Network Penetration Scans and Executive Reaction? 434
LazloToth asks: "I'm sure some of you have had this happen: your company pays the big bucks for a 3rd-party security audit and, when it comes back, you get called on the carpet for all the supposed 'holes' in your network. When you see the report, you recognize that it comes from a well-known open-source security scanner, and that the 'holes' in question are so obscure as to be meaningless. I told our risk management VP that to fix every item cited - - many of which were false positives or completely out of context - - would be next to impossible for our small IT staff, and that some of the fixes, if implemented, might have deleterious effects on an otherwise smoothly running operation. How do you handle these 3rd-party security people who make mountains out of every molehill?"
quit (Score:5, Funny)
Consultants (Score:5, Funny)
Employees can play this game too. (Score:5, Insightful)
Next, tell him that you need to migrate all the Windows users to MacOS because it's a more secure platform.
It seems a wonderful empire you could build - and have a wonderfully large impact at the company.
And anyway, what resume item looks better for you.
- Did a security audit; but realized that all the problems were minor.
Or.connecting two unrelated events in your favour (Score:4, Funny)
Manager: How can we fix all these security holes?
You: We can fix them no problem, I'll need another unix box for scanning and a 20% pay rise.
Manager: Ha ha ha...very funny.
You: I'm deadly serious.
Manager: What...you're serious...why a 20% pay rise!
You: Ok...you're right...10% is closer to the reality.
Manager: That's better...thought you could pull one over on ol' Bill, didn't you eh?
You: Yeah...sorry about that.
Re:Employees can play this game too. (Score:4, Insightful)
Someone convinces him that he has good ideas and he should express them at the next meeting. Spurred by this revelation, he enters the conference room.
The next scene shows him clearing out his desk.
It's your job as a corporate drone to rate management's decisions on a scale from good to excellent. Anything less might label you as a bump in the road, a thorn in the side.
When I'm in a corporate environment, my goal is to steer my superiors into the correct path without compromising their ideas.
Trust me. I have a large supply of well used cardboard boxes.
Re:Consultants (Score:5, Funny)
I always thought if you're not part of the solution, you're part of the precipitate.
Re:quit (Score:3, Funny)
Re:quit (Score:5, Insightful)
The managers and officers we got the attention of had screen captures of payroll-stubs or insurance histories in the report! At least an analysis of weak session obfuscation in cookie-files or the contents of hidden web-forms that exposed site-internals or revealed confidential information.
Also, we re-worded the horrible glut of NASL embedded descriptions, which are not consistent in their use of problem and remedy sections, are produced by hundreds of people with numerous first-languages, etc.
If a third party adds no value to the tools own automation, they are not performing a service.
Re:quit (Score:2)
Bah, I'm adding value! I'm adding $5000!
Re:quit (Score:5, Funny)
With the current paranoia, lack of decent security awareness (and therefore the lack of ability to evaluate the results), and the ability to impress a PHB by wearing the "right" suit, you could easily charge $50,000 for a Nessus scan. $5,000 would barely pay for an NMap sweep. For Unix servers, also use SARA and TARA for $10,000 apiece.
In today's atmosphere, it should not be possible to walk away from a securty contract with less than $75,000. Double, if you use that random paper generator, covered by Slashdot a day or so ago.
Re:quit (Score:3, Funny)
*NOTE: Yep, that really happened ... , but try adding ANOTHER zero first. And don't forget to kick back 17.5% in "commissions" to your buddies.
Re:quit (Score:5, Funny)
Okay.
$0,500,000.00
Re:quit (Score:4, Funny)
(just a joke, Canadians are cool. Literally).
Re:quit (Score:3, Informative)
For those who don't get it - there is only one Olympic Stadium in Quebec, and it's in Montreal. Didn't stop the guys from doing this:
Re:quit (Score:5, Funny)
Conning + Insulting = consulting.
No problem man...
Attribution... (Score:3, Informative)
Its their job (Score:5, Insightful)
Its their job to be detailed. You have to infer those reports and draw conclusions. They were hired to point out the holes, you have to decide whether its worth covering them
Re:Its their job (Score:5, Insightful)
Re:Its their job (Score:5, Insightful)
Re:Its their job (Score:2)
Re:Its their job (Score:5, Insightful)
Or, you could not be an asshole, and try to calmly and simply explain the report in WRITTEN FORM. Write your own report about their report. Managers like reports. WRITE ANOTHER REPORT. Écrivez un autre rapport. Escriba otro informe.
