security scanner flagged our staging database as critical vulnerability. its literally not accessible from internet

[-]

Katerina_Branding@reddit

Scanners do this all the time — they flag “Basic Auth” as *public critical* even when the service is only reachable inside a VPC. They have zero awareness of ALB rules, SGs, or private routing. If they see the header, they assume it’s internet-facing. You’re basically fixing report optics, not security. Most teams eventually separate: * **exposure checks** (what’s actually reachable) * **auth pattern reviews** (acceptable internally vs externally) * **vuln scanning** Mixing everything into one “critical” bucket generates exactly this noise.

Reply

[-]

lemaymayguy@reddit

If I told you to resolve something and you retorted , "its not even on the internet" my jaw would be on the floor

Reply

[-]

hannahranga@reddit

Crys in industrial

Reply

[-]

canyonero7@reddit

As an owner of a small industrial, we're trying, man. Well, some of us are. I can't just replace a $300k machine because the computer inside it is on Windows 7. I wish we could charge prices that would support hospital-level IT but that's a fantasy for us. On the bright side, I agree with everyone that's ripping on the OP. A major priority of mine was eliminating all insecure credentials exchanges and boy was that a battle (with various software vendors who had horrible security). It just takes one employee, vendor, or customer coming in with an infected laptop to harvest/exfil all the credentials on the domain. Your firewall rules won't save you.

Reply

[-]

cybersplice@reddit

Sorry to disappoint you, but MRI and CT scanners can *also* run on XP/7

Reply

[-]

canyonero7@reddit

Oh I'm sure. I have a $3M piece of equipment running on Windows 2000.

Reply

[-]

cybersplice@reddit

I saw a 3-4k voltage injection tester - brand new - on AliExpress the other day. The product demo video with a guy injecting onto a board had the unit powering up. Quite clearly booted XP, went to the desktop then launched a full screen app. Horrifying. Industrial gear is rife with this stuff.

Reply

[-]

jdmillar86@reddit

One of the most famous attacks ever targeted an airgapped network!

Reply

[-]

ASentientRailgun@reddit

And is still out there attempting to do so! I get a giggle when I see it in reports, mostly because I don't support any centrifuges.

Reply

[-]

chakalakasp@reddit

That’s exactly what a hobbyist uranium enricher would say

Reply

[-]

ASentientRailgun@reddit

No flying vehicles that I can ride on, no nuclear material, and no explosives. My wife's given me basically 3 rules, so I feel like I ought to follow them. Seems fair.

Reply

[-]

Ur-Best-Friend@reddit

Oh so you're working on antimatter lasers now? You monster.

Reply

[-]

BeyondAeon@reddit

There is Much Overlap in these Rules ........ Did you request she Optimize them ?

Reply

[-]

pdp10@reddit

See, this is why I'm not married.

Reply

[-]

Platypus_Dundee@reddit

Actually just listened to the Dark Net Diaries podcast episode about that one. What a wild ride!

Reply

[-]

Splatpope@reddit

I did an exposé about it in front of a few industry experts at school and one siemens engineer was not happy about the way I qualified issues with shitty old windows XP+step7 setups

Reply

[-]

its_FORTY@reddit

Link?

Reply

[-]

jdmillar86@reddit

Yeah. And its fair to say, well most orgs don't have anything that would make them a target of a group like that. But then again, look at Maersk. I'm sure government-sponsored attacks weren't really on their radar that much.

Reply

[-]

MiniMica@reddit

Laziness is spreading though our industry unfortunately. If ChatGPT says so they follow

Reply

[-]

cybersplice@reddit

I had an apprentice proudly tell me "I've written this script to gather HWIDs from machines for a client". It had a full comment section and description, every function was commented and it had a lot of ❌✅ etc in the log output. Blatantly written with chatgpt. He denied it. Looked at his CASB log. Sure enough - chatgpt. We only use Copilot, and apprentices don't get a license. He had been tasked to write the script as one of his apprenticeship assignments.

Reply

[-]

iheartrms@reddit

Speaking of ChatGPT, did you see this one from a couple days ago? 🤣 https://www.reddit.com/r/sysadmin/comments/1ojbifu/emergency_help_entire_domain_inacessible/?share_id=7yiHMD0W8Rc9tCdc49nBA&utm_content=1&utm_medium=android_app&utm_name=androidcss&utm_source=share&utm_term=1

Reply

[-]

MiniMica@reddit

Oh wow, that’s a huge LN

Reply

[-]

imnotonreddit2025@reddit

This is why Administration and Security are separate roles. Systems Engineer is to Sysadmin as Sysadmin is to Developer. "The developers just go off and do their own thing with no regard for integration or repeatability" says the Syadmin. "The sysadmins just go off and do their own thing with no regard for the risk or defense in depth" says the Security Engineer. But we must not let any one role feel superior, for "The security engineers have never spent any time in a terminal" says the Developer.

Reply

[-]

Certain-Community438@reddit

I wouldn't be wasting any time on counter explanations either: would speak to the fool's manager & very likely they'd be an unemployed fool soon after. This level of stupidity is dangerous to the org involved, a good manager will recognize that.

Reply

[-]

AmenoFPS@reddit

Pretty much why when I started at my current place I made the MD take complete ownership of security risk. Give him weekly updates on risk. I no longer get given shit excuses cause they know the MD isn't particularly keen on owning risk for shit that will impact CNI. Made my life significantly easier

Reply

[-]

dont_remember_eatin@reddit

We have old salts in here complaining about cyber not knowing their job so often that juniors must think that security is unimportant. No, security is a huge part of OUR job -- maybe the most important part, even, as all other requirements bow to security needs. Cyber teams are just the auditors. If you're doing your job you'll almost never hear from them.

