Network Penetration Scans and Executive Reaction?
LazloToth asks: "I'm sure some of you have had this happen: your company pays the big bucks for a 3rd-party security audit and, when it comes back, you get called on the carpet for all the supposed 'holes' in your network. When you see the report, you recognize that it comes from a well-known open-source security scanner, and that the 'holes' in question are so obscure as to be meaningless. I told our risk management VP that to fix every item cited -- many of which were false positives or completely out of context -- would be next to impossible for our small IT staff, and that some of the fixes, if implemented, might have deleterious effects on an otherwise smoothly running operation. How do you handle these 3rd-party security people who make mountains out of every molehill?"
Quit your job and start a 3rd party security consulting company.
Toronto-area transit rider? Rate your ride.
It's their job to be detailed. You have to infer those reports and draw conclusions. They were hired to point out the holes; you have to decide whether it's worth covering them.
If the boss wants you to "fix" them all, give him a report of your own. "This is setup this way because of X, and the risk is mitigated by Y." If it's not a risk, explain why it is not. If you can't explain why it's a risk or how you're mitigating the risk, then you should be called out on the carpet. NEVER rely on security by obscurity. There is no such thing as a hole "so obscure as to be meaningless." If you mean that the report is vague in defining what the hole is, then you or your boss should get more information from the person you paid to do it.
In the end, if you can't specify why it SHOULD be that way, then you should make it secure. If you can say it HAS to be that way for a specific reason, then you should say how you are mitigating the risk. If you're not mitigating the risk, well, you better come up with a really good reason your boss is going to like.
- AMW
... they have to make huge deals out of everything or risk being found out as mostly useless ;)
The Peanut Gallery, Ubergeek, Biblically Sober
NCAAbbs.com: Thousands of fans, Hundreds of teams, Just one place
Present your own report, detailing those same holes and why it's not worth it to fix them. Preferably first.
"It is possible to commit no errors and still lose. That is not a weakness. That is life." -Peak Performance
How do you handle these 3rd-party security people who make mountains out of every molehill?
Post the company name and URL on slashdot and let them have a 'specialised security audit'...
One of two ways:
Sit down with your boss and explain what each open port is and why it is open. Then explain what happens if you close that port.
Lock everything down tighter than Fort Knox, starting with your boss's machine (Yes sir, I'm sorry you can't surf the internet, we closed that outgoing port because it was a security risk).
One of these should work (or get you fired). Either way, you don't have to deal with employees upset because their VPN or Remote Access doesn't work.
As someone else said - if you can't do that, there's a problem.
smash.
I run: Windows, OS X, Linux, FreeBSD. Just because you have a hammer, doesn't mean everything is a nail.
LazloToth asks: "...How do you handle these 3rd-party security people who make mountains out of every molehill?"
I think we need more details on the severity of your security holes. Give us your company's IP range, and if we find anything significant we'll leave a note for you on your desktop.
When you have nothing left to burn you must set yourself on fire
Seriously, you need to work with someone who has a clue. Anyone reviewing these scans should know what they are looking at. If they don't, they have no room to criticize. It is the security consultant's job to put the scan and the vulnerabilities in context. They need to explain the risks to management in a manner that management can understand. Their report should come with recommendations on how to correct the problems, and it should at least try to outline the consequences of the fixes. The consultants should have worked with the engineering/admin team to understand the holes before the report went to management. Otherwise you paid for a whole lot of nothing.
the growth in cynicism and rebellion has not been without cause
If you can't be part of the solution, there is good money to be made in prolonging the problem.
"With sufficient thrust, pigs fly just fine." -- RFC 1925
Take the report, and give costs for covering each hole. Also, give your risk assessment to the company (yes, there is a hole that has a 1% chance of costing the company $5,000 - but it will cost $500 to repair).
Then, let the boss make the budget decisions, and carry them out. Make sure extra staff is included in your report.
"Giving money and power to government is like giving whiskey and car keys to teenage boys" P. J. O'Rourke
Every chain is only as strong as its weakest link.
This holds true in the military area, more than anywhere else. I work in environments that are very sensitive to security, and we take such external reviews extremely seriously. There's no such thing as an "obscure" or "irrelevant" weakness.
Unlike most vanilla companies, we can't afford to let things slide, security-wise. Knowing that your clients are prime targets for highly professional black hats and (not only industrial) spies is highly motivating. This includes (of course) penetration testing (conducted both internally and by independent contractors), but also exclusive use of open source code and internal code auditing. As an aside: personnel (HR) auditing is also very important, if not even more so than the technical aspects!
Sure, most companies don't need this level of security awareness and can get away with being "pragmatic", but don't complain when your client database (with all the goodies like credit card data etc.) gets compromised!
cpghost at Cordula's Web.
See where they did the scan from and drop all packets at the firewall from that domain?
I Am My Own Worst Enemy
In the mid-1990s, I ran IT for a graphic design firm, which consisted of some 50-75 Macintosh computers. Pretty much everything ran on Macs; even the accounting systems used Great Plains for Mac.
At one point, some of the staffers got the idea that network performance might not be optimal, and it was decided that we should do a performance audit. A contractor was brought in to spend a few hours sniffing our network, then go away and do a thorough, in-depth protocol analysis. The result of this analysis was a 20-page report detailing their findings.
The conclusion was that there was, indeed, a lot of unnecessary packets of traffic flying around the network. Their solution?
"Eliminate the Appletalk networking protocol."
Uh, yeah. Thanks guys, here's your $2,500.
(Maybe the best solution is to do whatever you can to educate management and set expectations at appropriate levels.)
Breakfast served all day!
They get paid to find every little nitpicky thing. It's in their best interest to make everything sound major (ever heard of the term follow-on engagement?)
Sit down, take the list and prepare a reasonable time & budget to fix each item along with your recommendations of the order to fix them in (based on business risk). Make sure your numbers and hours are realistic, because chances are excellent that he'll ask the consultants for the same info.
Then Mr VP can either allot internal resources to fixing the problem or hire outside consultants, or both. Business risk deals with a lot of things, both real and perceived. In some cases, having the perception of risk is just as bad as the real thing (from a liability perspective, thank you Milberg Weiss).
Your VP's job is to determine the acceptable level of risk for the company. Yours is to aid him in that decision, not make it for him.
"I'd rather be a lightning rod than a seismometer." -Ken Kesey
"How do you handle these 3rd-party security people who make mountains out of every molehill?"
/whine "hard work." Well, it'll be harder after some n00b takes my personal information off your insecure system. Fix it, or consider changing careers instead of being yet another BOFH.
Since you don't cite any examples of these issues, I would bet you're one of these people who think running PHP with register_globals on is a "molehill?"
Cite some examples, or else this looks like you're complaining that tightening security holes would be
...what we say goes. No questions asked.
until you want to be a public company.
"I'd rather be a lightning rod than a seismometer." -Ken Kesey
I've seen the managers that this guy is suffering under and your insightful remark won't help him. You see, his boss is likely referring to "holes" reported by Nessus and others that are not holes but, because some outside company said it, then it must be so.
Outside companies are always more authoritative than in-house staff. "They're not from here, so they must be the authority on the subject."
By the way, the "holes" he is referring to are likely things like:
Can determine path to host via traceroute. Danger Will Robinson!
SMTP server returns a header. Shock! Horror!
HTTP server returns a header. OMG! This must be fixed!??
Put the focus on your professional relationship; make the technical aspects secondary to that. If you have any history of trust, emphasize that.
"Do you generally trust me to keep the network secure?"
"Do you see the possibility that this company might make mountains out of molehills to demonstrate their value?"
"If we DO find out that I have left some things unattended, will you give me the chance to correct them?"
Etc.
Your boss, more than anything, wants to know he's in good hands. Even though he may not consciously know it, his trust in YOU is the most important thing; his trust in the NETWORK is secondary; his trust in a temporary CONTRACTOR is a fleeting thing.
If you adopt an overly defensive or confrontational posture, you do nothing but hurt your relationship with your boss, and ultimately yourself.
Pete Forsyth
If you're an admin and you can't secure a Windows box (or any box you're in charge of) then you shouldn't be admining it, it's that simple.
We run a few sites on IIS and use Exchange for all our corporate email, and haven't had a single incident. Similarly, we've not had a single incident on any of our Linux or Solaris servers, either. You just have to know what you're doing.
It's official. Most of you are morons.
Don't look a gift horse in the mouth. This is just the excuse you need to purchase that new equipment you've been lusting over. Just remember to put, "patch security hole", on the purchase req.
Show me on the doll where his noodly appendage touched you.
Security isn't just a matter of collecting raw data. Anyone can collect raw data. Raw data is like raw sewage - it benefits nobody but can be used to make a big stink.
At the very least, to be usable there needs to be an assessment as to the actual threat level of each vulnerability. For example, you could have an insecure, unpatched Windows 95 box locked in a cupboard with no console or network access. A vulnerability assessment would turn up a bazillion holes, but absolutely none of them would be exploitable.
In crude terms, you can measure risks in terms of two scales. Let's use letters for the first and numbers for the second. The first measure is the ease of reaching that vulnerability, the second is the ease of using that vulnerability to access other systems or data.
Thus, any computer directly reachable from the outside world would be an "A" class risk. A machine placed outside of the firewall which does not have direct access to the inside (not an unusual arrangement for informational webservers) would be relatively low risk for data and might be given a 9. So, a vulnerability on your advertising website would be an A9 risk.
A firewall, on the other hand, has direct access to the inside. If the firewall has proxy servers sitting on it, it will likely have a high level of trust. So, a vulnerability on such a system might be given a rating of A2 or A3. (It doesn't have valuable information itself, but it can be used to reach a machine that does.)
A data warehouse, on the other hand, might well sit on a SAN that can only be reached through a firewall which runs to the servers on the corporate LAN, which itself is behind a firewall. Now, an attacker needs to go through between three and five layers of security (depending on how secure the network traffic is). On the other hand, access to the data warehouse would expose critical data. A vulnerability in this case might be given a class of E1.
Managers could look at these ratings - A5, E1, etc. They could then use those to get an idea of how urgent fixing the hole was. A rating of F9 (six layers deep, no information of significance) could safely be ignored at the start. A rating of A1 (reachable from the outside, mission-critical data exposed) would want to be fixed the week before last.
These are the kinds of things managers can understand. Nobody should expect them to have a detailed understanding of TCP/IP stacks, buffer overflows and sniffer technology. They may well have, but no sane consultant should require it of them. Unless said consultant knows that the product they are delivering is so bogus that a technically-competent manager would nail them to the wall for it.
It's a small world and it smells funny; I'd buy another if it wasn't for the money; Take back what I paid (SoM)
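As an added illustration (not from any poster above) of the letter/number rating scheme just described, combined with the point earlier in the thread that banner and traceroute items from a scanner are informational rather than holes: the rating and ordering rules, the sample findings and the urgency labels are all constructed here for the example.

```python
from dataclasses import dataclass

# Letter = how many security layers sit between the outside world and the host
# (A = directly reachable, F = six layers deep); digit = value of what the host
# exposes (1 = mission-critical data, 9 = nothing of significance).
REACH_CLASSES = "ABCDEF"

@dataclass
class Finding:
    host: str
    title: str
    layers_to_reach: int         # 0 = internet-facing, 5 = six layers deep
    data_value: int              # 1..9 as above
    informational: bool = False  # banner/traceroute-style scanner noise

def rating(f: Finding) -> str:
    """Two-character rating, e.g. 'A9' for an informational ad webserver."""
    layers = min(max(f.layers_to_reach, 0), len(REACH_CLASSES) - 1)
    value = min(max(f.data_value, 1), 9)
    return f"{REACH_CLASSES[layers]}{value}"

def priority(f: Finding) -> int:
    """Lower is more urgent: reachability dominates, then data value;
    informational items always sort after real vulnerabilities."""
    r = rating(f)
    score = REACH_CLASSES.index(r[0]) * 9 + int(r[1])
    return score + 100 if f.informational else score

def urgency(f: Finding) -> str:
    """Constructed labels: a manager-readable bucket for each rating."""
    r = rating(f)
    if f.informational:
        return "document, no fix needed"
    if r == "A1":
        return "fix immediately"
    if r[0] == "A" or r[1] == "1":
        return "fix this cycle"
    if r[0] >= "E" and r[1] >= "8":
        return "defer"
    return "schedule"

def triage(findings):
    """Scanner output reordered by business risk rather than scanner order."""
    return sorted(findings, key=priority)

# Constructed sample findings, modelled on the hosts discussed above.
SAMPLE = [
    Finding("www", "Outdated CGI script", 0, 9),
    Finding("fw1", "Proxy service overflow", 0, 2),
    Finding("dw1", "Unpatched DB service on warehouse", 4, 1),
    Finding("mx1", "SMTP banner reveals version", 0, 9, informational=True),
    Finding("www", "Path to host via traceroute", 0, 9, informational=True),
    Finding("win95-cupboard", "Unpatched OS, no network", 5, 9),
]

if __name__ == "__main__":
    for f in triage(SAMPLE):
        print(f"{rating(f):>3}  {urgency(f):<26} {f.host}: {f.title}")
```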
Next, tell him that you need to migrate all the Windows users to MacOS because it's a more secure platform.
It seems a wonderful empire you could build - and have a wonderfully large impact at the company.
And anyway, what resume item looks better for you?
- Did a security audit; but realized that all the problems were minor.
Or.
The poster obviously is not in the position to `get a new consultant'. His problem is how he can hit his management with the clue stick.
Let me tell you a story that happened just a few weeks ago: I'm the CEO of a consulting company that does quite some security work. We were brought into the following situation: A customer of an outsourcer got an `independent' security audit by HP. The HP folks took the (actually very good) CIS benchmarks and demanded that each and every item of that benchmark be followed to the letter. As part of that, they demanded that the NFS and Samba servers be turned off.
There's just one small problem -- the actual service the outsourcer was providing to the customer is -- tada! -- file service over NFS and CIFS! The outsourcer pointed this out to their customer's management. That management is a bunch of morons and just told them back: But this is a security audit by HP, they know their thing! So they had to bring us in, to give their opinion `management cloud' by creating pretty PPTs.
Even though we earned quite some money on that job, I would have preferred to work on really improving the security, in particular the processes, instead of fencing unprofessional HP security `consultants' and idiotic management PHBs.
Joachim
People don't write Manifestos any more -- what's going on in this world? [Frank Zappa]
They've done nothing wrong. It's their job to point out every molehill. It's your job to perform a threat/risk assessment for each molehill and present a range of mitigations to your boss. For example:
This honestly isn't rocket science. The consultick isn't out to destroy you. He's just doing his job. And yes, it's amusing that the consulticks charge huge amounts of money to run nmap and Nessus, but they were only brought in because you obviously don't have the time to do it yourself.
I get the impression that you've taken this as a personal slight. I think that you believe the consultick's report has made you look bad. Get over it. Maybe you have made a mistake. Maybe you haven't. Your boss doesn't know yet because he isn't informed. Informing your boss of the risks and the costs raised by the consultick's report should be your #1 priority. If you do a good job, you and the consultick will both look good.
it's surprising how often you can connect two completely unrelated events/actions and make them seem interdependent simply by matter-of-factly asserting that the connection exists.
Manager: How can we fix all these security holes?
You: We can fix them no problem, I'll need another unix box for scanning and a 20% pay rise.
Manager: Ha ha ha...very funny.
You: I'm deadly serious.
Manager: What...you're serious...why a 20% pay rise!
You: Ok...you're right...10% is closer to the reality.
Manager: That's better...thought you could pull one over on ol' Bill, didn't you eh?
You: Yeah...sorry about that.
There is an issue of trust in the ability of your engineers though. I had this problem at my previous employer (which I left). If the manager consistently does not listen to your advice (however presented), think about it a bit: It means he/she actually does not have much faith in your skills, and does not trust your advice. This is inherently going to be a problem for you, regardless of whether or not you are able to 'document your thought processes'. What kind of reference are you going to get from a manager who doesn't trust your capabilities and thinks you're probably mediocre? What kind of opportunities for promotion, salary increases, increased responsibility etc. are you going to get from a manager who doesn't recognize or trust your capabilities? If this is what is going on, you need to get out anyway, because you're going to hit a "glass ceiling" very soon in your career.
IMO, good managers recognize skills, and place trust in their employees, giving them enough 'free rein' to 'work their magic' and not preventing them from doing so.