Forgot your password?
typodupeerror
Security Businesses

Network Penetration Scans and Executive Reaction? 434

Posted by Cliff
from the mountains-back-to-molehills dept.
LazloToth asks: "I'm sure some of you have had this happen: your company pays the big bucks for a 3rd-party security audit and, when it comes back, you get called on the carpet for all the supposed 'holes' in your network. When you see the report, you recognize that it comes from a well-known open-source security scanner, and that the 'holes' in question are so obscure as to be meaningless. I told our risk management VP that to fix every item cited - - many of which were false positives or completely out of context - - would be next to impossible for our small IT staff, and that some of the fixes, if implemented, might have deleterious effects on an otherwise smoothly running operation. How do you handle these 3rd-party security people who make mountains out of every molehill?"
This discussion has been archived. No new comments can be posted.

Network Penetration Scans and Executive Reaction?

Comments Filter:
  • quit (Score:5, Funny)

    by s20451 (410424) on Thursday April 14, 2005 @06:16PM (#12239137) Journal
    Quit your job and start a 3rd party security consulting company.
    • Consultants (Score:5, Funny)

      by WD_40 (156877) on Thursday April 14, 2005 @06:23PM (#12239219) Homepage
      If you can't be part of the solution, there is good money to be made in prolonging the problem.
      • by Anonymous Coward on Thursday April 14, 2005 @07:05PM (#12239595)
        You could always tell the risk-management VP that he's absolutely right and that you need a bigger staff and budget to fix the problem.

        Next, tell him that you need to migrate all the Windows users to MacOS because it's a more secure platform.

        It seems a wonderful empire you could build - and have a wonderfully large impact at the company.

        And anyway, what resume item looks better for you.

        • Did a security audit; but realized that all the problems were minor.
        Or.
        • Lead a $17 million dollar security upgrade for the entire enterprise.
        • by the-build-chicken (644253) on Friday April 15, 2005 @12:14AM (#12241401)
          it's surprising how often you can connect two completely unrelated events/actions and make them seem interdependent simply by matter-of-factly asserting that the connection exists.

          Manager: How can we fix all these security holes?
          You: We can fix them no problem, I'll need another unix box for scanning and a 20% pay rise.
          Manager: Ha ha ha...very funny.
          You: I'm deadly serious.
          Manager: What...you're serious...why a 20% pay rise!
          You: Ok...you're right...10% is closer to the reality.
          Manager: That's better...thought you could pull one over on ol' Bill, didn't you eh?
          You: Yeah...sorry about that.
        • by staev (663985) on Friday April 15, 2005 @12:38AM (#12241518)
          I'm remined of a Taxi episode. In it, there's the ultimate corporate flunky. Nobody seems to remember his name, nobody knows exactly what he does. At meetings, he never says a word. The picture of the family on his desk came with the frame.

          Someone convinces him that he has good ideas and he should express them at the next meeting. Spurred by this revelation, he enters the conference room.

          The next scene shows him clearing out his desk.

          It's your job as a corporate drone to rate management's decisions on a scale from good to excellent. Anything less might label you as a bump in the road, a thorn in the side.

          When I'm in a corporate environment, my goal is to steer my superiors into the correct path without compromising their ideas.

          Trust me. I have a large supply of well used cardboard boxes.
      • by TheGratefulNet (143330) on Thursday April 14, 2005 @07:08PM (#12239625)
        If you can't be part of the solution, there is good money to be made in prolonging the problem.

        I always thought if you're not part of the solution, you're part of the precipitate.
    • I'll sell you Nessus for a discounted price of $4000!
      • Re:quit (Score:5, Insightful)

        by Jeremiah Cornelius (137) on Thursday April 14, 2005 @06:41PM (#12239395) Homepage Journal
        I used to do this work. We always backed the scans up with hand-checks, and examined environments and mitigating circumstances.

        The managers and officers we got the attention of had screen captures of payroll-stubs or insurance histories in the report! At least an analysis of weak session obfuscation in cookie-files or the contents of hidden web-forms that exposed site-internals or revealed confidential information.

        Also, we re-worded the horrible glut of NASL embedded descriptions, which are not consistent in their use of problem and remedy sections, are produced by hundreds of people with numerous first-languages, etc.

        If a third party adds no value to the tools own automation, they are not performing a service.

        • If a third party adds no value to the tools own automation,

          Bah, I'm adding value! I'm adding $5000!
          • Re:quit (Score:5, Funny)

            by jd (1658) <imipak@noSPam.yahoo.com> on Thursday April 14, 2005 @06:59PM (#12239563) Homepage Journal
            You don't understand the market, do you? :)


            With the current paranoia, lack of decent security awareness (and therefore the lack of ability to evaluate the results), and the ability to impress a PHB by wearing the "right" suit, you could easily charge $50,000 for a Nessus scan. $5,000 would barely pay for an NMap sweep. For Unix servers, also use SARA and TARA for $10,000 apiece.


            In today's atmosphere, it should not be possible to walk away from a securty contract with less than $75,000. Double, if you use that random paper generator, covered by Slashdot a day or so ago.

          • Re:quit (Score:3, Funny)

            by tomhudson (43916)
            Bah, I'm adding value! I'm adding $5000!
            There's your problem. If you worked for the Liberal Party of Canada, you'd be adding $500,000.00. And billing the government 3 times for the same report. For events at 5 sites in 5 different cities. On the same day. For work that was never done.*

            *NOTE: Yep, that really happened ... , but try adding ANOTHER zero first. And don't forget to kick back 17.5% in "commissions" to your buddies.

            • Re:quit (Score:5, Funny)

              by Rei (128717) on Thursday April 14, 2005 @07:53PM (#12239916) Homepage
              but try adding ANOTHER zero first.

              Okay.

              $0,500,000.00
    • Re:quit (Score:5, Funny)

      by Anonymous Coward on Thursday April 14, 2005 @07:03PM (#12239587)
      Just remember,

      Conning + Insulting = consulting.

