Network Penetration Scans and Executive Reaction? 434
LazloToth asks: "I'm sure some of you have had this happen: your company pays the big bucks for a 3rd-party security audit and, when it comes back, you get called on the carpet for all the supposed 'holes' in your network. When you see the report, you recognize that it comes from a well-known open-source security scanner, and that the 'holes' in question are so obscure as to be meaningless. I told our risk management VP that to fix every item cited - - many of which were false positives or completely out of context - - would be next to impossible for our small IT staff, and that some of the fixes, if implemented, might have deleterious effects on an otherwise smoothly running operation. How do you handle these 3rd-party security people who make mountains out of every molehill?"
Its their job (Score:5, Insightful)
Its their job to be detailed. You have to infer those reports and draw conclusions. They were hired to point out the holes, you have to decide whether its worth covering them
Address The Report (Score:5, Insightful)
In the end, if you can't specify why it SHOULD be that way, then you should make it secure. If you can say it HAS to be that way for a specific reason, then you should say how you are mitigating the risk. If you're not mitigating the risk, well, you better come up with a really good reason your boss is going to like.
Just like every consultant (Score:3, Insightful)
you do your job (Score:5, Insightful)
As someone else said - if you can't do that, there's a problem.
smash.
document (Score:2, Insightful)
Dollars and sense (Score:1, Insightful)
They will decide whatever they think will be best (based, of course, on a money). Then you fix whatever they tell you to. Hopefully they won't tell you to do anything dumb after they've been shown just what it will cost them.
Re:Its their job (Score:5, Insightful)
Get a new consultant (Score:5, Insightful)
Cost (Score:5, Insightful)
Then, let the boss make the budget decisions, and carry them out. Make sure extra staff is included in your report.
Re:Its their job (Score:5, Insightful)
Re:Its their job (Score:1, Insightful)
I would suggest that you find one that gives detailed reports and has a knowledgable customer support department. Making your life that much easier.
They did their job, now do yours (Score:5, Insightful)
Sit down, take the list and prepare a reasonable time & budget to fix each item along with your recommendations of the order to fix them in (based on business risk). Make sure your numbers and hours are realistic, because chances are excellent that he'll ask the consultants for the same info.
Then Mr VP can either allot internal resources to fixing the problem or hire outside consultants, or both. Business risk deals with a lot of things both real and perceived. In some cases, having the perception of risk is just as bad a the real thing (from a liability perspective, thank you Millberg Weiss).
Your VPs job is to determine the acceptable level of risk for the company. Yours is to aid him in that decision, not make it for him.
Re:This is why I love my job (Score:4, Insightful)
until you want to be a public company.
Don't be so smug and self-righteous. (Score:5, Insightful)
Outside companies are always more authoritive than in house staff. "they're not form here so, they must be the authority on the subject."
By the way, the "holes" he is referring to are likely things like:
Can determine path to host via traceroute. Danger Will Robinson!
SMTP server returns a header. Shock! Horror!
HTTP server returns a header. OMG! This must be fixed!??
As with most potential conflicts with a manager... (Score:4, Insightful)
"Do you generally trust me to keep the network secure?"
"Do you see the possibility that this company might make mountains out of molehills to demonstrate their value?"
"If we DO find out that I have left some things unattended, will you give me the chance to correct them?"
Etc.
Your boss, more than anything, wants to know he's in good hands. Even though he may not consciously know it, his trust in YOU is the most important thing; his trust in the NETWORK is secondary; his trust in a temporary CONTRACTOR is a fleeting thing.
If you adopt an overly defensive or confrontational posture, you do nothing but hurt your relationship with your boss, and ultimately yourself.
Re:You mean tell the boss the dump windoze? (Score:5, Insightful)
We run a few sites on IIS and use Exchange for all our corporate email, and haven't had a single incident. Similarly, we've not had a single incident on any of our Linux or Solaris servers, either. You just have to know what you're doing.