Reply

[-]

lemaymayguy@reddit

Fr, security is a team mindset. Its the attitude if anything. Big Mr workload owner cant see beyond his own bubble One infrastructure configuration change or misdeployment makes it available to the internet and youre done. I find it funny they think the security engineers dont understand the entire scope of what's at play either Im constantly correcting workload owners on misuse of our standard deployment patterns. Their world is their app segment. My world is that app segment and a million other things that need to work together

Reply

[-]

ethansky@reddit

>Is this a new trend or something that's being taught?? Why so many of these posts AI engagement posts and/or vibe-coded SaaS bros, which is probably both for this post looking at OP's account, chatgpt like post organization, and hidden post history. I vaguely feel like I've seen a similar post from this OP before...

Reply

[-]

ThunderGodOrlandu@reddit

You talking about Stuxnet?

Reply

[-]

KC-Slider@reddit

Yes he us

Reply

[-]

bigdaddybodiddly@reddit

I think it's old fashioned. Back in the dark ages before like 2005 you had folks being taught the hard shell and gooey inside model. As long as you had a firewall and no other entry points that was considered "safe" - but it's 2025 now and encryption and crypto-based authentication is computationaly cheap so no reason not to live in a zero-trust world.

Reply

[-]

HoodRattusNorvegicus@reddit

If the services only accept incoming requests from specific IP’s, why does it accept the requests from the security scanner?;) The problem seems to be organizational. To effectively use such tools one should define a scope. If you give the tool full network access, then the reports need to reflect that.

Reply

[-]

Rolex_throwaway@reddit

Oh my god this is so funny.

Reply

[-]

sargetun123@reddit

Anyone who works sysadmin or security that says a device is not accessible publicly so therefore not a risk needs to do some more case studies lmaoo

Reply

[-]

Tiny_Habit5745@reddit

We switched to Upwind which actually sees our runtime traffic patterns and network topology. Went from 600 findings to like 40 that matter; it knows what's internal vs exposed and which code paths are executing.

Reply

[-]

Apecker919@reddit

That sounds like a horrible tool.

Reply

[-]

Skylis@reddit

You like the op fail to understand even basic security.

Reply

[-]

Apecker919@reddit

Not having a direct route to the internet is never a reason to not patch. Adversaries find a way in and then spread out. Admins that think they don’t need to patch for what ever reason just make it easier for the adversary to grow their foothold.

Reply

[-]

GeraldMander@reddit

Yet another sysadmin post complaining about security without understanding risk.

Reply

[-]

buhaytza20055@reddit

But context also matters. I could be running win98 and feel safe about it if the traffic would be internal. Is the attack vector there? Of course it is. But by the time someone pivots to that box Nancy in accounting already downloaded a crypto miner and the DC is in shambles ‘cause the VPN protocol is PPTP. The bigger issue is lack of communication between Opsec and Devops which breeds misconceptions and stereotypes. In my opinion

Reply

[-]

Trif55@reddit

I've tried to argue this with legacy controllers built into manufacturing hardware. They're not able to access the internet and nothing out side their "programmer group" can access them, if someone's burrowing far enough in to find those and connect to them (and then what? They're ancient and slow and probably wouldn't even execute the malware) I think we'll have bigger problems

Reply

[-]

Skylis@reddit

Yeah, its not like stuxnet existed specifically to target this stuff or anything. /facepalm

Reply

[-]

Nagroth@reddit

I spent three hours a few weeks ago arguing with a team of four security engineers about why a device using RFC1918 address space is not "reachable from the internet." They insisted it was, because their off-net hosted scan tool was getting a ping reply. I even provided ACL and firewall rulesets showing that the device is only reachable via a very specific bastion host.

Reply

[-]

ForTenFiveFive@reddit

Unfortunate common problem with security engineers who have no experience outside of security. There's too many of them that just run a vulnerability scan and think prioritization goes from big CVSS number to small CVSS number.

Reply

[-]

pdp10@reddit

> RFC1918 address space is not "reachable from the internet." This is a much worse example than OP's service behind a reverse proxy, to be honest. But neither the OP nor this snippet are the whole story, either. An isolated network behind a reverse proxy, load-balancer or gateway should usually be treated like it was the reverse-proxy, load-balancer, or gateway itself, for purposes of infosec vulnerability. But OP's scanning service found it, and yours may have found your RFC1918 addresses, which tends to mean they weren't effectually "behind" those things. Was their scanner getting an Echo Reply from your asset?

Reply

[-]

Nagroth@reddit

No, they were getting a reply from something in their other network. Specifically it was a software loadbalancer they had in front of one of their scan clusters which was configured to reply to all ICMP on behalf of the endpoints behind it. The call was literally coming from inside their house. There's nothing fancy with this setup on my end, no tunnels or proxies. I was trying to explain to them that RFC1918 doesn't get injected into external BGP (and that if it does, there's gonna be some pretty big and immediate problems.) There are multiple layers of ACLs/rulesets even ignoring the complete inability to directly route, and the host OS itself has an incredibly simple ruleset... it will allow connections from the one specific bastion host and three specific systems which sit in the same broadcast domain. The long and short of it is that had they taken even 30 seconds to look they wouldn't have bothered me. But the box was red and when they typed the IP into an inventory system it said it was mine. So I spent a couple hours on the phone and then had to fill out about a dozen "incident response" forms.

