Slashdot Mirror
Network Penetration Scans and Executive Reaction?
LazloToth asks: "I'm sure some of you have had this happen: your company pays the big bucks for a 3rd-party security audit and, when it comes back, you get called on the carpet for all the supposed 'holes' in your network. When you see the report, you recognize that it comes from a well-known open-source security scanner, and that the 'holes' in question are so obscure as to be meaningless. I told our risk management VP that to fix every item cited - - many of which were false positives or completely out of context - - would be next to impossible for our small IT staff, and that some of the fixes, if implemented, might have deleterious effects on an otherwise smoothly running operation. How do you handle these 3rd-party security people who make mountains out of every molehill?"
Quit your job and start a 3rd party security consulting company.
Toronto-area transit rider? Rate your ride.
Its their job to be detailed. You have to infer those reports and draw conclusions. They were hired to point out the holes, you have to decide whether its worth covering them
If the boss wants you to "fix" them all, give him a report of your own. "This is setup this way because of X, and the risk is mitigated by Y." If it's not a risk, explain why it is not. If you can't explain why it's a risk or how you're mitigating the risk, then you should be called out on the carpet. NEVER rely on security by obscurity. There is no such thing as a hole "so obscure as to be meaningless." If you mean that the report is vague in defining what the hole is, then you or your boss should get more information from the person you paid to do it.
In the end, if you can't specify why it SHOULD be that way, then you should make it secure. If you can say it HAS to be that way for a specific reason, then you should say how you are mitigating the risk. If you're not mitigating the risk, well, you better come up with a really good reason your boss is going to like.
- AMW
... they have make huge deals out of everything or risk being found out as mostly useless ;)
The Peanut Gallery, Ubergeek, Biblically Sober
NCAAbbs.com: Thousands of fans, Hundreds of teams, Just one place
present your own report, detailing those same holes and why it's not worth it to fix them. Preferably first.
"It is possible to commit no errors and still lose. That is not a weakness. That is life." -Peak Performance
How do you handle these 3rd-party security people who make mountains out of every molehill?
Post the company name and URL on slashdot and let them have a 'specialised security audit'...
One of two ways:
Sit down with your boss and explain what each open port is and why it is open. Then explain what happens if you close that port.
Lock everything down tighter than fort knox, starting with your bosses machine (Yes sir, Im sorry you can't surf the internet, we closed that outgoing port because it was a security risk)
One of these should work (or get you fired) either way, you don't have to deal with employees upset because their VPN or Remote Access doesn't work.
As someone else said - if you can't do that, there's a problem.
smash.
I run: Windows, OS X, Linux, FreeBSD. Just because you have a hammer, doesn't mean everything is a nail.
LazloToth asks: "...How do you handle these 3rd-party security people who make mountains out of every molehill?"
I think we need more details on the severity of your security holes. Give us your company's IP range, and if we find anything significant we'll leave a note for you on your desktop.
When you have nothing left to burn you must set yourself on fire
Document the hell out of everything. And explain why the setup is as it is. It is a real pain when you have some worthless security company telling management that echo, discard, and chargen are major security holes on internal systems. Besides senseless violence directed at the auditors it is a painfull process.
Seriously, you need to work with someone who has a clue. Anyone reviewing these scans should know what they are looking at. If they don't, they have no room to criticize. It is the security consultants job to put the scan and the vulnerabilities in context. They need to explain the risks to management in a manner that management can understand. Their report should come with recommendations on how to correct the problems, and it should at least try to outline the consequences of the fixes. The consultants should have worked with the engineering/admin team to understand the holes before the report went to management. Otherwise you paid for a whole lot of nothing.
the growth in cynicism and rebellion has not been without cause
You've already played Devil's Advocate, so document what you think the risks are/may be, then do *exactly* what he says. Once it breaks, whip out the risks you documented and explain how you did exactly what was asked of you over your stated objections. It's the only real way to do it--and rather satisfying, gotta admit.
If you can't be part of the solution, there is good money to be made in prolonging the problem.
"With sufficient thrust, pigs fly just fine." -- RFC 1925
Take the report, and give costs for covering each hole. Also, give your risk assesment to the company (yes, there is a hole that has a 1% chance of costing the company $5,000 dollars - but it will cost $500 to repair).
