
Network Penetration Scans and Executive Reaction?

Cliff posted more than 9 years ago | from the mountains-back-to-molehills dept.

Security

LazloToth asks: "I'm sure some of you have had this happen: your company pays the big bucks for a 3rd-party security audit and, when it comes back, you get called on the carpet for all the supposed 'holes' in your network. When you see the report, you recognize that it comes from a well-known open-source security scanner, and that the 'holes' in question are so obscure as to be meaningless. I told our risk management VP that to fix every item cited -- many of which were false positives or completely out of context -- would be next to impossible for our small IT staff, and that some of the fixes, if implemented, might have deleterious effects on an otherwise smoothly running operation. How do you handle these 3rd-party security people who make mountains out of every molehill?"


434 comments


quit (5, Funny)

s20451 (410424) | more than 9 years ago | (#12239137)

Quit your job and start a 3rd party security consulting company.

Consultants (5, Funny)

WD_40 (156877) | more than 9 years ago | (#12239219)

If you can't be part of the solution, there is good money to be made in prolonging the problem.

Re:quit (2, Funny)

EnronHaliburton2004 (815366) | more than 9 years ago | (#12239228)

I'll sell you Nessus for a discounted price of $4000!

Re:quit (5, Insightful)

Jeremiah Cornelius (137) | more than 9 years ago | (#12239395)

I used to do this work. We always backed the scans up with hand-checks, and examined environments and mitigating circumstances.

The managers and officers we got the attention of had screen captures of payroll-stubs or insurance histories in the report! At least an analysis of weak session obfuscation in cookie-files or the contents of hidden web-forms that exposed site-internals or revealed confidential information.

Also, we re-worded the horrible glut of NASL embedded descriptions, which are not consistent in their use of problem and remedy sections, are produced by hundreds of people with numerous first-languages, etc.

If a third party adds no value to the tool's own automation, they are not performing a service.

Re:quit (1)

EnronHaliburton2004 (815366) | more than 9 years ago | (#12239423)

If a third party adds no value to the tool's own automation,

Bah, I'm adding value! I'm adding $5000!

Re:quit (1)

EatCheesyPoofs (863956) | more than 9 years ago | (#12239339)

That, sir, was a great, great fucking pirst fost. Cheers

Re:quit (1)

EatCheesyPoofs (863956) | more than 9 years ago | (#12239361)

Wow, congratulations, that was a great fucking pirst fost if I've ever seen one. Cheers dude

Its their job (4, Insightful)

rovingeyes (575063) | more than 9 years ago | (#12239143)

How do you handle these 3rd-party security people who make mountains out of every molehill?

It's their job to be detailed. You have to interpret those reports and draw conclusions. They were hired to point out the holes; you have to decide whether it's worth covering them.

Re:Its their job (5, Insightful)

rivaldufus (634820) | more than 9 years ago | (#12239209)

Sure, but many executives assume that anything an outside "security" company says is scripture. I think he's looking for the best way to get the point across.

Re:Its their job (5, Insightful)

rovingeyes (575063) | more than 9 years ago | (#12239268)

Actually I have had a very different experience so far with my boss. Maybe I am lucky? I don't know. But my execs never decide on anything unless they consult me. In fact the vendors try to convince me more than my execs. Not to sound too arrogant or cocky, but I have found that if you can convince or prove to your superiors that you are capable, then they will trust you more than anybody else.

Re:Its their job (1, Insightful)

Anonymous Coward | more than 9 years ago | (#12239308)

Not for long; they are trying to make these types of scans mandatory if you handle credit card information at all. This includes all those Mom and Pop hosted sites too. Basically, if you sell something on the internet you will be dealing with these 3rd party scans in one form or another.

I would suggest that you find one that gives detailed reports and has a knowledgeable customer support department. That will make your life that much easier.

Re:Its their job (1)

tarquin_fim_bim (649994) | more than 9 years ago | (#12239368)

"you have to decide whether its worth covering them"

It's obviously not your decision if outsiders have been called in to check your competence and it has been found to be wanting. You have to know when these management manoeuvres are coming; don't you people read BOFH?

Re:Its their job (5, Interesting)

austad (22163) | more than 9 years ago | (#12239380)

Additionally, the security person that did the audit needs to sit down with you and go over every item determining whether or not there is a threat, explaining why certain things might be a threat, and detailing any possible way to mitigate the risk if there is any.

If they just handed you a report from Nessus and a bill, they are not doing their job. The security scanner output needs to be accompanied by another separate report which discusses the TRUE risk.

Every security company out there uses an open-source or commercial security scanner to get a general overview of any weaknesses, but sadly, many take the output at face value and just attach an invoice. You need to see what the scanner found, so I don't think it's right for them to omit anything from it. But, like I said above, they really need to evaluate the data that comes out of whatever product they use, investigate more by hand, ask questions, etc.

I currently work for a company that does this sort of thing. We use a variety of methods, depending on how in depth the customer wants to go. But in all cases, they get the raw output from any tools we use, and they get a thorough report and followup meeting detailing what was found and whether or not it's an actual threat. We make product and methodology suggestions, and even stick around to help them out.

My suggestion is, if you're looking for someone to do a security assessment or pen testing, shop around and find someone with excellent references. Finding someone good isn't going to be cheap, but then again, if you're concerned about price, fire up Nessus or ISS and run it yourself.

Re:Its their job (1)

thouth (815259) | more than 9 years ago | (#12239432)

Put it like this: if they didn't come back with anything because they omitted the 'molehills' and just said "Your network is fine, nothing to report", do you think they would keep their firm going for very long? They have to make mountains out of these things to make it look like they are actually doing their job.

Address The Report (5, Insightful)

Rolan (20257) | more than 9 years ago | (#12239144)

If the boss wants you to "fix" them all, give him a report of your own. "This is setup this way because of X, and the risk is mitigated by Y." If it's not a risk, explain why it is not. If you can't explain why it's a risk or how you're mitigating the risk, then you should be called out on the carpet. NEVER rely on security by obscurity. There is no such thing as a hole "so obscure as to be meaningless." If you mean that the report is vague in defining what the hole is, then you or your boss should get more information from the person you paid to do it.

In the end, if you can't specify why it SHOULD be that way, then you should make it secure. If you can say it HAS to be that way for a specific reason, then you should say how you are mitigating the risk. If you're not mitigating the risk, well, you better come up with a really good reason your boss is going to like.
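
As an added example (not code from the thread, from Nessus, or from any consultancy), here is the kind of per-item response austad and Rolan describe: raw scanner findings on one side, the in-house "set up this way because of X, mitigated by Y" register on the other, and a sorted table with an expected-loss and staff-hours column that a risk VP can budget from. The CSV layout, plugin numbers, hosts, dollar figures, likelihoods and hours are all constructed for illustration.

```python
"""Per-finding response to a third-party scan report.

Added example; not code from the thread, from Nessus or from any consultancy.
The CSV layout, plugin numbers, hosts, dollar figures, hours and the risk
register below are all constructed for illustration.
"""
import csv
import io
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed scanner export in a generic host/port/plugin/severity/title layout.
SCAN_CSV = """\
host,port,plugin_id,severity,title
10.0.1.5,25,1001,Low,SMTP banner discloses software version
10.0.1.5,80,1002,Low,HTTP Server header discloses product and version
10.0.1.9,19,1003,Medium,chargen service is running
10.0.1.12,22,1004,High,SSH protocol version 1 enabled
10.0.1.12,3389,1005,Critical,Terminal Services reachable from the Internet
"""

# Assumed annual likelihood that a weakness of this severity is actually used
# against us, applied only when the register gives nothing better.
DEFAULT_LIKELIHOOD = {"Critical": 0.5, "High": 0.3, "Medium": 0.1, "Low": 0.02}


@dataclass
class Finding:
    host: str
    port: int
    plugin_id: str
    severity: str
    title: str


@dataclass
class Decision:
    """Rolan's 'set up this way because of X, mitigated by Y', plus cost data."""
    status: str            # "fix", "mitigated", "accepted" or "false_positive"
    rationale: str
    impact_usd: float      # estimated loss if the weakness is exploited
    fix_hours: float       # staff time to remediate (0 where nothing is to be done)
    likelihood: Optional[float] = None   # overrides the severity default when set


@dataclass
class Response:
    finding: Finding
    status: str
    rationale: str
    expected_loss_usd: float
    fix_hours: float


# The in-house risk register, keyed by (plugin_id, host); "*" matches any host.
REGISTER: Dict[Tuple[str, str], Decision] = {
    ("1001", "*"): Decision("accepted", "Relay must greet clients; version is patched monthly", 1000, 0.5),
    ("1002", "*"): Decision("mitigated", "Reverse proxy strips the Server header externally", 500, 0.5, 0.01),
    ("1003", "10.0.1.9"): Decision("false_positive", "Internal print server; port 19 not reachable from outside", 0, 0),
    ("1004", "10.0.1.12"): Decision("fix", "Last SSHv1 client retired; disable Protocol 1 in sshd_config", 25000, 2),
}


def parse_scan(csv_text: str) -> List[Finding]:
    rows = csv.DictReader(io.StringIO(csv_text))
    return [Finding(r["host"], int(r["port"]), r["plugin_id"], r["severity"], r["title"]) for r in rows]


def lookup(register: Dict[Tuple[str, str], Decision], finding: Finding) -> Optional[Decision]:
    return register.get((finding.plugin_id, finding.host)) or register.get((finding.plugin_id, "*"))


def triage(findings: List[Finding], register: Dict[Tuple[str, str], Decision],
           default_impact_usd: float = 5000.0) -> List[Response]:
    out = []
    for f in findings:
        d = lookup(register, f)
        if d is None:
            # Nothing documented: it stays a real work item until someone has looked at it.
            d = Decision("fix", "No documented reason; investigate before the next report", default_impact_usd, 4.0)
        if d.status == "false_positive":
            loss = 0.0
        else:
            likelihood = d.likelihood if d.likelihood is not None else DEFAULT_LIKELIHOOD.get(f.severity, 0.1)
            loss = likelihood * d.impact_usd
        out.append(Response(f, d.status, d.rationale, loss, d.fix_hours))
    # Real work first, ordered by expected annual loss; documented exceptions after it.
    out.sort(key=lambda r: (r.status != "fix", -r.expected_loss_usd))
    return out


def render(responses: List[Response]) -> str:
    lines = [f"{'status':<15} {'host:port':<16} {'loss/yr':>8} {'hours':>5}  rationale"]
    for r in responses:
        where = f"{r.finding.host}:{r.finding.port}"
        lines.append(f"{r.status:<15} {where:<16} {r.expected_loss_usd:>8,.0f} {r.fix_hours:>5.1f}  {r.rationale}")
    total = sum(r.fix_hours for r in responses if r.status == "fix")
    lines.append(f"hours to close all 'fix' items: {total:.1f}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(render(triage(parse_scan(SCAN_CSV), REGISTER)))
```

Anything the scanner reports that has no register entry lands at the top as a "fix" item with a default impact, which is deliberate: the report cannot be answered with "obscure" until someone has written down why. The likelihood and impact numbers are the weak part of any such table (as a later comment in this thread points out), so keep them in one place where they can be argued over rather than buried in the sort order.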

Re:Address The Report (-1, Redundant)

thunderbee (92099) | more than 9 years ago | (#12239184)

Oh my, an intelligent reply and I'm all out of mod points...

Re:Address The Report (1)

Ninjy (828167) | more than 9 years ago | (#12239227)

I don't think the point of getting a third party to audit security and write a report of it is to audit security yourself and write a report of it. Rather, it seems like a misunderstanding in whatever management runs the place, and they should be better instructed that a lot of these aren't worth bothering with. Then again, we all know how stubborn managements can be.

You mean tell the boss to dump windoze? (1)

bananasfalklands (826472) | more than 9 years ago | (#12239278)

Sorry Boss those Windows servers you insisted we bought are 'bad'.

no Exchange,
No IIS
etc...

Re:You mean tell the boss to dump windoze? (5, Insightful)

Tim C (15259) | more than 9 years ago | (#12239370)

If you're an admin and you can't secure a Windows box (or any box you're in charge of) then you shouldn't be administering it; it's that simple.

We run a few sites on IIS and use Exchange for all our corporate email, and haven't had a single incident. Similarly, we've not had a single incident on any of our Linux or Solaris servers, either. You just have to know what you're doing.

Do use the tools yourself too, and prioritize (1)

billstewart (78916) | more than 9 years ago | (#12239325)

Of course many of the tools are popular open-source material - they work well, and they're extensible for people who want to add capabilities or connect them to report generators or other tools or whatever. You should be running these things yourself on occasion - perhaps regularly if there's a convenient way to do so, but certainly when you do major changes. Some of the things they'll find really are minor (e.g. somebody could cause a denial of service attack by sending a gigabit per second of UDP traffic to your company's T1 line, because you're filtering out unwanted packets at your end of the wire and not the ISP's), and they're low on your priority list. Others are important things that you missed, or they're configuration mistakes that you didn't catch and ought to fix.

And do make sure the consultant gives you some recommendations about prioritization.

Re:Address The Report (0)

Anonymous Coward | more than 9 years ago | (#12239343)

I agree with Rolan, and vulnerability management is one of my primary responsibilities.

Part of the problem can be that Bosses don't like to be surprised. When they think things are going well they don't like to have a huge report put down in front of them saying you have all these things wrong.

One of the things your boss needs to understand is that this is the reason why you bring in a third party. It is difficult to know everything about security, especially in a small shop where security is not your only responsibility.

As you said, many of the issues on the report do not necessarily need an immediate fix. They are all problems, but it is important to address them rationally. As Rolan says, give your boss a response to each item on the list. If you have to do some research, that is fine; take the time you need to understand the problem. In your report you need to give the bossman an idea of how much time and what testing will be necessary to fix each of the problems. That in itself can help him understand why the problems have not been fixed.

Don't get too excited at the boss jumping on you. He doesn't have all the information to understand what he is looking at, and he probably wasn't prepared for it at all. Once you've worked through the process once it will go better the next time.

Re:Address The Report (0)

Anonymous Coward | more than 9 years ago | (#12239394)

I didn't intead to post that as Anonymous Coward, must have not been paying attention.

Don't be so smug and self-righteous. (5, Insightful)

Anonymous Coward | more than 9 years ago | (#12239357)

I've seen the managers that this guy is suffering under and your insightful remark won't help him. You see, his boss is likely referring to "holes" reported by Nessus and others that are not holes, but because some outside company said it, then it must be so.

Outside companies are always more authoritative than in-house staff. "They're not from here, so they must be the authority on the subject."

By the way, the "holes" he is referring to are likely things like:

Can determine path to host via traceroute. Danger Will Robinson!
SMTP server returns a header. Shock! Horror!
HTTP server returns a header. OMG! This must be fixed!??

Just like every consultant (3, Insightful)

gt_swagger (799065) | more than 9 years ago | (#12239148)

... they have to make huge deals out of everything or risk being found out as mostly useless ;)

Re:Just like every consultant (2, Funny)

gt_swagger (799065) | more than 9 years ago | (#12239384)

Troll pts for that? I see we have a consultant mod in the house.

Re:Just like every consultant (2, Insightful)

tacokill (531275) | more than 9 years ago | (#12239388)

Not everyone can be an expert in everything. Therefore, consultants have their place. I know they take a lot of flak, but to someone who knows VERY LITTLE about a given subject, they are invaluable for filling in the gaps.

Details do matter, despite cries of "making huge deals out of everything"

Yay! (-1, Troll)

Anonymous Coward | more than 9 years ago | (#12239150)

Go LINUX!

Back to your circlejerk.

You need to... (4, Informative)

Atlantis-Rising (857278) | more than 9 years ago | (#12239155)

present your own report, detailing those same holes and why it's not worth it to fix them. Preferably first.

42 (0)

Anonymous Coward | more than 9 years ago | (#12239159)

What is it with all the penetration lately?

Spring fever, maybe?

Deal With Them (5, Funny)

RobertTaylor (444958) | more than 9 years ago | (#12239162)

How do you handle these 3rd-party security people who make mountains out of every molehill?

Post the company name and URL on slashdot and let them have a 'specialised security audit'...

Re:Deal With Them (0)

Anonymous Coward | more than 9 years ago | (#12239241)

Most slashdot users can't hack.

Of those that can, most are just script kiddies.

And those with the skill, they wouldn't give a shit.

Re:Deal With Them (4, Funny)

jd (1658) | more than 9 years ago | (#12239272)

They don't need to. Giving the site's webserver a severe slashdotting would seriously stress-test their systems.

Re:Deal With Them (2, Funny)

Anonymous Coward | more than 9 years ago | (#12239280)

It's http://127.0.0.1/, feel free to have a go.

Garbage (0)

Anonymous Coward | more than 9 years ago | (#12239163)

3rd-party security audits are like consultants. They talk all day long but never actually do anything.

If they didn't make a mountain, then how could they justify their existence?

Simple (1)

whackco (599646) | more than 9 years ago | (#12239166)

Just allow them to spend the money and, if you are in a position to, ask for a preliminary copy of the report, and create a reactionary or secondary report dealing with all the issues that were brought up.

Seems simple, and be prepared to answer your VP's silly, but nonetheless important, questions in a way that he understands. Don't be technical; just break it down for them.

Other than that, it can't really hurt having the audit done, just so long as you know how to handle it before, during, and after.

Hire somebody... (0)

Anonymous Coward | more than 9 years ago | (#12239179)

to sleep with the lead consultant, catch it on tape, and thus damage his credibility. These guys never get laid, so don't worry about him not falling for the bait.

Re:Hire somebody... (1)

MasTRE (588396) | more than 9 years ago | (#12239232)

> to sleep with the lead consultant, catch it on tape, and thus damage his credibility. These guys never get laid, so don't worry about him not falling for the bait.

Ummmmm, yeah - that's the ticket! NOT. Stop projecting.

Re:Hire somebody... (1)

Pfhorrest (545131) | more than 9 years ago | (#12239270)

How does having sex and being surreptitiously videotaped damage a person's credibility? I'd say whoever did the videotaping is the one whose credibility would be damaged.

Re:Hire somebody... (1)

NoGuffCheck (746638) | more than 9 years ago | (#12239422)

When he said hire somebody, he obviously meant hire Michael Jackson.. maybe that won't damage your credibility, but others might think differently.

Here's how I would handle it. (5, Interesting)

UndyingShadow (867720) | more than 9 years ago | (#12239188)

One of two ways:

Sit down with your boss and explain what each open port is and why it is open. Then explain what happens if you close that port.

Lock everything down tighter than Fort Knox, starting with your boss's machine (Yes sir, I'm sorry you can't surf the internet, we closed that outgoing port because it was a security risk).

One of these should work (or get you fired) either way, you don't have to deal with employees upset because their VPN or Remote Access doesn't work.

you do your job (5, Insightful)

smash (1351) | more than 9 years ago | (#12239193)

"How do you handle these 3rd-party security people who make mountains out of every molehill?"

You address the issues. That means: fix the problem, or provide a reason as to why things are this way, and *why* it is not a problem in your instance. Explain to the manager in question. Explain that to fix issue "x" may result in lost functionality, ease of use, or whatever - or that the risk has already been mitigated by some other precaution.

As someone else said - if you can't do that, there's a problem.

smash.

Fix all the holes (1, Interesting)

Anonymous Coward | more than 9 years ago | (#12239196)

And then explain, when users complain of the inability to use their computers, that you were directed to fix all the holes. Tell them your supervisors were made aware of what the result of doing all the fixes would be, but that you were directed to make the changes anyway. A company-wide memo might be appropriate. Or just an email explaining your position, accidentally forwarded to everyone.

Re:Fix all the holes (1)

lotsToLearn (797673) | more than 9 years ago | (#12239316)

I am not sure this would be very productive - emails/memos going back and forth, complaints being forwarded up and down the hall. Instead it's better to talk with the people concerned and resolve the best possible middle-of-the-road strategy.

We can help (5, Funny)

Lev13than (581686) | more than 9 years ago | (#12239197)

LazloToth asks: "...How do you handle these 3rd-party security people who make mountains out of every molehill?"

I think we need more details on the severity of your security holes. Give us your company's IP range, and if we find anything significant we'll leave a note for you on your desktop.

document (2, Insightful)

gbaldwin2 (548362) | more than 9 years ago | (#12239201)

Document the hell out of everything. And explain why the setup is as it is. It is a real pain when you have some worthless security company telling management that echo, discard, and chargen are major security holes on internal systems. Besides senseless violence directed at the auditors, it is a painful process.

Other hole (0)

Anonymous Coward | more than 9 years ago | (#12239205)

Tell them to stick it up their security hole.

Dollars and sense (1, Insightful)

Anonymous Coward | more than 9 years ago | (#12239207)

All that matters to the managerial types is dollars and cents. Show them (in their language - money) how much it will cost to fix the "problems" (even break it down and show them the cost of each problem), vs. how much benefit the company will gain (again in terms of money) from the fix. Be sure to include opportunity costs (and gains). Then let them make their decision.

They will decide whatever they think will be best (based, of course, on money). Then you fix whatever they tell you to. Hopefully they won't tell you to do anything dumb after they've been shown just what it will cost them.

This is why I love my job (1)

Daedalus_ (38808) | more than 9 years ago | (#12239210)

We have 2 'IT' people - myself and one other.

The owner of the company defers to us on all things technology related - what we say goes. No questions asked.

Re:This is why I love my job (3, Insightful)

winkydink (650484) | more than 9 years ago | (#12239348)

...what we say goes. No questions asked.

until you want to be a public company.

Re:This is why I love my job (1)

lotsToLearn (797673) | more than 9 years ago | (#12239355)

The *other* guy in the team must be the owner :P

Re:This is why I love my job (2, Interesting)

whackco (599646) | more than 9 years ago | (#12239372)

Yeah, until you and your buddy screw up and cost that company money, time, or both.

Having a third eye doesn't hurt as long as you are confident in your abilities and stand behind your work.

Sort of like a lawyer does, never asks a question that they don't know the answer to. A true IT professional would never do an audit they don't know the outcome of.

Shoot, I can't believe I'm giving this advice away for FREE! Now pay me money!

Re:This is why I love my job (0)

Anonymous Coward | more than 9 years ago | (#12239393)

Hey Daedalus:

Cool to see your post about the 2 of us running IT alone! Heh!

Wanted to let you know I'm taking the afternoon off--the sun is shining and I feel a strong urge to head toward it. See ya tomorrow for the meetings in Sicily, old man.

--Icarus

Get a new consultant (5, Insightful)

Rob Riggs (6418) | more than 9 years ago | (#12239213)

Seriously, you need to work with someone who has a clue. Anyone reviewing these scans should know what they are looking at. If they don't, they have no room to criticize. It is the security consultant's job to put the scan and the vulnerabilities in context. They need to explain the risks to management in a manner that management can understand. Their report should come with recommendations on how to correct the problems, and it should at least try to outline the consequences of the fixes. The consultants should have worked with the engineering/admin team to understand the holes before the report went to management. Otherwise you paid for a whole lot of nothing.

Re:Get a new consultant (1)

SpacePunk (17960) | more than 9 years ago | (#12239425)

Pretty much, yeah, that sums it up. Anyone can walk through the door, do a port scan, and list open ports, etc... Looks to me like they treat security as a commodity, not like the process that it is.

They only did half their job.

Do exactly what he says (2)

williewang (567613) | more than 9 years ago | (#12239217)

You've already played Devil's Advocate, so document what you think the risks are/may be, then do *exactly* what he says. Once it breaks, whip out the risks you documented and explain how you did exactly what was asked of you over your stated objections. It's the only real way to do it--and rather satisfying, gotta admit.

Steel Cage Grudge Match? (0)

Anonymous Coward | more than 9 years ago | (#12239226)

How do you handle these 3rd-party security people who make mountains out of every molehill?

Good question (1)

Kimos (859729) | more than 9 years ago | (#12239229)

I work for the Canadian Government and we have our own in-house security department. This problem is not limited to consultants and third parties. The small staff in our office can create reports hundreds of pages long using open source and proprietary tools. The hard part is finding the owner of each asset and getting them to take responsibility for it. Often the "administrator" isn't even close to qualified to perform system maintenance.

Cost (5, Insightful)

japhmi (225606) | more than 9 years ago | (#12239239)

Take the report, and give costs for covering each hole. Also, give your risk assessment to the company (yes, there is a hole that has a 1% chance of costing the company $5,000 - but it will cost $500 to repair).

Then, let the boss make the budget decisions, and carry them out. Make sure extra staff is included in your report.

Re:Cost (1, Informative)

Anonymous Coward | more than 9 years ago | (#12239346)

How do you come up with those numbers other than pulling them directly out of your ass? How can you determine the probability of being compromised by a specific vulnerability? And how can you determine ahead of time what the costs to recover will be (unless it's just a flat-rate format/rebuild cost any time you're compromised)?

auditors are just as bad (1)

dougsyo (84601) | more than 9 years ago | (#12239244)

We've had external auditors come through with their "best practice checklists" and ask us all kinds of questions, then they make their report to the ones that brought them in.

Two years ago, after the report went to the Board of Trustees (I work for a state university), we were tasked to give a "when or why not" to each and every issue on the report.

On the bright side, the particular auditor we've had to deal with most of these times was as fair and accurate as can be expected - there were no real surprises sprung on us (she's back next week to do our Oracle systems).

Doug

One word... (2, Funny)

LeJoueur (766021) | more than 9 years ago | (#12239252)

BOFH [theregister.co.uk]

How to deal (0)

Anonymous Coward | more than 9 years ago | (#12239257)

Explain to your boss that they are definitely concerns and that you are glad to be aware of them. Then inform him that, as you are aware of the holes and have measures in place to watch for spurious activity, they are not threats -- of course, make sure this is all true, because sometimes the security company will then be asked to hack the network to prove the seriousness...
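
As an added example, not from the thread or from any product: one concrete form of the "measures in place to watch for spurious activity" the comment above relies on, in Python, run over constructed iptables-style firewall log lines. The line format, hosts, timestamps and thresholds are assumptions; adjust LINE_RE to whatever your firewall actually writes.

```python
"""Spot a port sweep in firewall log lines.

Added example, not from the thread or any product. The iptables-style line
format, hosts, timestamps and thresholds are constructed for illustration.
"""
import re
from collections import defaultdict
from datetime import datetime
from typing import Dict, List, Tuple

# Constructed sample: a slow probe from 203.0.113.9 over 15 minutes, a fast sweep
# from 203.0.113.7 inside a few seconds (hitting open and closed ports alike),
# ordinary traffic from 198.51.100.x, and one unrelated sshd line.
LOG = """\
Apr 14 09:00:12 fw kernel: DROP IN=eth0 SRC=203.0.113.9 DST=192.0.2.10 PROTO=TCP SPT=40001 DPT=22
Apr 14 09:05:40 fw kernel: DROP IN=eth0 SRC=203.0.113.9 DST=192.0.2.10 PROTO=TCP SPT=40002 DPT=80
Apr 14 09:10:03 fw kernel: DROP IN=eth0 SRC=203.0.113.9 DST=192.0.2.10 PROTO=TCP SPT=40003 DPT=443
Apr 14 09:11:50 fw kernel: ACCEPT IN=eth0 SRC=198.51.100.4 DST=192.0.2.10 PROTO=TCP SPT=33000 DPT=80
Apr 14 09:12:01 fw kernel: DROP IN=eth0 SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP SPT=51234 DPT=21
Apr 14 09:12:01 fw kernel: DROP IN=eth0 SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP SPT=51235 DPT=22
Apr 14 09:12:02 fw kernel: DROP IN=eth0 SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP SPT=51236 DPT=23
Apr 14 09:12:03 fw kernel: DROP IN=eth0 SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP SPT=51237 DPT=25
Apr 14 09:12:04 fw kernel: ACCEPT IN=eth0 SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP SPT=51238 DPT=80
Apr 14 09:12:05 fw sshd[4242]: Accepted publickey for ops from 198.51.100.9 port 50022 ssh2
Apr 14 09:12:05 fw kernel: DROP IN=eth0 SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP SPT=51239 DPT=110
Apr 14 09:12:06 fw kernel: DROP IN=eth0 SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP SPT=51240 DPT=143
Apr 14 09:12:08 fw kernel: ACCEPT IN=eth0 SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP SPT=51241 DPT=443
Apr 14 09:12:30 fw kernel: ACCEPT IN=eth0 SRC=198.51.100.4 DST=192.0.2.10 PROTO=TCP SPT=33001 DPT=80
Apr 14 09:13:00 fw kernel: ACCEPT IN=eth0 SRC=198.51.100.9 DST=192.0.2.10 PROTO=TCP SPT=50022 DPT=22
Apr 14 09:15:27 fw kernel: DROP IN=eth0 SRC=203.0.113.9 DST=192.0.2.10 PROTO=TCP SPT=40004 DPT=8080
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ kernel: (?P<action>\w+) "
    r".*?SRC=(?P<src>\S+) DST=(?P<dst>\S+) PROTO=(?P<proto>\w+) .*?DPT=(?P<dpt>\d+)"
)

Event = Tuple[datetime, str, str, int]   # (time, source, destination, dest port)


def parse(log_text: str) -> List[Event]:
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue  # not a firewall line
        # Syslog timestamps carry no year; fine for deltas within one day.
        ts = datetime.strptime(m["ts"], "%b %d %H:%M:%S")
        events.append((ts, m["src"], m["dst"], int(m["dpt"])))
    return events


def find_sweeps(events: List[Event], min_ports: int = 5,
                window_seconds: int = 60) -> Dict[Tuple[str, str], List[int]]:
    """Sources touching at least min_ports distinct ports on one host within window_seconds.

    ACCEPT and DROP lines both count: a scanner hits the open ports too, and a
    detector that only reads drops never sees those.
    """
    by_pair: Dict[Tuple[str, str], List[Tuple[datetime, int]]] = defaultdict(list)
    for ts, src, dst, dpt in events:
        by_pair[(src, dst)].append((ts, dpt))
    sweeps: Dict[Tuple[str, str], List[int]] = {}
    for pair, hits in by_pair.items():
        hits.sort()
        start = 0
        for end in range(len(hits)):
            # Slide the window so hits[start:end+1] spans at most window_seconds.
            while (hits[end][0] - hits[start][0]).total_seconds() > window_seconds:
                start += 1
            if len({p for _, p in hits[start:end + 1]}) >= min_ports:
                sweeps[pair] = sorted({p for _, p in hits})
                break
    return sweeps


def report(sweeps: Dict[Tuple[str, str], List[int]]) -> List[str]:
    return [f"{src} swept {dst}: {len(ports)} ports ({', '.join(map(str, ports))})"
            for (src, dst), ports in sweeps.items()]


if __name__ == "__main__":
    print("\n".join(report(find_sweeps(parse(LOG)))))
```

With the defaults only the fast sweep is reported; the slow probe spread over fifteen minutes needs a wider window and a lower port count, which is the usual trade-off between catching patient scanners and paging someone every time a misconfigured client retries a few ports. Either way, the output is the kind of thing that lets you tell the VP when the consultants' scan happened and what it touched, rather than only that a report arrived.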

The weakest link... (4, Interesting)

cpghost (719344) | more than 9 years ago | (#12239264)

Every chain is only as strong as its weakest link.

This holds true in the military area more than anywhere else. I work in environments that are very sensitive to security, and we take such external reviews extremely seriously. There's no such thing as an "obscure" or "irrelevant" weakness.

Unlike most vanilla companies, we can't afford to let things slide, security-wise. Knowing that your clients are a prime target for highly professional black hats and (not only industrial) spies is highly motivating. This includes (of course) penetration testing (conducted both internally and by independent contractors), but also exclusive use of open source code and internal code auditing. As an aside: personnel (HR) auditing is also very important, if not even more so than the technical aspects!

Sure, most companies don't need this level of security awareness and can get away with being "pragmatic", but don't complain when your client database (with all the goodies like credit card data etc.) gets compromised!

Advice from an old timer (1)

namgge (777284) | more than 9 years ago | (#12239265)

He wants secure so give him secure - no luser access. What's the guy's username?

BOFH

Use the Microsoft Defence (1)

What me a Coward (875774) | more than 9 years ago | (#12239266)

Say that making those changes would hamper creativity and stifle innovation. :P

security companies create problems (0)

Anonymous Coward | more than 9 years ago | (#12239267)

Personally, some of these server monitoring services, in my opinion, create more problems than they claim to solve. Many of these systems claim to measure downtime in tenths or hundredths of seconds, which means they're clogging up bandwidth that could be used for legitimate purposes for their tests, and if there's any outage between their system and yours, their report can blame it on your server being down. It's all bogus in my opinion, but I have no shortage of clients who are signing up to have their web sites monitored, which creates lots of problems for admins. Personally, I'd like to see a site which lists the IP ranges of many of these companies so they can be blocked.

Do your job instead of slashdotting all day (0)

Anonymous Coward | more than 9 years ago | (#12239277)

If you actually did work for 8 hours a day instead of reading/posting/emailing Slashdot you would have time to secure your network.

There's work not getting done right now because I'm posting this, and your work isn't getting done because you're reading this!

Re:Do your job instead of slashdotting all day (1)

Zunni (565203) | more than 9 years ago | (#12239310)

Except I'm on strike and done picketing for the day.... So I'm actually saving my organization money by not being at the office while reading this..

Re:Do your job instead of slashdotting all day (0)

Anonymous Coward | more than 9 years ago | (#12239350)

Lazy bum. You should be grateful you even have a job. Some people aren't so lucky.

Re:Do your job instead of slashdotting all day (1)

Zunni (565203) | more than 9 years ago | (#12239412)

At least I get to read this instead of having obnoxious people spittle in my face while sharing this sentiment...

(Side note, the IT dept is lumped in with secretaries here, and they have strength of numbers...)

Warning Port 25 open on the mail server (0)

Anonymous Coward | more than 9 years ago | (#12239290)

We had an in-house "so called security expert" at my old job who knew how to run nmap and was not afraid to use it and email the results around.

We also had a 3rd party firm root us through a remote office which we had no control over and were not allowed to block their access from.

You do what you can or you quit.

Easy solution (4, Funny)

nizo (81281) | more than 9 years ago | (#12239291)

How do you handle these 3rd-party security people who make mountains out of every molehill?

See where they did the scan from and drop all packets at the firewall from that domain?

Re:Easy solution (2, Insightful)

nizo (81281) | more than 9 years ago | (#12239371)

This would probably make more sense if I had added, "before they do a follow-up scan of your network".

Next to worthless (4, Funny)

PCM2 (4486) | more than 9 years ago | (#12239296)

In the mid-1990s, I ran IT for a graphic design firm, which consisted of some 50-75 Macintosh computers. Pretty much everything ran on Macs; even the accounting systems used Great Plains for Mac.

At one point, some of the staffers got the idea that network performance might not be optimal, and it was decided that we should do a performance audit. A contractor was brought in to spend a few hours sniffing our network, then go away and do a thorough, in-depth protocol analysis. The result of this analysis was a 20-page report detailing their findings.

The conclusion was that there was, indeed, a lot of unnecessary packets of traffic flying around the network. Their solution?

"Eliminate the Appletalk networking protocol."

Uh, yeah. Thanks guys, here's your $2,500.

(Maybe the best solution is to do whatever you can to educate management and set expectations at appropriate levels.)

They did their job, now do yours (4, Insightful)

winkydink (650484) | more than 9 years ago | (#12239317)

They get paid to find every little nitpicky thing. It's in their best interest to make everything sound major (ever heard of the term follow-on engagement?)

Sit down, take the list and prepare a reasonable time & budget to fix each item along with your recommendations of the order to fix them in (based on business risk). Make sure your numbers and hours are realistic, because chances are excellent that he'll ask the consultants for the same info.

Then Mr VP can either allot internal resources to fixing the problem or hire outside consultants, or both. Business risk deals with a lot of things, both real and perceived. In some cases, having the perception of risk is just as bad as the real thing (from a liability perspective, thank you Milberg Weiss).

Your VP's job is to determine the acceptable level of risk for the company. Yours is to aid him in that decision, not make it for him.

So called security audits/scans (0)

Anonymous Coward | more than 9 years ago | (#12239320)

Right now are being perpetrated on the online vendor community by the credit card companies. Here is how it works.

1. Visa says you must meet the following (BS) requirements to take their cards on-line.
2. They tell your cc processor that all their on-line stores must meet requirements in 1.
3. CC processor sub-contracts with security firm A that then contacts you so they can perform a "security" scan just like this /. person is asking. Of course you have to sign up and pay $$$.
4. They then "scan" your site. Even though you explain that you don't take cards on the site, you pass the order to the cc processor who collects the card info on their site. No matter says the card company, you have to pay anyway. Then they claim that it will prevent phishing and all that happy hoo-haw. cough...BS...cough
5. They then make you fill out a survey of meaningless drivel that no small company could ever honestly answer yes to all the policy questions, in order to be in the green.

Next year, I'm putting up a honey pot and am going to redirect their scans to that with all kinds of exploits. Linux/Unix/Windows exploits all on the same box. Won't that be fun.

Anyway. The credit card companies' risk management department is happy. We lowered our risk. Some company in Utah on a canopy netblock gets my money (fuckers) and I get jack shit.

they don't trust you already (0)

Anonymous Coward | more than 9 years ago | (#12239323)

No choice but to explain why in simple terms. If they don't accept that I am sorry to say you have to leave.

it's haaaard work (4, Interesting)

humankind (704050) | more than 9 years ago | (#12239327)

How do you handle these 3rd-party security people who make mountains out of every molehill?"

Since you don't cite any examples of these issues, I would bet you're one of these people who think running PHP with register_globals on is a "molehill?"

Cite some examples, or else this looks like you're complaining that tightening security holes would be /whine "hard work." Well, it'll be harder after some n00b takes my personal information off your insecure system. Fix it, or consider changing careers instead of being yet another BOFH.

Sarcasm (1)

Paris The Pirate (799954) | more than 9 years ago | (#12239330)

Security through obscurity... that's the spirit ;)

Tell your boss not to hire penetration testers (2, Informative)

delirium of disorder (701392) | more than 9 years ago | (#12239331)

If you want real security, penetration testing is only a small part of the process. Sure, you can pay someone to find vulnerabilities....any kid with a copy of nessus, snort, and nmap will do....or you can shell out the big bucks for a Core Impact setup if you get the PHBs paranoid enough. It really won't help fix anything. Even if you do manage to patch every vulnerable service and close off everything else that you don't need, you may still be insecure. Policies and procedures are often as important for ensuring security as closing specific holes in software. If your company needs to outsource network security, convince them to get someone who will offer a more complete solution comprising a specific and custom plan for ensuring the physical, human, and software aspects of security. If you want to get out of your current predicament, I suggest patching what you can and explaining why other vulnerabilities are not relevant. Prove you are smarter than the consultants leeching money that could be yours. If your boss is a real idiot and the security researchers he/she hires are dumbasses too, you can safely backdoor the place before you leave!

The true cost of plugging holes. (1)

Curley123 (876189) | more than 9 years ago | (#12239336)

This is a great opportunity. Start by consulting with a high priced "security" company about plugging the "holes". Figure on $20k in consulting fees alone. Make sure they recommend only the top end (most expensive) equipment and software. Of course, your staff will need to be doubled (at least) and all will require MANY classes, in far away places, on how to run all this new kit. Figure a good 2 years to train existing and new staff. You will need new quarters for all this equipment too. Temperature and humidity controlled of course. Security cameras, off site storage of all the new backup equipment, co-located servers in another power grid (several states away). Shoot for a cool million and triple (at least) current operating expenses. Then see what your pointy haired boss says.

Dealing with "out of context" issues (2, Informative)

Infonaut (96956) | more than 9 years ago | (#12239337)

In my experience, most of the out of context issues usually come down to someone in management saying something like this at one time or another, "Goddammit! I don't *care* if there's some infinitesimally small chance that we'll have a security problem. I want the ability to IM, and I want it now!"

Human nature being what it is, pointing this out to the boss is likely to embarrass him and make him feel like you're being a smartass. In general I find that explaining the security continuum (where at one end you have low security, low cost, and all the functionality you want, and at the other end you have high security, higher cost, and some curtailing of functionality) is helpful in coaxing them out of the mentality that security is a one-way street. In the real world, high security entails compromises, some budgetary (even if only for more sysad time) and some functional (not every new flashy network app can simply be added to the system without security analysis).

I've also found that explaining the security process in terms of priorities is helpful. I used to use a top 10 list that showed management exactly what was highest priority, what came next, and so on. This helped them realize that not all threats are equal.

Best of luck to you.

what I would do (1)

ch-chuck (9622) | more than 9 years ago | (#12239356)

Is put a text file somewhere - tell them where it is and if they can tell you the message in it then you will agree there is a security problem. Otherwise go away. IOW have them produce more than a report. Like a security test for a military base is for someone unauthorized to try to penetrate and see if they can put a tag on some piece of equipment. If they can then they've proven there is a security problem.

Serves you right for not buying ISA Server. (0, Flamebait)

LibertineR (591918) | more than 9 years ago | (#12239358)

I'm kidding, so calm your ass down.

"The 'holes' in question are so obscure... (1)

altamira (639298) | more than 9 years ago | (#12239363)

...as to be meaningless", you say; can you give a few examples of security holes that are 'obscure' and 'meaningless'?

I mean - a vulnerability found should either be a false positive - which you should be able to explain to your boss easily - or it's actually relevant. If you are *knowingly, intentionally* running vulnerable systems, these hopefully do not share *any* infrastructure with your production networks.

As with most potential conflicts with a manager... (4, Insightful)

peteforsyth (730130) | more than 9 years ago | (#12239366)

Put the focus on your professional relationship; make the technical aspects secondary to that. If you have any history of trust, emphasize that.

"Do you generally trust me to keep the network secure?"
"Do you see the possibility that this company might make mountains out of molehills to demonstrate their value?"
"If we DO find out that I have left some things unattended, will you give me the chance to correct them?"

Etc.

Your boss, more than anything, wants to know he's in good hands. Even though he may not consciously know it, his trust in YOU is the most important thing; his trust in the NETWORK is secondary; his trust in a temporary CONTRACTOR is a fleeting thing.

If you adopt an overly defensive or confrontational posture, you do nothing but hurt your relationship with your boss, and ultimately yourself.

1 man's molehill... (2, Informative)

Zunni (565203) | more than 9 years ago | (#12239367)

is another man's mountain. If you were "hacked" and when you went back to the 3rd party security company and were told "Well, that opening is so obscure that we really didn't think it was an issue." Who would be having their asses handed to them in court?

Their jobs are to be as thorough as possible, your job is to analyse the data and figure out what it means with the knowledge you have from working within the organization and understanding the quirks that are native to your workplace. Hopefully your boss understands that your organization (like all organizations) has little things that require special consideration and you (and the rest of the IT staff) are given an opportunity to review and provide your own detail to what was submitted.

Easy (1)

spidereyes (599443) | more than 9 years ago | (#12239375)

Rope, duct tape, knife and Hanson CDs. Give them the choice the knife or Hanson with an endless loop of MMMBop.

Real Security Audits with Reports (1)

investr (876192) | more than 9 years ago | (#12239381)

Use Qualys and dump the free crap. That explains everything. Your boss will love it and it will save you the headache of translating.

You fix them. (0, Troll)

Telastyn (206146) | more than 9 years ago | (#12239391)

No offense, well, okay, perhaps a little offense meant, but I imagine that if you were a top notch security expert, your company wouldn't be going to 3rd parties to check. Or at least they wouldn't be going to some [supposed] dope with a tool who [you think] gave you bogus stuff.

You might want to consider the possibility that the security expert is right. You also might want to consider the possibility that such 'obscure' holes are the exact thing attackers will look for, because once the machine is owned, it's all over. A hole is a hole.

From a more practical point of view, you should create a sandbox network with one [or many] of the holes the security expert disclosed, and then ask them to exploit one for you. Should be a quick sign if they're right, or they're a dope.

Get creative / have fun with the 3rd party (0)

Anonymous Coward | more than 9 years ago | (#12239396)

If you're sure you know what you're doing, have a bit of fun with it.

I'm sure you have logs of where, when and how the scan happened. A few simple scripts and iptables/netfilter rules can go a long way toward having fun with the 3rd party company.

Suggest that this is a 'normal' level of security, but offer the option to 'really secure' the site and spend a few hours/days putting together some clever scripts to block apparently malicious hosts.

Also, don't forget to point out that their scan was detected, logged, etc under the 'normal' security plan. It helps demonstrate you're actually on the ball. Remind them this type of activity is usually preceded by an attack-- just like thieves IRL case places before they break in.

Some shell scripts, rate limiting and arbitrary -J targets in iptables, for example, can help block scans from programs such as Nessus. For example, ban for 60 minutes any host (or netblock if you feel so inclined) that attempts to connect more than 10 times to a port on which no service is running.

Most of the time, the 3rd party techs will slog through starting at port 1 and by the time they get to your first open port (21, 22 or 25 I'm guessing) you've already blocked incoming requests from that ip/netblock for the next hour.

Another rule might be if you have VPN services (port 1723 I think) on but no terminal services or other remote access, ban for 24 hours if an IP accesses your VPN service (and gets a connect) BUT also attempts to access other common services, such as terminal services, radius auth, etc. If you aren't running those services no legitimate user should be poking about there, right?

Someone send us three big pings? Bannination for a week! :)

It is a level of craziness that is probably not necessary, but in my experience the 3rd party tech team usually loses their minds when they have to wait 20 minutes, an hour, or more to keep trying to scan your host. That is, if they even figure out what is going on.

Starts happening from more than one ip in a netblock? Drop incoming traffic on the whole netblock for a while.

It really is loads of fun. Be careful about some services, though. For some things its normal for one host to set up and tear down a lot of connections per second, so be sure that your rules depend on accessing sets of services in weird ways (a la a scanner looking for holes).
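The rules the comment above sketches (ban a source that hits more than ten closed ports in a short window, ban a VPN client that then pokes at services you do not run, escalate to the whole /24 once several hosts in it have tripped), written out as detection logic over a constructed connection log. This is an added example and not code from the thread; the log format (`<epoch> <src_ip> <dst_port> open|closed`), the list of listening ports, the thresholds and the sample addresses are all assumptions chosen for the example. The function returns the ban table, which a wrapper could turn into iptables DROP rules.

```python
"""Scan-detection rules over a constructed firewall connection log (added example)."""
import ipaddress
from collections import defaultdict, deque

# Assumptions for the example: what the host actually listens on.
OPEN_PORTS = {22, 25, 1723}           # ssh, smtp, pptp vpn control channel (tcp/1723)
VPN_PORT = 1723
SUSPICIOUS_AFTER_VPN = {3389, 1812}   # rdp, radius: not offered, so no VPN user should try them

CLOSED_PORT_THRESHOLD = 10   # more than this many hits on closed ports ...
CLOSED_PORT_WINDOW = 600     # ... within ten minutes trips the scan rule
BAN_CLOSED_SCAN = 3600       # one hour
BAN_VPN_PROBE = 86400        # one day
NETBLOCK_TRIP = 2            # this many banned hosts in one /24 bans the /24


def _scanner_lines(ip, start, ports):
    """Constructed log lines for a sequential scanner, one port per second."""
    return [f"{start + i} {ip} {p} {'open' if p in OPEN_PORTS else 'closed'}"
            for i, p in enumerate(ports)]


# Constructed sample input: two scanners in one /24, a VPN user probing RDP,
# and a busy but legitimate mail peer that reconnects to port 25 fifty times.
SAMPLE_LOG = (
    _scanner_lines("203.0.113.5", 1000, range(1, 31))
    + _scanner_lines("203.0.113.9", 1200, range(1, 15))
    + ["1500 198.51.100.7 1723 open", "1510 198.51.100.7 3389 closed"]
    + [f"{2000 + i * 5} 192.0.2.10 25 open" for i in range(50)]
)


def _ban(bans, key, until, reason):
    """Record a ban, keeping the later expiry if the key is already banned."""
    if key not in bans or bans[key][0] < until:
        bans[key] = (until, reason)


def _ban_netblocks(bans):
    """If several hosts in the same /24 are banned, ban the whole /24 too."""
    by_block = defaultdict(list)
    for key, (until, _) in list(bans.items()):
        if "/" in key:
            continue
        net = ipaddress.ip_network(f"{key}/24", strict=False)
        by_block[str(net)].append(until)
    for net, expiries in by_block.items():
        if len(expiries) >= NETBLOCK_TRIP:
            _ban(bans, net, max(expiries), "multiple scanners in netblock")


def evaluate(lines):
    """Return {ip_or_cidr: (expires_at_epoch, reason)} for the given log lines."""
    bans = {}
    closed_hits = defaultdict(deque)   # src -> timestamps of closed-port hits in window
    vpn_connected = set()
    for line in lines:
        ts, src, port, outcome = line.split()
        ts, port = int(ts), int(port)
        if src in bans and bans[src][0] > ts:
            continue   # the firewall is already dropping this host
        if outcome == "closed":
            q = closed_hits[src]
            q.append(ts)
            while q and q[0] < ts - CLOSED_PORT_WINDOW:
                q.popleft()
            if len(q) > CLOSED_PORT_THRESHOLD:
                _ban(bans, src, ts + BAN_CLOSED_SCAN, "closed-port scan")
                q.clear()
        if port == VPN_PORT and outcome == "open":
            vpn_connected.add(src)
        elif src in vpn_connected and port in SUSPICIOUS_AFTER_VPN:
            _ban(bans, src, ts + BAN_VPN_PROBE, "probing after VPN")
    _ban_netblocks(bans)
    return bans


def as_iptables(bans):
    """Render the ban table as iptables DROP rules (expiry handled by the caller)."""
    return [f"iptables -I INPUT -s {key} -j DROP   # until {until}: {why}"
            for key, (until, why) in sorted(bans.items())]


if __name__ == "__main__":
    for rule in as_iptables(evaluate(SAMPLE_LOG)):
        print(rule)
```

Only hits on ports with no listener count toward the scan rule, which is why the mail peer in the sample never trips it; that is the caveat the comment ends on, and a rule keyed on total connection rate would have banned it.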

Fr. Guido Sarducci (2, Informative)

Nethead (1563) | more than 9 years ago | (#12239401)

LazloToth asks: "I'm sure some of you have had this happen: your company pays the big bucks for a 3rd-party security audit and, when it comes back, you get called on the carpet for all the supposed 'holes' in your network.

Fr. Guido Sarducci replies: Son, you'll just hafta let it go. These bozos just won't get it anyway. Besides, it IS their network, they just pay you to play with it.

Don Novello Pipes up: Who are you wankers anyway?

How to handle Security issues? (2, Interesting)

Spacepup (695354) | more than 9 years ago | (#12239405)

How to avoid being called on the carpet over security? Be at least one degree more paranoid about security than your boss.

How to handle the security report? With the same seriousness as your boss, he signs your paychecks after all.

Proof (1)

eyeball (17206) | more than 9 years ago | (#12239408)

Ask for the opportunity to have the 3rd party justify, in writing, what each vulnerability means and assess the severity. If your boss won't go for this, you probably don't want to work for an irrational boss.

Or if you don't want to make that drastic of a move, tell him or her that you should outsource that security to the company that did the scan. That's probably why they gave such a mountain-molehill report anyway. If your boss is going to believe them, then make them "fix" the network, and then explain why they broke everything.

A third possibility would be to get a second opinion, although you run the risk of getting an equally over zealous report.

Clarify (1)

jav1231 (539129) | more than 9 years ago | (#12239415)

All you can do is clarify and explain. I only deal with "Critical," "Major" and sometimes "Medium" risk categories. The rest are usually stupid. "You have a share." "Yeah, it's called user directories or shared data drives." As long as you have answers and can show the risk is minimal, if existent, then you may have done all you can.
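Two of the replies above describe the same exercise: winkydink's "take the list, cost each item and order it by business risk", and jav1231's "only argue about Critical/High/Medium and explain the rest". This added example (not code from the thread) turns a scanner report into that plan. The findings, plugin ids, hosts, severity labels and hour estimates are constructed for the example; the one rule the code enforces is that every item not being fixed carries a written justification, which is what the VP is actually asking for.

```python
"""Triage scanner findings into a costed, risk-ordered remediation plan (added example)."""
from dataclasses import dataclass

SEVERITY_RANK = {"Critical": 4, "High": 3, "Medium": 2, "Low": 1, "Info": 0}
INTERNET_FACING = {"203.0.113.10", "203.0.113.11"}   # assumption: the DMZ hosts


@dataclass(frozen=True)
class Finding:
    plugin: int      # hypothetical scanner plugin/check id
    host: str
    port: int
    severity: str
    title: str


# Constructed sample report, shaped like a scanner CSV export.
FINDINGS = [
    Finding(10001, "203.0.113.10", 25, "High", "SMTP open relay"),
    Finding(10002, "203.0.113.11", 443, "Medium", "SSL weak cipher suites"),
    Finding(10003, "10.0.0.5", 445, "Low", "SMB share enumeration"),
    Finding(10004, "10.0.0.7", 80, "Critical", "Web server version outdated"),
    Finding(10005, "203.0.113.10", 22, "Info", "SSH banner disclosed"),
]

# IT staff review: plugin -> (action, estimated hours, justification).
# action is one of "fix", "false_positive", "accept".
DISPOSITIONS = {
    10001: ("fix", 4.0, "relay test reproduced by hand; must be closed"),
    10002: ("fix", 2.0, "disable export/RC4 suites; confirm no legacy clients break"),
    10003: ("accept", 0.0, "internal user shares; authenticated access only"),
    10004: ("false_positive", 0.0, "version-banner check; vendor backports fixes, CVE list verified"),
    10005: ("accept", 0.0, "banner disclosure; no exploitable impact"),
}


def priority(f):
    """Business-risk ordering: severity first, internet exposure breaks ties."""
    return (SEVERITY_RANK[f.severity], f.host in INTERNET_FACING)


def in_scope(findings, minimum="Medium"):
    """Findings worth arguing about; below the cutoff they are noted, not debated."""
    return [f for f in findings if SEVERITY_RANK[f.severity] >= SEVERITY_RANK[minimum]]


def triage(findings, dispositions):
    """Split findings into a fix plan and a justified closed list.

    Raises if a finding has no disposition or is closed without a reason, so the
    report cannot leave the building with an unreviewed item on it.
    """
    plan, closed = [], []
    for f in findings:
        if f.plugin not in dispositions:
            raise ValueError(f"plugin {f.plugin} ({f.title}) has no disposition")
        action, hours, why = dispositions[f.plugin]
        if action not in ("fix", "false_positive", "accept"):
            raise ValueError(f"unknown action {action!r} for plugin {f.plugin}")
        if action != "fix" and not why.strip():
            raise ValueError(f"plugin {f.plugin} closed without a justification")
        (plan if action == "fix" else closed).append((f, action, hours, why))
    plan.sort(key=lambda item: priority(item[0]), reverse=True)
    return plan, closed


def summary(plan, closed):
    """Counts and total effort, the numbers the VP will compare with the consultants'."""
    return {
        "fix": len(plan),
        "hours": sum(hours for _, _, hours, _ in plan),
        "false_positive": sum(1 for _, action, _, _ in closed if action == "false_positive"),
        "accept": sum(1 for _, action, _, _ in closed if action == "accept"),
    }


if __name__ == "__main__":
    plan, closed = triage(FINDINGS, DISPOSITIONS)
    for f, action, hours, why in plan + closed:
        print(f"{f.severity:8} {f.host}:{f.port:<5} {action:14} {hours:4.1f}h  {f.title}: {why}")
    print(summary(plan, closed))
```

The ordering key is deliberately simple; the point is that it is written down, so the same two facts (severity, exposure) decide every row and the consultants can be asked to argue with the key rather than with the admin.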

Examples? (1)

erroneus (253617) | more than 9 years ago | (#12239416)

Without seeing some example vulnerabilities, it would really be hard to give anything but general answers to this problem. That said, there is an abundance of general answers here already and I'll add mine to the pile.

First: do your homework and get a background (securityfocus.com is a great place to start) on all items listed.

I know first-hand where we have a dependence on older versions of certain software packages because some custom apps we have running break when these older programs are upgraded. I am fairly certain that there may be some vulnerabilities in our old versions of the software and cannot be fixed without upgrades that would break a much larger system.

Draw a lot of analogies that would make it easy to understand. Stating things like "our front door is a vulnerability, but if we welded it shut, we couldn't make use of it."

Admit frankly and openly where you might have actually overlooked a problem that you should have been aware of. In my view, nothing says you can be trusted more than when you admit to mistakes and vow to correct them... and actually do. But denying everything too often brings a kind of distrust to you from bosses... they know you're human, but if you deny it and claim to be a god, they'll call you on it.

It might actually be helpful to praise the consultant's report as a useful and enlightening tool allowing the boss to feel as if he did a good thing by calling these matters to your attention and then create a plan by which you will be able to adopt the same measures the consultant took in creating this problem for you. By instituting an additional self-audit upon yourself, you will be able to save yourself from the likelihood of further "testing" from outside while providing him with future (quarterly? semi-annually?) reports of where you stand on issues past, present and future.

And of course, break down your own actions on an item-by-item basis.

Try not to say what "can't" or "shouldn't" be done -- that's likely a decision he will want to make. You can, instead, present the factors by which to make these decisions...in such a way that the decisions appear obvious.

Don't hire unqualified security consultants (1)

inherent monkey love (875830) | more than 9 years ago | (#12239421)

There are plenty of well-known, professional security consulting companies out there who do the job right. If you hire a lower-cost consulting company who is just going to run a few variations of nmap and nessus and slop the results into a report, then you deserve the kind of pain you get.

Hire quality, get quality results.

Give them a budget (1)

John the Kiwi (653757) | more than 9 years ago | (#12239424)

I do a lot of consulting in the business continuity/security networking field and there is only one way to deal with a problem like this.

Every security policy comes straight from management, the IT staff configure the network based on the decisions that management has made. Your company is just revising their security policy and have tasked you with abiding by it. All you need to do is devise a budget for complying with their requirements.

Your company has decided they need more advanced security precautions taken, it really is not your position to question their decision. Just tell them exactly what solutions can be implemented to meet their requirements. If I were you I would be very excited, you have a perfect opportunity to prove your knowledge and value to your employers. You also have a plethora of Open Source solutions available to you - maybe I'm a zealot - but this kind of work is very rewarding.

If you can't provide this, then you are the wrong person for the job, or they need to outsource. It's that simple.

As for places to start, I would consider the pen-test mailing list at www.securityfocus.com, there are also several other lists that they host. The archives should give you some excellent references of where to start. You should also consider this to be the perfect time to request training and reference materials - books.

You shouldn't be surprised that your employers requirements have changed, you work in technology, technology reviews should be undertaken regularly and findings should be acted upon. Don't fear the change, use it as a chance to make your job easier and increase your value to your employer.

I sure wish I could find more clients like your company!

John the Kiwi

Just because technology changes and your job has changed

Personally, (1)

Leers (159585) | more than 9 years ago | (#12239428)

I like to sauté them with a generous amount of garlic and hot sauce. I find without excess seasoning they taste a little unpleasant.

Stop being such a crybaby. (1)

ponyslaystation (769016) | more than 9 years ago | (#12239429)

"mmmmmm,my boss wants me to do some work, mmmmm" sheesh.