Reply

[-]

_-pablo-_@reddit

“It’s behind a fucking VPN! It’s secure! What don’t you security idiots understand! I even host the VPN tunnel from my house” No joke, had a sysadmin at a bank tell me he’s self hosting the PAW that can reach the DCs in front of his new CISO

Reply

[-]

LesbianDykeEtc@reddit

>had a sysadmin at a bank tell me he’s self hosting the PAW that can reach the DCs in front of his new CISO WHAT

Reply

[-]

stewie410@reddit

When I learned the other day that the secrets stored in our DB are still using 3DES for encryption, I pulled NIST's updated standards/recommendations and sent that to my boss. To quote him directly: > Good news is that those aren't exposed anyway. But yes we should upgrade the encryption scheme. Every day I find another reason to question if my lifetime sobriety is really worth it.

Reply

[-]

Ssakaa@reddit

This one's pretty middle of the road, the overall issue they're questioning is valid... blindly trusting scan results without considering existing mitigations *does* lead to sidelining higher real risks. That simply means you reclassify things that are mitigated after an informed bit of discussion, not just dismiss them though.

Reply

[-]

fooeyandnuts@reddit

Compensating controls right?

Reply

[-]

ZombiePope@reddit

As a pentester, this shit is why I'll keep scaring boardrooms for the next 3 decades.

Reply

[-]

Dabnician@reddit

Don't worry as a system admin i assure you, there are a couple things you didnt find this audit, maybe next time.

Reply

[-]

1a2b3c4d_1a2b3c4d@reddit

To be fair, risk is a fairly advanced concept. Takes years just to get skills, then experience, then apply the concept of "risk management". IMHO, a 300 level class if I ever had to create an IT SysAdmin degree.

Reply

[-]

kop324324rdsuf9023u@reddit

It’s everyday

Reply

[-]

Gainside@reddit

Been there — had to “remediate” a staging DB that literally had no route to the internet. Sometimes you’ve got to fix the report, not the system. Contextless scanners are the worst compliance theater

Reply

[-]

blazinBSDAgility@reddit

Two words: Capital One.

Reply

[-]

thortgot@reddit

It not being internet accessible doesn't mean it's not an issue. Your internal security should be nearly tight as your prod security. Why? Because if I can compromise your upstream environment I can supply chain attack prod. This is how many, many high profile environments are popped. Document the mitigations (as you outlined above) and fix the problem anyway. I'm not sure why this would take you half a day to demonstrate a service is behind an ALB, that should be obvious in the flow diagram, backed up with actual firewall rule dump. S3 bucket issues can be a real problem, they can also be nothing. It depends on what is in them and how loose the config is.

Reply

[-]

BCIT_Richard@reddit

Isn't that exactly what happened to npm?

Reply

[-]

FullPoet@reddit

>It not being internet accessible doesn't mean it's not an issue Yeah, I had raised a similar issue with some "internal" APIs. They werent so internal when a VPN was breached.

Reply

[-]

Superb_Raccoon@reddit

It's a bastion mentality. Crunchy on the outside, soft and chewy on the inside.

Reply

[-]

Skylis@reddit

Pineapple model of security.

Reply

[-]

Cheomesh@reddit

Zero trust etc

Reply

[-]

Certain-Community438@reddit

Nah, OP prefers the "zero chance of retaining employment" approach.

Reply

[-]

wrtcdevrydy@reddit

Worked at a place where everything talked to everything with no internal security. One compromised EC2 instance and it all folded like a house of cards.

Reply

[-]

Angelworks42@reddit

The other thing as well is a lot of dev and stage environments live on production infrastructure - especially in smaller or even larger but less well funded IT departments. Sure there's security around everything, different vlans, vpns etc but all it takes is one misconfigured service to start moving around and breaking stuff.

Reply

[-]

nodiaque@reddit

Unless you have a 100% airgap network where nothing from outside can reach (no laptop going on another network like home, no external drive, no email, no internet, etc) for everything on it there's no such thing as not accessible from outside. Ever saw a ransomware? You just need 1 infected computer to bring your whole network down.

Reply

[-]

TEOsix@reddit

Yep, lateral movement is the next logical step after a breach. There have been so many critical VPN hacks that I am losing track.

Reply

[-]

nospacebar14@reddit

Also, if it doesn't use the same auth method as prod, it's not even a useful staging environment.

Reply

[-]

gurgle528@reddit

In this context staging is more likely referring to order staging, i.e. reserving an item in inventory for whoever just purchased it

Reply

[-]

Ssakaa@reddit

Yeah, "so you're not testing tthat layer at all before moving it up to a higher environment?" was my first thought.

Reply

[-]

Fuzzy_University_670@reddit

Treat it as a real risk, but don’t let the scanner dictate your roadmap: ship an evidence pack, file a time-bound exception, and add a few cheap hardening wins now. Evidence pack that ends the debate in minutes: AWS Reachability Analyzer from “Internet” to the API ENI (no path = screenshot), ALB listener/rule dump, security group/NACL exports, and 30 days of VPC Flow Logs filtered to show only the order service subnets hitting the API. Include a simple flow diagram (IaC-derived if you can) and a short threat model: data handled, blast radius, and current controls. Quick hardening while you plan OAuth: enforce TLS everywhere, rotate unique creds per caller, add mTLS between services, block egress from the API, and tag dev vs prod so scanners and Security Hub can prioritize correctly. Create a formal exception in Jira/Security Hub with owner, expiry, and review date so it’s not “forever.” We used Okta for OIDC and HashiCorp Vault for secret rotation; DreamFactory helped us front legacy DB-backed services with RBAC and OAuth without a rewrite. Do that, then fix OAuth on your terms while you focus on the real risks like S3 policies.

Reply

[-]

Glue_Filled_Balloons@reddit

This guy cybersecurities.

Reply

[-]

BioHazard357@reddit

Primary attack vector is coming from your internal network from your own clients now, not the internet. Short of poor firewall config or zero days, outside access is sorted for the most part.