Then, let the boss make the budget decisions, and carry them out. Make sure extra staff is included in your report.
"Giving money and power to government is like giving whiskey and car keys to teenage boys" P. J. O'Rourke
BOFH
Every chain is only as strong as its weakest link.
This holds true in the military area, more than everywhere else. I work in environments that are very sensitive to security, and we take such external reviews extremely seriously. There's no such thing as an "obscure" or "irrelevant" weakness.
Unlike most vanilla companies, we can't afford to let things slide, security-wise. Knowing that your clients are prime target for highly professional black hats and (not only industrial) spies is highly motivating. This includes (of course) penetration testing (conducted both internally and by independant contractors), but also exclusive use of open source code and internal code auditing. As an aside: personnel (HR) auditing is also very important, if not even more so than technical aspects!
Sure, most companies don't need this level of security awareness and can get away with being "pragmatic", but don't complain when your client database (with all the goodies like credit card data etc.) gets compromized!
cpghost at Cordula's Web.
See where they did the scan from and drop all packets at the firewall from that domain?
I Am My Own Worst Enemy
In the mid-1990s, I ran IT for a graphic design firm, which consisted of some 50-75 Macintosh computers. Pretty much everything ran on Macs; even the accounting systems used Great Plains for Mac.
At one point, some of the staffers got the idea that network performance might not be optimal, and it was decided that we should do a performance audit. A contractor was brought in to spend a few hours sniffing our network, then go away and do a thorough, in-depth protocol analysis. The result of this analysis was a 20-page report detailing their findings.
The conclusion was that there was, indeed, a lot of unnecessary packets of traffic flying around the network. Their solution?
"Eliminate the Appletalk networking protocol."
Uh, yeah. Thanks guys, here's your $2,500.
(Maybe the best solution is to do whatever you can to educate management and set expectations at appropriate levels.)
Breakfast served all day!
They get paid to find every little nitpicky thing. It's in their best interest to make everything sound major (ever heard of the term follow-on engagement?)
Sit down, take the list and prepare a reasonable time & budget to fix each item along with your recommendations of the order to fix them in (based on business risk). Make sure your numbers and hours are realistic, because chances are excellent that he'll ask the consultants for the same info.
Then Mr VP can either allot internal resources to fixing the problem or hire outside consultants, or both. Business risk deals with a lot of things both real and perceived. In some cases, having the perception of risk is just as bad a the real thing (from a liability perspective, thank you Millberg Weiss).
Your VPs job is to determine the acceptable level of risk for the company. Yours is to aid him in that decision, not make it for him.
"I'd rather be a lightning rod than a seismometer." -Ken Kesey
How do you handle these 3rd-party security people who make mountains out of every molehill?"
/whine "hard work." Well, it'll be harder after some n00b takes my personal information off your insecure system. Fix it, or consider changing careers instead of being yet another BOFH.
Since you don't cite any examples of these issues, I would bet you're one of these people who think running PHP with register_globals on is a "molehill?"
Cite some examples, or else this looks like you're complaining that tightening security holes would be
If you want real security, penitration testing is only a small part of the process. Sure, you can pay someone to find valunerabilities....any kid with a copy of nessus, snort, and nmap will do....or you can shell out the big bucks for a Core Impact setup if you get the PHBs paranoid enough. It really won't help fix anything. Even if you do manage to patch every valunerable service and close off everything else that you don't need, you may still be insecure. Policies and procedures are often as important for ensuring security as closing specific holes in software. If your company needs to outsource network security, convince them to get someone who will offer a more complete solution comprising of a specific and custom plan for ensuring the physical, human, and software aspects of security. If you want to get out of your current prediciment, I suggest patching what you can and explaining why other valunerabilities are not relivant. Prove you are smarter then the consultants leeching money that could be yours. If your boss is a real idiot and the security reaserchers he/she hires are dumbasses too, you can safely backdoor the place before you leave!
------ Take away the right to say fuck and you take away the right to say fuck the government.
