Turning Port Scans Into Something Meaningful

September 26, 2013

First, be sure to check out the rest of the fall 2013 training schedule right here (CLICK).  I have just two more Making Money w/ Security classes before year end – and the sooner you attend, the sooner you can start applying these principles to growing your business.

This past week I was reviewing port scan results with a group of security experts and a sales team.  They had just completed a vulnerability scan ordered by one of their customers.  This is a common request – “Scan this set of addresses and let us know if you find anything.”  The problem is, port scanning is a commodity offering, and without some sales strategy you might find yourself fulfilling these requests, taking several hundred, or perhaps a few thousand, dollars in gross profit, but with little long-term work or follow-up remediation work.  How should you handle this?

1. Up-sell: The first step is to try to up-sell this client on the need to do more than scan some ports.  When a request like this comes in, it may be hard to turn down a simple contract that is sure to result in a few dollars of profit, but the truth is, a simple scan just isn’t worth that much.  Find out why the client wants this testing done and what they need to get out of it.  If it’s a check mark for someone upstairs, perhaps there’s an opportunity to have a higher-level conversation about what would be more beneficial, or at least to find out what applications are being looked at within this IP range.  In our case the company was a lender – the addresses given to us were tied to web servers used to interface with customers.  That means account information, loan information, and of course, sensitive information.

2. In our case the sales team was not able to up-sell, so they were stuck with the simple scan project.  After agreeing on price, they did their scan and compiled the results.  It was at this point that I got involved in the deal – my first questions centered around the kinds of applications we were dealing with.  It’s tempting to go right to the ports that are open, software versions that are out of date, and other anomalies that show up in a scan.  But without identifying the kinds of applications and the sensitivity level of the data behind these IP addresses, it’s hard to put anything in a report that speaks to people higher in the organization or on the business side.

3. After reviewing the results it was apparent that this company had some major holes in their armor.  Does that mean there is an emergency?  Not really.  Every company has this – but by looking at how these servers are being used, where the web apps sit, and what kinds of data are created, transmitted, stored, etc., we were able to put together some questions for the client to get them thinking about possible risk and exposure.  It is true that things need to be tightened up based on the results of the scans, but how does the client know they have not already been compromised?  They don’t.  When there are big holes, there is justification for going further.

4. So the final step is to use these results to build a case for going further: to get the client to see that it’s now necessary to check for backdoors, rootkits, and evidence of foul play in their organization.  Being a financial institution, it is reasonable to think someone has already taken advantage of these weaknesses in their security architecture.
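Steps 2 and 3 come down to one practice: joining raw scan findings to what each address is used for and how sensitive the data behind it is, then turning the top items into questions the business side can answer.  The script below is an added example, not something from this post or the engagement it describes; the scan lines, the asset inventory and the scoring weights are all constructed for illustration.

```python
"""Contextualize raw port-scan findings with application and data sensitivity.

Added example; the scan lines and inventory below are hand-written samples,
not real scan output. Format per line: "host port/proto service [version...]".
"""

SCAN_LINES = """\
10.0.1.10 443/tcp https Apache httpd 2.2.3
10.0.1.10 22/tcp ssh OpenSSH 4.3
10.0.1.11 80/tcp http Microsoft IIS 6.0
10.0.1.11 3389/tcp ms-wbt-server Microsoft Terminal Services
10.0.1.20 25/tcp smtp Postfix
10.0.1.30 8080/tcp http-proxy Squid 2.6
"""

# Constructed inventory: the answers step 2 asks the client for.
INVENTORY = {
    "10.0.1.10": ("customer loan portal", "confidential"),
    "10.0.1.11": ("online account servicing", "confidential"),
    "10.0.1.20": ("marketing mail relay", "public"),
}
SENSITIVITY_WEIGHT = {"confidential": 3, "internal": 2, "public": 1}
# Remote-administration services that a customer-facing address should not expose.
ADMIN_SERVICES = {"ssh", "ms-wbt-server", "telnet"}


def parse_scan(text):
    findings = []
    for line in text.splitlines():
        host, port, service, *version = line.split()
        findings.append({"host": host, "port": port, "service": service,
                         "version": " ".join(version)})
    return findings


def prioritize(findings, inventory):
    """Score each finding by the data behind the host plus the exposure type."""
    out = []
    for f in findings:
        app, sens = inventory.get(f["host"], ("unknown asset", "internal"))
        score = SENSITIVITY_WEIGHT[sens] + (2 if f["service"] in ADMIN_SERVICES else 0)
        out.append({**f, "application": app, "sensitivity": sens, "score": score})
    return sorted(out, key=lambda x: (-x["score"], x["host"], x["port"]))


def client_questions(prioritized, threshold=3):
    """Turn the higher-scoring findings into the business-level questions of step 3."""
    qs = []
    for f in (x for x in prioritized if x["score"] >= threshold):
        where = f"{f['host']} ({f['application']}, {f['sensitivity']} data)"
        if f["service"] in ADMIN_SERVICES:
            qs.append(f"{where}: {f['service']} on {f['port']} is reachable. Is remote "
                      "administration meant to be exposed here, and who reviews its logins?")
        else:
            qs.append(f"{where}: {f['version'] or f['service']} on {f['port']}. What is the "
                      "patch cadence, and how would a compromise of this server be noticed?")
    return qs
```

Unknown hosts default to "internal" so they are never silently dropped; the point of the inventory lookup is that an unanswered "what is this address?" is itself a question for the client.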

Security should be a door opener.  No matter how small the deal is, consider it an opening and do whatever you can to leverage the small opportunities to find evidence of larger issues.  Most of the companies you call on have major holes, but getting them to let you in to look is not always easy.  Most are assuming everything is okay – and without finding something that would lead them to think otherwise, chances are they will continue to do the minimum in order to pass the audits.  Then, one day down the road, they’ll discover some major loss – and it will be too late.

In our upcoming Making Money w/ Security workshops I cover several strategies for getting in deeper, accessing higher level people, and gaining access to build the justification you need to do the right thing for your clients.

© 2013, David Stelzl