Reply

[-]

kuahara@reddit

Spoken like a man after my own heart.

Reply

[-]

0verstim@reddit

Please go read about lateral movement before speaking.

Reply

[-]

GlitteringAd9289@reddit

Good reply, it's like that term was completely forgotten in this post.

Reply

[-]

DellR610@reddit

lol please tell me the (assumed local) password based accounts from the staging DB doesn't replicate to production >\_<. A better approach is for staging to mirror production as close as possible - especially with low hanging fruit like authentication.

Reply

[-]

colonelmattyman@reddit

Is this defender?

Reply

[-]

themastermatt@reddit

Risk Analysis isnt done enough IMHO. Yes, there may be some critical internal vuln to address. But is it actually important and where does it fall in priority. Thats what i think is missing from all these scanning tools and honestly Cybersecurity in general these days. It often misses the Security part and goes too hard on audit. Before all the security people start dogpiling.... Im not suggesting ignoring Tenable, just understanding it better from both sides and working together to find a solution or accept the risk and prioritizing the work. "because the scanner marked it critical" and "public even though it only accepts stripe IPs" give the same energy. Thats a public resource, just filtered a bit.

Reply

[-]

melbourne_giant@reddit

Agreed. Im getting sick of the tick the box exercises by some piece of software that isn't context aware and an idiot consultant bring paid out the arse who lacks the comprehensive skills to understand what theyre looking at. Such a waste of time. The most priceless one I had, was a no follow HTML tag on a login page, everything secured behind creds. I asked the question, "How's a robot gets AAD creds and login?" No response. Add the tag, tick the box. Logs clearly showed no robots ever hit that login, why? Because it was locked down and that was never going to change. Absolute waste of time.

Reply

[-]

danekan@reddit

Those are compliance frameworks that would require that though and unless you want to be studying compliance frameworks all day, that's exactly what should have happened here. An expert told you to fix something and you did.

Reply

[-]

themastermatt@reddit

One time, we had applications hosted on Server 2003 - only a couple years ago. These were those special snowflake apps that the vendor disappeared years ago or whatever. They could not move to a new OS and the biz didnt want to pay for some data conversion. So security asked me to isolate them. NBD. I setup a VLAN, spin up a host in it, and go about setting up ACLs and such. How does one validate what ports are available? Running nMap, taking screenshots for my documentation. All is going well when a wild Security appears. Asked if i ran nMap to which i responded that i did and im working on that isolation they asked for. OMG they lost their damn minds. No way the IT Director could be running nMap from his workstation with his creds in the middle of the day AND then admit to it like its no big deal?!?! Either compromised creds or maybe he's compromised. They were always looking for "big game" hunts in between their conferences and audits.

Reply

[-]

donith913@reddit

A lot of teams and tools are working on exactly this. The industry term I was hearing from analysts before I left a vendor is exposure management. Understanding the context of an endpoint and what its purpose is. Tools like Bloodhound or Tanium Impact can assess lateral movement risk from endpoint compromise based on creds on the endpoint. I wouldn’t call it a solved problem, but it’s something the vendors are hearing loud and clear. It’s just, as you may expect, hard to find data sources to tease out the context.

Reply

[-]

themastermatt@reddit

Im glad that message is getting across, but its not happening fast enough. There are already a TON of burned bridges and others actively on fire because of all these apps just spewing "findings". If its so hard to find data sources to tease out the context, maybe the tools should not so confidently proclaim that North Korea is coming for the CEO if we dont fix this right now.

Reply

[-]

donith913@reddit

I think it’s part of the maturity curve, sadly. I’ve seen some large, complex orgs that threw shit into data lakes and figured out how to do it themselves. I’ve seen a few mid-size enterprises do reasonably well with things like ServiceNow VR and a strong CMDB. Others… it’s more like what you’re talking about. I think just as important is the tooling is the culture. A vuln scanner returns a list of vulns and its metadata, it’s up to the org to figure out what that means to them. Some orgs its security teams that just think ops aren’t doing their jobs or are incompetent and they just keep throwing shit on the pile. That never works. Other orgs the teams collaborate pretty well and share data and it’s just another boring business process.

Reply

[-]

danekan@reddit

Publicly accessible for a backend anything isn't what is relevant. Goww does the database get used, by what? Zero inputs to your database come from an outside source?

Reply

[-]

iheartrms@reddit

Reachable from the internet doesn't matter. You've never heard of "lateral movement"?

Reply

[-]

ForTenFiveFive@reddit

And how do you establish a foothold to then move laterally? Secure everything, but you should prioritize the things that present the easiest and largest attack surface.

Reply

[-]

noncon21@reddit

This is a bad take. Securing the perimeter is important sure but I’d Dave in accounting clicks a phishing email and a threat actor gets a foothold in your environment, the first thing they are going to do is look for vulnerabilities to move laterally

Reply

[-]