Human nature being what it is, pointing this out to the boss is likely to embarass him and make him feel like you're being a smartass. In general I find that explaining the security continuum (where at one end you have low security, low cost, and all the functionality you want, and at the other end you have high security, higher cost, and some curtailing of functionality) is helpful in coaxing them out of the mentality that security is a one-way street. In the real world, high security entails compromises, some budgetary (even if only for more sysad time) and some functional (not every new flashy network app can simply be added to the system without security analysis).
I've also found that explaining the security process in terms of priorities is helpful. I used to use a top 10 list that showed management exactly what was highest priority, what came next, and so on. This helped them realize that not all threats are equal .
Best of luck to you.
Read the EFF's Fair Use FAQ
...what we say goes. No questions asked.
until you want to be a public company.
"I'd rather be a lightning rod than a seismometer." -Ken Kesey
I've seen the managers that this guy is suffering under and your insightful remark won't help him. You see, his boss is likely referring to "holes" reported by Nessus and others that are not holes but, because some outside company said it, then it must be so.
Outside companies are always more authoritive than in house staff. "they're not form here so, they must be the authority on the subject."
By the way, the "holes" he is referring to are likely things like:
Can determine path to host via traceroute. Danger Will Robinson!
SMTP server returns a header. Shock! Horror!
HTTP server returns a header. OMG! This must be fixed!??
Put the focus on your professional relationship; make the technical aspects secondary to that. If you have any history of trust, emphasize that.
"Do you generally trust me to keep the network secure?"
"Do you see the possibility that this company might make mountains out of molehills to demonstrate their value?"
"If we DO find out that I have left some things unattended, will you give me the chance to correct them?"
Etc.
Your boss, more than anything, wants to know he's in good hands. Even though he may not consciously know it, his trust in YOU is the most important thing; his trust in the NETWORK is secondary; his trust in a temporary CONTRACTOR is a fleeting thing.
If you adopt an overly defensive or confrontational posture, you do nothing but hurt your relationship with your boss, and ultimately yourself.
Pete Forsyth
is another man's mountain. If you were "hacked" and when you went back to the 3rd party security company and were told "Well, that opening is so obscure that we really didn't think it was an issue." Who would be having their asses handed to them in court?
Their jobs are to be as thorough as possible, your job is to analyse the data and figure out what it means with the knowledge you have from working within the organization and understanding the quirks that are native to your workplace. Hopefully your boss understands that your organization (like all organizations) have little things that require special consideration and you (and the rest of the IT staff) are given an opportunity to review and provide your own detail to what was submitted.
If you're an admin and you can't secure a Windows box (or any box you're in charge of) then you shouldn't be admining it, it's that simple.
We run a few sites on IIS and use Exchange for all our corporate email, and haven't had a single incident. Similarly, we've not had a single incident on any of our Linux or Solaris servers, either. You just have to know what you're doing.
It's official. Most of you are morons.
Fr. Guido Sarducci replies: Son, you'll just hafta let it go. These bozos just won't get it anyway. Besides, it IS their network, they just pay you to play with it.
Don Novello Pipes up: Who are you wankers anyway?
-- I have a private email server in my basement.
How to avoid being called on the carpet over security? Be at least one degree more paranoid about security than your boss.
How to handle the security report? With the same seriousness as your boss, he signes your paychecks after all.
Don't look a gift horse in the mouth. This is just the excuse you need to purchase that new equipment you've been lusting over. Just remember to put, "patch security hole", on the purchase req.
Show me on the doll where his noodly appendage touched you.
Security isn't just a matter of collecting raw data. Anyone can collect raw data. Raw data is like raw sewage - it benefits nobody but can be used to make a big stink.
At the very least, to be usable there needs to be an assessment as to the actual threat level of each vulnerability. For example, you could have an insecure, unpatched Windows 95 box locked in a cupboard with no console or network access. A vulnerability assessment would turn up a bazillion holes, but absolutely none of them would be exploitable.
In crude terms, you can measure risks in terms of two scales. Let's use letters for the first and numbers for the second. The first measure is the ease of reaching that vulnerability, the second is the ease of using that vulnerability to access other systems or data.
Thus, any computer directly reachable from the outside world would be an "A" class risk. A machine placed outside of the firewall which does not have direct access to the inside (not an unusual arrangement for informational webservers) would be relatively low risk for data and might be given a 9. So, a vulnerability on your advertising website would be an A9 risk.