      No problem man...
      • Attribution... (Score:3, Informative)

        by mi (197448)
        This, actually, was a Dilbert cartoon... Dogbert was saying: "I like to con, and I like to insult. I'll be a CONSULTANT!"
  • Its their job (Score:5, Insightful)

    by rovingeyes (575063) on Thursday April 14, 2005 @06:17PM (#12239143)
    How do you handle these 3rd-party security people who make mountains out of every molehill?

    Its their job to be detailed. You have to infer those reports and draw conclusions. They were hired to point out the holes, you have to decide whether its worth covering them

    • Re:Its their job (Score:5, Insightful)

      by rivaldufus (634820) on Thursday April 14, 2005 @06:22PM (#12239209)
      Sure, but many executives assume that anything an outside "security" company says is scripture. I think he's looking for the best way to get the point across.
      • Re:Its their job (Score:5, Insightful)

        by rovingeyes (575063) on Thursday April 14, 2005 @06:28PM (#12239268)
        Actually I had a very different experience so far with my boss. May be I am lucky? I don't know. But my execs never decide on anything unless they consult me. In fact the vendors try to convince me more than my execs. Not to sound too arrogant or cocky, but I have found that if you can convince or prove to your superiors that you are capable, then they will trust you more than any body else.
        • And if your superiors aren't intelligent enough to recognize competence, quit. Go someplace that they will be able to judge you for what you can do.
          • Re:Its their job (Score:5, Insightful)

            by op00to (219949) on Thursday April 14, 2005 @07:06PM (#12239610)
            Yeah, quit. That's the mature, sensible way to go.

            Or, you could not be an asshole, and try to calmly and simply explain the report in WRITTEN FORM. Write your own report about their report. Managers like reports. WRITE ANOTHER REPORT. Écrivez un autre rapport. Escriba otro informe.

            Instead of running in there all willy nilly acting like they're complete idiots, just work with them on their level. They're paid to make decisions, and they know that it's dangerous to make a decision if there aren't hard facts on paper. Explain yourself. Give references to your conclusions -- back yourself up! Show that you have a brain in your body instead of just coming off as another annoying, slacker engineer.
      • Re:Its their job (Score:5, Interesting)

        by tomhudson (43916) <barbara.hudsonNO@SPAMbarbara-hudson.com> on Thursday April 14, 2005 @06:49PM (#12239488) Journal
        the article:
        How do you handle these 3rd-party security people who make mountains out of every molehill?"
        Parent poster:
        I think he's looking for the best way to get the point across.
        The best way to get your point across - hack the consultants' box!

        Second best - sit them down and ask them to demonstrate the problem by breaking into your system NOW. Make sure it's a linux or bsd box, at a console, not a graphical login, and don't give them a user name or password. Most of these weenies are only comfortable with Windows.

        Third best - tell them they were running nmap against your honeypot, not against your real network. They won't know if you're lying or not.

        • Re:Its their job (Score:5, Insightful)

          by dr_dank (472072) on Thursday April 14, 2005 @07:15PM (#12239674) Homepage Journal
          Second best - sit them down and ask them to demonstrate the problem by breaking into your system NOW. Make sure it's a linux or bsd box, at a console, not a graphical login, and don't give them a user name or password. Most of these weenies are only comfortable with Windows.

          If the security holes are on Windows systems and found by security professionals that deal mainly or exclusively with Windows, I fail to see how using an alternate os as a strawman to cast doubt on their technical ability helps anyone.
          • Re:Its their job (Score:4, Insightful)

            by SquadBoy (167263) on Thursday April 14, 2005 @07:23PM (#12239734) Homepage Journal
            Because most of them *claim* to be able to do "security" and do *not* specify Windows, Linux, or any other flavour of Unix. They will then try to claim that your Linux box is "insecure". But when you push them on it they can no more tell you why, how, or when it could be used against you than fly to the moon.

            You would have a point if they claimed to be "Windows Security" people but that's not the way they sell their services or present their results.

            I for one *love* ripping these guys new ones. In particular when I produce the same report in a couple of hours. All kinds of fun.
          • by Lumpy (12016) on Thursday April 14, 2005 @09:25PM (#12240439) Homepage
            We had one of these experts come in and look, he said we had huge security holes and gave us an estimate of how long he would take to fix them... I called him on the carpet and said, demonstrate one... so he did, and failed to..

            The computer security expert sat there for 30 minutes confused as to why simply pressing escape at the login prompt did not get him into the system on our W2K boxes.

            he mentioned to our Director that our systems must be mis-configured and that he noticed that our cisco 2950 switches were also not configured for 1000BaseT and we should enable the gigabit features of that switch.

            I am NOT joking. this was the security expert hired by our company to see if we had security problems and to find any networking bottlenecks.

            we simply let him leave after thanking him for his expertiese, the CTO of the company reccomended this moron and we cant tell the CTO that his brother-in-law is a complete and utter idiot.

            Thankfully this was 3 years ago. and we were owned by a different company then... the executive staff all were sacked during the last merger.... One of the few times I welcomed a merger.
        • Re:Its their job (Score:3, Interesting)

          by ladybugfi (110420)
          >The best way to get your point across - hack the consultants' box!

          Yeah, and that will make you look...co-operative, right?

          I've done security consulting for years: tens of Nessus scans, web app tests, pen. tests etc. From this background I have some points here.

          One clear problem for a third party consultant is that the risk level assignment is not necessarily as clear cut as the Nessus/ISS/whatever report says. We've never given a client a report directly from the tool, but have written our own detail
      • Re:Its their job (Score:3, Interesting)

        by Shimbo (100005)
        Sure, but many executives assume that anything an outside "security" company says is scripture. I think he's looking for the best way to get the point across.

        Maybe I'm being naive here but I would hope that the "risk management VP" knows something about risk management. So, the approach I would take is to categorize the risks: seriousness of vulnerability, difficulty of fixing, priority.

        If you break it into priorities, and put in some effort estimates, and the VP says, "fix all of them", that's tough for
      • Re:Its their job (Score:5, Insightful)

        by dubl-u (51156) * <[2523987012] [at] [pota.to]> on Thursday April 14, 2005 @07:20PM (#12239706)
        I think he's looking for the best way to get the point across.

        I think the very best way is to tie it back to things the boss cares about: money and productivity.