Re:Easy solution (Score:3, Insightful)
Re:Just like every consultant (Score:3, Insightful)
Details do matter, despite cries of "making huge deals out of everything"
Re:quit (Score:5, Insightful)
The managers and officers we got the attention of had screen captures of payroll-stubs or insurance histories in the report! At least an analysis of weak session obfuscation in cookie-files or the contents of hidden web-forms that exposed site-internals or revealed confidential information.
Also, we re-worded the horrible glut of NASL embedded descriptions, which are not consistent in their use of problem and remedy sections, are produced by hundreds of people with numerous first-languages, etc.
If a third party adds no value to the tools own automation, they are not performing a service.
Re:Get a new consultant (Score:5, Insightful)
Security isn't just a matter of collecting raw data. Anyone can collect raw data. Raw data is like raw sewage - it benefits nobody but can be used to make a big stink.
At the very least, to be usable there needs to be an assessment as to the actual threat level of each vulnerability. For example, you could have an insecure, unpatched Windows 95 box locked in a cupboard with no console or network access. A vulnerability assessment would turn up a bazillion holes, but absolutely none of them would be exploitable.
In crude terms, you can measure risks in terms of two scales. Let's use letters for the first and numbers for the second. The first measure is the ease of reaching that vulnerability, the second is the ease of using that vulnerability to access other systems or data.
Thus, any computer directly reachable from the outside world would be an "A" class risk. A machine placed outside of the firewall which does not have direct access to the inside (not an unusual arrangement for informational webservers) would be relatively low risk for data and might be given a 9. So, a vulnerability on your advertising website would be an A9 risk.
A firewall, on the other hand, has direct access to the inside. If the firewall has proxy servers sitting on it, it will likely have a high level of trust. So, a vulnerability on such a system might be given a rating of A2 or A3. (It doesn't have valuable information itself, but it can be used to reach a machine that does.)
A data warehouse, on the other hand, might well sit on a SAN that can only be reached through a firewall which runs to the servers on the corporate LAN, which itself is behind a firewall. Now, an attacker needs to go through between three and five layers of security (depending on how secure the network traffic is). On the other hand, access to the data warehouse would expose critical data. A vulnerability in this case might be given a class of E1.
Managers could look at these ratings - A5, E1, etc. They could then use those to get an idea of how urgent fixing the hole was. A rating of F9 (six layers deep, no information of significance) could safely be ignored at the start. A rating of A1 (reachable from the outside, mission-critical data exposed) would want to be fixed the week before last.
These are the kinds of things managers can understand. Nobody should expect them to have a detailed understanding of TCP/IP stacks, buffer overflows and sniffer technology. They may well have, but no sane consultant should require it of them. Unless said consultant knows that the product they are delivering is so bogus that a technically-competent manager would nail them to the wall for it.
Re:You fix them. (Score:2, Insightful)
We had a habit of taking services off the computers. Then the Security Auditors came through, and could not find much in the port scan. Except for ICMP, which was claimed to be a "big" security issue because someone could knock out the server with an Ping Flood.
The problem is that disabling the entire ICMP protocol is not a very good idea. I took a "block all but allow specific" rule to this (as most sites would). But still allowed ICMP Echo and Echo Reply.. It still showed on the next report, and I was grilled. Explaining to them that blocking ICMP all together was pointless, because a Ping Flood will still overload the link regardless, and the security of the upstream router was not the concern of the report...
Anyway, because the Port scan was not producing a thick enough "phone book" to begin with, they scanned the security permissions of the entire file system as well. Then went to task about how the computer in it's default installation was so open to abuse by "guest" accounts. For example the "tmp" directory.
It was necessary to tighten up the security of the file system as well. They did not beat us up as much on the 2nd, or subsequent passes, in that area, so they then turned their attention to procedures.
In the end it was more worthwile to simply leave something as simple as ICMP echo and echo reply in the system, so that the quaterly 3rd party audits did not start delving into the social and financial history of the computer operators.
Employees can play this game too. (Score:5, Insightful)
Next, tell him that you need to migrate all the Windows users to MacOS because it's a more secure platform.
It seems a wonderful empire you could build - and have a wonderfully large impact at the company.
And anyway, what resume item looks better for you.
