Network Penetration Scans and Executive Reaction?

LazloToth asks: "I'm sure some of you have had this happen: your company pays the big bucks for a 3rd-party security audit and, when it comes back, you get called on the carpet for all the supposed 'holes' in your network. When you see the report, you recognize that it comes from a well-known open-source security scanner, and that the 'holes' in question are so obscure as to be meaningless. I told our risk management VP that to fix every item cited - many of which were false positives or completely out of context - would be next to impossible for our small IT staff, and that some of the fixes, if implemented, might have deleterious effects on an otherwise smoothly running operation. How do you handle these 3rd-party security people who make mountains out of every molehill?"
  • It's their job (Score:5, Insightful)

    by rovingeyes ( 575063 ) on Thursday April 14, 2005 @06:17PM (#12239143)
    How do you handle these 3rd-party security people who make mountains out of every molehill?

    It's their job to be detailed. You have to interpret those reports and draw conclusions. They were hired to point out the holes; you have to decide whether it's worth covering them.

  • Address The Report (Score:5, Insightful)

    by Rolan ( 20257 ) * on Thursday April 14, 2005 @06:17PM (#12239144) Homepage Journal
    If the boss wants you to "fix" them all, give him a report of your own. "This is setup this way because of X, and the risk is mitigated by Y." If it's not a risk, explain why it is not. If you can't explain why it's a risk or how you're mitigating the risk, then you should be called out on the carpet. NEVER rely on security by obscurity. There is no such thing as a hole "so obscure as to be meaningless." If you mean that the report is vague in defining what the hole is, then you or your boss should get more information from the person you paid to do it.

    In the end, if you can't specify why it SHOULD be that way, then you should make it secure. If you can say it HAS to be that way for a specific reason, then you should say how you are mitigating the risk. If you're not mitigating the risk, well, you better come up with a really good reason your boss is going to like.
  • by gt_swagger ( 799065 ) on Thursday April 14, 2005 @06:17PM (#12239148) Homepage
    ... they have to make huge deals out of everything or risk being found out as mostly useless ;)
  • you do your job (Score:5, Insightful)

    by smash ( 1351 ) on Thursday April 14, 2005 @06:21PM (#12239193) Homepage Journal
    How do you handle these 3rd-party security people who make mountains out of every molehill?
    You address the issues. That means: fix the problem, or provide a reason as to why things are this way, and *why* it is not a problem in your instance. Explain to the manager in question. Explain that to fix issue "x" may result in lost functionality, ease of use, or whatever - or that the risk has already been mitigated by some other precaution.

    As someone else said - if you can't do that, there's a problem.

    smash.

  • document (Score:2, Insightful)

    by gbaldwin2 ( 548362 ) on Thursday April 14, 2005 @06:22PM (#12239201)
    Document the hell out of everything. And explain why the setup is as it is. It is a real pain when you have some worthless security company telling management that echo, discard, and chargen are major security holes on internal systems. Besides senseless violence directed at the auditors, it is a painful process.
  • Dollars and sense (Score:1, Insightful)

    by Anonymous Coward on Thursday April 14, 2005 @06:22PM (#12239207)
    All that matters to the managerial types is dollars and cents. Show them (in their language - money) how much it will cost to fix the "problems" (even break it down and show them the cost of each problem), vs. how much benefit the company will gain (again in terms of money) from the fix. Be sure to include opportunity costs (and gains). Then let them make their decision.

    They will decide whatever they think will be best (based, of course, on money). Then you fix whatever they tell you to. Hopefully they won't tell you to do anything dumb after they've been shown just what it will cost them.
  • Re:It's their job (Score:5, Insightful)

    by rivaldufus ( 634820 ) on Thursday April 14, 2005 @06:22PM (#12239209)
    Sure, but many executives assume that anything an outside "security" company says is scripture. I think he's looking for the best way to get the point across.
  • by Rob Riggs ( 6418 ) on Thursday April 14, 2005 @06:22PM (#12239213) Homepage Journal
    Seriously, you need to work with someone who has a clue. Anyone reviewing these scans should know what they are looking at. If they don't, they have no room to criticize. It is the security consultants job to put the scan and the vulnerabilities in context. They need to explain the risks to management in a manner that management can understand. Their report should come with recommendations on how to correct the problems, and it should at least try to outline the consequences of the fixes. The consultants should have worked with the engineering/admin team to understand the holes before the report went to management. Otherwise you paid for a whole lot of nothing.
  • Cost (Score:5, Insightful)

    by japhmi ( 225606 ) on Thursday April 14, 2005 @06:25PM (#12239239)
    Take the report, and give costs for covering each hole. Also, give your risk assessment to the company (yes, there is a hole that has a 1% chance of costing the company $5,000 - but it will cost $500 to repair).

    Then, let the boss make the budget decisions, and carry them out. Make sure extra staff is included in your report.
  • Re:It's their job (Score:5, Insightful)

    by rovingeyes ( 575063 ) on Thursday April 14, 2005 @06:28PM (#12239268)
    Actually I have had a very different experience so far with my boss. Maybe I am lucky? I don't know. But my execs never decide on anything unless they consult me. In fact the vendors try to convince me more than my execs. Not to sound too arrogant or cocky, but I have found that if you can convince or prove to your superiors that you are capable, then they will trust you more than anybody else.
  • Re:It's their job (Score:1, Insightful)

    by Anonymous Coward on Thursday April 14, 2005 @06:32PM (#12239308)
    Not for long; they are trying to make these types of scans mandatory if you handle credit card information at all. This includes all those Mom and Pop hosted sites too. Basically, if you sell something on the internet you will be dealing with these 3rd party scans in one form or another.

    I would suggest that you find one that gives detailed reports and has a knowledgeable customer support department, making your life that much easier.
  • by winkydink ( 650484 ) * <sv.dude@gmail.com> on Thursday April 14, 2005 @06:32PM (#12239317) Homepage Journal
    They get paid to find every little nitpicky thing. It's in their best interest to make everything sound major (ever heard of the term follow-on engagement?)

    Sit down, take the list and prepare a reasonable time & budget to fix each item along with your recommendations of the order to fix them in (based on business risk). Make sure your numbers and hours are realistic, because chances are excellent that he'll ask the consultants for the same info.

    Then Mr VP can either allot internal resources to fixing the problem or hire outside consultants, or both. Business risk deals with a lot of things both real and perceived. In some cases, having the perception of risk is just as bad as the real thing (from a liability perspective, thank you Milberg Weiss).

    Your VP's job is to determine the acceptable level of risk for the company. Yours is to aid him in that decision, not make it for him.
  • by winkydink ( 650484 ) * <sv.dude@gmail.com> on Thursday April 14, 2005 @06:35PM (#12239348) Homepage Journal
    ...what we say goes. No questions asked.

    until you want to be a public company.
  • by Anonymous Coward on Thursday April 14, 2005 @06:36PM (#12239357)
    I've seen the managers that this guy is suffering under and your insightful remark won't help him. You see, his boss is likely referring to "holes" reported by Nessus and others that are not holes, but because some outside company said it, then it must be so.

    Outside companies are always more authoritative than in-house staff. "They're not from here, so they must be the authority on the subject."

    By the way, the "holes" he is referring to are likely things like:

    Can determine path to host via traceroute. Danger Will Robinson!
    SMTP server returns a header. Shock! Horror!
    HTTP server returns a header. OMG! This must be fixed!??
  • by peteforsyth ( 730130 ) on Thursday April 14, 2005 @06:37PM (#12239366) Homepage Journal
    Put the focus on your professional relationship; make the technical aspects secondary to that. If you have any history of trust, emphasize that.

    "Do you generally trust me to keep the network secure?"
    "Do you see the possibility that this company might make mountains out of molehills to demonstrate their value?"
    "If we DO find out that I have left some things unattended, will you give me the chance to correct them?"

    Etc.

    Your boss, more than anything, wants to know he's in good hands. Even though he may not consciously know it, his trust in YOU is the most important thing; his trust in the NETWORK is secondary; his trust in a temporary CONTRACTOR is a fleeting thing.

    If you adopt an overly defensive or confrontational posture, you do nothing but hurt your relationship with your boss, and ultimately yourself.
  • by Tim C ( 15259 ) on Thursday April 14, 2005 @06:37PM (#12239370)
    If you're an admin and you can't secure a Windows box (or any box you're in charge of) then you shouldn't be admining it, it's that simple.

    We run a few sites on IIS and use Exchange for all our corporate email, and haven't had a single incident. Similarly, we've not had a single incident on any of our Linux or Solaris servers, either. You just have to know what you're doing.
  • Re:Easy solution (Score:3, Insightful)

    by nizo ( 81281 ) * on Thursday April 14, 2005 @06:37PM (#12239371) Homepage Journal
    This would probably make more sense if I had added, "before they do a follow-up scan of your network".
  • by tacokill ( 531275 ) on Thursday April 14, 2005 @06:39PM (#12239388)
    Not everyone can be an expert in everything. Therefore, consultants have their place. I know they take a lot of flak, but to someone who knows VERY LITTLE about a given subject, they are invaluable for filling in the gaps.

    Details do matter, despite cries of "making huge deals out of everything".
  • Re:quit (Score:5, Insightful)

    by Jeremiah Cornelius ( 137 ) on Thursday April 14, 2005 @06:41PM (#12239395) Homepage Journal
    I used to do this work. We always backed the scans up with hand-checks, and examined environments and mitigating circumstances.

    The managers and officers we got the attention of had screen captures of payroll-stubs or insurance histories in the report! At least an analysis of weak session obfuscation in cookie-files or the contents of hidden web-forms that exposed site-internals or revealed confidential information.

    Also, we re-worded the horrible glut of NASL embedded descriptions, which are not consistent in their use of problem and remedy sections, are produced by hundreds of people with numerous first-languages, etc.

    If a third party adds no value to the tool's own automation, they are not performing a service.

  • by jd ( 1658 ) <imipak@yahoGINSBERGo.com minus poet> on Thursday April 14, 2005 @06:51PM (#12239505) Homepage Journal
    I don't see why the parent was marked as a troll. It sounded like some of the best advice posted so far. Any "consultant" who says a whole lot but doesn't tell you anything is just sponging a lot of money off you. You might as well base company policy off e-mail spam. If there's no content, there's no content.

    Security isn't just a matter of collecting raw data. Anyone can collect raw data. Raw data is like raw sewage - it benefits nobody but can be used to make a big stink.

    At the very least, to be usable there needs to be an assessment as to the actual threat level of each vulnerability. For example, you could have an insecure, unpatched Windows 95 box locked in a cupboard with no console or network access. A vulnerability assessment would turn up a bazillion holes, but absolutely none of them would be exploitable.

    In crude terms, you can measure risks in terms of two scales. Let's use letters for the first and numbers for the second. The first measure is the ease of reaching that vulnerability, the second is the ease of using that vulnerability to access other systems or data.

    Thus, any computer directly reachable from the outside world would be an "A" class risk. A machine placed outside of the firewall which does not have direct access to the inside (not an unusual arrangement for informational webservers) would be relatively low risk for data and might be given a 9. So, a vulnerability on your advertising website would be an A9 risk.

    A firewall, on the other hand, has direct access to the inside. If the firewall has proxy servers sitting on it, it will likely have a high level of trust. So, a vulnerability on such a system might be given a rating of A2 or A3. (It doesn't have valuable information itself, but it can be used to reach a machine that does.)

    A data warehouse, on the other hand, might well sit on a SAN that can only be reached through a firewall which runs to the servers on the corporate LAN, which itself is behind a firewall. Now, an attacker needs to go through between three and five layers of security (depending on how secure the network traffic is). On the other hand, access to the data warehouse would expose critical data. A vulnerability in this case might be given a class of E1.

    Managers could look at these ratings - A5, E1, etc. They could then use those to get an idea of how urgent fixing the hole was. A rating of F9 (six layers deep, no information of significance) could safely be ignored at the start. A rating of A1 (reachable from the outside, mission-critical data exposed) would want to be fixed the week before last.

    These are the kinds of things managers can understand. Nobody should expect them to have a detailed understanding of TCP/IP stacks, buffer overflows and sniffer technology. They may well have, but no sane consultant should require it of them. Unless said consultant knows that the product they are delivering is so bogus that a technically-competent manager would nail them to the wall for it.

  • Re:You fix them. (Score:2, Insightful)

    by BakaMark ( 531548 ) <markl.netluminous@com@au> on Thursday April 14, 2005 @07:01PM (#12239576) Homepage
    I went through a similar thing years ago at my former place of work.

    We had a habit of taking services off the computers. Then the Security Auditors came through, and could not find much in the port scan. Except for ICMP, which was claimed to be a "big" security issue because someone could knock out the server with a Ping Flood.

    The problem is that disabling the entire ICMP protocol is not a very good idea. I took a "block all but allow specific" rule to this (as most sites would), but still allowed ICMP Echo and Echo Reply. It still showed on the next report, and I was grilled. Explaining to them that blocking ICMP altogether was pointless, because a Ping Flood will still overload the link regardless, and the security of the upstream router was not the concern of the report...

    Anyway, because the port scan was not producing a thick enough "phone book" to begin with, they scanned the security permissions of the entire file system as well. Then went to task about how the computer in its default installation was so open to abuse by "guest" accounts. For example the "tmp" directory.

    It was necessary to tighten up the security of the file system as well. They did not beat us up as much on the 2nd, or subsequent passes, in that area, so they then turned their attention to procedures.

    In the end it was more worthwhile to simply leave something as simple as ICMP echo and echo reply in the system, so that the quarterly 3rd party audits did not start delving into the social and financial history of the computer operators.
  • by Anonymous Coward on Thursday April 14, 2005 @07:05PM (#12239595)
    You could always tell the risk-management VP that he's absolutely right and that you need a bigger staff and budget to fix the problem.

    Next, tell him that you need to migrate all the Windows users to MacOS because it's a more secure platform.

    It seems a wonderful empire you could build - and have a wonderfully large impact at the company.

    And anyway, what resume item looks better for you?

    • Did a security audit, but realized that all the problems were minor.
    Or.
    • Led a $17 million security upgrade for the entire enterprise.
  • Re:It's their job (Score:5, Insightful)

    by op00to ( 219949 ) on Thursday April 14, 2005 @07:06PM (#12239610)
    Yeah, quit. That's the mature, sensible way to go.

    Or, you could not be an asshole, and try to calmly and simply explain the report in WRITTEN FORM. Write your own report about their report. Managers like reports. WRITE ANOTHER REPORT. Write another report. Write another report.

    Instead of running in there all willy-nilly acting like they're complete idiots, just work with them on their level. They're paid to make decisions, and they know that it's dangerous to make a decision if there aren't hard facts on paper. Explain yourself. Give references to your conclusions -- back yourself up! Show that you have a brain in your body instead of just coming off as another annoying, slacker engineer.
  • Common Sense (Score:3, Insightful)

    by Aliks ( 530618 ) on Thursday April 14, 2005 @07:07PM (#12239622)
    The third party is being paid to spot holes. If they are worth the money they will do more than just a Nessus scan, i.e. they will look at how the vulnerability might be exploited, and what kind of impact an exploit could have.

    Whatever they do, they will not have much info on the real impact on your company of any security breach, nor will they have any clue as to your company priorities. This can only come from inside your company. Some would call this "putting a spin" on the report, but in reality all you are doing is adding the extra columns to the report:

    Likelihood of an exploit of this vulnerability

    Impact of a successful exploit

    Cost to fix

    If you can't put numbers to these things then just say Low/Medium/High.

    Undoubtedly there will be some things that really do need fixing, but for the low priority items maybe you can batch them together into a work packet and get budget or resource to tackle them properly. Better you guys do this and make sure there are no deleterious effects on live systems than some contractor is pulled in to do it blindly.
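The posts above by jd (a letter for how reachable a host is and a digit for what it exposes), japhmi (expected loss versus cost to repair) and Aliks (likelihood, impact and cost columns) describe one triage step: turning the scanner's list into a report the boss can decide on. The script below is an added example, not code from the thread or from any of its posters; the sample findings, the Low/Medium/High thresholds and the decision rule are constructed assumptions for illustration.

```python
"""Build the 'report about the report': one row per scanner finding with the
thread's two-scale rating, Low/Medium/High likelihood and impact columns,
expected loss versus fix cost, and a recommendation for the decision maker.
Every finding below is constructed sample data, not output of any real scan."""
from dataclasses import dataclass
from typing import Dict, List


@dataclass
class Finding:
    host: str
    title: str
    depth: int           # 1 = directly reachable from outside ... 6 = six layers deep
    data_value: int      # 1 = mission-critical data reachable ... 9 = nothing of significance
    likelihood: float    # our own estimate: chance of exploitation per year (0..1)
    impact_usd: float    # loss to the business if it is exploited
    fix_cost_usd: float  # what remediation costs us (staff time, outages, new kit)
    false_positive: bool = False  # scanner is wrong; we document why instead of fixing


def rating(depth: int, data_value: int) -> str:
    """Letter for how deep the host sits (A = on the Internet, F = six layers in),
    digit for what an attacker gains from it (1 = the crown jewels, 9 = nothing)."""
    if not 1 <= depth <= 6:
        raise ValueError("depth must be 1 (directly reachable) .. 6 (six layers deep)")
    if not 1 <= data_value <= 9:
        raise ValueError("data_value must be 1 (critical data) .. 9 (nothing of value)")
    return chr(ord("A") + depth - 1) + str(data_value)


def band(value: float, low: float, high: float) -> str:
    """Collapse a number into Low/Medium/High when nobody will defend the decimals."""
    if value < low:
        return "Low"
    if value >= high:
        return "High"
    return "Medium"


def expected_loss(f: Finding) -> float:
    """Annualised expected loss: probability of exploitation times impact."""
    return f.likelihood * f.impact_usd


def recommendation(f: Finding) -> str:
    """Decision rule (an assumption of this example): dispute false positives,
    always fix Internet-facing hosts that sit next to critical data, and
    otherwise fix only where the expected loss exceeds the cost of the fix."""
    if f.false_positive:
        return "dispute: document why the scanner is wrong"
    if f.depth == 1 and f.data_value <= 3:
        return "fix now: reachable from outside and near critical data"
    if expected_loss(f) > f.fix_cost_usd:
        return "fix: expected loss exceeds fix cost"
    return "accept or batch: expected loss below fix cost, record the mitigation"


def triage(findings: List[Finding]) -> List[Dict]:
    """One row per finding, most urgent first (A1 ... F9, then by larger loss)."""
    rows = []
    for f in findings:
        rows.append({
            "host": f.host,
            "title": f.title,
            "rating": rating(f.depth, f.data_value),
            "likelihood": band(f.likelihood, 0.05, 0.30),      # assumed thresholds
            "impact": band(f.impact_usd, 10_000, 100_000),     # assumed thresholds
            "expected_loss": expected_loss(f),
            "fix_cost": f.fix_cost_usd,
            "recommendation": recommendation(f),
        })
    # "A1" < "A9" < "B1" ... < "F9" as plain strings; ties broken by larger loss first
    rows.sort(key=lambda r: (r["rating"], -r["expected_loss"]))
    return rows


def render(rows: List[Dict]) -> str:
    """Plain-text table for the memo to the VP."""
    lines = [f"{'Rating':<7}{'Host':<9}{'Likelihood':<11}{'Impact':<8}"
             f"{'E[loss]':>9}{'Fix':>9}  Recommendation"]
    for r in rows:
        lines.append(f"{r['rating']:<7}{r['host']:<9}{r['likelihood']:<11}{r['impact']:<8}"
                     f"{r['expected_loss']:>9,.0f}{r['fix_cost']:>9,.0f}  {r['recommendation']}")
    return "\n".join(lines)


# Constructed sample findings in the spirit of the thread (not from any real scan).
SAMPLE_FINDINGS = [
    Finding("www", "HTTP server returns a version header", 1, 9, 0.30, 500, 200),
    Finding("www", "Path to host determinable via traceroute", 1, 9, 0.0, 0, 0, True),
    Finding("fw", "Outdated proxy service on the firewall", 1, 2, 0.20, 250_000, 8_000),
    Finding("print01", "Printer admin page without authentication", 3, 6, 0.01, 5_000, 500),
    Finding("dw01", "Unpatched service on data warehouse host", 5, 1, 0.05, 2_000_000, 15_000),
]

if __name__ == "__main__":
    print(render(triage(SAMPLE_FINDINGS)))
```

The print01 row reproduces japhmi's arithmetic (1% of $5,000 is $50 of expected loss against a $500 fix), while the firewall row shows why an A2 gets fixed regardless of that comparison.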
  • Re:It's their job (Score:5, Insightful)

    by dr_dank ( 472072 ) on Thursday April 14, 2005 @07:15PM (#12239674) Homepage Journal
    Second best - sit them down and ask them to demonstrate the problem by breaking into your system NOW. Make sure it's a Linux or BSD box, at a console, not a graphical login, and don't give them a user name or password. Most of these weenies are only comfortable with Windows.

    If the security holes are on Windows systems and found by security professionals that deal mainly or exclusively with Windows, I fail to see how using an alternate OS as a strawman to cast doubt on their technical ability helps anyone.
  • Re:It's their job (Score:5, Insightful)

    by dubl-u ( 51156 ) * <2523987012&pota,to> on Thursday April 14, 2005 @07:20PM (#12239706)
    I think he's looking for the best way to get the point across.

    I think the very best way is to tie it back to things the boss cares about: money and productivity.

    Go through the report and come up with solutions that cover all the points, at least the ones that aren't bogus. Explain what each solution will cost (both in cash and in business impact), and what, in business terms, the benefits are.

    If your instincts are right, your boss will say something like "Better security is well and good, but I'm not doubling the IT budget and inconveniencing our staff for so little improvement." And if it turns out there are some things that they're willing to pay extra for, then that's great: you get more budget and new toys.

    Note that if they suggest you do more stuff without changing the budget, then you should be ready to say, "Oh, ok! Which things were you thinking of cutting? I recommend X, Y, and Z." Never let them get the idea that they can just heap unfunded mandates on you. That's not an option, just like haggling with the clerk at WalMart isn't an option. It's not that you refuse; it's just that it isn't an option.
  • Re:It's their job (Score:4, Insightful)

    by SquadBoy ( 167263 ) on Thursday April 14, 2005 @07:23PM (#12239734) Homepage Journal
    Because most of them *claim* to be able to do "security" and do *not* specify Windows, Linux, or any other flavour of Unix. They will then try to claim that your Linux box is "insecure". But when you push them on it they can no more tell you why, how, or when it could be used against you than fly to the moon.

    You would have a point if they claimed to be "Windows Security" people but that's not the way they sell their services or present their results.

    I for one *love* ripping these guys new ones. In particular when I produce the same report in a couple of hours. All kinds of fun.
  • Re:It's their job (Score:1, Insightful)

    by Anonymous Coward on Thursday April 14, 2005 @08:03PM (#12239979)
    Or possibly realize that you'll never get ahead by playing their game, and you can deprive them of your ability and provide it to a competitor, probably increasing your compensation in the process.

    Of course, this plan only works if you're good. If you're just a mediocre employee, kiss their ass and play their game.
  • Re:It's their job (Score:5, Insightful)

    by xs650 ( 741277 ) on Thursday April 14, 2005 @08:28PM (#12240132)
    His job is to take his boss solutions, not problems.

    Tell him what in that report you think is worth fixing, why, and how much it would cost, and tell him what you think isn't worth fixing, why, and how much you will save by not fixing things that don't need fixing.

    If the security check was a waste of company money and your time, make recommendations on how to do/get a security check more effectively next time. Might be best to not say it was a complete waste of money, since your boss may have been involved in buying the security check.
  • by mr_z_beeblebrox ( 591077 ) on Thursday April 14, 2005 @08:31PM (#12240149) Journal
    How do you handle these 3rd-party security people who make mountains out of every molehill?

    I am currently dealing with this. I work in a very small IT shop (by small I mean me) in a not so small company (100+ million $ in revenue). We also have MIS, but they are just users in the network context. We recently were blessed with a new COO who very much wants to control all departments... can you say burnout in progress? Anyway, he wanted to get a third party audit. We (MIS, who has control of me) turned it into a major project and accepted proposals from many companies (this burned a lot of hours). Then when a vendor was selected I took the audit report and thoroughly documented each hole and its risk to us, the amount of work and risk caused by fixing it, as well as the cost. Then, when it was done, I prepared a cost benefit analysis of the various actions. My goal was to teach them a lesson. Instead, I learned one, because my documentation was able to show them the complexity of the network I work with and the technology which we take for granted. They agreed to hire me a technician. Also, they allowed me to decide what in the security was worthwhile to address and source out a chunk of it as a project. The lesson is, use this to your advantage. How many times do you feel excluded from decisions because it is "a business matter"? I do frequently. This showed them that I understood my job from the point of view of adding value to the organization and that is very important in business. In short, as my subject read, mountains are nothing; make it into a mountain range. Once they see it and they see you willing to conquer it for them, you all win.
  • Re:It's their job (Score:4, Insightful)

    by Rimbo ( 139781 ) <rimbosity@sbcgDE ... net minus distro> on Thursday April 14, 2005 @08:56PM (#12240279) Homepage Journal
    Bingo.

    Never say, "It can't be done."

    Say, "We can and will do it; here are the resources required to do it." Remember Scotty's Rule to double-double the resources you think it will take; once because it always takes twice as many resources as you think it will, and a second time because sometimes it takes more than twice as long.

    I never tell my superiors that something can't be done, because any technical problem is solvable given infinite resources. The key is to assess the number of resources and make sure they're informed of the resources required. Once they know that, then it's up to them to make the decision.
  • by JakiChan ( 141719 ) on Thursday April 14, 2005 @09:34PM (#12240510)
    Just be sure who ends up looking like the ass....
  • by angryty ( 464324 ) on Thursday April 14, 2005 @09:39PM (#12240536)
    Having been through this numerous times I have to say it sounds like you got yourself into this mess. By not explaining what "deliverables" you wanted from the consultant you set yourself up.
    If you said "give me a report card" and that's what you got then you have a serious problem.
    Tell the consultant what you want the report to look like. Tell him that all results should be placed in context to a) risk; b) ease of attack and c) likelihood of attack. Tell them that you want a concrete list of what to do and when to do it. If he can't do that then his firm needs someone else to write the final report.
    You should also have been sitting sidecar during the whole VA so you could help them understand the risks and your environment. Most of the time it makes their VA more accurate because you can point out where you know you are weak and they give you credit for at least being aware of your shortcomings. You've got to tell them what they don't know. If you don't help them contextualize their results then they have to cover their a** and spit out the raw data.
    Finally, you should meet with the consultants to view the draft of the report so you get a heads up and they get to polish the deliverable.

    What do you really want out of the VA? The VA is a tool to help you determine where to focus your limited resources. It is not a report card.
  • by Phil_at_EvilNET ( 569379 ) on Thursday April 14, 2005 @11:09PM (#12241065) Homepage
    Specialists like Jay Beale, Ed Skoudis and Mike Poor. My firm meets with them for a security audit once a year every January. It takes them a few days to audit our systems and they report to us with a draft and final report. We usually have everything buttoned down by the time the final report arrives.
  • Re:It's their job (Score:4, Insightful)

    by op00to ( 219949 ) on Thursday April 14, 2005 @11:14PM (#12241096)
    Oh, you're right. I forgot that being able to document your thought process is totally kissing ass. Real Men shoot from the hip, and expect managers to treat their engineers like cowboys, free to roam the datacenter and do their job as they see fit with no accountability at all.

    Yup, sorry. My mistake.
  • Isn't it Obvious? (Score:4, Insightful)

    by nathanh ( 1214 ) on Thursday April 14, 2005 @11:57PM (#12241318) Homepage
    How do you handle these 3rd-party security people who make mountains out of every molehill?

    They've done nothing wrong. It's their job to point out every molehill. It's your job to perform a threat/risk assessment for each molehill and present a range of mitigations to your boss. For example:

    Consultick: Your froobnabbit has a zingle rating of -1.4582 which we consider to be a serious security hole as documented in Babbage's Grand Compendium of Security Risks.
    You: The likelihood of an intrusion via the froobnabbit is negligible for the following reasons. Even if the froobnabbit is compromised, the impact is minimal and to non-core services. Our group considers the overall risk to our organisation to be low. However we can further mitigate the risk with the following options that will cost you $X, $Y and $Z respectively.
    Boss: Nah, stuff it, we'll leave the froobnabbit as is. I thank both of you for looking into this problem and giving me the information I need to make an informed decision.

    This honestly isn't rocket science. The consultick isn't out to destroy you. He's just doing his job. And yes, it's amusing that the consulticks charge huge amounts of money to run nmap and Nessus, but they were only brought in because you obviously don't have the time to do it yourself.

    I get the impression that you've taken this as a personal slight. I think that you believe the consultick's report has made you look bad. Get over it. Maybe you have made a mistake. Maybe you haven't. Your boss doesn't know yet because he isn't informed. Informing your boss of the risks and the costs raised by the consultick's report should be your #1 priority. If you do a good job, you and the consultick will both look good.

  • by staev ( 663985 ) on Friday April 15, 2005 @12:38AM (#12241518)
    I'm reminded of a Taxi episode. In it, there's the ultimate corporate flunky. Nobody seems to remember his name, nobody knows exactly what he does. At meetings, he never says a word. The picture of the family on his desk came with the frame.

    Someone convinces him that he has good ideas and he should express them at the next meeting. Spurred by this revelation, he enters the conference room.

    The next scene shows him clearing out his desk.

    It's your job as a corporate drone to rate management's decisions on a scale from good to excellent. Anything less might label you as a bump in the road, a thorn in the side.

    When I'm in a corporate environment, my goal is to steer my superiors into the correct path without compromising their ideas.

    Trust me. I have a large supply of well used cardboard boxes.
  • by dustmite ( 667870 ) on Friday April 15, 2005 @06:22AM (#12242666)

    There is an issue of trust in the ability of your engineers though. I had this problem at my previous employer (which I left). If the manager consistently does not listen to your advice (however presented), think about it a bit: It means he/she actually does not have much faith in your skills, and does not trust your advice. This is inherently going to be a problem for you, regardless of whether or not you are able to 'document your thought processes'. What kind of reference are you going to get from a manager who doesn't trust your capabilities and thinks you're probably mediocre? What kind of opportunities for promotion, salary increases, increased responsibility etc. are you going to get from a manager who doesn't recognize or trust your capabilities? If this is what is going on, you need to get out anyway, because you're going to hit a "glass ceiling" very soon in your career.

    IMO, good managers recognize skills, and place trust in their employees, giving them enough 'free rein' to 'work their magic' and not preventing them from doing so.

  • by BaudKarma ( 868193 ) on Friday April 15, 2005 @02:39PM (#12247063) Journal
    Led a $17 million security upgrade for the entire enterprise.

    "Very impressive. Are you still employed there?"

    "No, they went bankrupt shortly thereafter."