Instead of running in there all willy nilly acting like they're complete idiots, just work with them on their level. They're paid to make decisions, and they know that it's dangerous to make a decision if there aren't hard facts on paper. Explain yourself. Give references to your conclusions -- back yourself up! Show that you have a brain in your body instead of just coming off as another annoying, slacker engineer.
Re:Its their job (Score:4, Insightful)
Yup, sorry. My mistake.
Trust in your skills (Score:4, Insightful)
There is an issue of trust in the ability of your engineers though. I had this problem at my previous employer (which I left). If the manager consistently does not listen to your advice (however presented), think about it a bit: It means he/she actually does not have much faith in your skills, and does not trust your advice. This is inherently going to be a problem for you, regardless of whether or not you are able to 'document your thought processes'. What kind of reference are you going to get from a manager who doesn't trust your capabilities and thinks you're probably mediocre? What kind of opportunities for promotion, salary increases, increased responsibility etc. are you going to get from a manager who doesn't recognize or trust your capabilities? If this is what is going on, you need to get out anyway, because you're going to hit a "glass ceiling" very soon in your career.
IMO, good managers recognize skills, and place trust in their employees, giving them enough 'free rein' to 'work their magic' and not preventing them from doing so.
Re:Its their job (Score:5, Interesting)
Second best - sit them down and ask them to demonstrate the problem by breaking into your system NOW. Make sure it's a linux or bsd box, at a console, not a graphical login, and don't give them a user name or password. Most of these weenies are only comfortable with Windows.
Third best - tell them they were running nmap against your honeypot, not against your real network. They won't know if you're lying or not.
Re:Its their job (Score:5, Insightful)
If the security holes are on Windows systems and found by security professionals that deal mainly or exclusively with Windows, I fail to see how using an alternate os as a strawman to cast doubt on their technical ability helps anyone.
Re:Its their job (Score:4, Insightful)
You would have a point if they claimed to be "Windows Security" people but that's not the way they sell their services or present their results.
I for one *love* ripping these guys new ones. In particular when I produce the same report in a couple of hours. All kinds of fun.
Re:Its their job (Score:5, Funny)
The computer security expert sat there for 30 minutes confused as to why simply pressing escape at the login prompt did not get him into the system on our W2K boxes.
he mentioned to our Director that our systems must be mis-configured and that he noticed that our cisco 2950 switches were also not configured for 1000BaseT and we should enable the gigabit features of that switch.
I am NOT joking. this was the security expert hired by our company to see if we had security problems and to find any networking bottlenecks.
we simply let him leave after thanking him for his expertiese, the CTO of the company reccomended this moron and we cant tell the CTO that his brother-in-law is a complete and utter idiot.
Thankfully this was 3 years ago. and we were owned by a different company then... the executive staff all were sacked during the last merger.... One of the few times I welcomed a merger.
Re:Its their job (Score:3, Interesting)
Yeah, and that will make you look...co-operative, right?
I've done security consulting for years: tens of Nessus scans, web app tests, pen. tests etc. From this background I have some points here.
One clear problem for a third party consultant is that the risk level assignment is not necessarily as clear cut as the Nessus/ISS/whatever report says. We've never given a client a report directly from the tool, but have written our own detail
Re:Its their job (Score:3, Interesting)
Maybe I'm being naive here but I would hope that the "risk management VP" knows something about risk management. So, the approach I would take is to categorize the risks: seriousness of vulnerability, difficulty of fixing, priority.
If you break it into priorities, and put in some effort estimates, and the VP says, "fix all of them", that's tough for
Re:Its their job (Score:5, Insightful)
I think the very best way is to tie it back to things the boss cares about: money and productivity.
Go through the report and come up with solutions that cover all the points, at least the ones that aren't bogus. Explain what each solution will cost (both in cash and in business impact), and what, in business terms, the benefits are.
If your instincts are right, your boss will say something like "Better security is well and good, but I'm not doubling the IT budget and inconveniencing our staff for so little improvement." And if it turns out there are some things that they're willing to pay extra for, then that's great: you get more budget and new toys.