A firewall, on the other hand, has direct access to the inside. If the firewall has proxy servers sitting on it, it will likely have a high level of trust. So, a vulnerability on such a system might be given a rating of A2 or A3. (It doesn't have valuable information itself, but it can be used to reach a machine that does.)
A data warehouse, on the other hand, might well sit on a SAN that can only be reached through a firewall which runs to the servers on the corporate LAN, which itself is behind a firewall. Now, an attacker needs to go through between three and five layers of security (depending on how secure the network traffic is). On the other hand, access to the data warehouse would expose critical data. A vulnerability in this case might be given a class of E1.
Managers could look at these ratings - A5, E1, etc. They could then use those to get an idea of how urgent fixing the hole was. A rating of F9 (six layers deep, no information of significance) could safely be ignored at the start. A rating of A1 (reachable from the outside, mission-critical data exposed) would want to be fixed the week before last.
These are the kinds of things managers can understand. Nobody should expect them to have a detailed understanding of TCP/IP stacks, buffer overflows and sniffer technology. They may well have, but no sane consultant should require it of them. Unless said consultant knows that the product they are delivering is so bogus that a technically-competent manager would nail them to the wall for it.
It's a small world and it smells funny; I'd buy another if it wasn't for the money; Take back what I paid (SoM)
"How do you handle these 3rd-party security people who make mountains out of every molehill?"
That's not the first step. The first step is for your company to make you VP of risk management.
I went through a similar thing years ago at my former place of work.
We had a habit of taking services off the computers. Then the Security Auditors came through, and could not find much in the port scan. Except for ICMP, which was claimed to be a "big" security issue because someone could knock out the server with an Ping Flood.
The problem is that disabling the entire ICMP protocol is not a very good idea. I took a "block all but allow specific" rule to this (as most sites would). But still allowed ICMP Echo and Echo Reply.. It still showed on the next report, and I was grilled. Explaining to them that blocking ICMP all together was pointless, because a Ping Flood will still overload the link regardless, and the security of the upstream router was not the concern of the report...
Anyway, because the Port scan was not producing a thick enough "phone book" to begin with, they scanned the security permissions of the entire file system as well. Then went to task about how the computer in it's default installation was so open to abuse by "guest" accounts. For example the "tmp" directory.
It was necessary to tighten up the security of the file system as well. They did not beat us up as much on the 2nd, or subsequent passes, in that area, so they then turned their attention to procedures.
In the end it was more worthwile to simply leave something as simple as ICMP echo and echo reply in the system, so that the quaterly 3rd party audits did not start delving into the social and financial history of the computer operators.
Next, tell him that you need to migrate all the Windows users to MacOS because it's a more secure platform.
It seems a wonderful empire you could build - and have a wonderfully large impact at the company.
And anyway, what resume item looks better for you.
- Did a security audit; but realized that all the problems were minor.
Or.The third party is being paid to spot holes. If they are worth the money they will do more than just a Nessus scan ie they will look at the how the vulnerability might be exploited, and what kind of impact an exploit could have.
Whatever they do, they will not have much info on the real impact on your company of any security breach, nor will they have any clue as to your company priorities. This can only come from inside your company. Some would call this "putting a spin" on the report, but in reality all you are doing is adding the extra columns to the report:
Likelihood of an exploit of this vulnerability
Impact of a successful exploit
Cost to fix
If you can't put numbers to these things then just say Low/Medium/High.
Undoubtedly there will be some things that really do need fixing, but for the low priority items maybe you can batch them together into a work packet and get budget or resource to tackle them properly. Better you guys do this and make sure there are no deleterious effects on live systems than some contractor is pulled in to do it blindly.
If it is being detected by a "well known open source" security mapping package, then I would fix any "obsure" hole it finds. If the tool is well known, and detects the hole, then you can bet your ass that all the black hats with that scanner are going to find your obscure hole.
-William
God is everything science has yet to explain.
As I said in my first paragraph:
If the boss wants you to "fix" them all, give him a report of your own. "This is setup this way because of X, and the risk is mitigated by Y." If it's not a risk, explain why it is not. If you can't explain why it's a risk or how you're mitigating the risk, then you should be called out on the carpet.
