War stories: the vulnerability scanning argument

Over the last couple of decades I have had all sort of different jobs. I have to count myself as rather fortunate for the experiences I have had along the way. They really went a long way to teach me some valuable lessons. Also, in some cases, they taught me how to hold my tongue.

In one such job years ago, I was working on implementing a company wide vulnerability scanning platform. As you might imagine, especially if you have done this sort of project before, there was some land mines I had to contend with in due course.

At this particular job there were all sorts of different business units who acted as individual fiefdoms and had little interest in having their system scanned by anyone. “We have a firewall, we’re fine” one team lead had grouched at me. “We have detection capabilities and we’ll know if you scan our systems.”

I nodded politely and the second my office door closed I started the scan. It was already queued and ready to go before they walked into the room. Damn if those systems didn’t light up like a fireworks display that could be seen from space. I found no less than three trivial remotely exploitable vulnerabilities. I sat back in my chair with my feet up. I sipped my coffee and waited.

No one came running. No phone calls. No emails. Detective controls my arse.

A couple days later I received a call from a “security” person who had been with the company for years in a different division. This person took the time to tell me their history and that they knew where all the bodies were buried. I nodded and waited patiently for them to arrive at their point. “You know, we don’t scan certain teams servers because we have an understanding.” And there it was. This person was trying to gently get me to not scan the aforementioned systems.

This wasn’t the surprising part. That came when this person said, “We only really ever scan up to port 1023 anyway.” Suddenly there was a stabbing pain in my temple. Mostly due to the fact that the pen that had been in my hand was now planted there. “I beg your pardon? Did I hear that correctly? What is the rationale for that decision?”

I bit my tongue at this point and waited as the taste of copper began to pervade. “Well, those are the only registered ports accord to IANA. Anything using a port above 1024 is is not a system port and not permitted on the network.” I was gobsmacked. I could forgive this if it was a non-technical person or someone junior but, this was a person who had been in their role for years. 

“I’m afraid I’m going have to agree to disagree with you on that point.” We went back and forth for a while. Eventually I decided to scan systems regardless of this sort of nonsense despite the threats to “go over my head”. I was not of a mind to play silly games while I was trying to help facilitate the business in a safe and secure fashion.

This is the first of some of my old war stories that I’ll be sharing this month on CSO. I hope that my pain can bring you some comfort that you are not alone.