ForTenFiveFive@reddit

So what you're saying is, "What if someone takes advantage of the largest attack surfaces that a company has." Firstly, my point was simple, you should consider the attack surface when prioritizing remediation. So obviously the large attack surface on prevelance of phishing should way into how you prioritize addressing threats. So what your saying isn't contrary to what I said at all. Secondly, I would say users ARE the perimeter. As you said yourself, "and a threat actor gets a foothold in your environment." Users are an initial attack vector and in fact the most common one so we should think of them as a perimeter. I'd go further and say that right now orgs should be aiming for users being the only perimeter and completely closing off internet facing systems where possible. We've never had as many tools to do this as we do now. Thirdly, and this is a bit irrelevant but it's worth talking about. I know it's possible for phishing to lead to gaining a foothold in a network and moving from there but overwhelmingly phishing is used financial fraud, it's far easier, it's much more profitable and it isn't completely thwarted by fairly basic EDR. I mean that's why you see the cases where phishing leads to actual network access usually involving the attackers leveraging stolen credentials to log into an internet facing service like a VPN endpoint. Just phishing a password alone isn't much use if you can't plug it into something. So talking about phishing as if it's a common path to network access is a bit off to me. Like you generally aren't going to get phished and then have the attackers move lateraly leveraging vulnerabilities. Phishing attacks almost always result in data breaches of whatever (usually third party) system credentials were stolen for. Like you don't get your email or CRM account phished and then suddenly end up with hackers hitting your internal servers. Fourth, considering the OP is talking about an inventory management system that has an API that's apparently vulnerable because of basic authentication, if the attacker is already in your network I don't see why they'd start targetting an inventory management system's API. Okay if your hypervisor has a vulnerability that's a real problem because anyone with a foothold could then elevate their access to something more important. But the basic auth on the API of an inventory management system? Why? That's the sort of vulnerability you'd hit if you were looking to gain a foothold, not if you were already in their network. You probably wouldn't even be able to access the API endpoint from the internal network anyway. Anyway, this ended up being much longer than expected but now that I've thought about it more, I actually back the OP even more. They seem to have some very strong security controls to mitigate the risks associated with basic auth on the API since they're blocking access to the endpoint unless it's specifically from the system that needs the access. I think it's fine to knock that vulnerability down the list of priorities compared to open S3 buckets the OP mentioned.

Reply

[-]

Skylis@reddit

More words just make you sound dumber, not more right.

Reply

[-]

ForTenFiveFive@reddit

I understood from the beggining that most people here aren't going to like what I say, but in the last couple years the people here don't seem to really know much of anything, not sure if it's been flooded with laymen or what. If I sound dumb to people on /r/sysadmin these days, especially when it comes to cybersecurity it isn't really a bad sign at all. The guy I replied to seems to think phishing is going to lead to the bad guys getting a "foothold in your environment". I didn't want to be rude but he sounds completely clueless and he has a bunch of upvotes. These are the people I sound dumb to? That's fine.

Reply

[-]

Skylis@reddit

No one is obligated to teach you the basics of security when you're so sure you already know them. We're just pointing and laughing this is reddit and a sub where some basic professional understanding is expected. You can take away from that some self reflection or not.

Reply

[-]

ForTenFiveFive@reddit

Riiiight. So you don't have any response to anything I said. I figured so much honestly.

Reply

[-]

Skylis@reddit

> Yeah that's the thing, your understanding seems very basic. Do you mind if I show this screenshot next time I present at defcon?

Reply

[-]

ForTenFiveFive@reddit

Stop dodging, address the issue or go away.

Reply

[-]

TeddyBrukkshot23@reddit

New to cyber security….uhm could it be a port issue?

Reply

[-]

SpecialRespect7235@reddit

If the scanner can get to it, then it is vulnerable. That is the whole point of the scan. It might not have direct access to or from the internet but that is irrelevant. Something does.

Reply

[-]

ForTenFiveFive@reddit

Internet accessibility is very relevant. There's a massive difference in likelihood of a system being compromised depending on exposure. There's a reason why internet facing and internal only are entirely different categories for msot of the controls in Essential 8 and ISM compliance. NIST CSF also is explicit on it, a risk based approach to security where exposure is a key factor.

Reply

[-]

HanSolo71@reddit

Bro you can't even think ahead enough to think about HIPAA, jesus I can't image the other shit you do. [https://www.reddit.com/r/SaaS/comments/1mbv04w/built\_a\_sexual\_wellness\_app\_with\_ai\_tools\_and/](https://www.reddit.com/r/SaaS/comments/1mbv04w/built_a_sexual_wellness_app_with_ai_tools_and/)

Reply

[-]

ilearnshit@reddit

Woof..... This comment should be higher. I wasn't sure how I felt about OP until I found this comment. He's nuts.

Reply

[-]

No_Resolution_9252@reddit

Think this is supposed to be in r/ShittySysadmin the hard shell gooey center model was quaint 20 years ago and now its totally and hopelessly obsolete.

Reply

[-]

flepdrol@reddit

Its like having a castle with a moat in a time when adversaries drop in with parachutes

Reply

[-]

Loupreme@reddit

As a bug bounty hacker, ive reached many things that werent “accessible from the internet” lol it may be low risk now and but as infrastructure changes, that may get exposed at a future time through another channel, attackers can and always will pivot to whatever is juicy

Reply

[-]

BinaryWanderer@reddit

It wasn’t accessible from the internet. But easily reached from that compromised laptop that contractor just plugged into your network. Why do people argue about keeping things updated?!

Reply

[-]

Skylis@reddit

Because it means they have to do something, and their terrible management hasn't given them actual expectations of quality in years.

Reply

[-]

cybersplice@reddit

It's always networking guys. I swear to God they will tie logic into a non euclidean nightmare rather than accept that switches need to be patched sometimes.

Reply

[-]

ZealousidealFudge851@reddit

Pivot into all the things.

Reply

[-]

QuerulousPanda@reddit

Yeah everything that isn't accessible from the Internet is one fatfingered firewall rule or one LTE equipped raspberry pi away from being accessible to the internet.

Reply

[-]

Podalirius@reddit

How do people like this still have a job in 2025

Reply

[-]

Skylis@reddit

There's lots of equally unqualified mgmt for them to report to

Reply

[-]

Ordinary_Musician_76@reddit

This must be a troll post

Reply

[-]

Skylis@reddit

Nah, look at the history, op is legitimately this bad.