Risk mitigation doesn't necessarily mean you have to close the "hole". Simply that you are aware of it and you've done what make sense to address it. If there is a hole that's risk is very low to the point where it would cost more to fix it than to recover, the mitigation is that you are aware of it and can recover from it if it happens.
- AMW
How do you handle these 3rd-party security people who make mountains out of every molehill?
I am currently dealing with this. I work in a very small IT shop (by small I mean me) in a not so small company (100+ million $ in revenue). We also have MIS, but they are just users in the network context. We recently were blessed with a new COO who very much wants to control all departments... can you say burnout in progress. Anyway, he wanted to get a third party audit. We (MIS who has control of me) turned it into a major project and accepted proposals from many companys (this burned a lot of hours). Then when a vendor was selected I took the audit report and thoroughly documented each hole and its risk to us. The amount of work and risk caused by fixing it as well as the cost. Then, when it is done I prepared a cost benefit analysis of the various actions. My goal was to teach them a lesson. Instead, I learned one. Because my documentation was able to show them the complexity of the network I work with and the technology which we take for granted. They agreed to hire me a technician. Also, they allowed me to decide what in the security was worthwhile to address and source out a chunk of it as a project. The lesson is, use this to your advantage. How many times do you feel excluded from decisions because it is "a business matter", I do frequently. This showed them that I understood my job from the point of view of adding value to the organization and that is very important in business. In short, as my subject read, mountains are nothing make it into a mountainrange. Once they see it and they see you willing to conquer it for them, you all win.
Here's the real thing!
http://bofh.ntk.net/Bastard_1995.html
I worked at a company a couple years ago that had some "security experts" come in and run scans. They ended up totally screwing up a bunch of in house applications. Being the lead System Administrator I got in a meeting with these guys and starting grilling them on security (they were using a tool that used nmap and hey I know nmap ;). So I started drilling them and it turned out they new nothing. So I kept hitting em and hitting em (verbally) till management had to pull me off em. I think the company I was working for at the time ended up sueing them ;)
Change your qmail banner string to read what an exchange server would read - an old, unpatched exchange server - and then watch the consultant's smile disappear after they list all of the vulnerabilities that you've got and you tell them that you were lying.
A fine is a tax you pay for doing wrong and a tax is a fine you pay for doing all right.
Not a defense. Who has attacked you, or tried?
I don't mean to single you out, but I have to rant...
I had a vendor that wanted me to open up a Mac to any IP address so he could support it anywhere he was at. I asked him if was prepared for handling the 44Mb/s traffic while people were probing the box. His response was he had it at another location and nothing has happened. NOT an a defense.
We have defended against the "million password attack", 1Gb/s denial of service, and various others. Do I think I am secure NO.
I have worked in a group that reported, and analyzed a day one virus effecting windows computers. It came from inside our network internal firewall helps, but does not stop this.
end of rant
The poster obviously is not in the position to `get a new consultant'. His problem is how he can hit his management with the clue stick.
Let me tell you a story that happened just a few weeks ago: I'm the CEO of a consulting company that does quite some security work. We were brought into the following situation: A customer of an outsourcer got an `independent' security audit by HP. The HP folks took the (actually very good) CIS benchmarks and demanded that each and every item of that benchmark is followed to the letter. As part of that, they demanded that the NFS and Samba servers are turned off.
There's just one small problem -- the actual service the outsourcer was providing to the customer is -- tada! -- file service over NFS and CIFS! The outsourcer pointed this out to their customer's management. That management is a bunch of morons and just told them back: But this is a security audit of HP, they know their thing! So they had to bring us in, to give their opinion `management cloud' by creating pretty PPTs.
Even though we earned quite some money on that job; I would have prefered to work on really improving the security, in particular the processes, instead of fencing unprofessional HP security `consultants' and idiotic management PHBs.
Joachim
People don't write Manifestos any more -- what's going on in this world? [Frank Zappa]
This poster's simply playing the victim.
So why was the audit asked for in the first place and why did you not have at least a modicum of management control over the process? You should have gone in, hand in hand with management and looked at the result in unison, not being subjected to it - in the spirit of learning, not generating fault. Clearly, this audit was set up to generate fault, whether through management caprice or someone reading that it was a trendy thing to do.