Note that if they suggest you do more stuff without changing the budget, then you should be ready to say, "Oh, ok! Which things were you thinking of cutting? I recommend X, Y, and Z." Never let them get the idea that they can just heap unfunded mandates on you. That's not an option, just like haggling with the clerk at WalMart isn't an option. It's not that you refuse; it's just that it isn't an option.
Re:Its their job (Score:5, Insightful)
Tell him what in that report what you think is worth fixing and why and how much it would cost and tell him what you think isn't worth fixing and why and how much you will save by not fixing things that don't need fixing.
If the security check was a waste of company money and your time, make recommendations on how to do/get a security check more effectively next time. Might be best to not say it was a complete waste of money, since your boss may have been involved in buying the security check.
Re:Its their job (Score:4, Insightful)
Never say, "It can't be done."
Say, "We can and will do it; here are the resources required to do it." Remember Scotty's Rule to double-double the resources you think it will take; once because it always takes twice as many resources as you think it will, and a second time because sometimes it takes more than twice as long.
I never tell my superiors that something can't be done, because any technical problem is solvable given infinite resources. The key is to assess the number of resources and make sure they're informed of the resources required. Once they know that, then it's up to them to make the decision.
Re:Its their job (Score:3, Interesting)
I set up monitoring on the network so that if anyone started to do anything funky on the network my terminals would beep.
I would then printout a piece of clip art with hand cuffs on it.
Trace down the ip address. Then walk to the correct office an say "Hi, are you doing something strange on the network?"
When they said the were, I would hand them the paper with cuffs and ask them to let
Comment removed (Score:5, Interesting)
Re:Its their job (Score:3, Funny)
Whoah... I'm all for good security, but don't you think using the International Space Station is a bit overkill?
Re:Its their job (Score:3, Interesting)
So, one day I get a call that there's a seri
Cowboys (Score:3, Interesting)
. . . then they are quite similar to most of the fly-by-night security companies in existance today.
They really are a plague. Typically a small number of university students, or recent graduates, trying their hand at "start-up dotcom". There are two or three guys who know linux, a little about cisco routers, maybe had a course where they learned about Nessus. There will be fast talking marketing and sales slime involved as well. They are all very you
Re:Its their job (Score:3, Interesting)
Yes...and this is why they should be providing context whenever possible to the "holes" they find, and verifying false positives (or qualifying them). I work for a security company, and we're very careful about this. For example, on many systems when a daemon is patched, the banners are not updated and so we'll see fully patched servers that flag on having vulnerable versions of software. We've seen this time and time again, and know that it could be the case each time w
Address The Report (Score:5, Insightful)
In the end, if you can't specify why it SHOULD be that way, then you should make it secure. If you can say it HAS to be that way for a specific reason, then you should say how you are mitigating the risk. If you're not mitigating the risk, well, you better come up with a really good reason your boss is going to like.
Do use the tools yourself too, and prioritize (Score:2)
Don't be so smug and self-righteous. (Score:5, Insightful)
Outside companies are always more authoritive than in house staff. "they're not form here so, they must be the authority on the subject."
By the way, the "holes" he is referring to are likely things like:
Can determine path to host via traceroute. Danger Will Robinson!
SMTP server returns a header. Shock! Horror!
HTTP server returns a header. OMG! This must be fixed!??
Bullshit. (Score:2)
It reports _truly_ obscure things, as it should, but which security consluttants has a tendency to blow out of proportion.
One of the points of security consluttants is to use tools to MAP the network. Then they should determine what your network SHOULD do, and which services SHOULD be running - and doing _what_.
Then they should check this against the map of the network, and remove all items which are irrelevant, and interpret the facts.
THEN
Re:Bullshit. (Score:3, Funny)
Change your qmail banner string to read what an exchange server would read - an old, unpatched exchange server - and then watch the consultant's smile disappear after they list all of the vulnerabilities that you've got and you tell them that you were lying.
Re:You mean tell the boss the dump windoze? (Score:5, Insightful)
We run a few sites on IIS and use Exchange for all our corporate email, and haven't had a single incident. Similarly, we've not had a single incident on any of our Linux or Solaris servers, either. You just have to know what you're doing.