        Go through the report and come up with solutions that cover all the points, at least the ones that aren't bogus. Explain what each solution will cost (both in cash and in business impact), and what, in business terms, the benefits are.

        If your instincts are right, your boss will say something like "Better security is well and good, but I'm not doubling the IT budget and inconveniencing our staff for so little improvement." And if it turns out there are some things that they're willing to pay extra for, then that's great: you get more budget and new toys.

        Note that if they suggest you do more stuff without changing the budget, then you should be ready to say, "Oh, ok! Which things were you thinking of cutting? I recommend X, Y, and Z." Never let them get the idea that they can just heap unfunded mandates on you. That's not an option, just like haggling with the clerk at WalMart isn't an option. It's not that you refuse; it's just that it isn't an option.
        • Re:Its their job (Score:5, Insightful)

          by xs650 (741277) on Thursday April 14, 2005 @08:28PM (#12240132)
          His job is to take his boss solutions, not problems.

          Tell him what in that report what you think is worth fixing and why and how much it would cost and tell him what you think isn't worth fixing and why and how much you will save by not fixing things that don't need fixing.

          If the security check was a waste of company money and your time, make recommendations on how to do/get a security check more effectively next time. Might be best to not say it was a complete waste of money, since your boss may have been involved in buying the security check.
        • Re:Its their job (Score:4, Insightful)

          by Rimbo (139781) <rimbosity AT sbcglobal DOT net> on Thursday April 14, 2005 @08:56PM (#12240279) Homepage Journal
          Bingo.

          Never say, "It can't be done."

          Say, "We can and will do it; here are the resources required to do it." Remember Scotty's Rule to double-double the resources you think it will take; once because it always takes twice as many resources as you think it will, and a second time because sometimes it takes more than twice as long.

          I never tell my superiors that something can't be done, because any technical problem is solvable given infinite resources. The key is to assess the number of resources and make sure they're informed of the resources required. Once they know that, then it's up to them to make the decision.
      • Re:Its their job (Score:3, Interesting)

        When I worked for a mid sized company that used to do this I had a little game I used to play to defuse these issues.

        I set up monitoring on the network so that if anyone started to do anything funky on the network my terminals would beep.

        I would then printout a piece of clip art with hand cuffs on it.

        Trace down the ip address. Then walk to the correct office an say "Hi, are you doing something strange on the network?"

        When they said the were, I would hand them the paper with cuffs and ask them to let
    • Re:Its their job (Score:5, Interesting)

      by austad (22163) on Thursday April 14, 2005 @06:38PM (#12239380) Homepage
      Additionally, the security person that did the audit needs to sit down with you and go over every item determining whether or not there is a threat, explaining why certain things might be a threat, and detailing any possible way to mitigate the risk if there is any.

      If they just handed you a report from Nessus and a bill, they are not doing their job. The security scanner output needs to be accompanied by another separate report which discusses the TRUE risk.

      Every security company out there uses an open-source or commercial security scanner to get a general overview of any weaknesses, but sadly, many take the output at face value and just attach an invoice. You need to see what the scanner found, so I don't think it's right for them to omit anything from it. But, like I said above, they really need to evaluate the data that comes out of whatever product they use, investigate more by hand, ask questions, etc.

      I currently work for a company that does this sort of thing. We use a variety of methods, depending on how in depth the customer wants to go. But in all cases, they get the raw output from any tools we use, and they get a thorough report and followup meeting detailing what was found and whether or not it's an actual threat. We make product and methodology suggestions, and even stick around to help them out.

      My suggestion is, if you're looking for someone to do a security assessment or pen testing, shop around and find someone with excellent references. Finding someone good isn't going to be cheap, but then again, if you're concerned about price, fire up Nessus or ISS and run it yourself.
      • Finding someone good isn't going to be cheap, but then again, if you're concerned about price, fire up Nessus or ISS and run it yourself.

        Whoah... I'm all for good security, but don't you think using the International Space Station is a bit overkill? ;-)
      • Re:Its their job (Score:3, Interesting)

        by znu (31198)
        These automated security reports really do more harm than good, a lot of the time. At least in the wrong hands. I had to deal with a lot of stress over such a report from an internal source. I was running an OS X server and a bunch of clients on a private subnet, for a department which needed some things that the IT department couldn't be bothered to set up for them. I had authorization at the highest levels, but the IT guys always hated me for going around them.

        So, one day I get a call that there's a seri
      • Cowboys (Score:3, Interesting)

        by anticypher (48312)
        If they just handed you a report from Nessus and a bill

        . . . then they are quite similar to most of the fly-by-night security companies in existance today.

        They really are a plague. Typically a small number of university students, or recent graduates, trying their hand at "start-up dotcom". There are two or three guys who know linux, a little about cisco routers, maybe had a course where they learned about Nessus. There will be fast talking marketing and sales slime involved as well. They are all very you
    • Re:Its their job (Score:3, Interesting)

      by Shoten (260439)

      Its their job to be detailed...

      Yes...and this is why they should be providing context whenever possible to the "holes" they find, and verifying false positives (or qualifying them). I work for a security company, and we're very careful about this. For example, on many systems when a daemon is patched, the banners are not updated and so we'll see fully patched servers that flag on having vulnerable versions of software. We've seen this time and time again, and know that it could be the case each time w

  • Address The Report (Score:5, Insightful)

    by Rolan (20257) * on Thursday April 14, 2005 @06:17PM (#12239144) Homepage Journal
    If the boss wants you to "fix" them all, give him a report of your own. "This is setup this way because of X, and the risk is mitigated by Y." If it's not a risk, explain why it is not. If you can't explain why it's a risk or how you're mitigating the risk, then you should be called out on the carpet. NEVER rely on security by obscurity. There is no such thing as a hole "so obscure as to be meaningless." If you mean that the report is vague in defining what the hole is, then you or your boss should get more information from the person you paid to do it.