My opinion is that you screwed up by permitting yourself to prostrate yourself to this white-hat audit without being part of the process and making yourself a beneficial part of the results; not a victim.
Not in the notion of the "not my fault" notion of management, but in terms of engaging the organization in demanding beneficial analysis and results, and working with them to improve your processes.
Being dive-bombed by a 3rd party means your management has a poor view of your organization or at least, you are communicating poorly with them.
Stop being a victim. Get your ass in gear.
A shovel, a bag of lime and some carpet.
I'm me. I think.
Your basic risk analysis takes a look at all of the vulnerabilities on the system. For each one, you list the following:
- the likelihood of that vulnerability being realized
- the impact if that vulnerability were realized
- any mitigation that has been done to reduce the chance of it being fully realized and exploited.
Of course, management likes numbers, so you rank each item from 1 to 10 (or 1 to 100, or whatever), using whatever scale you want (so long as you're consistent in your rankings for all of the items). Then, you use the secret fomula : For the top 10 items (or however many you feel like, you come up with some rough estimates on how much it would cost to fix or reduce the impact, or otherwise mitigate each of the problems.Note: Some people will say that the 'impact' should be a dollar amount to signify the damages done to the company... but it's impossible. How much is a human life worth? Is it worth more than the company losing millions of dollars in sales? How does it compare to the loss of reputation if your clients found out about whatever it was?
Example: There is a real vulnerability that you may have an electrical fire. The threat of it happening however, tends to be very low, if the building inspectors did their job. The impact, if this happened on a weekend could result in the lost of the entire building. Countermeasures include fire extinguishers, sprinklers, temperature alarms, off site backups, redundant servers, etc. You can never get rid of the vulnerability, because there is always a chance of that fire happening.
Example 2: There is a possibiliy of all of the system administrators quitting, leaving you with no operations staff. This can be mitigated by treating them with respect, not forcing them to wear ties to work, and paying them better.
Use this to your advantage. Don't fight the report, done by someone who knows enough to schmooze the boss, and get paid many thousands of dollars to click a 'run' button. Use it to get rid of those nagging little things that have been bothering you, that you've never been given a chance to sit down and fix.
Build it, and they will come^Hplain.
Just be sure who ends up looking like the ass....
"Where quality is like a dead stinking rat - you just can't miss it."
Having been through this numerous times I have to say it sounds like you got yourself into this mess. By not explaining what "deliverables" you wanted from the consultant you set yourself up.
If you said "give me a report card" and that's what you got then you have a serious problem.
Tell the consultant what you want the report to look like. Tell him that all results should be placed in context to a) risk; b) ease of attack and c) liklihood of attack. Tell them that you want a concrete list of what to do and when to do it. If he can't do that then his firm needs someone else to write the final report.
You should also have been sitting sidecar during the whole VA so you could help them understand the risks and your environment. Most of the time it makes their VA more accurate because you can point out where you know you are weak and they give you credit for at least being aware of your shortcomings. You've got to tell them what they don't know. If you don't help them contextualize their results then they have to cover their a** and spit out the raw data.
Finally, you should meet with the consultants to view the draft of the report so you get a heads up and they get to polish the deliverable.
What do you really want out of the VA? The VA is a tool to help you determine where to focus your limited resources. It is not a report card.
Could we get some IPs? We would like to independently verify your assertions.
This, actually, was a Dilbert cartoon... Dogbert was saying: "I like to con, and I like to insult. I'll be a CONSULTANT!"
In Soviet Washington the swamp drains you.
If they just handed you a report from Nessus and a bill
. . . then they are quite similar to most of the fly-by-night security companies in existance today.
They really are a plague. Typically a small number of university students, or recent graduates, trying their hand at "start-up dotcom". There are two or three guys who know linux, a little about cisco routers, maybe had a course where they learned about Nessus. There will be fast talking marketing and sales slime involved as well. They are all very young and inexperienced, none of them will have spent any time in a large company with a complex IT infrastructure. Their M.O. will be to approach a company with the output of a Nessus scan of the firewall and web servers, showing a whole bunch of false problems, and try to get a security audit contract out of it.
if you're looking for someone to do a security assessment or pen testing
These external audit companies don't sit around waiting for an IT group to give them a call, because they'd never get one. They will not approach the head of IT, but a sales or a CEO level person with nary a clue. They leverage their way in from the initial external scan of the firewall and web servers. They get permission to run an internal scan, then hand over an unedited Nessus report, hundreds of pages long with their invoice.