Re:Risk Assessment Done By Professionals (Score:3, Informative)
If the boss wants you to "fix" them all, give him a report of your own. "This is setup this way because of X, and the risk is mitigated by Y." If it's not a risk, explain why it is not. If you can't explain why it's a risk or how you're mitigating the risk, then you should be called out on the carpet.
Risk mitigation doesn't necessarily mean you have to close the "hole". Simply that you are aware of it and you've done what make sense to address it. If there is a hole tha
Just like every consultant (Score:3, Insightful)
Re:Just like every consultant (Score:2, Funny)
Re:Just like every consultant (Score:3, Insightful)
Details do matter, despite cries of "making huge deals out of everything"
You need to... (Score:4, Informative)
It's called a 'Risk Analysis'. (Score:3, Interesting)
Your basic risk analysis takes a look at all of the vulnerabilities on the system. For each one, you list the following:
Of course, management likes numbers, so you rank each item f
Deal With Them (Score:5, Funny)
Post the company name and URL on slashdot and let them have a 'specialised security audit'...
Re:Deal With Them (Score:2, Funny)
Re:Deal With Them (Score:3, Funny)
Re:Deal With Them (Score:5, Funny)
Here's how I would handle it. (Score:5, Interesting)
Sit down with your boss and explain what each open port is and why it is open. Then explain what happens if you close that port.
Lock everything down tighter than fort knox, starting with your bosses machine (Yes sir, Im sorry you can't surf the internet, we closed that outgoing port because it was a security risk)
One of these should work (or get you fired) either way, you don't have to deal with employees upset because their VPN or Remote Access doesn't work.
you do your job (Score:5, Insightful)
As someone else said - if you can't do that, there's a problem.
smash.
We can help (Score:5, Funny)
I think we need more details on the severity of your security holes. Give us your company's IP range, and if we find anything significant we'll leave a note for you on your desktop.
document (Score:2, Insightful)
Get a new consultant (Score:5, Insightful)
Re:Get a new consultant (Score:2)
They only did half their job.
Re:Get a new consultant (Score:2)
It's not doing the company nor the consultants any good to provide a report that isn't valuable. I've done I'd guess more than 50 vuln/pen assessments, and when I've spent the time to understand the environments and evaluate the security issues presented, the client always reacted wonderfully to the reports and commented on what a great value they were.
Before I was seasoned enough to do that, reports were largely ignored; vulnerabilities rarely fixed.
It's disappointing to see. I am
Re:Get a new consultant (Score:5, Insightful)
Security isn't just a matter of collecting raw data. Anyone can collect raw data. Raw data is like raw sewage - it benefits nobody but can be used to make a big stink.
At the very least, to be usable there needs to be an assessment as to the actual threat level of each vulnerability. For example, you could have an insecure, unpatched Windows 95 box locked in a cupboard with no console or network access. A vulnerability assessment would turn up a bazillion holes, but absolutely none of them would be exploitable.
In crude terms, you can measure risks in terms of two scales. Let's use letters for the first and numbers for the second. The first measure is the ease of reaching that vulnerability, the second is the ease of using that vulnerability to access other systems or data.
Thus, any computer directly reachable from the outside world would be an "A" class risk. A machine placed outside of the firewall which does not have direct access to the inside (not an unusual arrangement for informational webservers) would be relatively low risk for data and might be given a 9. So, a vulnerability on your advertising website would be an A9 risk.
A firewall, on the other hand, has direct access to the inside. If the firewall has proxy servers sitting on it, it will likely have a high level of trust. So, a vulnerability on such a system might be given a rating of A2 or A3. (It doesn't have valuable information itself, but it can be used to reach a machine that does.)
A data warehouse, on the other hand, might well sit on a SAN that can only be reached through a firewall which runs to the servers on the corporate LAN, which itself is behind a firewall. Now, an attacker needs to go through between three and five layers of security (depending on how secure the network traffic is). On the other hand, access to the data warehouse would expose critical data. A vulnerability in this case might be given a class of E1.
Managers could look at these ratings - A5, E1, etc. They could then use those to get an idea of how urgent fixing the hole was. A rating of F9 (six layers deep, no information of significance) could safely be ignored at the start. A rating of A1 (reachable from the outside, mission-critical data exposed) would want to be fixed the week before last.
