!!!? ARE YOU NUTS!!! DO YOU THINK I AM!!!?" shrieked the PHB.
"Well, Sahbib, that's why we haven't already been jumping on those issues. I didn't feel you'd support the manpower cost, and let us put aside our current projects to address, what is after all, some minor problems. But we work for you, and if you want it done, by golly kingmosabe, we'll jump after it!" I exclaimed, almost saluting.
"Well, four hours a week is out of the question. I simply won't permit it!" bellows the big guy.
"Bigguy, we'll do the best we can with two hours a week..." I trail off...
"NO WAY. You slackers get no more than ONE man, ONE hour a week!"
"Well, your gold, we'll do the best we can." I sez.
"See that you do. Now get out of here and go do whatever it is I pay you to do." the PHB says, punctuating his dismissal with a disdainful sniff.
I slink out of the office with rounded shoulders and the air of defeat about me. As soon as I turn the corner, I perk up, realizing that now I get off an hour early every Friday...
Months later, after the jerk of a PHB had run off anyone with any slight ability, he went out during the dot bomb bust. Word was he managed to hire some of those "security" people that felt that BGP announcements were a security risk and should be discontinued...
I for one *love* ripping these guys new ones. In particular when I produce the same report in a couple of hours. All kinds of fun.
It doesn't matter what you produce. Your boss is bringing in an outside consultancy to get an independent assessment of what you are doing. That's a prudent and sensible thing to do, because he doesn't know what is going on technically (he isn't supposed to--it's not his job), and you could be lying to him to cover your ass. It's no different from bringing in outside accounting firms to check the books, outside HR experts to check compliance with anti-discrimination laws, or outside consultants to check on customer service.
If you are unprofessional, uncooperative, or insulting in the process, you only hurt yourself.
On the other hand, if you think you can do a better job than the outside consulting agencies, start your own and try to convince companies of that.
Others have said it, I'll say it too: You need a formal risk analysis done. Ideally it should be done by the idiots who said you're vulnerable in the first place--make them actually WORK for their money.
Are you at risk? Probably. All companies are based on managing risk, and reaping the rewards. Computers are no different--to have internet access incurs some risk. Your job isn't to ELIMINATE risk, it's to MANAGE it, to reasonable levels. If the consulting company says that you're exposed, it should be up to them to calculate the likelihood of being exploited (i.e. x% chance per year that this exploit will be used), the liability of the exposure (i.e. money lost either directly or indirectly), and the cost to fix. If there's a 0.1% chance per year of someone breaking a server in the DMZ and it will cost your company $10000 to recover from it (lost information, time to rebuild, etc.), then any remedy that closes it will have to be almost free to be worthwhile ($20/year on the outside). On the other hand, something with a 15% chance of being exploited that's going to lose $3MM of market advantage should be fixed ASAP, as long as it costs less than nearly half a million.
Risk analysis. Risk management. Risk containment. NOT risk elimination.
I've seen the managers that this guy is suffering under and your insightful remark won't help him. You see, his boss is likely referring to "holes" reported by Nessus and others that are not holes but, because some outside company said it, then it must be so.
And what is your boss supposed to do? He isn't a network security expert. His in-house staff has strong incentives to pretend that everything is alright, whether it actually is or not. He has to bring in outside experts to verify that his staff is doing what it is supposed to be doing. That's not different from outside accounting firms and other kinds of outside review in other areas.
If you think the quality of the outside security firm your boss selected is poor, talk to him about it and get him to pick one that you think is good. But whether there is going to be an external audit is not debatable--the boss wouldn't be doing his job if he didn't do these things.
They've done nothing wrong. It's their job to point out every molehill. It's your job to perform a threat/risk assessment for each molehill and present a range of mitigations to your boss. For example:
This honestly isn't rocket science. The consultick isn't out to destroy you. He's just doing his job. And yes, it's amusing that the consulticks charge huge amounts of money to run nmap and Nessus, but they were only brought in because you obviously don't have the time to do it yourself.
I get the impression that you've taken this as a personal slight. I think that you believe the consultick's report has made you look bad. Get over it. Maybe you have made a mistake. Maybe you haven't. Your boss doesn't know yet because he isn't informed. Informing your boss of the risks and the costs raised by the consultick's report should be your #1 priority. If you do a good job, you and the consultick will both look good.
it's surprising how often you can connect two completely unrelated events/actions and make them seem interdependent simply by matter-of-factly asserting that the connection exists.
Manager: How can we fix all these security holes?
You: We can fix them no problem, I'll need another unix box for scanning and a 20% pay rise.
Manager: Ha ha ha...very funny.
You: I'm deadly serious.
Manager: What...you're serious...why a 20% pay rise!
You: Ok...you're right...10% is closer to the reality.
Manager: That's better...thought you could pull one over on ol' Bill, didn't you eh?
You: Yeah...sorry about that.
I am part of a small IT firm that deals with Community banks and their networks. Each of our banks get audited quarterly. For years we've been explaining to our customers the real risks to their networks...themselves. The audits are always going to find SOMETHING. That's what they're designed to do. You can always explain the "holes, warnings, and notes" away without losing integrity as long as you have a good relationship with your boss/clients/whoever pays you. There are times when nothing but a squeaky clean audit will do for our clients...we can always provide a total lockdown...then they pay us to open up their network again for functionality. It's all about perception...if they think you're caught off guard, they're worried. If they think you're an IT mastermind...well then they're right.
...will tell your company one and only one thing, and that is your network is unsecurable unless you outsource all your network security and administrating to them because your company's own I.T. crew is too incompetent to do it themselves.
My employer recently went thru one of these and I prepared for it (I am the network admin) by writing a list of everything the consultants would find, and why they would find it and what could or could not be done about it short of completely unplugging the affected bunch of machines and users off the network entirely. I also wrote down exactly what they would find when they attempted a penetration test from the outside to try to come thru our firewalls. I sealed up all my reports into an envelope and got my boss and his bosses above him to agree to keep the envelope sealed and not read it until after the consultants submitted their findings report and they'd read it.
During the tests, the consultants could not break in of course, and I got accused of refusing to cooperate with them. I told them to their faces in front of my boss that they weren't even worth half their weight in dirt and were basically committing a con against us. (con + insult = consult).
After their report was finished and my bosses paid them and read it, followed by reading my sealed reports, my employer basically agreed with me they'd just wasted $15K and my network security talents have never come in question again. The consultants didn't even find everything that I already knew was wrong with our network, and I haven't been permitted to fix the stuff that really needs fixing because too many users will bitch about the inconvenience it would impose on them.
Well I'm not going to give out specific details, but I've got the exact opposite problem. I'm a sort of lower level sysadmin (the kind that fixes minor computer issues; 'I can't connect' 'it says I have Sasser, MsBlast, and Netsky, can you help me?' 'Can you come over and install Kazaa for me?' etc. that sort of job) the upper admins run the network, if you can call it that, and do the more important stuff. Basically our network admins are idiots. They've got lots of really cool, expensive toys, but they have no clue how to use them. I suggest you try doing the same thing for your software compliance that we do for netadmins. Blow them off. Secure your network to the best of your abilities, then engage in extensive penetration testing of your network, while you document EVERYTHING you do. This accomplishes (hopefully): securing your network, watching your back, making less work for you in the future/more time for Doom 3/Halflife 2/Halo/2 etc. That's a lot of work upfront, but if you can show them that your network is secure, with documented proof, they'll probably bite. Even better, if your company will shell out the cash for it, hire a reputable 3rd party to hack the network, and have them thoroughly document your security measures/and the success/failure of the hack, then bring it to your boss. The alternative is to do everything the software asks, and chances are your company will get so sick of 14 letter-digit-special character random passwords, that change every 2 weeks (and similar security measures; welcome to my world) that they'll just say screw it and not bother you again about security.
It doesn't take much to quickly set the right tone for a security audit. Even the Pointiest of HBs can understand the basic rules:
If you have a chance, take them through this: ... you get the idea.
The only way to really secure a system is to turn it off. Not very useful, but highly secure. Ok, so maybe turn it on, but unplug the network cable. And lock the door. (Who has a key? Who cleans the room? ) But it's a server, so it sort of has to be on the network to be useful. So plug it in, but use a firewall it off from the rest of the network with every service but files blocked. Well,
It's all about tradeoffs. Sometimes something comes along that makes life better, easier, and cheaper at the same time, but usually you only get one or two out of three.
A couple of variations:
Some recommend you multiply 2 or 3 factors to give a score, e.g. ease of exploitation x impact of possible exploitation.
You could go one further and do the equivalent of a "safety risk score calculator" (from OHS practices) where you look at:
- extent of what could happen
- how likely it is
- cost of alteration
- extent after alteration
- likelihood after alteration
Of course we're talking about highly inter-related aspects of security which get more complex, but feel free to group a bunch of things together (e.g. all items that relate to fingerprinting but aren't actually exploitable holes)
Time consuming, but you don't need to complete the calculation on items that are near zero risk to start with.
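The scoring scheme the risk-analysis posts above describe (likelihood and impact on a 1-to-10 scale with existing mitigation noted, cost estimates for the top items, the multiply-the-factors variant with scores before and after the alteration, and the dollar-based check of whether a remedy costs less than the loss it prevents), worked through as one added Python example; it is not code from any poster, and every finding, score and dollar figure in it is constructed.

```python
"""Risk ranking of audit findings: likelihood and impact scored 1..10, the
risk left after a proposed fix, and a dollar cost/benefit check.
Added example for this thread, not a tool from any poster; every finding,
score and dollar figure here is constructed for illustration."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    """One report item, scored the way the posts above describe."""
    name: str
    likelihood: int        # 1..10: chance the vulnerability is realised
    impact: int            # 1..10: damage if it is realised
    mitigation: str        # what is already in place to reduce it
    likelihood_after: int  # likelihood once the proposed fix is applied
    impact_after: int      # impact once the proposed fix is applied
    fix_cost: float        # rough estimate of the cost to fix, in dollars


def risk_score(likelihood: int, impact: int) -> int:
    """Multiply the two 1..10 factors into one 1..100 score; same scale for every item."""
    for value in (likelihood, impact):
        if not 1 <= value <= 10:
            raise ValueError("likelihood and impact must be on the 1..10 scale")
    return likelihood * impact


def current_risk(finding: Finding) -> int:
    return risk_score(finding.likelihood, finding.impact)


def residual_risk(finding: Finding) -> int:
    """Risk that remains after the proposed alteration."""
    return risk_score(finding.likelihood_after, finding.impact_after)


def rank_findings(findings, top_n=None):
    """Highest current risk first; top_n gives the short list that gets cost estimates."""
    ranked = sorted(findings, key=lambda f: (-current_risk(f), f.name))
    return ranked[:top_n] if top_n else ranked


def risk_per_dollar(finding: Finding) -> float:
    """Risk points removed per dollar of fix cost (0.0 when the fix changes nothing).
    Items that are already near zero risk need no calculation at all."""
    reduction = current_risk(finding) - residual_risk(finding)
    if reduction <= 0:
        return 0.0
    return reduction / max(finding.fix_cost, 1.0)


def annual_loss_expectancy(probability_per_year: float, loss_per_incident: float) -> float:
    """Expected loss per year: chance per year the exploit is used times the cost of one incident."""
    if not 0.0 <= probability_per_year <= 1.0:
        raise ValueError("probability_per_year must be between 0 and 1")
    return probability_per_year * loss_per_incident


def worth_fixing(probability_per_year: float, loss_per_incident: float,
                 fix_cost: float, years: int = 1) -> bool:
    """A remedy pays for itself only if it costs less than the loss it prevents over its lifetime."""
    return fix_cost < annual_loss_expectancy(probability_per_year, loss_per_incident) * years


# Constructed findings in the spirit of the thread's own examples.
SAMPLE_FINDINGS = [
    Finding("telnet still enabled on legacy app servers", 7, 8,
            "none", 1, 8, 12_000.0),
    Finding("Apache version visible in Server header", 3, 2,
            "cited exploit does not apply to this platform", 1, 2, 50.0),
    Finding("electrical fire in the server room", 1, 10,
            "sprinklers, alarms, off-site backups", 1, 4, 40_000.0),
    Finding("all system administrators quit at once", 2, 9,
            "decent pay, no tie policy", 1, 9, 30_000.0),
]


if __name__ == "__main__":
    for f in rank_findings(SAMPLE_FINDINGS, top_n=3):
        print(f"{current_risk(f):3d} -> {residual_risk(f):3d}  "
              f"{risk_per_dollar(f):.4f} pts/$  {f.name}")
    # The dollar examples from the thread, with constructed fix costs.
    print(worth_fixing(0.001, 10_000, 20))         # False: expected loss is $10 a year
    print(worth_fixing(0.15, 3_000_000, 400_000))  # True: expected loss is $450k a year
```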
We did so, and were working with them in the process, having them scan the internal and external network.
Since it was competent people picking the security consultant, we got a good company to do the work. And not just the friend of the boss's cousin.
If the security company thinks it is fixable, have them come up with a price quote.
I so sympathize with this. :)
One of our credit card processing companies got a wild hair up their ass about security. Security is a good thing, I fully believe in it. But they hired their own 3rd party company to scan us. Over, and over, and over again.
The 3rd party sent them a big list, where we were just on the friendly side of a passing score. I'm not pleased with "just" passing. They sent me the list, and "suggested" that we fix all these obvious holes in our security.
Some of them were that the sites resolved in DNS. Ummm, you go to example.com, it's gotta resolve.
Another was that we had a firewall up. Because packets disappeared into our network (dropped, instead of rejected), it was a clue to potential hackers that we had a firewall up. {sigh} Ok, so our firewall did exactly what we wanted, and we get scored down??
The remainder of the list were assumptions. They (through fingerprinting) identified that we were using *nix machines, we are running Apache running on the web servers in question. At the time, Apache_SSL was about 2 subrevisions behind Apache itself, which made it impossible to stay with Apache_SSL, and pass their test. Their beef with it was that there was an exploit for Win32 and OS2 for the particular version we were running. I wrote them a nice email and said "Ok, so there's an exploit for Win32 and OS2 for that version, but we're running on *nix".
The temporary fix for the Apache "warning" was to not display the version of Apache. I later changed over to mod_ssl, and stuck with the current version.
We still get quarterly reports from them. I sigh every time I see them. They just piss me off. Not that we're getting a security review, but the fact that I have to explain why perfectly acceptable things are listed. I can never get my score to 0 threats. Even if I firewalled off the machine, so they couldn't see it, I'd still get points against me, because they can see there is a black hole, where they know there is a machine. {sigh}
I glance over the list when it comes in, and look for anything interesting. Do they have anything relevant to tell me? Nope? Ok, put it off til next week to decorate around their mental problems. Most days, I have real work to deal with, and don't feel like doing stupid tricks for their entertainment. Of course, if I have the time, I love messing with them. Let them wonder why I'm running Apache 4.9.1 on an unknown platform.
Serious? Seriousness is well above my pay grade.
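The Apache story above is the classic banner-driven false positive: the scanner matched a version string to an advisory whose exploit only existed for other platforms, and once the version was hidden it could only guess. An added example of the triage step the admin had to do by hand, not code from the thread: the advisory IDs, fixed-in versions, platform lists and host facts are all constructed for illustration and do not refer to real Apache advisories.

```python
import re

# Constructed advisory catalogue. IDs, versions and platform lists are made up.
ADVISORIES = {
    "EX-01": {"product": "Apache", "fixed_in": "1.3.29", "platforms": {"win32", "os2"}},
    "EX-02": {"product": "Apache", "fixed_in": "1.3.31", "platforms": {"win32", "os2", "unix"}},
}

# Facts only the admin knows; the scanner can only infer them from banners.
HOSTS = {
    "www1": {"platform": "unix", "apache_version": "1.3.28"},
    "www2": {"platform": "unix", "apache_version": "1.3.31"},
}

BANNER_RE = re.compile(
    r"^(?P<product>[A-Za-z][\w-]*)(?:/(?P<version>\d+(?:\.\d+)*))?(?:\s+\((?P<os>[^)]+)\))?"
)


def version_tuple(v):
    return tuple(int(x) for x in v.split("."))


def verify_finding(host, banner, advisory_id):
    """Return (verdict, reason) for one scanner finding, where verdict is
    'confirmed', 'false positive' or 'unverified'."""
    adv = ADVISORIES[advisory_id]
    facts = HOSTS.get(host)
    m = BANNER_RE.match(banner)
    if not m or m.group("product").lower() != adv["product"].lower():
        return ("false positive", f"banner {banner!r} is not {adv['product']}")
    if facts is None:
        return ("unverified", f"no local facts recorded for {host}; check it by hand")
    if facts["platform"] not in adv["platforms"]:
        return ("false positive",
                f"{advisory_id} affects {sorted(adv['platforms'])}; {host} runs {facts['platform']}")
    version, source = m.group("version"), "banner"
    if version is None:
        # Banner hides the version (e.g. ServerTokens Prod), so the scanner guessed;
        # fall back to the version the admin knows is installed.
        version, source = facts["apache_version"], "local check"
    if version_tuple(version) < version_tuple(adv["fixed_in"]):
        return ("confirmed", f"{version} < {adv['fixed_in']} ({source}); upgrade")
    return ("false positive", f"{version} >= {adv['fixed_in']} ({source})")


# Constructed findings in the shape a scanner exports: host, banner seen, advisory matched.
FINDINGS = [
    ("www1", "Apache/1.3.28 (Unix)", "EX-01"),   # exploit is Win32/OS2 only
    ("www1", "Apache/1.3.28 (Unix)", "EX-02"),   # genuinely behind the fix
    ("www2", "Apache", "EX-02"),                 # version hidden; scanner guessed
    ("www3", "Apache/1.3.20 (Unix)", "EX-02"),   # host nobody documented
]

if __name__ == "__main__":
    for host, banner, adv in FINDINGS:
        verdict, reason = verify_finding(host, banner, adv)
        print(f"{host:5} {adv:6} {verdict:15} {reason}")
```

The point of the `unverified` verdict is the one the thread keeps circling: hiding the banner stops the scanner from scoring you, but it does not make the box patched, so the local fact has to come from somewhere you control.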
I am sorry for all the people who had experience with bad auditors. Truth is that learning scanning software (ISS, Nessus, Harris Stat, etc.) is fairly easy. It's the analysis part that is hard. When I do audits I go over every vulnerability found (by whatever particular scanner) with the client and we discuss each one to find out whether it is valid for their environment or not. Additionally, a post report should include a thorough analysis of all the findings, not just a printout of the ISS report (which in my opinion is poor), and match these vulnerabilities with realistic mitigations. Just like in every field, there are bad people and there are really good people as well. I have met TONS of people recently who are in security because they heard it was a hot field but even with the CISSP they don't know jack!!!
Tell the VP that the fact that he saves all his internet passwords in his browser, replicates all his confidential data to his Palm Pilot, tapes his passwords to the inside of his laptop, and gives full access to all data to his managers, is a far greater security risk than a non-renamed administrator account on a small print server.
That should shut him up for a couple of weeks.
Reply to each item with a cost to fix, including the cost of addressing other problems you introduce.
The reasonable stuff that you can realistically do should have a reasonable cost attached.
The stuff you really don't want to get into, just say that requires $10 million to build a brand new datacentre. If you take this approach, even the most Pointy-Headed of Bosses can be brought around to your way of thinking.
-- Nick "Hallo this is Beel Gates, und I pronounce weendows as
There is an issue of trust in the ability of your engineers though. I had this problem at my previous employer (which I left). If the manager consistently does not listen to your advice (however presented), think about it a bit: It means he/she actually does not have much faith in your skills, and does not trust your advice. This is inherently going to be a problem for you, regardless of whether or not you are able to 'document your thought processes'. What kind of reference are you going to get from a manager who doesn't trust your capabilities and thinks you're probably mediocre? What kind of opportunities for promotion, salary increases, increased responsibility etc. are you going to get from a manager who doesn't recognize or trust your capabilities? If this is what is going on, you need to get out anyway, because you're going to hit a "glass ceiling" very soon in your career.
IMO, good managers recognize skills, and place trust in their employees, giving them enough 'free rein' to 'work their magic' and not preventing them from doing so.
These tools are guides only. Anyone who treats them as 100% reliable is not a professional admin.
If you know enough about your systems that these are false positives, you can document each false positive so that as your systems change or the scanner tools are updates you can tell what is a potential problem and what is not.
If the 'security company' supposedly did a complete audit and does not have a reply to what you find, they ripped off your company.
If they were hired to do a basic review, not a complete audit, you can't blame them. The folks who hired them to do a minimal job got exactly what they asked for.
A firewall can not protect you from yourself. Turn off what you do not need. Do not use the firewall to do your work.
We had one of these security consultants; the first I heard about it was detecting a Nessus scan coming over the WAN, so I fired up email and sent one off warning of possible reconnaissance on the network. The eventual reply I got after follow-ups went something like this:
We have yet to receive the full report, the security company just finished up a web scan of the **** Network last Sunday so it will be a couple of week before we get the total results.
I am not aware at this time of any issues with the UK network, but will let you know if any were found.
Thanks for the info, I will let the Security Company know that they didn't go undetected.
I never did get a report, but as their penetration scan caused me to put out a full alert on an internal IP in our company, I doubt they ever got paid.
I have to ask why the tone is so defensive? They've been paid to find every little bit ... now it's your job to help your management put the report into context.
Do your job.
-Jeff
Please learn the difference between a dissenting opinion and a troll before you moderate.
Strike first. Do a scan yourself, note the items as "false positives" and give the list to the auditors.
If the auditors come back with the same list, your defense is: those are all false positives as noted in the initial report to the auditors. Get new auditors; these didn't do their job.
Moderating "-1, Disagree" is simple censorship. Have the guts to post your opinion.
We just finished our first DDoS assessment, it went wonderful and we had the best security related results that we have seen in years. The guys over at Prolexic know what they are doing. You may want to check them out, www.prolexic.com. They just started a new product they call DDoS security testing, I am not sure if it's on their web site.
-steve
>> How do you handle these 3rd-party security people who make mountains out of every molehill?
Err, you don't. They are commissioned to do their job. Since they were hired, did work, that you had to react to (called on the carpet), that means you are out of the loop in regards to management & how they perceive security.
The beauty of 3rd party consultants (security or otherwise) is management gains external veri- or villi- fication of whatever their agenda is.
In short, you have to handle management (ie: the people who brought in the 3rd party peeps). Your description of the situation doesn't disclose your role in detail, so I will assume away a troll.
>>I told our risk management VP that to fix every item cited - - many of which were false positives or completely out of context - - would be next to impossible for our small IT staff, and that some of the fixes, if implemented, might have deleterious effects on an otherwise smoothly running operation.
Nope. Let me verbally slap you for this one. Not for effort, I get that. It is impractical to fix "everything". However, being reactionary to a report changes the discussion from "what are we doing to help the business" (VPs love this shit) to "why didn't you do your job" (which at best means a verbal remand, or at worst is used as justification to fire your ass).
Your approach to the VP of "whateverthehell" should be more of a "ok, bossman/bitch, here's the recommendations of the people someone (or YOU) hired, since you clearly don't trust me (don't say this part out loud) and here is my estimate of what it would take to fix each and every bullet point." Further, toss in a risk assessment that covers what the downside is of NOT fixing this. Take your time, make a nicely formatted report. Don't exaggerate, and do NOT let an item go by without pointing out the pros/cons of closing each "hole".
The downside of this is it is work. The upshot is you've handed the VP a checklist. The VP can then make decisions (y/n/dodge) about what they fix and don't.
Most importantly, you at least look like someone who is trying to help, rather than a defensive employee trying to (at worst) cover up incompetence, or (at best) doesn't know any better (incompetence variation).
The VP is watching behavior, since typically they don't know tech. What does your behavior tell them?
Since you had to ask slashdot, there ya go.
We have to justify any exceptions to our security policy.
By their nature the security guys want everything tight as a drum. On the other hand the realities of running applications (some of which may be 20 years old) makes it cost prohibitive to make global changes.
For example the security gurus banned FTP. However we had old code that depended upon FTP, and would have cost too much to modify to use other alternatives (sftp etc..). You could justify these sorts of exceptions based upon the needs of the business - in this case the need not to break the budget. To ameliorate the problem we do routing/firewall configurations that only allow the two boxes in question to talk to one another using the forbidden protocol - a much cheaper solution.
When you put things in dollar terms the powers that be tend to shy away from knee jerk reactions based on the advice of 'experts'.
Lodragan Draoidh
The more you explain it, the more I don't understand it. - Mark Twain
- Run common tools like nessus yourself, and document the results. Indicate the false positives in a report. Indicate how real issues have been fixed. Give a copy to whoever might care.
- Don't pay third party companies if all you are going to get back is the output of nessus or some such thing. If all they are going to give you is the unverified output of open source tools, they aren't adding any value to your operation.
- If you guys are going to hire third parties, YOU, the sysadmin, be the one to initiate the process. You are also the only one qualified to interpret the results. If there are things on the list that are not valid or not high enough risk to worry about, document the fact and be done with it.
Many companies require external IT security audits as part of their financial controls. I used to routinely do my own assessments since it was a useful way to police my infrastructure (used to because I retired). The auditors rarely uncovered anything significant since we had already corrected the vulnerabilities. We were aware of and ready to explain the routine false positives as well as the low level "vulnerabilities" that we wanted for one reason or another or were not concerned about.
Don
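Several comments make the same recommendation from different angles: document each false positive so you can still tell what is real when the systems or the scanner change, hand the auditors your own list before they send theirs, and be ready to explain the routine items every quarter. An added example of the register that makes this mechanical, not code from the thread: it reconciles a fresh scan against a list of documented exceptions that each carry a reason and a review date. The check names, hosts and dates are constructed; the register entries are in the shape a small shop could keep in a text file.

```python
# Constructed register of findings already examined. Check names are made-up
# scanner plugin labels; each entry records why it is accepted and when to
# re-check it. Dates are ISO strings, which compare correctly as plain strings.
REGISTER = [
    {"host": "fw1", "check": "firewall-detected", "status": "accepted",
     "reason": "perimeter filter DROPs by design", "review_by": "2005-01-01"},
    {"host": "www1", "check": "apache-version-banner", "status": "false positive",
     "reason": "advisory applies to Win32/OS2 builds only", "review_by": "2004-06-01"},
    {"host": "ns1", "check": "hostname-resolves", "status": "accepted",
     "reason": "public web site must resolve", "review_by": "2005-06-01"},
]

# Constructed scan export: (host, check, severity) as a scanner might emit it.
SCAN = [
    ("fw1", "firewall-detected", "info"),
    ("www1", "apache-version-banner", "medium"),
    ("fs1", "smb-unpatched", "high"),
]


def reconcile(scan, register, today):
    """Split a fresh scan into what needs attention and what is already documented.

    new:      not in the register, so it really is new to us
    known:    suppressed by a current register entry
    expired:  register entry is past its review date and must be re-justified
    resolved: register entry whose finding no longer appears (fixed, or the
              scanner changed and the entry can be retired)
    """
    by_key = {(e["host"], e["check"]): e for e in register}
    seen = set()
    out = {"new": [], "known": [], "expired": [], "resolved": []}
    for host, check, severity in scan:
        key = (host, check)
        seen.add(key)
        entry = by_key.get(key)
        if entry is None:
            out["new"].append((host, check, severity))
        elif entry["review_by"] < today:
            out["expired"].append((host, check, entry["reason"], entry["review_by"]))
        else:
            out["known"].append((host, check, entry["status"]))
    for key in by_key:
        if key not in seen:
            out["resolved"].append(key)
    return out


if __name__ == "__main__":
    result = reconcile(SCAN, REGISTER, "2004-09-01")
    for bucket, items in result.items():
        for item in items:
            print(f"{bucket:9} {item}")
```

Run it against each quarterly report and only the `new` and `expired` buckets need a human; the `resolved` bucket is how you notice that an exception you wrote for an old scanner version no longer applies.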
Why did you let yourself be blindsided by this? Even if you weren't notified that a "security consultant" would be working the network, you should be running your own scans and classifying the risks. And if you were notified, that's even more reason to do your own independent scan/analysis.
There are some situations where even if you're overworked, you have to make the time to be pro-active in self-defense. Any work done by outside consultants to evaluate your performance falls into this category.
We are the 198 proof..
Otherwise follow the advice of one of the first posts - quit. You are being paid good money to do a job, don't get upset because they want you to do your job. This doesn't mean fix everything today, it means fix the machines as you can. Next go out and get the open source scanner and run your own scan. Even if you have to take a machine that is currently in a closet to do it with, do it. Load Linux and the scanner and go to it. I often use old beat up machines for Linux servers and audit machines.
Next you should have scripts to do monitoring. Check e-mail in and out of your site, not the contents of the mail, what is going on with the mail. One machine suddenly sending out 1000 X as much mail? It is probably a spam machine now. Things like that. I catch a lot of windows machines that way.
Remember to use computers to your advantage. They do work very fast and very efficiently. Keep track of how to fix one machine then automate it. That can save you a LOT of time!
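The mail-volume check the comment above describes (watch what is going on with the mail, not its contents, and flag a machine that suddenly sends many times its usual volume) as an added example. This is not the poster's script; the relay log format, the addresses and the traffic figures are constructed for illustration, and the thresholds are assumptions you would tune to your own site.

```python
import re
from collections import Counter, defaultdict
from statistics import median

# Constructed relay log line: ISO timestamp, then the client that handed us the
# message. Only the fact that a message was relayed is used, never its content.
LINE_RE = re.compile(r"^(?P<day>\d{4}-\d{2}-\d{2})T\S+ relay: client=(?P<client>[\d.]+)\b")


def count_by_day(lines):
    """Messages per client per day."""
    counts = defaultdict(Counter)
    for line in lines:
        m = LINE_RE.match(line)
        if m:
            counts[m.group("day")][m.group("client")] += 1
    return counts


def find_outliers(counts, today, ratio=20, min_today=50):
    """Flag clients whose volume today is at least `ratio` times their median
    daily volume on earlier days. A client with no history at all is flagged
    once it passes `min_today`, since a freshly infected box may never have
    relayed mail before."""
    history = defaultdict(list)
    for day, per_client in counts.items():
        if day < today:  # ISO dates compare correctly as strings
            for client, n in per_client.items():
                history[client].append(n)
    flagged = []
    for client, n in counts.get(today, {}).items():
        baseline = median(history[client]) if history[client] else 0
        if baseline == 0:
            if n >= min_today:
                flagged.append((client, n, 0, float("inf")))
        elif n / baseline >= ratio:
            flagged.append((client, n, baseline, n / baseline))
    return sorted(flagged, key=lambda r: -r[3])


def sample_log():
    """Constructed: a week of normal traffic, then a day on which one desktop
    explodes and an address nobody has seen before starts relaying."""
    normal = {"10.0.0.11": 3, "10.0.0.12": 5, "10.0.0.25": 200}  # two desktops, the outbound MTA
    lines = []
    for d in range(1, 8):
        for client, n in normal.items():
            lines += [f"2004-09-0{d}T10:00:00 relay: client={client} size=1024"] * n
    today = dict(normal, **{"10.0.0.12": 400, "10.0.0.99": 60})
    for client, n in today.items():
        lines += [f"2004-09-08T10:00:00 relay: client={client} size=1024"] * n
    return lines


if __name__ == "__main__":
    for client, n, baseline, factor in find_outliers(count_by_day(sample_log()), "2004-09-08"):
        print(f"{client:12} today={n:4} baseline={baseline:4} x{factor}")
```

Using the median rather than the mean keeps one earlier bad day from inflating a host's baseline, and the `min_today` floor for unknown clients is what catches the spam box that was never supposed to talk to the relay at all.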
After running tools and manual methods we work out what the results really mean (unlike a small shop who might just provide the Nessus/ISS/Retina/whatever output) from a technical and business perspective. Then we go through this draft report with the client to discuss context - as they will know the environment better than us - so we can work out what risk mitigation is in place.
Only then do we issue a final report!
It boils down to a risk analysis and a cost benefits analysis. Since you're looking at the situation in terms of dollars, ie how expensive it would be to patch the holes reported by the auditor, you'll need to do a quantitative risk analysis. For each of the items you were dinged on you'll need to come up with a risk analysis. Or you could get your auditors to do one, but they're not exactly impartial. Once you come up with an estimate of what it costs a year to have that vulnerability unchecked, then you can do your cost benefits analysis. That's where you get to show that spending 100k on disabling ICMP timestamp requests on your workstations is a waste of money.
Yes, my only tool is a hammer. And you're starting to look like a nail.
Back in the hey-day of cross-browser compatibility, before CSS really took a good hold and everyone had moved to IE, I used to spend a LOT of time making things work cross-browser. A lot of the work I did was not strictly within the current HTML DOM, as things needed to be built with a combination of IE, Netscape, and DOM compliance. During one project, I built a series of HTML templates for a client who was having the application written by another company, but wanted me to do the front-end design. Because the developer was stalling for time, they ran a strict HTML verification program against my code and sent back a HUGE list of issues. I spent an afternoon responding to each individual issue, explaining why this was either (a) not really an issue, or (b) because of the layout/design, the only way to "fix" the issue would be to redesign the entire page. The problem was that, when viewed on screen in any contemporary browser, the pages worked fine. I was able to make a very good argument against ALL of their issues, and turn their attempt to make me look bad against them. What this boils down to is this...document the hell out of their responses, with specific reasons why each issue is not an issue. It may take some time and effort, but at the end of the day you'll make the VP happy, prove (again) that you have the capabilities to perform at your job, and make yourself look good. It's a pain in the ass, but will be worth it in the end.
Reading down through all the comments I saw some very interesting points to ponder on this. I just presented my findings to an organization after doing an in depth security review. I agree with most of the comments about checking your work. Quite honestly, I use Nessus as one of the tools to do the assessment, but my report only includes a few pieces from that. The Nessus report is just added on in digital form, for review, but my recommendations and findings have more to do with lax password policy, leaving default services enabled, lack of patching/updates/hotfixes. I used Nessus to identify which machines were "most vulnerable" and then went to each of the top machines and did a check on them. Sure, Nessus came back with bunches of stuff, and guess what folks? most of the High values were TRUE! People who make blanket statements like "Nessus only shows obscure vulnerabilities" really should take a look sometime at the fact that most of those are detailed with either a fix, or if on a Windows machine a KB article. Several of those that I checked when I ran Nessus actually linked to KB articles that were fixed with silly little things like, oh I dunno, a service pack released two years ago? Ya know? Simple little obscure things like that. I actually resent the idiot who implies that I don't know my job as a security professional to go back and verify what ANY tool tells me is vulnerable. If a tool says "this service is not patched", and you go and look at the machine, and it isn't patched... then MAYBE, just MAYBE the machine is vulnerable to malicious intent!!!!
--Security; try it, you might like it...
It is by caffeine alone I put my mind in motion...
If you have advance warning that these consultants are coming, make a list of everything they may find that is harmless and give it to your boss before they get there. The reference sheet should go a long way to show how important you are, and what a bunch of idiots they are.
First thing that sticks out at me is, did the execs approach the IT department about doing a security study? If they went straight to an outside source, it could be a sign that they don't trust you. I can understand if they felt their own IT department was overwhelmed with current projects, but did they even get your input before moving forward? Were they interested in plugging their security holes, or were they interested in checking up on the IT department?
I believe your viewpoint is that the 3rd party company over-exaggerated the security risks in order to justify their price tag for the study. I don't think I would necessarily disagree with you. It isn't indicative of the entire security industry, but there are some companies that are just out for the quick buck. I wouldn't be so fast to dismiss their findings, though.
Most execs only understand money. They wouldn't give a rat's butt about security holes, if they weren't convinced it would cost them money. So what you need to do is itemize each security hole. List the possibility of an attack through the security hole, and how long it would take to fix it. Give a cost estimate for how much it would cost in terms of labor hours to fix it. Also figure up how much money would be lost during down time. Lastly, estimate how many hours and the labor costs it would take to fix the problem. If it is going to take $1200 to patch a hole now that at worst would cost $100 to recover from, and $100 in lost revenue; then it shouldn't be a priority. On the other hand if it would take $100 to fix it now and $300 to recover from it during down time, then obviously it is worth fixing. Basically, just show them the cost difference between patching and recovering. Allow the execs to review and decide how they want to spend money. This will also show them how petty some holes might be.
Lastly, don't take it personally. Yes it does look like they are trying to blame the IT department for the security holes, but in the world of IT there can be a difference of opinion. There can be multiple rights and wrongs. You need to stress this; that although the 3rd party has one opinion, you have another. Doesn't mean one party is right and the other is wrong.