Re:Its their job (Score:5, Insightful)
Or, you could not be an asshole, and try to calmly and simply explain the report in WRITTEN FORM. Write your own report about their report. Managers like reports. WRITE ANOTHER REPORT. Écrivez un autre rapport. Escriba otro informe.
Instead of running in there all willy nilly acting like they're complete idiots, just work with them on their level. They're paid to make decisions, and they know that it's dangerous to make a decision if there aren't hard facts on paper. Explain yourself. Give references to your conclusions -- back yourself up! Show that you have a brain in your body instead of just coming off as another annoying, slacker engineer.
Common Sense (Score:3, Insightful)
Whatever they do, they will not have much info on the real impact on your company of any security breach, nor will they have any clue as to your company priorities. This can only come from inside your company. Some would call this "putting a spin" on the report, but in reality all you are doing is adding the extra columns to the report:
Likelihood of an exploit of this vulnerability
Impact of a successful exploit
Cost to fix
If you can't put numbers to these things then just say Low/Medium/High.
Undoubtedly there will be some things that really do need fixing, but for the low priority items maybe you can batch them together into a work packet and get budget or resource to tackle them properly. Better you guys do this and make sure there are no deleterious effects on live systems than some contractor is pulled in to do it blindly.
Re:Its their job (Score:5, Insightful)
If the security holes are on Windows systems and found by security professionals that deal mainly or exclusively with Windows, I fail to see how using an alternate os as a strawman to cast doubt on their technical ability helps anyone.
Re:Its their job (Score:5, Insightful)
I think the very best way is to tie it back to things the boss cares about: money and productivity.
Go through the report and come up with solutions that cover all the points, at least the ones that aren't bogus. Explain what each solution will cost (both in cash and in business impact), and what, in business terms, the benefits are.
If your instincts are right, your boss will say something like "Better security is well and good, but I'm not doubling the IT budget and inconveniencing our staff for so little improvement." And if it turns out there are some things that they're willing to pay extra for, then that's great: you get more budget and new toys.
Note that if they suggest you do more stuff without changing the budget, then you should be ready to say, "Oh, ok! Which things were you thinking of cutting? I recommend X, Y, and Z." Never let them get the idea that they can just heap unfunded mandates on you. That's not an option, just like haggling with the clerk at WalMart isn't an option. It's not that you refuse; it's just that it isn't an option.
Re:Its their job (Score:4, Insightful)
You would have a point if they claimed to be "Windows Security" people but that's not the way they sell their services or present their results.
I for one *love* ripping these guys new ones. In particular when I produce the same report in a couple of hours. All kinds of fun.
Re:Its their job (Score:1, Insightful)
Of course, this plan only works if you're good. If you're just a mediocre employee, kiss their ass and play their game.
Re:Its their job (Score:5, Insightful)
Tell him what in that report what you think is worth fixing and why and how much it would cost and tell him what you think isn't worth fixing and why and how much you will save by not fixing things that don't need fixing.
If the security check was a waste of company money and your time, make recommendations on how to do/get a security check more effectively next time. Might be best to not say it was a complete waste of money, since your boss may have been involved in buying the security check.
Mountains are nothing.... (Score:3, Insightful)
I am currently dealing with this. I work in a very small IT shop (by small I mean me) in a not so small company (100+ million $ in revenue). We also have MIS, but they are just users in the network context. We recently were blessed with a new COO who very much wants to control all departments... can you say burnout in progress. Anyway, he wanted to get a third party audit. We (MIS who has control of me) turned it into a major project and accepted proposals from many companys (this burned a lot of hours). Then when a vendor was selected I took the audit report and thoroughly documented each hole and its risk to us. The amount of work and risk caused by fixing it as well as the cost. Then, when it is done I prepared a cost benefit analysis of the various actions. My goal was to teach them a lesson. Instead, I learned one. Because my documentation was able to show them the complexity of the network I work with and the technology which we take for granted. They agreed to hire me a technician. Also, they allowed me to decide what in the security was worthwhile to address and source out a chunk of it as a project. The lesson is, use this to your advantage. How many times do you feel excluded from decisions because it is "a business matter", I do frequently. This showed them that I understood my job from the point of view of adding value to the organization and that is very important in business. In short, as my subject read, mountains are nothing make it into a mountainrange. Once they see it and they see you willing to conquer it for them, you all win.