These are the kinds of things managers can understand. Nobody should expect them to have a detailed understanding of TCP/IP stacks, buffer overflows and sniffer technology. They may well have, but no sane consultant should require it of them. Unless said consultant knows that the product they are delivering is so bogus that a technically-competent manager would nail them to the wall for it.
Re:Get a new consultant (Score:5, Interesting)
The poster obviously is not in the position to `get a new consultant'. His problem is how he can hit his management with the clue stick.
Let me tell you a story that happened just a few weeks ago: I'm the CEO of a consulting company that does quite some security work. We were brought into the following situation: A customer of an outsourcer got an `independent' security audit by HP. The HP folks took the (actually very good) CIS benchmarks and demanded that each and every item of that benchmark is followed to the letter. As part of that, they demanded that the NFS and Samba servers are turned off.
There's just one small problem -- the actual service the outsourcer was providing to the customer is -- tada! -- file service over NFS and CIFS! The outsourcer pointed this out to their customer's management. That management is a bunch of morons and just told them back: But this is a security audit of HP, they know their thing! So they had to bring us in, to give their opinion `management cloud' by creating pretty PPTs.
Even though we earned quite some money on that job; I would have prefered to work on really improving the security, in particular the processes, instead of fencing unprofessional HP security `consultants' and idiotic management PHBs.
Most so-called "Net Security Consultants"... (Score:3, Interesting)
My employer recently went thru one of these and I prepared for it (I am the network admin) by writing a list of everything the consultants would find, and why they would find it and what could or could not be done about it short of completely unplugging the affected bunch
Do exactly what he says (Score:2)
Cost (Score:5, Insightful)
Then, let the boss make the budget decisions, and carry them out. Make sure extra staff is included in your report.
Re:Cost (Score:3, Funny)
Then you can hire another consultant to analyze the risk analyst's analysis to see how much it should cost you to clean those things up.
Then you'll have to hire some technical writers or some such to write up what you've done.
Like, duh!
(you'd think I were a consultant still! But no, I'm not anymore!)
One word... (Score:2, Funny)
The weakest link... (Score:5, Interesting)
Every chain is only as strong as its weakest link.
This holds true in the military area, more than everywhere else. I work in environments that are very sensitive to security, and we take such external reviews extremely seriously. There's no such thing as an "obscure" or "irrelevant" weakness.
Unlike most vanilla companies, we can't afford to let things slide, security-wise. Knowing that your clients are prime target for highly professional black hats and (not only industrial) spies is highly motivating. This includes (of course) penetration testing (conducted both internally and by independant contractors), but also exclusive use of open source code and internal code auditing. As an aside: personnel (HR) auditing is also very important, if not even more so than technical aspects!
Sure, most companies don't need this level of security awareness and can get away with being "pragmatic", but don't complain when your client database (with all the goodies like credit card data etc.) gets compromized!
Easy solution (Score:5, Funny)
See where they did the scan from and drop all packets at the firewall from that domain?
Re:Easy solution (Score:3, Insightful)
Re:Easy solution (Score:5, Funny)
Thank you again for the opportunity to conduct a security audit on your organization. We would like to let you know that you failed your security audit because none of your systems passed a simple availability test and all of them had the same issues the last time we conducted our scans. When we started this scan, all of your systems appeared to be down when we tested your company from a known IP address. Suspecting that your staff thought they could block the scan, we simply changed our IP, and were able to test your servers. Our tests show a number of things:
1) You show no improvement in security. All the old holes are still there, and we found some new warez servers, along with numerous bots, spam engines and several IRC servers. These make for an excellent addition to the old warez and IRC servers, spam engines and zombies that make up your organization.
2) Your IT staff is clearly made up some stupid people. How they could have thought blocking IPs would keep us from testing their servers is beyond belief. They really are a piece of work.
3) Your employees can not be trusted because they are trying to cover up this cluelessness in the most incompetent manner possible.
4) You are oblivious to the cluelessness on your employees part.
5) You're company really is dumb if they think they can block the source of an audit from a security company. Come on, we do this for a living, did your IT people really think they could stop us? Seriously, what moron thought this would work? Did they read this on slashdot or something?