The term over here is Cowboys. They ride into town unannounced, pretend to save the day, and ride into the sunset after claiming their reward, never to be seen again. Their victims, of course, are the struggling IT departments like the OP, who have done what they can with their limited budget, and suddenly have to answer to a mostly worthless Nessus report.
the AC
Hemos is like...sci-fi fans;he thinks technology is cool, but he hasn't bothered to understand the science it's based on
As a security professional it's frustrating to see companies choose my competitors becuase they are cheaper without realizing how worthless they are. Guess what, if you skimp on a pentest, all you are gonna get is a nessus scan with a cover page. If you actually get a company that knows what they are doing, then you are paying not only for the scans and the activities, but for the knowledge and effort to wead out the false positives and to *verify* the results.
Guess what folks, a nessus scan is *not* a penetration test. It's a vulnerability scan. A penetration test is executed by consultants, not automated by generic tools. Sure, they will use those tools, but they will also use their own understanding of information systems, they will also gain an understanding of the overall picture and they will also be usefull experiences and reports! If you really paid top dollar for what you described, you got screwed, shop for a different pentesting vendor.
Specialists like Jay Beale, Ed Skoudis and Mike Poor. My firm meets with them for a security audit once a year every January.It takes them a few days to audit our systems and they report to us with a draft and final report. We usually have everythign buttoned down by the time the final report arrives.
To avoid corruption, one must remain dishonest.
I for one *love* ripping these guys new ones. In particular when I produce the same report in a couple of hours. All kinds of fun.
It doesn't matter what you produce. Your boss is bringing in an outside consultancy to get an independent assessment of what you are doing. That's a prudent and sensible thing to do, because he doesn't know what is going on technically (he isn't supposed to--it's not his job), and you could be lying to him to cover your ass. It's no different from bringing in outside accounting firms to check the books, outside HR experts to check compliance with anti-discrimination laws, or outside consultants to check on customer service.
If you are unprofessional, uncooperative, or insulting in the process, you only hurt yourself.
On the other hand, if you think you can do a better job than the outside consulting agencies, start your own and try to convince companies of that.
They've done nothing wrong. It's their job to point out every molehill. It's your job to perform a threat/risk assessment for each molehill and present a range of mitigations to your boss. For example:
This honestly isn't rocket science. The consultick isn't out to destroy you. He's just doing his job. And yes, it's amusing that the consulticks charge huge amounts of money to run nmap and Nessus, but they were only brought in because you obviously don't have the time to do it yourself.
I get the impression that you've taken this as a personal slight. I think that you believe the consultick's report has made you look bad. Get over it. Maybe you have made a mistake. Maybe you haven't. Your boss doesn't know yet because he isn't informed. Informing your boss of the risks and the costs raised by the consultick's report should be your #1 priority. If you do a good job, you and the consultick will both look good.
it's surprising how often you can connect two completely unrelated events/actions and make them seem interdependent simply by matter-of-factly asserting that the connection exists.
Manager: How can we fix all these security holes?
You: We can fix them no problem, I'll need another unix box for scanning and a 20% pay rise.
Manager: Ha ha ha...very funny.
You: I'm deadly serious.
Manager: What...you're serious...why a 20% pay rise!
You: Ok...you're right...10% is closer to the reality.
Manager: That's better...thought you could pull one over on ol' Bill, didn't you eh?
You: Yeah...sorry about that.
...will tell your company one and only one thing, and that is your network is unsecurable unless you outsource all your network security and administrating to them because you company's own I.T. crew is too incompetant to do it themselves.
My employer recently went thru one of these and I prepared for it (I am the network admin) by writing a list of everything the consultants would find, and why they would find it and what could or could not be done about it short of completely unplugging the affected bunch of machines and users off the network entirely. I also wrote down exactly what they would find when they attempted a penetration test from the outside to try to come thru our firewalls. I sealed up all my reports into an envelope and got my boss and his bosses above him to agree to keep the envelope sealed and not read it until after the consultants submitted their findings report and they'd read it.
