This is what annoys me about internal security teams. No, this doesn't make us vulnerable because it's in the DMZ, we have ACLs, it's behind a firewall, we have traffic monitoring, process monitoring, MFA, geofences, etc etc. Just because there's a possibility this could be exploited in some convoluted way in a targeted attack doesn't mean all the other walls we have stood up around this are suddenly useless. I'm constantly pestered and forced to waste my time explaining that your little CVE scanner tool is not the end all for our security posture.
Not to snap at you, but I'm forced to deal with these "what if" scenarios weekly and it drives me nuts. I know the security guys have a job to do, but I feel like half of their job is just trying to drum up scary looking things to justify their employment.
Not to snap at you, but I'm forced to deal with these "what if" scenarios weekly and it drives me nuts. I know the security guys have a job to do, but I feel like half of their job is just trying to drum up scary looking things to justify their employment.