
SANS ISC: Stop Admiring The Problem. Start Addressing The Problem. - SANS Internet Storm Center


Stop Admiring The Problem. Start Addressing The Problem.
How much energy do you spend admiring your problems? It does not matter what the problem is: asset inventory, vulnerability management or security awareness. You do have problems. What are you doing to make your current problem less of a problem? Set your problems aside for just a minute and take a brief journey to explore how your problems can be viewed as an opportunity.
 
I have been guilty of this behavior in the area of vulnerability management. I was so focused on making sure that everything was scanned on a regular basis that I failed to work with the system and application administrators to help them remediate the vulnerabilities the scanners had identified. A much better alternative to just scanning everything on your network is to scan for a brief amount of time and then stop. Stop long enough to fix some issues the scanner identified and then go back and confirm they really were fixed. It does not have to be complicated. Perhaps you can use a simple chart that shows what was found, what was corrected and what still needs to be corrected. 
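The scan, fix, re-scan cycle above reduces to a simple reconciliation of two scan exports: a finding counts as corrected only when the re-scan no longer reports it on the same host and port, and everything else is still open. The script below is an added example, not code from the diary; the CSV layout and the check identifiers in it are constructed, scanner-neutral placeholders rather than any vendor's real export or plugin numbers.

```python
"""Reconcile two vulnerability scan exports to show what was found,
what was corrected (confirmed absent in the re-scan) and what remains.

Added example. SCAN_BEFORE / SCAN_AFTER are constructed sample exports in
a made-up CSV layout; CHK-xxxx values are placeholders, not real plugin
or CVE identifiers.
"""
import csv
import io

# Constructed sample exports. Fields: host, port, check_id, severity, title.
SCAN_BEFORE = """host,port,check_id,severity,title
10.0.0.5,445,CHK-0001,High,SMB signing not required
10.0.0.5,3389,CHK-0002,High,Remote Desktop uses weak encryption
10.0.0.7,22,CHK-0003,Medium,Outdated SSH server version
10.0.0.7,80,CHK-0004,Low,Web server version disclosure
10.0.0.9,443,CHK-0005,High,TLS 1.0 enabled
"""

SCAN_AFTER = """host,port,check_id,severity,title
10.0.0.5,445,CHK-0001,High,SMB signing not required
10.0.0.7,22,CHK-0003,Medium,Outdated SSH server version
10.0.0.9,443,CHK-0005,High,TLS 1.0 enabled
10.0.0.9,8443,CHK-0006,Medium,Self-signed certificate
"""

SEVERITY_ORDER = ["Critical", "High", "Medium", "Low"]


def parse_scan(text):
    """Return {(host, port, check_id): row} for one scan export.

    Keying on host *and* port matters: the same check passing on one
    service and still failing on another must not be counted as fixed.
    """
    findings = {}
    for row in csv.DictReader(io.StringIO(text)):
        findings[(row["host"], row["port"], row["check_id"])] = row
    return findings


def reconcile(before, after):
    """Classify first-scan findings against the re-scan.

    corrected: reported before, absent now (the confirmation step)
    remaining: reported in both scans
    new:       reported now but not before (drift since the first scan)
    """
    corrected = {k: v for k, v in before.items() if k not in after}
    remaining = {k: v for k, v in before.items() if k in after}
    new = {k: v for k, v in after.items() if k not in before}
    return {"corrected": corrected, "remaining": remaining, "new": new}


def severity_chart(before, after):
    """Per-severity counts of found / corrected / remaining, highest first."""
    result = reconcile(before, after)
    chart = {}
    for sev in SEVERITY_ORDER:
        found = sum(1 for r in before.values() if r["severity"] == sev)
        if found == 0:
            continue  # nothing of this severity was ever found; keep the chart short
        chart[sev] = {
            "found": found,
            "corrected": sum(1 for r in result["corrected"].values() if r["severity"] == sev),
            "remaining": sum(1 for r in result["remaining"].values() if r["severity"] == sev),
        }
    return chart


def render_chart(chart):
    """Plain-text table, the 'simple chart' the diary suggests."""
    lines = [f"{'severity':<10}{'found':>7}{'corrected':>11}{'remaining':>11}"]
    for sev, c in chart.items():
        lines.append(f"{sev:<10}{c['found']:>7}{c['corrected']:>11}{c['remaining']:>11}")
    return "\n".join(lines)


if __name__ == "__main__":
    before, after = parse_scan(SCAN_BEFORE), parse_scan(SCAN_AFTER)
    print(render_chart(severity_chart(before, after)))
    for (host, port, check), row in reconcile(before, after)["new"].items():
        print(f"new since last scan: {host}:{port} {check} {row['title']}")
```

Run against a real pair of exports, the "new" bucket is the one to watch: it is what keeps the remaining count from shrinking even when administrators are fixing things, and it is easy to miss if you only ever look at the total.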
 
Collecting a bunch of "High" rated vulnerabilities adds no value. Correcting "High" rated vulnerabilities adds tremendous value. Instead of throwing missing patches over the fence to your administrators, offer help to them in their time of need. Maybe there is a valid business reason the administrators are not responding as quickly as you would like. Maybe they need extra support from your security or compliance teams to make progress in this area. Maybe they could use your help to focus on a solution to this problem. 
 
Every person should take time to make undeniable progress on one of their security problems because of the positive impact it will make on the security posture of their organization. Make progress, even if it is just baby steps. Make a move in the right direction to become the change agent that is desperately needed. 
 
What can you do right now to be the catalyst for the positive change your organization so desperately needs? 
 
What can you do right now to stop admiring the problem?
 
Russell Eubanks
@russelleubanks
securityeverafter at gmail dot com
I will be teaching next: Security Strategic Planning, Policy, and Leadership - SANS Rocky Mountain 2019

More and more companies outsource operations. So the scanning is just a check that they are doing their job.

Often they hate the reports, as it basically shows a massive breach of contract. They are the ones that pick the tools, and in a company like IBM, when the people in the USA say hammer, everybody complies and uses the hammer to drive the screw into the wood.

When you outsource operations, you can't help them get tools that work. You just have to hit them not with a list of findings; you need to prioritize yourself, and make tasks they can see are created by humans on the most critical servers. And when they are at the server, get them to fix the medium ones as well. We know they are not doing their job too well. When you outsource, the IT guys no longer have any feeling for the business side; they are not part of the company's failure or success, they are only part of that on the IBM side.
Povl H.

The biggest issue when it comes to VA management is the validation of the results and what that means in risk to the organization. Just because a VA scanner rates a vulnerability as "High" does not always mean that the vulnerability and its remediation will bring about the risk reduction you are looking for. A lot of times I have found non-technical (process/procedure) aspects with administrators/engineers that are driving risk into the equation and that you aren't going to find on a VA scan. Spending time understanding the whole process and then understanding the risk(s) involved is time better spent.
Edward

Quoting Povl H.: More and more companies outsource operations. So the scanning is just a check that they are doing their job.


Yes, in some fashion... my home TZ catches it at least 12 times a day: 23-212-250-177.deploy.static.akamaitechnologies.com (not posting the report).

Quote: Often they hate the reports,
They not only hate the report, but also prevention and the $$ to make it right; then add the children from playing. I lost a job because I refused to give the keys to the kingdom to the VP of Sales, who was the owner's daughter and who every time would TURN OFF ALL countermeasures (at the server), and my Trend would ring off the hook. After all, it is much more important to have WeatherBug, shop at Needless Markup and play FBook games instead of doing her job; to make matters worse, they are corporate officers who should lead by example. Her retort: I only did it for a minute, it shouldn't have created that much of a problem. <CLUELESS>

Oddly enough, when I was offered the job, they wanted to get secure; well, that did not include taking the toys away. The same exact Target breach I warned about years earlier, since my past company dealt with HVAC: they would send techs with poisoned PCs to the job, cracked software, etc. They would fight me during the bidding process: add a virgin laptop, load it, it never sees the net, only config, and it is locked up before and after the tech comes, but I was the weird one. (Yes, I am still bitter.) Since we ALL see this over and over, it's frustrating. Then add the level that they also have ALL of my personal data, which makes it worse; the only saving grace is that I froze my credit, and yes, they were breached a year later. Another enduring story: another VP's daughter wanted a job with the USSS and her PC was riddled with viruses and malware; she had SS#s of the entire family, bank accounts, but her ILoons was up to date.

Quote: When you outsource operations, you can't help them get tools that work.
Yep, but their egos do not want those tools either. They are sold vaporware and if they yield it shows weakness.

The only way this will change is HUGE fines to MS, Oracle, Adobe and companies that prevent people from doing their jobs, endanger customers and employees. $$$ talks!

Too bad I was not able to walk into the fleebs' office and say, "told you".
ICI2Eye

Edward,

You are right - it is very important to not just take the word of the VA scanning vendor on what is a "High", but to personalize their rankings based on your own environment. It may very well be that what they call a "High" is actually a "Low" or "Does not apply here".

Russell
Remember that it also works in the other direction: often vulns that are only rated Important or Medium may be a higher risk in your environment. It also makes a difference if the lower-rated vuln is being exploited in the wild; that should immediately make it High. So you need to have security notification systems in place that will update you if something begins being exploited.

Hands-on helping the Operations folks is usually (and rightly) prohibited. Often, the best you can do, in cases where remediation is not just "apply the patch", is to provide some "translation" of the reports to help Operations understand the tasks needed to fix things.
Russell
Having a good WORKING policy that is fluid as well as stable makes this process fairly seamless.

Regular meetings to go over the security agenda, discuss the priority of threats and review the accomplishment of eliminating another one help keep the team focused and bring a sense of accountability.

If a critical threat emerges, there should always be at least a couple of members who may be watching forums or vendor pages for such info and can initiate a reaction. The reaction could be a meeting to assess how soon the business should patch and the impacts it will have, or to plan an in-depth assessment of the environment to verify it's not a threat.

These two practices are a high-up view of course, but in my experience they have made all the difference in the company's culture to address security issues.
Alex

We always do our own ratings of each MS patch to reflect our environment. So a Medium could be High for us etc. Once we set the ratings, every administrator has to comply with the ratings we have set.

We also run monthly reports to check on missing patches and ensure the administrators are on top of it.
Zain Khan

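Several comments above describe the same practice from different angles: a scanner "High" that is really a "Low" or does not apply here, a Medium that becomes High because the host is exposed or because the flaw is being exploited in the wild, and a locally set rating that administrators are then held to. The script below is an added example, not code from the diary or any commenter, of one way to encode those rules so that the re-rating is repeatable rather than done by hand each month. The asset attributes, check identifiers and the exploited-in-the-wild set are all constructed placeholders; the set stands in for whatever notification feed the organisation actually subscribes to.

```python
"""Re-rate scanner severities to fit the local environment.

Added example. Asset attributes, CHK-xxxx identifiers and the
EXPLOITED_IN_WILD set are constructed placeholders; the set stands in for
a real security notification feed.
"""
from dataclasses import dataclass, field

LEVELS = ["Info", "Low", "Medium", "High", "Critical"]


@dataclass(frozen=True)
class Finding:
    host: str
    check_id: str          # placeholder identifier, not a real plugin or CVE id
    scanner_severity: str  # the vendor's rating, as exported
    title: str


@dataclass(frozen=True)
class Asset:
    host: str
    internet_facing: bool = False
    crown_jewel: bool = False  # loss would materially hurt the business
    # check ids neutralised by a compensating control on this host
    compensated: frozenset = field(default_factory=frozenset)


def bump(severity, steps):
    """Move a severity up or down the scale without falling off either end."""
    i = LEVELS.index(severity) + steps
    return LEVELS[max(0, min(len(LEVELS) - 1, i))]


def local_severity(finding, asset, exploited_in_wild, not_applicable):
    """Return (local severity, reasons) for one finding on one host.

    Environment adjustments are applied first, then the exploited-in-the-wild
    floor, so an update from the notification feed can only raise a rating.
    """
    if finding.check_id in not_applicable:
        return "Info", ["check does not apply in this environment"]
    sev, reasons = finding.scanner_severity, []
    if finding.check_id in asset.compensated:
        sev = bump(sev, -2)
        reasons.append("compensating control on host")
    if asset.internet_facing:
        sev = bump(sev, +1)
        reasons.append("internet facing")
    if asset.crown_jewel:
        sev = bump(sev, +1)
        reasons.append("crown-jewel asset")
    if finding.check_id in exploited_in_wild and LEVELS.index(sev) < LEVELS.index("High"):
        sev = "High"
        reasons.append("exploited in the wild")
    return sev, reasons


def rerate(findings, assets, exploited_in_wild, not_applicable):
    """Re-rate every finding; hosts missing from the inventory get a default Asset.

    Returns [(finding, local severity, reasons)] sorted highest first, which is
    the order the administrators are asked to work in.
    """
    rated = []
    for f in findings:
        asset = assets.get(f.host, Asset(host=f.host))
        sev, why = local_severity(f, asset, exploited_in_wild, not_applicable)
        rated.append((f, sev, why))
    rated.sort(key=lambda r: LEVELS.index(r[1]), reverse=True)
    return rated


# Constructed inventory and findings; 10.0.0.7 is deliberately absent from
# the inventory to show the default handling.
ASSETS = {
    "10.0.0.5": Asset("10.0.0.5", compensated=frozenset({"CHK-0001"})),
    "10.0.0.9": Asset("10.0.0.9", internet_facing=True, crown_jewel=True),
}
FINDINGS = [
    Finding("10.0.0.5", "CHK-0001", "High", "SMB signing not required"),
    Finding("10.0.0.9", "CHK-0003", "Medium", "Outdated SSH server version"),
    Finding("10.0.0.7", "CHK-0002", "Medium", "Remote Desktop uses weak encryption"),
    Finding("10.0.0.7", "CHK-0004", "High", "Web server version disclosure"),
]
EXPLOITED_IN_WILD = {"CHK-0002"}  # placeholder for the notification feed
NOT_APPLICABLE = {"CHK-0004"}     # reviewed and confirmed irrelevant here

if __name__ == "__main__":
    for f, sev, why in rerate(FINDINGS, ASSETS, EXPLOITED_IN_WILD, NOT_APPLICABLE):
        print(f"{sev:<9}{f.host:<11}{f.check_id}  scanner said {f.scanner_severity}; "
              f"{', '.join(why) or 'no change'}")
```

The reasons list is the part worth keeping: when an administrator asks why a Medium is now due this week, "internet facing, crown-jewel asset" is the translation of the scanner report that the comment about helping Operations asks for, and a host that is missing from the inventory shows up with no adjustments at all, which is itself a finding.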