Reply

[-]

Superb_Raccoon@reddit

Information wants to be free... and there are people willing to help it along

Reply

[-]

waynemr@reddit

Perimeter security is dead! Long live perimeter security! Profit?

Reply

[-]

bageloid@reddit

Always brings me back to https://github.com/JohnLaTwC/Shared/blob/master/Defenders%20think%20in%20lists.%20Attackers%20think%20in%20graphs.%20As%20long%20as%20this%20is%20true%2C%20attackers%20win.md

Reply

[-]

Ssakaa@reddit

It took me a looong time to realize that gap in mindset when talking to colleagues about things like inventory spreadsheets. "That'll be wrong within the week, probably the hour" always got deer in the headlights looks, while I was pulling lists as needed from every management tool we had access to and cross checking those for "In A/D and logged in this month but doesn't have antivirus", etc... and then tasking out remediation efforts based on those, rather than trying to go off of a year old financial asset inventory spreadsheet.

Reply

[-]

urjuhh@reddit

Ask yourself this: "what's the worst that could happen if it was accessible from the internet"

Reply

[-]

Drakinor85@reddit

Senior cybersec guy here so hopefully I can help clarify. Not bring internet facing is a good thing, BUT, let's say i gain access to another system in your internal network, at via a comprised workstation, now I can see and access that system too. This is quite common in enterprise level attacks. Quietly gain access to workstations on the network and probe for vulnerable machines from behind the firewall. The goal is simple, quietly get internal access, look for vulnerability, catalog everything and then when ready launch a real attack hard and fast with exfil. So yes I can't get to it directly from outside but I can indirectly making it still a critical vulnerability. Most attackers have no interest in your base users or workstations beyond an entry point to critical systems.

Reply

[-]

Certain-Community438@reddit

Way to say "I'm definitely not qualified to do my job and just waiting to be fired now" 👏👏👏

Reply

[-]

Indecisive-one@reddit

As a security guy, I love dealing with admins that say stuff like “it’s on the internal network, nobody can touch it” and I point out that his entire department failed the last crappy phishing test.

Reply

[-]

extraspectre@reddit

Here is the cynical path: Drop it. Just wait for the next breach and watch their soft white underbelly get tore up. When the c suite goes looking for someone to blame, print out your email and hand it to them.

Reply

[-]

Conscious_Pound5522@reddit

I am so tired of app peeps saying "not internet accessible, doesn't count". I wish every developer understood this simple fact: if your edge gets breached all of those vulnerabilities you didn't address are now hot spots for a malicious actors once they are inside. Fucking stupid. I'm dealing with this right now - "Its a false positive because..." NO MOTHERFUCKER, IT'S A DAMN VERIFIED RISK. WHY ARE YOU RUNNING BAD SOFTWARE. FIX YOUR SHIT. They always say "its going to take months. We've got to test it, Reverse test it, make sure it doesn't break". It's a minor release update that resolves a vulnerability. Go deploy it in dev see what happens. Why are you 100+ minor release versions behind? Why don't you keep up with your software? One I'm dealing with right now - customer facing. Lots of complaining. My tools are actively blocking a known critical vulnerability. Im not opening it up. Go fix your shit. Not my fault you have to go from x.9 to x.145 to resolve it. Should have kept up with your shit. Pardon my rant.

Reply

[-]

MaTOntes@reddit

Two words. Assume breach. We are having an internal pentest at the moment and I'm 100% looking forward to all the things they identify. If an attacker can't get anywhere even if they are inside the network then I feel good about security. "it's not accessible from the internet" is just another way of saying "I don't understand or care about security"

Reply

[-]

kuahara@reddit

I have a DCS team wanting me to open up SNMP on my domain controllers (and all other Windows servers) for the sake of SevOne monitoring. Microsoft didn't integrate SNMP v3 into Windows, so if something supports v3, but requires SNMP enabled in Windows, it's still depending on v1/v2 and broadcasting community strings in clear text. The DCS team is managing a shared datacenter and by policy, also wants all customers to keep Windows Firewall disabled "because we have a network firewall". I fought hard and won that fight. I popped open wireshark, listened for traffic on udp 161, and captured their clear text SevOne password and know that most of the customers in this datacenter have their Windows firewalls disabled because they didn't fight back. So now I'm aware that I'm just one layer 3 screw up away from being able to map out the internal networks of nearly all their customers. I'm not looking for legal trouble, so of course I am not going to do this, but it's scary how they're running things.

Reply

[-]

melbourne_giant@reddit

Eh.. except in this instance, the "vulnerability" is; 1. Locked down by ip allow list 2. Encrypted tunnel via tls 3. Requires credentials to access data The real rant of the OP is shitty security scanning software and terrible cyber sec folk telling porkies and getting away with it because mgmt and c levels have nfi what they're doing.

Reply

[-]

Conscious_Pound5522@reddit

I think it's debatable. My app teams think I have no idea. But i have evidence they are wrong. Thing is, i got into security because i hated the "no" people when i was general IT. They drove me nuts. I take a concerted effort to help mitigate risk. But some things just can't be mitigated - only resolved. Saying "it's not accessible because of xyz" isn't really relevant. Layered security and zero trust are what count these days. Just because they can reasonably argue one attack vector is mitigated from one direction doesn't mean there isn't another known or currently unknown attack vector. For everyone of these dev guys saying "idiot security folks" i can give you 50 "idiot devs" who are actually being stupid or don't understand security. I genuinely believe every mid and senior dev should be required to maintain certs in sec dev ops before getting promoted to those positions.

Reply

[-]

thortgot@reddit

Because their CICD systems either dont exist or are shit. Its a real major effort to have effective automated testing. Personally I think everyone needs to do it, but I understand why people dont.