To summarize, your systems are wide open and compromised, your staff is incompetent and untrainable and your attempts to block our scans were additional fruitless indicators of your staffs pathetic grasp on even basic IT concepts. Frankly, we'd like to thank you for the free money, and to pass on our thanks to your clueless staff for making this process trivially easy. If we only had more idiotic customers like you, it would make our jobs so much easier.
Looking forward to your next follow up scan. Please be sure to promote everyone in your IT department as we are thrilled with their work so far!
Next to worthless (Score:5, Funny)
At one point, some of the staffers got the idea that network performance might not be optimal, and it was decided that we should do a performance audit. A contractor was brought in to spend a few hours sniffing our network, then go away and do a thorough, in-depth protocol analysis. The result of this analysis was a 20-page report detailing their findings.
The conclusion was that there was, indeed, a lot of unnecessary packets of traffic flying around the network. Their solution?
"Eliminate the Appletalk networking protocol."
Uh, yeah. Thanks guys, here's your $2,500.
(Maybe the best solution is to do whatever you can to educate management and set expectations at appropriate levels.)
Re:Next to worthless (Score:5, Funny)
"Eliminate the Appletalk networking protocol."
A worthy and noble goal. Chattiest protocol ever.
"Are you there printer?"
"Yeah, I'm still here."
"Sweet.. just checking"
"So.. uh.. what's new with you?"
"Not much, did you see the file share that moved in down the block?"
"Yeah, he was talking to me earlier"
"Nice guy. I like him. He shares files you know"
"So I gathered. As a printer, I don't think I need to talk to him"
"Heh, yeah, that's probably true. But hey, never hurts to keep in contact with everyone, even if you have nothing in common"
"I hear you brother! So, um.. did you need to print something?"
"Me? Oh no.. I'm just keeping tabs on everyone"
"Yeah... I do that too"
They did their job, now do yours (Score:5, Insightful)
Sit down, take the list and prepare a reasonable time & budget to fix each item along with your recommendations of the order to fix them in (based on business risk). Make sure your numbers and hours are realistic, because chances are excellent that he'll ask the consultants for the same info.
Then Mr VP can either allot internal resources to fixing the problem or hire outside consultants, or both. Business risk deals with a lot of things both real and perceived. In some cases, having the perception of risk is just as bad a the real thing (from a liability perspective, thank you Millberg Weiss).
Your VPs job is to determine the acceptable level of risk for the company. Yours is to aid him in that decision, not make it for him.
it's haaaard work (Score:5, Interesting)
Since you don't cite any examples of these issues, I would bet you're one of these people who think running PHP with register_globals on is a "molehill?"
Cite some examples, or else this looks like you're complaining that tightening security holes would be
Re:it's haaaard work (Score:5, Interesting)
The poster had stated that the report came from "well-known open-source security scanner" which I can only assume means that it was generated from Nessus. As someone who runs Nessus on a regular basis for my company I have to say that the reports generated from nessus can be next to useless if not properly interpretted.
For example it will flag our RHEL boxes for running Apache 2.0.46 due to some obscure DoS or bug. Recommendation: Upgrade to latest. However it doesn't take into account that Red Hat has backported the fix into 2.0.46 and that RH Apache 2.0.46 is not vulnerable.
In addition, Nessus bitches about everything it sees, such as mail.domain.com is listening in on port 25. This is not a security risk, but rather intended behaviour.
I found myself in a similar position last year when a user brought in his home laptop and scanned the internal net with Nessus. This user brought the results to upper management at my company without even talking to us sysadmin folks. The manager freaked when she saw her servers so "vulnerable" and asked the sysadmin manager "what the hell is going on?".
Fortunately I had been conducting weekly Nessus scans myself. I showed my manager our archive dating back for months, and explained how this is prone to false positives. Explained how we had taken care of the real problems, and what can show as a false positive. He was impressed, went back to the other manager and explained the rest. In addition he had the user suspended for a week without pay for violating the terms of service for our network.
Long story short, cover your ass and run your own scans. Take care of issues as they come up. If a consulting company comes in and just runs a Nessus scan on your network, explain to your managers how the company is not offering anything new and how they haven't put any effort into interpretting the results.