    In the end, if you can't specify why it SHOULD be that way, then you should make it secure. If you can say it HAS to be that way for a specific reason, then you should say how you are mitigating the risk. If you're not mitigating the risk, well, you better come up with a really good reason your boss is going to like.
    • Of course many of the tools are popular open-source material - they work well, and they're extensible for people who want to add capabilities or connect them to report generators or other tools or whatever. You should be running these things yourself on occasion - perhaps regularly if there's a convenient way to do so, but certainly when you do major changes. Some of the things they'll find really are minor (e.g. somebody could cause a denial of service attack by sending a gigabit per second of UDP traffi
    • by Anonymous Coward on Thursday April 14, 2005 @06:36PM (#12239357)
      I've seen the managers that this guy is suffering under and your insightful remark won't help him. You see, his boss is likely referring to "holes" reported by Nessus and others that are not holes but, because some outside company said it, then it must be so.

      Outside companies are always more authoritive than in house staff. "they're not form here so, they must be the authority on the subject."

      By the way, the "holes" he is referring to are likely things like:

      Can determine path to host via traceroute. Danger Will Robinson!
      SMTP server returns a header. Shock! Horror!
      HTTP server returns a header. OMG! This must be fixed!??
    • The well known security scanner in question is probably Nessus.

      It reports _truly_ obscure things, as it should, but which security consluttants has a tendency to blow out of proportion.

      One of the points of security consluttants is to use tools to MAP the network. Then they should determine what your network SHOULD do, and which services SHOULD be running - and doing _what_.

      Then they should check this against the map of the network, and remove all items which are irrelevant, and interpret the facts.

      THEN
  • by gt_swagger (799065) on Thursday April 14, 2005 @06:17PM (#12239148) Homepage
    ... they have make huge deals out of everything or risk being found out as mostly useless ;)
  • You need to... (Score:4, Informative)

    by Atlantis-Rising (857278) on Thursday April 14, 2005 @06:18PM (#12239155) Homepage
    present your own report, detailing those same holes and why it's not worth it to fix them. Preferably first.
    • The important thing is that you are not the one to say that it's not worth fixing. You leave that up to (mis)?management to decide.

      Your basic risk analysis takes a look at all of the vulnerabilities on the system. For each one, you list the following:
      • the likelihood of that vulnerability being realized
      • the impact if that vulnerability were realized
      • any mitigation that has been done to reduce the chance of it being fully realized and exploited.

      Of course, management likes numbers, so you rank each item f

  • by RobertTaylor (444958) <roberttaylor1234 AT gmail DOT com> on Thursday April 14, 2005 @06:18PM (#12239162) Homepage Journal
    How do you handle these 3rd-party security people who make mountains out of every molehill?

    Post the company name and URL on slashdot and let them have a 'specialised security audit'...
  • by UndyingShadow (867720) on Thursday April 14, 2005 @06:20PM (#12239188)
    One of two ways:

    Sit down with your boss and explain what each open port is and why it is open. Then explain what happens if you close that port.

    Lock everything down tighter than fort knox, starting with your bosses machine (Yes sir, Im sorry you can't surf the internet, we closed that outgoing port because it was a security risk)

    One of these should work (or get you fired) either way, you don't have to deal with employees upset because their VPN or Remote Access doesn't work.
  • you do your job (Score:5, Insightful)

    by smash (1351) on Thursday April 14, 2005 @06:21PM (#12239193) Homepage Journal
    How do you handle these 3rd-party security people who make mountains out of every molehill?"
    You address the issues. That means: fix the problem, or provide a reason as to why things are this way, and *why* it is not a problem in your instance. Explain to the manager in question. Explain that to fix issue "x" may result in lost functionality, ease of use, or whatever - or that the risk has already been mitigated by some other precaution.

    As someone else said - if you can't do that, there's a problem.

    smash.

  • We can help (Score:5, Funny)

    by Lev13than (581686) on Thursday April 14, 2005 @06:21PM (#12239197) Homepage
    LazloToth asks: "...How do you handle these 3rd-party security people who make mountains out of every molehill?"

    I think we need more details on the severity of your security holes. Give us your company's IP range, and if we find anything significant we'll leave a note for you on your desktop.
  • document (Score:2, Insightful)

    by gbaldwin2 (548362)
    Document the hell out of everything. And explain why the setup is as it is. It is a real pain when you have some worthless security company telling management that echo, discard, and chargen are major security holes on internal systems. Besides senseless violence directed at the auditors it is a painfull process.
  • by Rob Riggs (6418) on Thursday April 14, 2005 @06:22PM (#12239213) Homepage Journal
    Seriously, you need to work with someone who has a clue. Anyone reviewing these scans should know what they are looking at. If they don't, they have no room to criticize. It is the security consultants job to put the scan and the vulnerabilities in context. They need to explain the risks to management in a manner that management can understand. Their report should come with recommendations on how to correct the problems, and it should at least try to outline the consequences of the fixes. The consultants should have worked with the engineering/admin team to understand the holes before the report went to management. Otherwise you paid for a whole lot of nothing.
    • Pretty much, yeah, that sums it up. Anyone can walk through the door, do a port scan, and list open ports, etc... Looks to me like they treat security as a commodity, not like the process that it is.

      They only did half their job.
    • You are 100% correct.

      It's not doing the company nor the consultants any good to provide a report that isn't valuable. I've done I'd guess more than 50 vuln/pen assessments, and when I've spent the time to understand the environments and evaluate the security issues presented, the client always reacted wonderfully to the reports and commented on what a great value they were.

      Before I was seasoned enough to do that, reports were largely ignored; vulnerabilities rarely fixed.

      It's disappointing to see. I am
    • by jd (1658) <imipak@noSPam.yahoo.com> on Thursday April 14, 2005 @06:51PM (#12239505) Homepage Journal
      I don't see why the parent was marked as a troll. It sounded some of the best advice posted so far. Any "consultant" who says a whole lot but doesn't tell you anything is just sponging a lot of money off you. You might as well base company policy off e-mail spam. If there's no content, there's no content.


      Security isn't just a matter of collecting raw data. Anyone can collect raw data. Raw data is like raw sewage - it benefits nobody but can be used to make a big stink.


      At the very least, to be usable there needs to be an assessment as to the actual threat level of each vulnerability. For example, you could have an insecure, unpatched Windows 95 box locked in a cupboard with no console or network access. A vulnerability assessment would turn up a bazillion holes, but absolutely none of them would be exploitable.