Reply

[-]

Big_Statistician2566@reddit

Perimeter security isn’t enough, these days. What happens when one of your developers opens a phishing email and their credentials and workstation are compromised. You think your database isn’t accessible then?

Reply

[-]

Roanoketrees@reddit

But scanner said bad......must fix

Reply

[-]

Jannorr@reddit

Didn’t realize what sub this was in at first. Pretty sure this belongs in shitty.

Reply

[-]

TheRealLambardi@reddit

I and many other no longer consider non internet facing as mitigation. Consider every connection hostile. Don’t trust the network, don’t trust the other side. That is the basis of zero trust. All that aside the number of times I walk into review cloud environments and I hear it’s all non Internet facing only to find loads of remote access methods, peering, overly permissive accounts that make “non Internet facing, VPC” mean jack squat. Your security term probably knows this. And oh yeah…basic auth needs to die

Reply

[-]

BloodFeastMan@reddit

>security scanner flagged our staging database as critical vulnerability. its literally not accessible from internet Then how was it scanned?

Reply

[-]

GoodLyfe42@reddit

Scanning only quarterly…..

Reply

[-]

burgonies@reddit

If it only accepts traffic from the order processing service then how did the scanner connect to it? Same question about the service that “only accepts traffic from Stripe IPs.”

Reply

[-]

Huth-S0lo@reddit

How exactly did you prove that, since the scan found it. All it takes is one insider threat to wreck your day.

Reply

[-]

NoWhammyAdmin26@reddit

The enterprise I worked for created a risk score, only part of it was the CVE rating. It's importance is going to be based on how damaging it would be for someone to get into this system - is it a pivot point for other information like PII, PHI, PCI, trade secrets or one that could pivot to the domain controller easily, etc. That said, as many other have mentioned, the external IP defense is very weak because all it takes is social engineering, phishing, supply chain vulnerability, etc, etc to get in the network. It's part of a philosophy of defense in depth that if a breach happens then it's contained because the attacker can't pivot elsewhere. Spoofing packet information and daisy chaining it for the attacker to get some information to use to get inside is negligible. You would be extremely surprised how each little piece of information you wouldn't think is damaging creates a mosaic of information that attackers can use to cause a ton of damage.

Reply

[-]

CySecJitz@reddit

Defence in depth is the concept here, would be worth researching.

Reply

[-]

ap1msch@reddit

Uh, think about infection as the attack rather than a swinging sword. Most compromises lead to festering inside and then internally based attacks. If something can be touched at all, it can be vulnerable.

Reply

[-]

dont_remember_eatin@reddit

If you haven't already, go study for and take CompTIA Sec+. I think there's a lot in the material that would be of use to you, and having that cert will make you look better on paper. Your employer might even pay for it if you get an education benefit.

Reply

[-]

dont_remember_eatin@reddit

Yikes, friend. I like to bitch about cyber not knowing a damned thing about the environments they're securing, and while that was partially true here, the vulnerabilities here were real, even if poorly described by the scanning tool. I've found that simply remembering the defense in depth principal and assuming all of my users are active threats are pretty much all you need to get things adequately locked down and keep cyber off your back.

Reply

[-]

Gummyrabbit@reddit

You should lways assume that a compromised device is on the internal network…waiting to pounce on a another vulnerable device.

Reply

[-]

Snowdeo720@reddit

We had a report come back once about an exposed and unsecured Jenkins instance…. We don’t use Jenkins. Turns out the group running the scan had no idea you could host a password protected dev version of a site. Stand your ground.

Reply

[-]

fubes2000@reddit

"Our city walls are strong that there's no need for locks inside of it!" _[cue one silly guy with a ladder opening the gate from the inside]_

Reply

[-]

datOEsigmagrindlife@reddit

It's a critical vulnerability, whether it's directly accessible from the internet or not is irrelevant. Insider threats exist.

Reply

[-]

TehSavior@reddit

Anything accessible from the intranet is accessible from the Internet the moment someone fucks up

Reply

[-]

salty-sheep-bah@reddit

Fix your busted ass database instead of trying to weasel your way out of it. Valuable sprint time lol

Reply

[-]

unseenspecter@reddit

I love when IT people are so confidently won't about security. As if a system not being Internet facing somehow means it's not a risk...

Reply

[-]

1r0n1@reddit

Its about Risk. If the db is available by basic Auth only in one network segment, then the next question should be „What is *in* that db?“ Followed by „what are the possible attacks?“. Basic Auth is mainly vulnerable to MitM attacks, an attacker therefore needs to be inside the network AND has to be in a MitM position. These two question/answers should give an idea about the priotity of the vulnerability. Then people can Take a Look at what other vulnerabilities are present in the Environment and sort the order by priority. In this case (despite having any more Information) my guess would be that an unsecured S3 bucket should have higher priority than an internal API providing basic Auth.

Reply

[-]

ersentenza@reddit

So you are telling me once I manage to break into your order processing service, I have an open highway into everything else? Fix that shit.

Reply

[-]

Glittering_Power6257@reddit

Stuxnet is a good reason to ensure your internal vulnerabilities are patched up. Keep in mind that the infra that Stux hit was effectively air gapped. Granted, this requires the help of some hapless user, though the point gets across that going as far as air gapping isn’t an infallible solution, let alone anything physically connected to the network that is connected to the internet.

Reply

[-]

Careful-Combination7@reddit

How'd they scan it if it's not internet accessible? Check mate.

Reply

[-]

melbourne_giant@reddit

Because they run scanners internally and externally.. :/

Reply

[-]

Public_Fucking_Media@reddit

ah yes those spotless clean and absolutely trustworthy internal networks, you could even build a security model around them and call it "lots of trust"

Reply

[-]

Agentwise@reddit

Good thing no one has ever figured out how laterally moved across a network.