Re:Its their job (Score:4, Insightful)
Never say, "It can't be done."
Say, "We can and will do it; here are the resources required to do it." Remember Scotty's Rule to double-double the resources you think it will take; once because it always takes twice as many resources as you think it will, and a second time because sometimes it takes more than twice as long.
I never tell my superiors that something can't be done, because any technical problem is solvable given infinite resources. The key is to assess the number of resources and make sure they're informed of the resources required. Once they know that, then it's up to them to make the decision.
Re:Make an ass out of them in front of your Execs. (Score:3, Insightful)
Sounds like it may be your fault (Score:2, Insightful)
If you said "give me a report card" and that's what you got then you have a serious problem.
Tell the consultant what you want the report to look like. Tell him that all results should be placed in context to a) risk; b) ease of attack and c) liklihood of attack. Tell them that you want a concrete list of what to do and when to do it. If he can't do that then his firm needs someone else to write the final report.
You should also have been sitting sidecar during the whole VA so you could help them understand the risks and your environment. Most of the time it makes their VA more accurate because you can point out where you know you are weak and they give you credit for at least being aware of your shortcomings. You've got to tell them what they don't know. If you don't help them contextualize their results then they have to cover their a** and spit out the raw data.
Finally, you should meet with the consultants to view the draft of the report so you get a heads up and they get to polish the deliverable.
What do you really want out of the VA? The VA is a tool to help you determine where to focus your limited resources. It is not a report card.
Tell your bosses to use real security specialists. (Score:2, Insightful)
Re:Its their job (Score:4, Insightful)
Yup, sorry. My mistake.
Isn't it Obvious? (Score:4, Insightful)
They've done nothing wrong. It's their job to point out every molehill. It's your job to perform a threat/risk assessment for each molehill and present a range of mitigations to your boss. For example:
This honestly isn't rocket science. The consultick isn't out to destroy you. He's just doing his job. And yes, it's amusing that the consulticks charge huge amounts of money to run nmap and Nessus, but they were only brought in because you obviously don't have the time to do it yourself.
I get the impression that you've taken this as a personal slight. I think that you believe the consultick's report has made you look bad. Get over it. Maybe you have made a mistake. Maybe you haven't. Your boss doesn't know yet because he isn't informed. Informing your boss of the risks and the costs raised by the consultick's report should be your #1 priority. If you do a good job, you and the consultick will both look good.
Re:Employees can play this game too. (Score:4, Insightful)
Someone convinces him that he has good ideas and he should express them at the next meeting. Spurred by this revelation, he enters the conference room.
The next scene shows him clearing out his desk.
It's your job as a corporate drone to rate management's decisions on a scale from good to excellent. Anything less might label you as a bump in the road, a thorn in the side.
When I'm in a corporate environment, my goal is to steer my superiors into the correct path without compromising their ideas.
Trust me. I have a large supply of well used cardboard boxes.
Trust in your skills (Score:4, Insightful)
There is an issue of trust in the ability of your engineers though. I had this problem at my previous employer (which I left). If the manager consistently does not listen to your advice (however presented), think about it a bit: It means he/she actually does not have much faith in your skills, and does not trust your advice. This is inherently going to be a problem for you, regardless of whether or not you are able to 'document your thought processes'. What kind of reference are you going to get from a manager who doesn't trust your capabilities and thinks you're probably mediocre? What kind of opportunities for promotion, salary increases, increased responsibility etc. are you going to get from a manager who doesn't recognize or trust your capabilities? If this is what is going on, you need to get out anyway, because you're going to hit a "glass ceiling" very soon in your career.
IMO, good managers recognize skills, and place trust in their employees, giving them enough 'free rein' to 'work their magic' and not preventing them from doing so.
Re:Employees can play this game too. (Score:2, Insightful)
"Very impressive. Are you still employed there?"
"No, they went bankrupt shortly thereafter."