During the tests, the consultants could not break in of course, and I got accused of refusing to cooperate with them. I told them to their faces in front of my boss that they weren't even worth half their weight in dirt and were basically committing a con against us. (con + insult = consult).
After their report was finished and my bosses paid them and read it, followed by reading my sealed reports, my employer basically agreed with me they'd just wasted $15K and my network security talents have never come in question again. The consultants didn't even find everything that I already knew was wrong with our network, and I haven't been permitted to fix the stuff that really needs fixing because too many user will bitch about the inconvenience it would impose on them.
I so sympathize with this.
:)
One of our credit card processing companies got a wild hair up their ass about security. Security is a good thing, I fully believe in it. But they hired their own 3rd party company to scan us. Over, and over, and over again.
The 3rd party sent them a big list, where we were just on the friendly side of a passing score. I'm not pleased with "just" passing. They sent me the list, and "suggested" that we fix all these obvious holes in our security.
Some of them were that the sites resolved in DNS. Ummm, you go to example.com, it's gotta resolve.
Another was that we had a firewall up. Because packets disappeared into our network (dropped, instead of rejected), it was a clue to potential hackers that we had a firewall up.. {sigh} Ok, so our firewall did exactly what we wanted, and we get scored down??
The remainder of the list were assumptions. They (through fingerprinting) identified that we were using *nix machines, we are running Apache running on the web servers in question. At the time, Apache_SSL was about 2 subrevisions behind Apache itself, which made it impossible to stay with Apache_SSL, and pass their test. Their beef with it was that there was an exploit for Win32 and OS2 for the particular version we were running. I wrote them a nice email and said "Ok, so there's an exploit for Win32 and OS2 for that version, but we're running on *nix".
The temporary fix for the Apache "warning" was to not display the version of Apache. I later changed over to mod_ssl, and stuck with the current version.
We still get quarterly reports from them. I sigh every time I see them. They just piss me off. Not that we're getting a security review, but the fact that I have to explain why perfectly acceptable things are listed. I can never get my score to 0 threats. Even if I firewalled off the machine, so they couldn't see it, I'd still get points against me, because they can see there is a black hole, where they know there is a machine. {sigh}
I glance over the list when it comes in, and look for anything interesting. Do they have anything relevant to tell me? Nope? Ok, put it off til next week to decorate around their mental problems. Most days, I have real work to deal with, and don't feel like doing stupid tricks for their entertainment. Of course, if I have the time, I love messing with them. Let them wonder why I'm running Apache 4.9.1 on an unknown platform.
Serious? Seriousness is well above my pay grade.
I am sorry for all the people who had experience with bad auditors. Truth is that learning scanning software (ISS, Nessus, Harris Stat) etc. is fairly easy. Its the analysis part that is hard. When I do audits I go over every vulnerability found (by whatever particular scanner) with the client and we discuss each one to find out whether it is valid for their environment or not. Additionally, a post report should include a thourough analyis of all the finding not just a printout of the ISS report (which in my opinion is poor) and match these vulnerabilities with realistic mitigations. Just like in every field, there are bad people and there are really good people as well. I have met TONS of people recently who are in security because they heard it was hot field but even with the CISSP they don't know jack!!!
There is an issue of trust in the ability of your engineers though. I had this problem at my previous employer (which I left). If the manager consistently does not listen to your advice (however presented), think about it a bit: It means he/she actually does not have much faith in your skills, and does not trust your advice. This is inherently going to be a problem for you, regardless of whether or not you are able to 'document your thought processes'. What kind of reference are you going to get from a manager who doesn't trust your capabilities and thinks you're probably mediocre? What kind of opportunities for promotion, salary increases, increased responsibility etc. are you going to get from a manager who doesn't recognize or trust your capabilities? If this is what is going on, you need to get out anyway, because you're going to hit a "glass ceiling" very soon in your career.
IMO, good managers recognize skills, and place trust in their employees, giving them enough 'free rein' to 'work their magic' and not preventing them from doing so.