      In crude terms, you can measure risks in terms of two scales. Let's use letters for the first and numbers for the second. The first measure is the ease of reaching that vulnerability, the second is the ease of using that vulnerability to access other systems or data.


      Thus, any computer directly reachable from the outside world would be an "A" class risk. A machine placed outside of the firewall which does not have direct access to the inside (not an unusual arrangement for informational webservers) would be relatively low risk for data and might be given a 9. So, a vulnerability on your advertising website would be an A9 risk.


      A firewall, on the other hand, has direct access to the inside. If the firewall has proxy servers sitting on it, it will likely have a high level of trust. So, a vulnerability on such a system might be given a rating of A2 or A3. (It doesn't have valuable information itself, but it can be used to reach a machine that does.)


      A data warehouse, on the other hand, might well sit on a SAN that can only be reached through a firewall which runs to the servers on the corporate LAN, which itself is behind a firewall. Now, an attacker needs to go through between three and five layers of security (depending on how secure the network traffic is). On the other hand, access to the data warehouse would expose critical data. A vulnerability in this case might be given a class of E1.


      Managers could look at these ratings - A5, E1, etc. They could then use those to get an idea of how urgent fixing the hole was. A rating of F9 (six layers deep, no information of significance) could safely be ignored at the start. A rating of A1 (reachable from the outside, mission-critical data exposed) would want to be fixed the week before last.


      These are the kinds of things managers can understand. Nobody should expect them to have a detailed understanding of TCP/IP stacks, buffer overflows and sniffer technology. They may well have, but no sane consultant should require it of them. Unless said consultant knows that the product they are delivering is so bogus that a technically-competent manager would nail them to the wall for it.

      • by jschrod (172610) <jschrod AT acm DOT org> on Thursday April 14, 2005 @08:49PM (#12240246) Homepage
        Yes, the parent ain't no troll; but it ain't no good advice either.

        The poster obviously is not in the position to `get a new consultant'. His problem is how he can hit his management with the clue stick.

        Let me tell you a story that happened just a few weeks ago: I'm the CEO of a consulting company that does quite some security work. We were brought into the following situation: A customer of an outsourcer got an `independent' security audit by HP. The HP folks took the (actually very good) CIS benchmarks and demanded that each and every item of that benchmark is followed to the letter. As part of that, they demanded that the NFS and Samba servers are turned off.

        There's just one small problem -- the actual service the outsourcer was providing to the customer is -- tada! -- file service over NFS and CIFS! The outsourcer pointed this out to their customer's management. That management is a bunch of morons and just told them back: But this is a security audit of HP, they know their thing! So they had to bring us in, to give their opinion `management cloud' by creating pretty PPTs.

        Even though we earned quite some money on that job; I would have prefered to work on really improving the security, in particular the processes, instead of fencing unprofessional HP security `consultants' and idiotic management PHBs.

    • ...will tell your company one and only one thing, and that is your network is unsecurable unless you outsource all your network security and administrating to them because you company's own I.T. crew is too incompetant to do it themselves.

      My employer recently went thru one of these and I prepared for it (I am the network admin) by writing a list of everything the consultants would find, and why they would find it and what could or could not be done about it short of completely unplugging the affected bunch
  • You've already played Devil's Advocate, so document what you think the risks are/may be, then do *exactly* what he says. Once it breaks, whip out the risks you documented and explain how you did exactly what was asked of you over your stated objections. It's the only real way to do it--and rather satisfying, gotta admit.
  • Cost (Score:5, Insightful)

    by japhmi (225606) on Thursday April 14, 2005 @06:25PM (#12239239)
    Take the report, and give costs for covering each hole. Also, give your risk assesment to the company (yes, there is a hole that has a 1% chance of costing the company $5,000 dollars - but it will cost $500 to repair).

    Then, let the boss make the budget decisions, and carry them out. Make sure extra staff is included in your report.
  • One word... (Score:2, Funny)

    by LeJoueur (766021)
    BOFH [theregister.co.uk]
  • The weakest link... (Score:5, Interesting)

    by cpghost (719344) on Thursday April 14, 2005 @06:27PM (#12239264) Homepage

    Every chain is only as strong as its weakest link.

    This holds true in the military area, more than everywhere else. I work in environments that are very sensitive to security, and we take such external reviews extremely seriously. There's no such thing as an "obscure" or "irrelevant" weakness.

    Unlike most vanilla companies, we can't afford to let things slide, security-wise. Knowing that your clients are prime target for highly professional black hats and (not only industrial) spies is highly motivating. This includes (of course) penetration testing (conducted both internally and by independant contractors), but also exclusive use of open source code and internal code auditing. As an aside: personnel (HR) auditing is also very important, if not even more so than technical aspects!

    Sure, most companies don't need this level of security awareness and can get away with being "pragmatic", but don't complain when your client database (with all the goodies like credit card data etc.) gets compromized!

  • by nizo (81281) * on Thursday April 14, 2005 @06:30PM (#12239291) Homepage Journal
    How do you handle these 3rd-party security people who make mountains out of every molehill?

    See where they did the scan from and drop all packets at the firewall from that domain?

    • Re:Easy solution (Score:3, Insightful)

      by nizo (81281) *
      This would probably make more sense if I had added, "before they do a follow-up scan of your network".
      • by Anonymous Coward on Thursday April 14, 2005 @07:11PM (#12239644)
        Dear Manager of Clueless Company,

        Thank you again for the opportunity to conduct a security audit on your organization. We would like to let you know that you failed your security audit because none of your systems passed a simple availability test and all of them had the same issues the last time we conducted our scans. When we started this scan, all of your systems appeared to be down when we tested your company from a known IP address. Suspecting that your staff thought they could block the scan, we simply changed our IP, and were able to test your servers. Our tests show a number of things:

        1) You show no improvement in security. All the old holes are still there, and we found some new warez servers, along with numerous bots, spam engines and several IRC servers. These make for an excellent addition to the old warez and IRC servers, spam engines and zombies that make up your organization.
        2) Your IT staff is clearly made up some stupid people. How they could have thought blocking IPs would keep us from testing their servers is beyond belief. They really are a piece of work.
        3) Your employees can not be trusted because they are trying to cover up this cluelessness in the most incompetent manner possible.
        4) You are oblivious to the cluelessness on your employees part.
        5) You're company really is dumb if they think they can block the source of an audit from a security company. Come on, we do this for a living, did your IT people really think they could stop us? Seriously, what moron thought this would work? Did they read this on slashdot or something?

