So, we had a conference call regarding security on a webserver…
Conference call is at 10:00 AM local. My first thought:
We sit down and start the discussion. It immediately goes to the vulnerabilities and open ports discovered on the web server. We had initially scanned the machine using OpenVAS and nmap to get a baseline view of its overall security. The results weren’t encouraging. There were six issues with a CVSS score above 4.0. One that stands out to me in particular is that the server has the HP System Management Homepage exposed to the world. The server also reports no support for SSLv2 or v3.
A little history here first. Once I was provided the URL for this server, I ran these scans. I caught hell from them, but not from my bosses. My bosses got it, and backed me consistently. I ran one OpenVAS scan, and a few nmap scans. Among the open ports I discovered on this box, RDP was exposed, and there is apparently a FreeCIV server running on this box. I saw that, and this is how I imagined their admins:
Then I see port 8081, which nmap reports as BlackICE-IceCap. Ok, they have an IDS with the management interface exposed to the web.
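One check worth doing before reading too much into a port name: nmap labels a port from its nmap-services table unless version detection (-sV) actually probed the listener, and the XML output records which of the two it was. The triage script below is an added example, not code from the original post; it parses a constructed nmap XML fragment (modelled on the findings described above, not a capture of the server in question), separates probed services from table-lookup guesses like "blackice-icecap" on 8081, and flags ports that belong to management interfaces. The management-port list is an assumption for the example (2301/2381 are the HP System Management Homepage defaults, 3389 is RDP).

```python
# Added example: triage nmap -sV XML output and flag table-only service labels
# and exposed management interfaces. The XML below is constructed for this
# example; it is not a scan of any real host.
import xml.etree.ElementTree as ET

SAMPLE_NMAP_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -sV -oX scan.xml 203.0.113.10">
  <host>
    <address addr="203.0.113.10" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="80">
        <state state="open" reason="syn-ack"/>
        <service name="http" product="Microsoft IIS httpd" version="7.5" method="probed" conf="10"/>
      </port>
      <port protocol="tcp" portid="2381">
        <state state="open" reason="syn-ack"/>
        <service name="compaq-https" method="table" conf="3"/>
      </port>
      <port protocol="tcp" portid="3389">
        <state state="open" reason="syn-ack"/>
        <service name="ms-wbt-server" method="table" conf="3"/>
      </port>
      <port protocol="tcp" portid="5556">
        <state state="open" reason="syn-ack"/>
        <service name="freeciv" method="table" conf="3"/>
      </port>
      <port protocol="tcp" portid="8081">
        <state state="open" reason="syn-ack"/>
        <service name="blackice-icecap" method="table" conf="3"/>
      </port>
      <port protocol="tcp" portid="8443">
        <state state="filtered" reason="no-response"/>
        <service name="https-alt" method="table" conf="3"/>
      </port>
    </ports>
  </host>
</nmaprun>
"""

# Assumption for this example: ports that are remote-management interfaces on
# a typical Windows / HP ProLiant web server and should never face the internet.
MANAGEMENT_PORTS = {
    2301: "HP System Management Homepage (HTTP)",
    2381: "HP System Management Homepage (HTTPS)",
    3389: "Remote Desktop (RDP)",
}


def parse_open_ports(xml_text):
    """One dict per open port: service name, whether nmap verified it by
    probing (method="probed") or only looked the port up in its table, and
    any product/version string from version detection."""
    root = ET.fromstring(xml_text)
    findings = []
    for port in root.iter("port"):
        if port.find("state").get("state") != "open":
            continue  # closed/filtered ports are not findings
        svc = port.find("service")
        portid = int(port.get("portid"))
        product = ""
        if svc is not None:
            product = " ".join(filter(None, [svc.get("product"), svc.get("version")]))
        findings.append({
            "port": portid,
            "proto": port.get("protocol"),
            "service": svc.get("name") if svc is not None else None,
            "verified": svc is not None and svc.get("method") == "probed",
            "product": product,
            "management": MANAGEMENT_PORTS.get(portid),
        })
    return findings


def unverified_services(findings):
    """Ports whose label is only a port-table lookup. 'blackice-icecap' on
    8081 says nothing about what is listening until a probe or banner grab
    confirms it; treat these as 'unknown service' until then."""
    return [f["port"] for f in findings if not f["verified"]]


def exposed_management(findings):
    """Open ports that match the management-interface list above."""
    return {f["port"]: f["management"] for f in findings if f["management"]}


def report(xml_text):
    findings = parse_open_ports(xml_text)
    for f in findings:
        tag = "probed" if f["verified"] else "TABLE LOOKUP ONLY"
        note = f"  <-- {f['management']} exposed" if f["management"] else ""
        print(f"{f['port']:>5}/{f['proto']}  {f['service'] or '?':<18} "
              f"{f['product']:<24} [{tag}]{note}")
    return findings


if __name__ == "__main__":
    report(SAMPLE_NMAP_XML)
```

Run `nmap -sV -oX scan.xml <host>` and feed the file to `report()`; anything in the "TABLE LOOKUP ONLY" group gets a banner grab (`nc`, `curl -k`) before it goes into a report as a named product, and anything in the management group is a finding regardless of what the service turns out to be.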
Shortly after running these scans, I was bored and re-enabled Snort on our perimeter firewall. I shit you not, two hours after activating Snort, I caught a port scan from an IP address in the same range as our web server. It made me wonder if their “InfoSec” geeks wanted to see a firewall that actually does its job! Nonetheless, this was my response to them.
Back to the phone call. We start laying it out for them, we found X, Y, and Z, and according to PCI-DSS, this server is not PCI compliant. Cue waffling from their “Director of Information Security” (John Kerry could take lessons from this dude) about how they’re working on becoming PCI compliant, and how they have this really, really expensive firewall that is “application aware”, and how they have an IDS to protect the server. (It just gets better and better!)
Then their “InfoSec” director proceeds to tell me that the server that is hosting our site is outside the firewall. His actual words were “It’s in the DMZ.” At this point, I have my cell phone out and I’m surreptitiously cruising gunbroker.com (I keed, I keed!). Then he proceeds to tell me that they have blocked access to everything except HTTP traffic and associated applications at the firewall. While this moron is saying this, I bring up the HP SMH on the box we’re discussing and show it to my manager, and my manager’s boss.
Then, to make things even better, we tell this fool at least a dozen times that because they’re using our merchant account to process payments, we need to have scans done by our bank’s ASV, and he demands that we do not scan their computers, because, I quote, “They send exploit packets to check for vulnerable applications and services, and it might bring our servers down.” That’s news to me. I’ve scanned our internal systems, including a wheezing old server. This machine was a P4 2.8GHz box with a gig of RAM, acting as a domain controller, routing and remote access server, file server, WSUS server, etc. and it didn’t croak under a heavy scan from our OpenVAS install. This guy thinks that a modern HP server running IIS is going to act like this:
Throughout the conversation, I felt like I was the dude on the left, and their InfoSec director is the guy on the right:
So, without further ado, here is my recommended remediation plan for their developers, admins, and “InfoSec” people:
In closing, if you laughed, cried, puked from the stupid, thanks for reading. If you hated this rant because it describes you perfectly, here’s my response to you: