Discussion in 'Business & Enterprise Computing' started by elvis, Jul 1, 2008.
I don't think he really needs to start worrying until he loses an argument with himself.
But which one is the real elvis?
Or is it more that Luke212 fights to the death?
YAY, audit day today, being asked the obligatory "why is port 22 open?" AGAIN... fuck muppets!
After being told to turn off all ICMP in our network (yes, internally), I asked the auditor if he could give me a list of exploits that backed up his concern for ICMP being allowed internally.
He just looked at me blankly, and said "but it says here on my list..."
Ping is power!
(and it's a car analogy too)
And that, my friend, is the same fucken answer I got, but I did get a win after 14 months of being told OpenVPN couldn't be installed on Windows laptops; we can now use OpenVPN officially.
You should ask him to explain what ICMP stands for, and when he can't, explain that you're very offended and are making a report to HR..... just for shits and giggles.
Heck, I had to google what the acronym stood for again, as it has long been forgotten and I only need to understand its purpose and function.
International Commission on Missing Persons
Very appropriate for dealing with auditors.
Just do everything they say and then make them man the phones for a couple of days.
I built a product to a specification, and nowhere in the specification did it say I needed to comply with a dumbass bullshit audit that cannot justify why things are done that way, because all they know is muppet Windows land. It's just internal politicking: someone who has been a hindrance wants to now feel included because the project is green-lit for commercial.
Roll of carpet and a bag of lime?
9 years and I still haven't seen a pen test nor vuln test worth the cost of running it. All have been top and tailed, automated scans with no comprehension of what the report means. I just charge customers to review them now, so that's a win.
Actual pen/vuln testing is hard and requires skills.
The noobs the consultancy giants send out are neither. They are expensive, though.
the last pen test report I read impressed the hell out of me with the lengths they went to.
I want to get a test done, however it requires the buy-in from our U.S. and EU offices - I want physical access attempted as well.
Head office's argument is that they know we are all not secure/hardened, so let's get to a point where we think we are secure and then test. My counter-argument is that we don't know how insecure we really are, so we may be focusing on securing a low to medium risk issue while we are ignoring simple high risk issues. From a network point of view I think we are good, but again, you don't know what you don't know.
I mean, like, you can ICMP tunnel, but there are ways you can mitigate that too.
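As an added example (not code from the thread), one way a defender can spot the ICMP tunnelling mentioned above without blocking ICMP outright: score each echo-request sender on payload size, payload entropy and send rate. The record format, host addresses and thresholds are constructed assumptions for illustration.

```python
import math
from collections import defaultdict

# Constructed sample of ICMP echo-request records: (timestamp_s, src, dst, payload).
# 10.0.0.5 sends ordinary pings; 10.0.0.9 behaves like a tunnel client.
NORMAL_PAYLOAD = bytes(range(0x08, 0x08 + 56))          # classic 56-byte ping padding
SAMPLE = [(float(t), "10.0.0.5", "10.0.0.1", NORMAL_PAYLOAD) for t in range(10)]
SAMPLE += [(0.1 * i, "10.0.0.9", "10.0.0.1",
            bytes((i * 37 + j * 101) % 256 for j in range(400)))   # pseudo-random-looking data
           for i in range(60)]


def entropy(data):
    """Shannon entropy in bits per byte; patterned ping padding scores low, encrypted data high."""
    if not data:
        return 0.0
    counts = defaultdict(int)
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def find_tunnel_candidates(records, max_payload=64, max_rate=5.0, min_entropy=7.0):
    """Return {src: [reasons]} for senders whose echo traffic looks like a covert channel.
    Thresholds are illustrative assumptions, not vendor defaults; tune them to your own baseline."""
    by_src = defaultdict(list)
    for ts, src, _dst, payload in records:
        by_src[src].append((ts, payload))
    findings = {}
    for src, pkts in by_src.items():
        reasons = []
        biggest = max(len(p) for _, p in pkts)
        if biggest > max_payload:
            reasons.append(f"oversized payload ({biggest} bytes)")
        if any(entropy(p) >= min_entropy for _, p in pkts):
            reasons.append("high-entropy payload")
        span = max(ts for ts, _ in pkts) - min(ts for ts, _ in pkts)
        rate = len(pkts) / span if span > 0 else float(len(pkts))
        if rate > max_rate:
            reasons.append(f"high echo rate ({rate:.1f}/s)")
        if reasons:
            findings[src] = reasons
    return findings


if __name__ == "__main__":
    for host, why in find_tunnel_candidates(SAMPLE).items():
        print(host, "->", "; ".join(why))
```

The same three signals can be fed from real flow or packet-capture exports once the record tuple is adapted to that source.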
Yeah, the bolded bit is where a lot of people screw up, in my experience. If nothing else, if you're investing x dollars into a program, what's the harm of getting some competent testers in to let you know if the focus is good?
I've seen one mob ever who were worth it. It was when I was working for finance. They charged like a wounded bull, but their test was a full blown "break in to a targeted system and steal valuable things" test, which they did, reported professionally, and then helped us fix.
But yeah, that was literally once ever in 20+ years and hundreds (shit, thousands?) of audits. Every other mob I deal with does the "Nessus scan and print" trick, but to be fair a lot of businesses won't pay for more, because they're not required to.
IT's version of test and tag