I'm browsing the twitters as usual and as I follow @GossiTheDog I saw his excellent write ups and advice on why the Pulse VPN vuln was so bad. I read it and start composing an email to our Managed Service Provider (MSP) to get on the case asking are we patched yet etc. First...
issue is the MSP's infosec manager flatly denies we even run Pulse VPN or have any Pulse VPN appliances in our datacentres, so we are "not affected" in his email reply over 24hrs later. Even my boss knows this is a crock o'shit & asks me to prove we do use Pulse. Time for...
some reconnaissance using the standard hacker toolkit of NMAP & SHODAN as the VPN is obviously internet facing and screenshots of the client installed to prove we do use it, get it patched please etc. Armed with the outputs of an NMAP scan (that their SOC didn't notice), SHODAN..
output showing it's on our external IP ranges with a service banner grab to show it's got our business name configured etc, hosted in the datacentres they are supposed to look after plus some screenshots of the client, I thought we'd now get somewhere. Yeah, nah. The MSP's....
infosec manager now plays the escalation game i.e. unless someone senior chases him for an update, he's going to ignore this until it goes away. Days pass, nothing back from him yet. Boss escalates to senior management that we aren't getting anywhere with this issue and need to..
get this sorted etc. Still nothing. A week passes. Other issues are taking the lead but I still see the ongoing developments, and urge my boss to get it sorted, live attacks, we are vulnerable etc. He does so, using the now standard trick of a cc to our CIO and his counterpart...
at the MSP to basically shame the MSP's infosec manager into doing something about it. He sees who's in on the email thread and makes noises about getting a plan together, apologies etc. Another week passes. Boss asks if any change reqs have come in to fix Pulse, reply none yet....
so another round of email later, we have a change request in to implement the patch. Change comes to approval, no issues our end or with MSP, so expect this to be patched when scheduled, after going via both CABs (Change Advisory Board) ours and the MSP's, it's now over a month...
since I raised the issue. CAB approves the changes and the work is scheduled. Get a notification from their CAB change was implemented successfully, boss asks me to sanity check. Service banner found with NMAP & SHODAN shows, drumroll, same version running. Ask for...
confirmation from one of MSP's firewall engineers I've got a decent relationship with to ask if the patch was installed etc. He answers. Work hasn't been done because the MSP couldn't decide which of their teams was responsible and it got stuck between the SOC & NOC over who....
actually had to do the work, then by the time they'd sorted out that bun fight, the change window to actually patch Pulse was long gone. Change resubmitted but it will take another two weeks via the CAB process. Change to patch Pulse finally gets implemented, 2 months after....
the initial request. Moral: when dealing with MSPs, it's always minimum effort for maximum profit, so you must constantly fight to get basic tasks completed, never mind implementing significant changes. Also, always when vuln managing verify, verify and verify again. EOL.