        To summarize, your systems are wide open and compromised, your staff is incompetent and untrainable and your attempts to block our scans were additional fruitless indicators of your staffs pathetic grasp on even basic IT concepts. Frankly, we'd like to thank you for the free money, and to pass on our thanks to your clueless staff for making this process trivially easy. If we only had more idiotic customers like you, it would make our jobs so much easier.

        Looking forward to your next follow up scan. Please be sure to promote everyone in your IT department as we are thrilled with their work so far!

  • by PCM2 (4486) on Thursday April 14, 2005 @06:30PM (#12239296) Homepage
    In the mid-1990s, I ran IT for a graphic design firm, which consisted of some 50-75 Macintosh computers. Pretty much everything ran on Macs; even the accounting systems used Great Plains for Mac.

    At one point, some of the staffers got the idea that network performance might not be optimal, and it was decided that we should do a performance audit. A contractor was brought in to spend a few hours sniffing our network, then go away and do a thorough, in-depth protocol analysis. The result of this analysis was a 20-page report detailing their findings.

    The conclusion was that there was, indeed, a lot of unnecessary packets of traffic flying around the network. Their solution?

    "Eliminate the Appletalk networking protocol."

    Uh, yeah. Thanks guys, here's your $2,500.

    (Maybe the best solution is to do whatever you can to educate management and set expectations at appropriate levels.)
    • by prockcore (543967) on Friday April 15, 2005 @01:54AM (#12241844)

      "Eliminate the Appletalk networking protocol."


      A worthy and noble goal. Chattiest protocol ever.

      "Are you there printer?"

      "Yeah, I'm still here."

      "Sweet.. just checking"

      "So.. uh.. what's new with you?"

      "Not much, did you see the file share that moved in down the block?"

      "Yeah, he was talking to me earlier"

      "Nice guy. I like him. He shares files you know"

      "So I gathered. As a printer, I don't think I need to talk to him"

      "Heh, yeah, that's probably true. But hey, never hurts to keep in contact with everyone, even if you have nothing in common"

      "I hear you brother! So, um.. did you need to print something?"

      "Me? Oh no.. I'm just keeping tabs on everyone"

      "Yeah... I do that too"
  • by winkydink (650484) * <sv.dude@gmail.com> on Thursday April 14, 2005 @06:32PM (#12239317) Homepage Journal
    They get paid to find every little nitpicky thing. It's in their best interest to make everything sound major (ever heard of the term follow-on engagement?)

    Sit down, take the list and prepare a reasonable time & budget to fix each item along with your recommendations of the order to fix them in (based on business risk). Make sure your numbers and hours are realistic, because chances are excellent that he'll ask the consultants for the same info.

    Then Mr VP can either allot internal resources to fixing the problem or hire outside consultants, or both. Business risk deals with a lot of things both real and perceived. In some cases, having the perception of risk is just as bad a the real thing (from a liability perspective, thank you Millberg Weiss).

    Your VPs job is to determine the acceptable level of risk for the company. Yours is to aid him in that decision, not make it for him.
  • it's haaaard work (Score:5, Interesting)

    by humankind (704050) on Thursday April 14, 2005 @06:33PM (#12239327) Journal
    How do you handle these 3rd-party security people who make mountains out of every molehill?"

    Since you don't cite any examples of these issues, I would bet you're one of these people who think running PHP with register_globals on is a "molehill?"

    Cite some examples, or else this looks like you're complaining that tightening security holes would be /whine "hard work." Well, it'll be harder after some n00b takes my personal information off your insecure system. Fix it, or consider changing careers instead of being yet another BOFH.
    • Re:it's haaaard work (Score:5, Interesting)

      by DA-MAN (17442) on Thursday April 14, 2005 @09:04PM (#12240324) Homepage
      Cite some examples, or else this looks like you're complaining that tightening security holes would be /whine "hard work." Well, it'll be harder after some n00b takes my personal information off your insecure system. Fix it, or consider changing careers instead of being yet another BOFH.

      The poster had stated that the report came from "well-known open-source security scanner" which I can only assume means that it was generated from Nessus. As someone who runs Nessus on a regular basis for my company I have to say that the reports generated from nessus can be next to useless if not properly interpretted.

      For example it will flag our RHEL boxes for running Apache 2.0.46 due to some obscure DoS or bug. Recommendation: Upgrade to latest. However it doesn't take into account that Red Hat has backported the fix into 2.0.46 and that RH Apache 2.0.46 is not vulnerable.

      In addition, Nessus bitches about everything it sees, such as mail.domain.com is listening in on port 25. This is not a security risk, but rather intended behaviour.

      I found myself in a similar position last year when a user brought in his home laptop and scanned the internal net with Nessus. This user brought the results to upper management at my company without even talking to us sysadmin folks. The manager freaked when she saw her servers so "vulnerable" and asked the sysadmin manager "what the hell is going on?".

      Fortunately I had been conducting weekly Nessus scans myself. I showed my manager our archive dating back for months, and explained how this is prone to false positives. Explained how we had taken care of the real problems, and what can show as a false positive. He was impressed, went back to the other manager and explained the rest. In addition he had the user suspended for a week without pay for violating the terms of service for our network.

      Long story short, cover your ass and run your own scans. Take care of issues as they come up. If a consulting company comes in and just runs a Nessus scan on your network, explain to your managers how the company is not offering anything new and how they haven't put any effort into interpretting the results.