It's not about spin, it's about interpretting what a security risk truly is.
Re:it's haaaard work (Score:3, Interesting)
Because he didn't scan any of the machines that I work on. We are an offsite Gubmint facility, with each project having their own administrators. I, myself, work on a project.
The other administrators did notice, but assumed it was my scan since it came from an internal IP. I did go over IT infrastructure policy where it states that all scans are come from itscan.domain!
Better yet, have security walk i
Tell your boss not to hire penitration testers (Score:3, Informative)
Dealing with "out of context" issues (Score:3, Informative)
Human nature being what it is, pointing this out to the boss is likely to embarass him and make him feel like you're being a smartass. In general I find that explaining the security continuum (where at one end you have low security, low cost, and all the functionality you want, and at the other end you have high security, higher cost, and some curtailing of functionality) is helpful in coaxing them out of the mentality that security is a one-way street. In the real world, high security entails compromises, some budgetary (even if only for more sysad time) and some functional (not every new flashy network app can simply be added to the system without security analysis).
I've also found that explaining the security process in terms of priorities is helpful. I used to use a top 10 list that showed management exactly what was highest priority, what came next, and so on. This helped them realize that not all threats are equal .
Best of luck to you.
As with most potential conflicts with a manager... (Score:4, Insightful)
"Do you generally trust me to keep the network secure?"
"Do you see the possibility that this company might make mountains out of molehills to demonstrate their value?"
"If we DO find out that I have left some things unattended, will you give me the chance to correct them?"
Etc.
Your boss, more than anything, wants to know he's in good hands. Even though he may not consciously know it, his trust in YOU is the most important thing; his trust in the NETWORK is secondary; his trust in a temporary CONTRACTOR is a fleeting thing.
If you adopt an overly defensive or confrontational posture, you do nothing but hurt your relationship with your boss, and ultimately yourself.
1 man's molehill... (Score:2, Informative)
Their jobs are to be as thorough as possible, your job is to analyse the data and figure out what it means with the knowledge you have from working within the organization and understanding the quirks that are native to your workplace. Hopefully your b
Fr. Guido Sarducci (Score:3, Informative)
Fr. Guido Sarducci replies: Son, you'll just hafta let it go. These bozos just won't get it anyway. Besides, it IS their network, they just pay you to play with it.
Don Novello Pipes up: Who are you wankers anyway?
How to handle Security issues? (Score:2, Interesting)
How to handle the security report? With the same seriousness as your boss, he signes your paychecks after all.
Proof (Score:2)
Or if you don't want to make that drastic of a move, tell him or her that you should outsource that security to the company that did the scan. That's probably why they gave such a mountain-molehill report anyway. If your boss is going to believe them, then make them "fix" the network, and then explain
Clarify (Score:2)
Examples? (Score:2)
First: do your homework and get a background (securityfocus.com is a great place to start) on all items listed.
I know first-hand where we have a dependance on older versions of certain software packages because some custom apps we ahve running break when these older programs are upgraded.
Excuse for new equipment (Score:5, Funny)
Easily handled (Score:2)
Seriously, if your boss trusts some outsider consultant more than his own IT people, either you have the wrong boss, or he has the wrong IT people. Or both.
You should be the V.P. (Score:3, Funny)
"How do you handle these 3rd-party security people who make mountains out of every molehill?"
That's not the first step. The first step is for your company to make you VP of risk management.
Common Sense (Score:3, Insightful)
Whatever they do, they will not have much info on the real impact on your company of any security breach, nor will they have any clue as to your company priorities. This can only come from inside your company. Some would call this "putting a spin" on the report, but in reality all you are doing is adding the extra columns to the report:
Likelihood of an exploit of this vulnerability
Impact of a successful exploit
Cost to fix
If you can't put numbers to these things then just say Low/Medium/High.
Undoubtedly there will be some things that really do need fixing, but for the low priority items maybe you can batch them together into a work packet and get budget or resource to tackle them properly. Better you guys do this and make sure there are no deleterious effects on live systems than some contractor is pulled in to do it blindly.
