Undercover
The Best Defense Is a Firing Offense
What's a CSO to do when his tech expert says No to a request?
By Anonymous
A conversation with the programming team doesn't help matters either. I explain to them about opening the 2,000 ports and why that might be a problem. Don't they care about my problems with security?
"Not so much," Project Boy tells me. "You should have said something much earlier in the process."
"Really? When?" I wonder to myself. "You've been working on this project for a year. I never heard anything about it until two weeks ago. Where was the security review of the project?" I ask impatiently.
"We didn't do one," he retorts, knowing I'm trapped by a technicality: "This isn't a security product, so no security review. You were supposed to be kept in the loop by Big Boss. Didn't he tell you about it?" He smiles again. It's obvious I haven't heard a word from Big Boss. "Guess you need to take this up with him then," says Project Boy. "But if you don't get those ports open, we'll both end up in his office. And my project has more priority," he says. And he's right.
Nothing like being the meat in a crap sandwich. So it's back down to talk to Technology Guy.
"Is there any solution we could use that will solve the problem of the RPCs through the firewall?" I ask politely.
"Absolutely not," he says. "They'll just have to recode the app. It's the only solution."
Secretly, I find it hard to believe. But I persevere. "I'm sure someone has solved this," I say, not knowing anything for sure at this point.
"Nope," he says. "And I'm an expert when it comes to this sort of thing."
Technology Guy may be an expert, but I'm a manager. Not every CSO may be up to snuff when it comes to technology, but we know other managers and their own technical people. And it's a good way to check out the truth from time to time.
So I call my friend, Manager Maven, at a company across town and explain the situation. He says they had the same problem, but one of his guys came up with a firewall that could deal with RPC calls. Seems that applications using RPCs have to negotiate whichever of the 2,000 ports they're going to use on Port 135, and then they use the negotiated port. RPC firewalls that understand how RPCs work shut down all ports except for the ones where the apps have negotiated a common port between the two. That way, there are no open ports without an actual app attached to them. The other ports aren't available to scanners or hackers that come calling.
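To make the mechanism concrete, here is a simplified model of the RPC-aware firewall the column describes. It is an added illustration, not code from the column or from any vendor's product. It models only the decision logic: a client asks the endpoint mapper on TCP 135 where an interface is listening, the server answers with a port in the dynamic range, and the firewall opens a pinhole for that one client/server/port triple and nothing else. The port range, the pinhole lifetime, the one-connection-per-pinhole rule and the sample IP addresses are all assumptions chosen for the example; real products parse the DCE-RPC endpoint-mapper response on the wire rather than receiving it as a method call.

```python
"""Simplified model of an RPC-aware firewall (added example, not from the column).

Assumptions (not stated on the page):
  * dynamic RPC ports are 1025-4999 (the legacy Windows range);
  * a negotiated port stays open for PINHOLE_TTL seconds if unused;
  * a pinhole admits exactly one new connection, after which the ordinary
    stateful engine is assumed to track the established session.
"""
from dataclasses import dataclass

EPM_PORT = 135                       # endpoint mapper, always reachable
DYNAMIC_RANGE = range(1025, 5000)    # assumed legacy dynamic RPC range
PINHOLE_TTL = 30.0                   # assumed lifetime of an unused pinhole, seconds


@dataclass(frozen=True)
class Pinhole:
    client: str
    server: str
    port: int


class RpcAwareFirewall:
    """Default-deny for the dynamic range; opens only negotiated pinholes."""

    def __init__(self) -> None:
        self._pinholes: dict[Pinhole, float] = {}   # pinhole -> expiry time

    def _expire(self, now: float) -> None:
        for hole in [h for h, exp in self._pinholes.items() if exp <= now]:
            del self._pinholes[hole]

    def on_epm_response(self, client: str, server: str, port: int, now: float) -> bool:
        """Seen on the port-135 stream: the mapper told `client` that the
        interface lives on `server`:`port`. Open a pinhole for that triple.
        Returns False (and opens nothing) if the port is outside the range."""
        if port not in DYNAMIC_RANGE:
            return False
        self._expire(now)
        self._pinholes[Pinhole(client, server, port)] = now + PINHOLE_TTL
        return True

    def allow(self, client: str, server: str, port: int, now: float) -> bool:
        """Decision for a new inbound connection attempt (a TCP SYN)."""
        if port == EPM_PORT:
            return True                      # the negotiation channel itself
        self._expire(now)
        hole = Pinhole(client, server, port)
        if hole in self._pinholes:
            del self._pinholes[hole]         # consumed: one negotiation, one connection
            return True
        return False                         # unnegotiated port: closed to scanners

    def open_pinholes(self, now: float) -> int:
        self._expire(now)
        return len(self._pinholes)


def simulate() -> list[bool]:
    """Constructed sequence of events illustrating the behaviour.
    Returns the allow/deny decisions in order."""
    fw = RpcAwareFirewall()
    app, scanner, server = "10.0.0.5", "10.0.0.99", "10.0.0.9"   # constructed addresses
    decisions = [
        fw.allow(app, server, EPM_PORT, now=0.0),      # True: talk to the mapper
        fw.allow(scanner, server, 1026, now=0.5),      # False: nothing negotiated
    ]
    fw.on_epm_response(app, server, 1026, now=1.0)     # mapper answers: port 1026
    decisions += [
        fw.allow(scanner, server, 1026, now=1.5),      # False: not the negotiating client
        fw.allow(app, server, 1026, now=2.0),          # True: the negotiated pinhole
        fw.allow(app, server, 1026, now=2.5),          # False: pinhole already consumed
    ]
    fw.on_epm_response(app, server, 1030, now=10.0)    # negotiated but never used
    decisions.append(fw.allow(app, server, 1030, now=45.0))   # False: expired after TTL
    return decisions


if __name__ == "__main__":
    print(simulate())
```

The two rules that matter for the column's point are in `allow`: a connection to a dynamic port is admitted only if the same client was told that port by the endpoint mapper, and a port that was never negotiated (or whose pinhole has expired) looks closed to anyone probing the range. Tying the pinhole to the client address as well as the server port is what keeps a scanner from riding on another host's negotiation.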