Network Penetration Scans and Executive Reaction?
LazloToth asks: "I'm sure some of you have had this happen: your company pays the big bucks for a 3rd-party security audit and, when it comes back, you get called on the carpet for all the supposed 'holes' in your network. When you see the report, you recognize that it comes from a well-known open-source security scanner, and that the 'holes' in question are so obscure as to be meaningless. I told our risk management VP that to fix every item cited -- many of which were false positives or completely out of context -- would be next to impossible for our small IT staff, and that some of the fixes, if implemented, might have deleterious effects on an otherwise smoothly running operation. How do you handle these 3rd-party security people who make mountains out of every molehill?"
quit (Score:5, Funny)
Deal With Them (Score:5, Funny)
Post the company name and URL on slashdot and let them have a 'specialised security audit'...
We can help (Score:5, Funny)
I think we need more details on the severity of your security holes. Give us your company's IP range, and if we find anything significant we'll leave a note for you on your desktop.
Consultants (Score:5, Funny)
Re:quit (Score:3, Funny)
One word... (Score:2, Funny)
Re:Deal With Them (Score:5, Funny)
Re:Deal With Them (Score:2, Funny)
Easy solution (Score:5, Funny)
See where they did the scan from and drop all packets at the firewall from that domain?
Next to worthless (Score:5, Funny)
At one point, some of the staffers got the idea that network performance might not be optimal, and it was decided that we should do a performance audit. A contractor was brought in to spend a few hours sniffing our network, then go away and do a thorough, in-depth protocol analysis. The result of this analysis was a 20-page report detailing their findings.
The conclusion was that there was, indeed, a lot of unnecessary packets of traffic flying around the network. Their solution?
"Eliminate the Appletalk networking protocol."
Uh, yeah. Thanks guys, here's your $2,500.
(Maybe the best solution is to do whatever you can to educate management and set expectations at appropriate levels.)
Re:Just like every consultant (Score:2, Funny)
Excuse for new equipment (Score:5, Funny)
You should be the V.P. (Score:3, Funny)
"How do you handle these 3rd-party security people who make mountains out of every molehill?"
That's not the first step. The first step is for your company to make you VP of risk management.
Re:quit (Score:5, Funny)
With the current paranoia, lack of decent security awareness (and therefore the lack of ability to evaluate the results), and the ability to impress a PHB by wearing the "right" suit, you could easily charge $50,000 for a Nessus scan. $5,000 would barely pay for an Nmap sweep. For Unix servers, also use SARA and TARA for $10,000 apiece.
In today's atmosphere, it should not be possible to walk away from a security contract with less than $75,000. Double, if you use that random paper generator, covered by Slashdot a day or so ago.
Re:quit (Score:5, Funny)
Conning + Insulting = consulting.
No problem man...
Re:quit (Score:2, Funny)
Re:Consultants (Score:5, Funny)
I always thought if you're not part of the solution, you're part of the precipitate.
Re:quit (Score:3, Funny)
*NOTE: Yep, that really happened..., but try adding ANOTHER zero first. And don't forget to kick back 17.5% in "commissions" to your buddies.
Re:Easy solution (Score:5, Funny)
Thank you again for the opportunity to conduct a security audit on your organization. We would like to let you know that you failed your security audit because none of your systems passed a simple availability test and all of them had the same issues the last time we conducted our scans. When we started this scan, all of your systems appeared to be down when we tested your company from a known IP address. Suspecting that your staff thought they could block the scan, we simply changed our IP, and were able to test your servers. Our tests show a number of things:
1) You show no improvement in security. All the old holes are still there, and we found some new warez servers, along with numerous bots, spam engines and several IRC servers. These make for an excellent addition to the old warez and IRC servers, spam engines and zombies that make up your organization.
2) Your IT staff is clearly made up of some stupid people. How they could have thought blocking IPs would keep us from testing their servers is beyond belief. They really are a piece of work.
3) Your employees cannot be trusted because they are trying to cover up this cluelessness in the most incompetent manner possible.
4) You are oblivious to the cluelessness on your employees' part.
5) Your company really is dumb if they think they can block the source of an audit from a security company. Come on, we do this for a living, did your IT people really think they could stop us? Seriously, what moron thought this would work? Did they read this on Slashdot or something?
To summarize, your systems are wide open and compromised, your staff is incompetent and untrainable and your attempts to block our scans were additional fruitless indicators of your staff's pathetic grasp on even basic IT concepts. Frankly, we'd like to thank you for the free money, and to pass on our thanks to your clueless staff for making this process trivially easy. If we only had more idiotic customers like you, it would make our jobs so much easier.
Looking forward to your next follow-up scan. Please be sure to promote everyone in your IT department as we are thrilled with their work so far!
Re:Deal With Them (Score:3, Funny)
Re:quit (Score:5, Funny)
Okay.
$0,500,000.00
Re:BOFH! here's the link (Score:2, Funny)
http://bofh.ntk.net/Bastard_1995.html
Re:Bullshit. (Score:3, Funny)
Change your qmail banner string to read what an Exchange server would read -- an old, unpatched Exchange server -- and then watch the consultant's smile disappear after they list all of the vulnerabilities that you've got and you tell them that you were lying.
Re:Cost (Score:3, Funny)
Then you can hire another consultant to analyze the risk analyst's analysis to see how much it should cost you to clean those things up.
Then you'll have to hire some technical writers or some such to write up what you've done.
Like, duh!
(you'd think I were a consultant still! But no, I'm not anymore!)
Re:quit (Score:4, Funny)
(just a joke, Canadians are cool. Literally).
Re:Its their job (Score:3, Funny)
Whoah... I'm all for good security, but don't you think using the International Space Station is a bit overkill?
The BOFH Way (Score:2, Funny)
Re:Its their job (Score:5, Funny)
The computer security expert sat there for 30 minutes confused as to why simply pressing Escape at the login prompt did not get him into the system on our W2K boxes.
He mentioned to our Director that our systems must be misconfigured and that he noticed that our Cisco 2950 switches were also not configured for 1000BaseT and we should enable the gigabit features of that switch.
I am NOT joking. This was the security expert hired by our company to see if we had security problems and to find any networking bottlenecks.
We simply let him leave after thanking him for his expertise; the CTO of the company recommended this moron and we can't tell the CTO that his brother-in-law is a complete and utter idiot.
Thankfully this was 3 years ago, and we were owned by a different company then... the executive staff were all sacked during the last merger.... One of the few times I welcomed a merger.
Re:You mean tell the boss the dump windoze? (Score:2, Funny)
Re:We can help (Score:1, Funny)
connecting two unrelated events in your favour (Score:4, Funny)
Manager: How can we fix all these security holes?
You: We can fix them no problem, I'll need another unix box for scanning and a 20% pay rise.
Manager: Ha ha ha...very funny.
You: I'm deadly serious.
Manager: What...you're serious...why a 20% pay rise!
You: Ok...you're right...10% is closer to the reality.
Manager: That's better...thought you could pull one over on ol' Bill, didn't you eh?
You: Yeah...sorry about that.
Re:Its their job (Score:2, Funny)
Christ, man, you even suck at slacking!
Re:Next to worthless (Score:5, Funny)
"Eliminate the Appletalk networking protocol."
A worthy and noble goal. Chattiest protocol ever.
"Are you there printer?"
"Yeah, I'm still here."
"Sweet.. just checking"
"So.. uh.. what's new with you?"
"Not much, did you see the file share that moved in down the block?"
"Yeah, he was talking to me earlier"
"Nice guy. I like him. He shares files you know"
"So I gathered. As a printer, I don't think I need to talk to him"
"Heh, yeah, that's probably true. But hey, never hurts to keep in contact with everyone, even if you have nothing in common"
"I hear you brother! So, um.. did you need to print something?"
"Me? Oh no.. I'm just keeping tabs on everyone"
"Yeah... I do that too"