Reply

[-]

plaid_rabbit@reddit

Until some idiot in sales runs malware, roots his machine, and starts finding internal vulnerabilities in the network, which then starts installing malware on internal machines that aren't updated. No, this isn't something from experience.

Reply

[-]

BitOfDifference@reddit

security people are just box checkers now..... probably ghost the whole org when you get hit by a zero day their scanner couldnt detect.

Reply

[-]

Cheomesh@reddit

What scanner are they using? If they'll sign off on your mitigating controls then the software may allow you to recast the risk.

Reply

[-]

NibeP@reddit

If your payment webhook only accepts Stripe’s IP’s, how is the vulnerability scanner able to connect to your service? I don’t think your scanner is reaching out from Stripe’s network.

Reply

[-]

melbourne_giant@reddit

Because most cyber security companies give you a list of their IPs to allow through for scanning purposes..

Reply

[-]

thortgot@reddit

By definition then it isnt restricted to Stripe IPs.

Reply

[-]

ZombiePope@reddit

So is it not externally accessible, or only externally accessible from specific IPs?

Reply

[-]

CaseClosedEmail@reddit

I just read the title but if you are going with the idea of only protecting internet exposed resources, you are gonna have a bad time

Reply

[-]

ImCaffeinated_Chris@reddit

Every single thing on the network should be secured. Every. Single. Thing.

Reply

[-]

surveysaysno@reddit

Except the MFD on a 10 year old firmware

Reply

[-]

Nanocephalic@reddit

lol you sure put a lot of trust in your perimeter security.

Reply

[-]

NetJnkie@reddit

Mmmmmm.....hard candy security. Hard on the outside...soft and gooey on the inside.....

Reply

[-]

kagato87@reddit

Ask for proof it is externally accessible? You probably should secure it anyway, zero trust and all that. At least you're not getting dinged for a web server offering http that belongs to a different business on the other side of the world...

Reply

[-]

nikdahl@reddit

Why would your staging not be as close to production as possible?

Reply

[-]

dalgeek@reddit

I had a PCI auditor claim his scans picked up an open proxy on a public IP. I checked the IP myself and there was no open port, so I asked him for proof. He sent me a screenshot of a squid proxy error page stating "connection refused". Funny, we didn't have squid anywhere on the network. Turns out that HIS network was redirecting HTTP connections to squid then squid was complaining that the destination on our network was unreachable, and he wasn't smart enough to interpret the error.

Reply

[-]

melbourne_giant@reddit

Brilliant.

Reply

[-]

theHonkiforium@reddit

I think I too dealt with that auditor. 😂

Reply

[-]

Beneficial_Clerk_248@reddit

This can be the stupidity of some security teams - they don't have the basic understanding of the tech they are looking at. Had a similar setup - some device protected by a firewall - all access is via a firewall - based around userid and 2fa if needed. had to run that version of the software and the key point is that the security scanning agent has full access - by passes all security so it sees an open port .. they want it protected and closed or patched yadda yadda - but no one can get there - you have to pass all of these our security measures to there ... FFS

Reply

[-]

melbourne_giant@reddit

This. 100% this.

Reply

[-]

The_Expidition@reddit

When a DBA have breached credentials those internal only sites are accessible

Reply

[-]

melbourne_giant@reddit

The api is locked down to specific ips.. if theyre breached and oauth is breached, he's still screwed. And oauth isn't the complicated to breach if youve got the creds.

Reply

[-]

mauledbyjesus@reddit

I just finished This Is How They Tell Me The World Ends today. Highly recommend for those looking for some terrifying infosec non-fiction. https://www.goodreads.com/book/show/49247043-this-is-how-they-tell-me-the-world-ends

Reply

[-]

Sarduci@reddit

SMH in cyber security

Reply

[-]

SikhGamer@reddit

I'm amazed at the comments here; it's like they didn't bother to read, understand/parse your post. I'm with OP, this is a non-issue.

Reply

[-]

Hynch@reddit

Attack vectors are still attack vectors. You don’t solve a security hole by adding layers on top, you plug the hole. Otherwise you get an exemption on file with the ISO for your security risk, and your ass is toast when you get breached. The only time I would agree with ignoring something like this is if a scanner flags a firewall issue on a cloud hosted system but the attached security groups are properly aligned with their firewall expectations. Even then, I would need an acceptable rationale for why a firewall is detrimental to that system.

Reply

[-]

ForTenFiveFive@reddit

I'm with you OP. You have some issues with appropriate controls to mitigate risks and are saying there's more pressing issues that aren't being addressed because those controls aren't being considered when assessing priorities. Absolutely nothing wrong with that, you're entirely correct. Unfortunately the correct response is likely to just indulge them and comply so you can more quickly move on to something else.

Reply

[-]

coalsack@reddit

So glad to see OP get shredded for this post.

Reply

[-]

DB-CooperOnTheBeach@reddit

They're absolutely correct in demanding this.

Reply

[-]

ObjectiveApartment84@reddit

Can’t wait to see this cross posted to r/shittysysadmin

Reply

[-]

AV1978@reddit

I’m with the it’s a security issue crowed. Have you never heard of attack vectors jumping from one system to the next? This is how it starts. It would take you a couple hours and if that to remediate. I’d be glad security brought it to my attention. Last thing you want is something supposedly secured suddenly being used as a source to dump its next attack

Reply

[-]

BrainWaveCC@reddit

Where is the scanner sitting relative to your infrastructure?

Reply

[-]

Reverse_Quikeh@reddit

What happens if your network is compromised and they compromise something in the staging area prior to it going live?

Reply

Reply to Post

188 Comments