Obscure? (Score:3, Interesting)
Mountains are nothing.... (Score:3, Insightful)
I am currently dealing with this. I work in a very small IT shop (by small I mean me) in a not so small company (100+ million $ in revenue). We also have MIS, but they are just users in the network context. We recently were blessed with a new COO who very much wants to control all departments... can you say burnout in progress. Anyway, he wanted to get a third party audit. We (MIS who has control of me) turned it into a major project and accepted proposals from many companys (this burned a lot of hours). Then when a vendor was selected I took the audit report and thoroughly documented each hole and its risk to us. The amount of work and risk caused by fixing it as well as the cost. Then, when it is done I prepared a cost benefit analysis of the various actions. My goal was to teach them a lesson. Instead, I learned one. Because my documentation was able to show them the complexity of the network I work with and the technology which we take for granted. They agreed to hire me a technician. Also, they allowed me to decide what in the security was worthwhile to address and source out a chunk of it as a project. The lesson is, use this to your advantage. How many times do you feel excluded from decisions because it is "a business matter", I do frequently. This showed them that I understood my job from the point of view of adding value to the organization and that is very important in business. In short, as my subject read, mountains are nothing make it into a mountainrange. Once they see it and they see you willing to conquer it for them, you all win.
Make an ass out of them in front of your Execs.. (Score:3, Interesting)
Re:Make an ass out of them in front of your Execs. (Score:3, Insightful)
Isn't it Obvious? (Score:4, Insightful)
They've done nothing wrong. It's their job to point out every molehill. It's your job to perform a threat/risk assessment for each molehill and present a range of mitigations to your boss. For example:
This honestly isn't rocket science. The consultick isn't out to destroy you. He's just doing his job. And yes, it's amusing that the consulticks charge huge amounts of money to run nmap and Nessus, but they were only brought in because you obviously don't have the time to do it yourself.
I get the impression that you've taken this as a personal slight. I think that you believe the consultick's report has made you look bad. Get over it. Maybe you have made a mistake. Maybe you haven't. Your boss doesn't know yet because he isn't informed. Informing your boss of the risks and the costs raised by the consultick's report should be your #1 priority. If you do a good job, you and the consultick will both look good.
Security Scanners, Inc. (Score:3, Interesting)
One of our credit card processing companies got a wild hair up their ass about security. Security is a good thing, I fully believe in it. But they hired their own 3rd party company to scan us. Over, and over, and over again.
The 3rd party sent them a big list, where we were just on the friendly side of a passing score. I'm not pleased with "just" passing. They sent me the list, and "suggested" that we fix all these obvious holes in our security.
Some of them were that the sites resolved in DNS. Ummm, you go to example.com, it's gotta resolve.
Another was that we had a firewall up. Because packets disappeared into our network (dropped, instead of rejected), it was a clue to potential hackers that we had a firewall up.. {sigh} Ok, so our firewall did exactly what we wanted, and we get scored down??
The remainder of the list were assumptions. They (through fingerprinting) identified that we were using *nix machines, we are running Apache running on the web servers in question. At the time, Apache_SSL was about 2 subrevisions behind Apache itself, which made it impossible to stay with Apache_SSL, and pass their test. Their beef with it was that there was an exploit for Win32 and OS2 for the particular version we were running. I wrote them a nice email and said "Ok, so there's an exploit for Win32 and OS2 for that version, but we're running on *nix".
The temporary fix for the Apache "warning" was to not display the version of Apache. I later changed over to mod_ssl, and stuck with the current version.
We still get quarterly reports from them. I sigh every time I see them. They just piss me off. Not that we're getting a security review, but the fact that I have to explain why perfectly acceptable things are listed. I can never get my score to 0 threats. Even if I firewalled off the machine, so they couldn't see it, I'd still get points against me, because they can see there is a black hole, where they know there is a machine. {sigh}
I glance over the list when it comes in, and look for anything interesting. Do they have anything relevant to tell me? Nope? Ok, put it off til next week to decorate around their mental problems. Most days, I have real work to deal with, and don't feel like doing stupid tricks for their entertainment. Of course, if I have the time, I love messing with them. Let them wonder why I'm running Apache 4.9.1 on an unknown platform.
Re:Hire somebody... (Score:2)
Re:This is why I love my job (Score:4, Insightful)
until you want to be a public company.
Re:Good question (Score:2)