Network Penetration Scans and Executive Reaction?
LazloToth asks: "I'm sure some of you have had this happen: your company pays the big bucks for a 3rd-party security audit and, when it comes back, you get called on the carpet for all the supposed 'holes' in your network. When you see the report, you recognize that it comes from a well-known open-source security scanner, and that the 'holes' in question are so obscure as to be meaningless. I told our risk management VP that to fix every item cited -- many of which were false positives or completely out of context -- would be next to impossible for our small IT staff, and that some of the fixes, if implemented, might have deleterious effects on an otherwise smoothly running operation. How do you handle these 3rd-party security people who make mountains out of every molehill?"
Quit your job and start a 3rd party security consulting company.
Toronto-area transit rider? Rate your ride.
If the boss wants you to "fix" them all, give him a report of your own. "This is setup this way because of X, and the risk is mitigated by Y." If it's not a risk, explain why it is not. If you can't explain why it's a risk or how you're mitigating the risk, then you should be called out on the carpet. NEVER rely on security by obscurity. There is no such thing as a hole "so obscure as to be meaningless." If you mean that the report is vague in defining what the hole is, then you or your boss should get more information from the person you paid to do it.
In the end, if you can't specify why it SHOULD be that way, then you should make it secure. If you can say it HAS to be that way for a specific reason, then you should say how you are mitigating the risk. If you're not mitigating the risk, well, you better come up with a really good reason your boss is going to like.
- AMW
How do you handle these 3rd-party security people who make mountains out of every molehill?
Post the company name and URL on slashdot and let them have a 'specialised security audit'...
One of two ways:
Sit down with your boss and explain what each open port is and why it is open. Then explain what happens if you close that port.
Lock everything down tighter than Fort Knox, starting with your boss's machine (Yes sir, I'm sorry you can't surf the internet, we closed that outgoing port because it was a security risk)
One of these should work (or get you fired). Either way, you don't have to deal with employees upset because their VPN or Remote Access doesn't work.
As someone else said - if you can't do that, there's a problem.
smash.
I run: Windows, OS X, Linux, FreeBSD. Just because you have a hammer, doesn't mean everything is a nail.
LazloToth asks: "...How do you handle these 3rd-party security people who make mountains out of every molehill?"
I think we need more details on the severity of your security holes. Give us your company's IP range, and if we find anything significant we'll leave a note for you on your desktop.
When you have nothing left to burn you must set yourself on fire
Sure, but many executives assume that anything an outside "security" company says is scripture. I think he's looking for the best way to get the point across.
Seriously, you need to work with someone who has a clue. Anyone reviewing these scans should know what they are looking at. If they don't, they have no room to criticize. It is the security consultants job to put the scan and the vulnerabilities in context. They need to explain the risks to management in a manner that management can understand. Their report should come with recommendations on how to correct the problems, and it should at least try to outline the consequences of the fixes. The consultants should have worked with the engineering/admin team to understand the holes before the report went to management. Otherwise you paid for a whole lot of nothing.
the growth in cynicism and rebellion has not been without cause
If you can't be part of the solution, there is good money to be made in prolonging the problem.
"With sufficient thrust, pigs fly just fine." -- RFC 1925
Take the report, and give costs for covering each hole. Also, give your risk assessment to the company (yes, there is a hole that has a 1% chance of costing the company $5,000 - but it will cost $500 to repair).
Then, let the boss make the budget decisions, and carry them out. Make sure extra staff is included in your report.
"Giving money and power to government is like giving whiskey and car keys to teenage boys" P. J. O'Rourke
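As an added example (not code from any poster in this thread), a small Python triage of scanner findings along the lines the post above suggests: expected loss versus repair cost, with the post's own 1% / $5,000 / $500 figures among a set of constructed sample findings. The probabilities, impacts and costs are made up for illustration.

```python
from dataclasses import dataclass


@dataclass
class Finding:
    """One scanner finding after a human has looked at it."""
    title: str
    annual_probability: float   # estimated chance it is exploited in a year
    impact_usd: float           # loss if it is exploited
    fix_cost_usd: float         # one-off cost to remediate
    false_positive: bool = False  # verified by hand as not a real issue
    mitigation: str = ""        # compensating control already in place

    @property
    def expected_loss(self) -> float:
        # Expected annual loss: probability times impact.
        return self.annual_probability * self.impact_usd


def triage(f: Finding) -> str:
    """Recommend fix / accept / dismiss for one finding."""
    if f.false_positive:
        return "dismiss"
    if f.mitigation:
        return "accept (mitigated)"
    if f.fix_cost_usd <= f.expected_loss:
        return "fix"
    return "accept (cost exceeds expected loss)"


def build_report(findings):
    """Rows of (title, expected loss, fix cost, recommendation), worst first."""
    ordered = sorted(findings, key=lambda x: x.expected_loss, reverse=True)
    return [(f.title, round(f.expected_loss, 2), f.fix_cost_usd, triage(f))
            for f in ordered]


# Constructed sample findings (numbers are illustrative, not real data).
SAMPLE = [
    Finding("Unpatched service on internet-facing host", 0.30, 50_000, 2_000),
    Finding("Obscure hole from the report", 0.01, 5_000, 500),
    Finding("HTTP server returns a Server header", 0.05, 200, 300),
    Finding("Traceroute reveals path to host", 0.0, 0, 100, false_positive=True),
    Finding("VPN port open", 0.10, 20_000, 5_000, mitigation="cert auth + MFA"),
]

if __name__ == "__main__":
    for row in build_report(SAMPLE):
        print(row)
```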
Actually I had a very different experience so far with my boss. Maybe I am lucky? I don't know. But my execs never decide on anything unless they consult me. In fact the vendors try to convince me more than my execs. Not to sound too arrogant or cocky, but I have found that if you can convince or prove to your superiors that you are capable, then they will trust you more than anybody else.
I've seen the managers that this guy is suffering under and your insightful remark won't help him. You see, his boss is likely referring to "holes" reported by Nessus and others that are not holes but, because some outside company said it, then it must be so.
Outside companies are always more authoritative than in-house staff. "They're not from here so, they must be the authority on the subject."
By the way, the "holes" he is referring to are likely things like:
Can determine path to host via traceroute. Danger Will Robinson!
SMTP server returns a header. Shock! Horror!
HTTP server returns a header. OMG! This must be fixed!??
If you're an admin and you can't secure a Windows box (or any box you're in charge of) then you shouldn't be admining it, it's that simple.
We run a few sites on IIS and use Exchange for all our corporate email, and haven't had a single incident. Similarly, we've not had a single incident on any of our Linux or Solaris servers, either. You just have to know what you're doing.
It's official. Most of you are morons.
Additionally, the security person that did the audit needs to sit down with you and go over every item determining whether or not there is a threat, explaining why certain things might be a threat, and detailing any possible way to mitigate the risk if there is any.
If they just handed you a report from Nessus and a bill, they are not doing their job. The security scanner output needs to be accompanied by another separate report which discusses the TRUE risk.
Every security company out there uses an open-source or commercial security scanner to get a general overview of any weaknesses, but sadly, many take the output at face value and just attach an invoice. You need to see what the scanner found, so I don't think it's right for them to omit anything from it. But, like I said above, they really need to evaluate the data that comes out of whatever product they use, investigate more by hand, ask questions, etc.
I currently work for a company that does this sort of thing. We use a variety of methods, depending on how in depth the customer wants to go. But in all cases, they get the raw output from any tools we use, and they get a thorough report and followup meeting detailing what was found and whether or not it's an actual threat. We make product and methodology suggestions, and even stick around to help them out.
My suggestion is, if you're looking for someone to do a security assessment or pen testing, shop around and find someone with excellent references. Finding someone good isn't going to be cheap, but then again, if you're concerned about price, fire up Nessus or ISS and run it yourself.
Need Free Juniper/NetScreen Support? JuniperForum
Second best - sit them down and ask them to demonstrate the problem by breaking into your system NOW. Make sure it's a Linux or BSD box, at a console, not a graphical login, and don't give them a user name or password. Most of these weenies are only comfortable with Windows.
Third best - tell them they were running nmap against your honeypot, not against your real network. They won't know if you're lying or not.
Next, tell him that you need to migrate all the Windows users to MacOS because it's a more secure platform.
It seems a wonderful empire you could build - and have a wonderfully large impact at the company.
And anyway, what resume item looks better for you.
- Did a security audit; but realized that all the problems were minor.
Or.
Thank you again for the opportunity to conduct a security audit on your organization. We would like to let you know that you failed your security audit because none of your systems passed a simple availability test and all of them had the same issues the last time we conducted our scans. When we started this scan, all of your systems appeared to be down when we tested your company from a known IP address. Suspecting that your staff thought they could block the scan, we simply changed our IP, and were able to test your servers. Our tests show a number of things:
1) You show no improvement in security. All the old holes are still there, and we found some new warez servers, along with numerous bots, spam engines and several IRC servers. These make for an excellent addition to the old warez and IRC servers, spam engines and zombies that make up your organization.
2) Your IT staff is clearly made up of some stupid people. How they could have thought blocking IPs would keep us from testing their servers is beyond belief. They really are a piece of work.
3) Your employees cannot be trusted because they are trying to cover up this cluelessness in the most incompetent manner possible.
4) You are oblivious to the cluelessness on your employees' part.
5) Your company really is dumb if they think they can block the source of an audit from a security company. Come on, we do this for a living, did your IT people really think they could stop us? Seriously, what moron thought this would work? Did they read this on slashdot or something?
To summarize, your systems are wide open and compromised, your staff is incompetent and untrainable and your attempts to block our scans were additional fruitless indicators of your staff's pathetic grasp on even basic IT concepts. Frankly, we'd like to thank you for the free money, and to pass on our thanks to your clueless staff for making this process trivially easy. If we only had more idiotic customers like you, it would make our jobs so much easier.
Looking forward to your next follow-up scan. Please be sure to promote everyone in your IT department as we are thrilled with their work so far!
I think he's looking for the best way to get the point across.
I think the very best way is to tie it back to things the boss cares about: money and productivity.
Go through the report and come up with solutions that cover all the points, at least the ones that aren't bogus. Explain what each solution will cost (both in cash and in business impact), and what, in business terms, the benefits are.
If your instincts are right, your boss will say something like "Better security is well and good, but I'm not doubling the IT budget and inconveniencing our staff for so little improvement." And if it turns out there are some things that they're willing to pay extra for, then that's great: you get more budget and new toys.
Note that if they suggest you do more stuff without changing the budget, then you should be ready to say, "Oh, ok! Which things were you thinking of cutting? I recommend X, Y, and Z." Never let them get the idea that they can just heap unfunded mandates on you. That's not an option, just like haggling with the clerk at WalMart isn't an option. It's not that you refuse; it's just that it isn't an option.
His job is to bring his boss solutions, not problems.
Tell him what in that report you think is worth fixing and why and how much it would cost, and tell him what you think isn't worth fixing and why and how much you will save by not fixing things that don't need fixing.
If the security check was a waste of company money and your time, make recommendations on how to do/get a security check more effectively next time. Might be best to not say it was a complete waste of money, since your boss may have been involved in buying the security check.
"Eliminate the Appletalk networking protocol."
A worthy and noble goal. Chattiest protocol ever.
"Are you there printer?"
"Yeah, I'm still here."
"Sweet.. just checking"
"So.. uh.. what's new with you?"
"Not much, did you see the file share that moved in down the block?"
"Yeah, he was talking to me earlier"
"Nice guy. I like him. He shares files you know"
"So I gathered. As a printer, I don't think I need to talk to him"
"Heh, yeah, that's probably true. But hey, never hurts to keep in contact with everyone, even if you have nothing in common"
"I hear you brother! So, um.. did you need to print something?"
"Me? Oh no.. I'm just keeping tabs on everyone"
"Yeah... I do that too"