      It's not about spin, it's about interpretting what a security risk truly is.
  • by delirium of disorder (701392) on Thursday April 14, 2005 @06:33PM (#12239331) Homepage Journal
    If you want real security, penitration testing is only a small part of the process. Sure, you can pay someone to find valunerabilities....any kid with a copy of nessus, snort, and nmap will do....or you can shell out the big bucks for a Core Impact setup if you get the PHBs paranoid enough. It really won't help fix anything. Even if you do manage to patch every valunerable service and close off everything else that you don't need, you may still be insecure. Policies and procedures are often as important for ensuring security as closing specific holes in software. If your company needs to outsource network security, convince them to get someone who will offer a more complete solution comprising of a specific and custom plan for ensuring the physical, human, and software aspects of security. If you want to get out of your current prediciment, I suggest patching what you can and explaining why other valunerabilities are not relivant. Prove you are smarter then the consultants leeching money that could be yours. If your boss is a real idiot and the security reaserchers he/she hires are dumbasses too, you can safely backdoor the place before you leave!
  • by Infonaut (96956) <infonaut@gmail.com> on Thursday April 14, 2005 @06:34PM (#12239337) Homepage Journal
    In my experience, most of the out of context issues usually come down to someone in management saying something like this at one time or another, "Goddammit! I don't *care* if there's some infinitesmally small chance that we'll have a security problem. I want the ability to IM, and I want it now!"

    Human nature being what it is, pointing this out to the boss is likely to embarass him and make him feel like you're being a smartass. In general I find that explaining the security continuum (where at one end you have low security, low cost, and all the functionality you want, and at the other end you have high security, higher cost, and some curtailing of functionality) is helpful in coaxing them out of the mentality that security is a one-way street. In the real world, high security entails compromises, some budgetary (even if only for more sysad time) and some functional (not every new flashy network app can simply be added to the system without security analysis).

    I've also found that explaining the security process in terms of priorities is helpful. I used to use a top 10 list that showed management exactly what was highest priority, what came next, and so on. This helped them realize that not all threats are equal .

    Best of luck to you.

  • by peteforsyth (730130) on Thursday April 14, 2005 @06:37PM (#12239366) Homepage Journal
    Put the focus on your professional relationship; make the technical aspects secondary to that. If you have any history of trust, emphasize that.

    "Do you generally trust me to keep the network secure?"
    "Do you see the possibility that this company might make mountains out of molehills to demonstrate their value?"
    "If we DO find out that I have left some things unattended, will you give me the chance to correct them?"

    Etc.

    Your boss, more than anything, wants to know he's in good hands. Even though he may not consciously know it, his trust in YOU is the most important thing; his trust in the NETWORK is secondary; his trust in a temporary CONTRACTOR is a fleeting thing.

    If you adopt an overly defensive or confrontational posture, you do nothing but hurt your relationship with your boss, and ultimately yourself.
  • 1 man's molehill... (Score:2, Informative)

    by Zunni (565203)
    is another man's mountain. If you were "hacked" and when you went back to the 3rd party security company and were told "Well, that opening is so obscure that we really didn't think it was an issue." Who would be having their asses handed to them in court?

    Their jobs are to be as thorough as possible, your job is to analyse the data and figure out what it means with the knowledge you have from working within the organization and understanding the quirks that are native to your workplace. Hopefully your b
  • Fr. Guido Sarducci (Score:3, Informative)

    by Nethead (1563) <joe@nethead.com> on Thursday April 14, 2005 @06:41PM (#12239401) Homepage Journal
    LazloToth asks: "I'm sure some of you have had this happen: your company pays the big bucks for a 3rd-party security audit and, when it comes back, you get called on the carpet for all the supposed 'holes' in your network.

    Fr. Guido Sarducci replies: Son, you'll just hafta let it go. These bozos just won't get it anyway. Besides, it IS their network, they just pay you to play with it.

    Don Novello Pipes up: Who are you wankers anyway?

  • How to avoid being called on the carpet over security? Be at least one degree more paranoid about security than your boss.

    How to handle the security report? With the same seriousness as your boss, he signes your paychecks after all.

  • by eyeball (17206)
    Ask for the opportunity to have the 3rd party justify, in writing, what each vulnerability means and assess the severity. If your boss won't go for this, you probably don't want to work for an irrational boss.

    Or if you don't want to make that drastic of a move, tell him or her that you should outsource that security to the company that did the scan. That's probably why they gave such a mountain-molehill report anyway. If your boss is going to believe them, then make them "fix" the network, and then explain
  • All you can do is clarify and explain. I only deal with "Critical," "Major" and sometimes "Medium" risk categories. The rest are usually stupid. "You have a share." "Yeah, it's called user directories or shared data drives." As long as you have answers and can show the risk is minimal, if existent, then you may have done all you can.
  • Without seeing some example vulnerabilities, it would really be hard to give anything but general answers to this problem. That said, there is an abundance of general answers here already and I'll add mine to the pile.

    First: do your homework and get a background (securityfocus.com is a great place to start) on all items listed.

    I know first-hand where we have a dependance on older versions of certain software packages because some custom apps we ahve running break when these older programs are upgraded.
  • by pyrrhonist (701154) on Thursday April 14, 2005 @06:46PM (#12239450)
    Don't look a gift horse in the mouth. This is just the excuse you need to purchase that new equipment you've been lusting over. Just remember to put, "patch security hole", on the purchase req.
  • I handle this situation by working for people who know what they're doing. And who don't know what I do (else why would they employe me), but know they don't know, and leave me alone.

    Seriously, if your boss trusts some outsider consultant more than his own IT people, either you have the wrong boss, or he has the wrong IT people. Or both.

  • "How do you handle these 3rd-party security people who make mountains out of every molehill?"

    That's not the first step. The first step is for your company to make you VP of risk management.
  • Common Sense (Score:3, Insightful)

    by Aliks (530618) on Thursday April 14, 2005 @07:07PM (#12239622)
    The third party is being paid to spot holes. If they are worth the money they will do more than just a Nessus scan ie they will look at the how the vulnerability might be exploited, and what kind of impact an exploit could have.

    Whatever they do, they will not have much info on the real impact on your company of any security breach, nor will they have any clue as to your company priorities. This can only come from inside your company. Some would call this "putting a spin" on the report, but in reality all you are doing is adding the extra columns to the report:

    Likelihood of an exploit of this vulnerability

    Impact of a successful exploit

    Cost to fix

    If you can't put numbers to these things then just say Low/Medium/High.

    Undoubtedly there will be some things that really do need fixing, but for the low priority items maybe you can batch them together into a work packet and get budget or resource to tackle them properly. Better you guys do this and make sure there are no deleterious effects on live systems than some contractor is pulled in to do it blindly.
  • Obscure? (Score:3, Interesting)

    by kd5ujz (640580) <william&ram-gear,com> on Thursday April 14, 2005 @08:04PM (#12239995)
    If it is being detected by a "well known open source" security mapping package, then I would fix any "obsure" hole it finds. If the tool is well known, and detects the hole, then you can bet your ass that all the black hats with that scanner are going to find your obscure hole.
  • by mr_z_beeblebrox (591077) on Thursday April 14, 2005 @08:31PM (#12240149) Journal
    How do you handle these 3rd-party security people who make mountains out of every molehill?

    I am currently dealing with this. I work in a very small IT shop (by small I mean me) in a not so small company (100+ million $ in revenue). We also have MIS, but they are just users in the network context. We recently were blessed with a new COO who very much wants to control all departments... can you say burnout in progress. Anyway, he wanted to get a third party audit. We (MIS who has control of me) turned it into a major project and accepted proposals from many companys (this burned a lot of hours). Then when a vendor was selected I took the audit report and thoroughly documented each hole and its risk to us. The amount of work and risk caused by fixing it as well as the cost. Then, when it is done I prepared a cost benefit analysis of the various actions. My goal was to teach them a lesson. Instead, I learned one. Because my documentation was able to show them the complexity of the network I work with and the technology which we take for granted. They agreed to hire me a technician. Also, they allowed me to decide what in the security was worthwhile to address and source out a chunk of it as a project. The lesson is, use this to your advantage. How many times do you feel excluded from decisions because it is "a business matter", I do frequently. This showed them that I understood my job from the point of view of adding value to the organization and that is very important in business. In short, as my subject read, mountains are nothing make it into a mountainrange. Once they see it and they see you willing to conquer it for them, you all win.
  • by jsimon12 (207119) <tzzhc4 AT yahoo DOT com> on Thursday April 14, 2005 @08:34PM (#12240169) Homepage
    I worked at a company a couple years ago that had some "security experts" come in and run scans. They ended up totally screwing up a bunch of in house applications. Being the lead System Administrator I got in a meeting with these guys and starting grilling them on security (they were using a tool that used nmap and hey I know nmap ;). So I started drilling them and it turned out they new nothing. So I kept hitting em and hitting em (verbally) till management had to pull me off em. I think the company I was working for at the time ended up sueing them ;)
  • Isn't it Obvious? (Score:4, Insightful)

    by nathanh (1214) on Thursday April 14, 2005 @11:57PM (#12241318) Homepage
    How do you handle these 3rd-party security people who make mountains out of every molehill?

    They've done nothing wrong. It's their job to point out every molehill. It's your job to perform a threat/risk assessment for each molehill and present a range of mitigations to your boss. For example:

    Consultick: Your froobnabbit has a zingle rating of -1.4582 which we consider to be a serious security hole as documented in Babbage's Grand Compendium of Security Risks.
    You: The likelihood of an intrusion via the froobnabbit is negligible for the following reasons. Even if the froobnabbit is compromised, the impact is minimal and to non-core services. Our group considers the overall risk to our organisation to be low. However we can further mitigate the risk with the following options that will cost you $X, $Y and $Z respectively.
    Boss: Nah, stuffit, we'll leave the froobnabbit as is. I thank both of you for looking into this problem and giving me the information I need to make an informed decision.

    This honestly isn't rocket science. The consultick isn't out to destroy you. He's just doing his job. And yes, it's amusing that the consulticks charge huge amounts of money to run nmap and Nessus, but they were only brought in because you obviously don't have the time to do it yourself.

    I get the impression that you've taken this as a personal slight. I think that you believe the consultick's report has made you look bad. Get over it. Maybe you have made a mistake. Maybe you haven't. Your boss doesn't know yet because he isn't informed. Informing your boss of the risks and the costs raised by the consultick's report should be your #1 priority. If you do a good job, you and the consultick will both look good.

  • by JWSmythe (446288) * <jwsmytheNO@SPAMjwsmythe.com> on Friday April 15, 2005 @02:41AM (#12242013) Homepage Journal
    I so sympathize with this.

    One of our credit card processing companies got a wild hair up their ass about security. Security is a good thing, I fully believe in it. But they hired their own 3rd party company to scan us. Over, and over, and over again.

    The 3rd party sent them a big list, where we were just on the friendly side of a passing score. I'm not pleased with "just" passing. They sent me the list, and "suggested" that we fix all these obvious holes in our security.

    Some of them were that the sites resolved in DNS. Ummm, you go to example.com, it's gotta resolve.

    Another was that we had a firewall up. Because packets disappeared into our network (dropped, instead of rejected), it was a clue to potential hackers that we had a firewall up.. {sigh} Ok, so our firewall did exactly what we wanted, and we get scored down??

    The remainder of the list were assumptions. They (through fingerprinting) identified that we were using *nix machines, we are running Apache running on the web servers in question. At the time, Apache_SSL was about 2 subrevisions behind Apache itself, which made it impossible to stay with Apache_SSL, and pass their test. Their beef with it was that there was an exploit for Win32 and OS2 for the particular version we were running. I wrote them a nice email and said "Ok, so there's an exploit for Win32 and OS2 for that version, but we're running on *nix".

    The temporary fix for the Apache "warning" was to not display the version of Apache. I later changed over to mod_ssl, and stuck with the current version.

    We still get quarterly reports from them. I sigh every time I see them. They just piss me off. Not that we're getting a security review, but the fact that I have to explain why perfectly acceptable things are listed. I can never get my score to 0 threats. Even if I firewalled off the machine, so they couldn't see it, I'd still get points against me, because they can see there is a black hole, where they know there is a machine. {sigh}

    I glance over the list when it comes in, and look for anything interesting. Do they have anything relevant to tell me? Nope? Ok, put it off til next week to decorate around their mental problems. Most days, I have real work to deal with, and don't feel like doing stupid tricks for their entertainment. Of course, if I have the time, I love messing with them. Let them wonder why I'm running Apache 4.9.1 on an unknown platform. :)

I find you lack of faith in the forth dithturbing. - Darse ("Darth") Vader

Working...