Cyber Security
How-To: When To Hire Security Experts
By Bob Violino,
Network Computing

When to bring in outside help and how to find it

Enterprises are spending billions of dollars on information security services for everything from creating security policies and integrating technologies to testing the strength of the network perimeter with staged attacks. The global market for information security services--consulting, integration and implementation, managed services, response services, and education and training--will grow to $21.7 billion in 2007, up from $8.5 billion in 2002, according to an IDC study released in August. That's a compound annual growth rate of 21 percent. But are companies spending wisely?

The attention being paid to information security is a positive development. Businesses that suffer security breaches stand to lose critical data and incur financial losses. But it doesn't make sense to hire a consultant or integrator, or to buy services like penetration testing, vulnerability scanning and security auditing, as a knee-jerk reaction to an overblown sense of vulnerability.

Before you consider an outside security service, assess your current security infrastructure and future needs, experts say. Also determine whether your staff is qualified to make security decisions and do the actual work, or if it makes more sense to outsource. Take inventory of IT resources throughout the organization, including remote offices, and identify which devices need constant access to the Internet or other outside networks.

Part of your assessment should focus on risk: that is, how much the organization stands to lose--from damaged or stolen data, network downtime or bad publicity--in the event of a security breach. For some companies, especially large ones, even this initial assessment might require outside help.

Hiring a Consultant

When should you bring in a consultant? That depends on your budget and level of in-house expertise. Small and midsize organizations that can't afford to staff their own security teams may need to hire an experienced individual or firm to help create a security policy, develop a strategy, and select and integrate products. Large organizations planning massive security overhauls also may want to bring in outside help. An organization with many distributed locations and network nodes, for example, might need an outside expert to help secure its multiple sites.



[Figure: Battening Down the Hatches]

If the security assessment shows that your internal staff doesn't have the expertise to handle existing or potential security holes, for instance, or that your organization has grown such that your internal security experts can no longer provide adequate support, the next step is to find a specialized consultant who can address your needs and work within your budget.

When hiring a consultant to evaluate or integrate security products, make sure the individual or firm has a broad knowledge of the available technology and isn't just some Johnny-come-lately in security. Ask to see the consultant's resume, and review samples of his or her recent security projects.

"The recent focus on information security has brought security 'experts' out of the woodwork," says Craig Walker, security administrator at West Bend Mutual Insurance Co. in West Bend, Wis. "Everyone claims to have a new security product or service they're willing to sell you."

It's important that consultants be independent and unbiased, Walker adds. But this can be tricky because a consultant or researcher could have ties to vendors, or a consultant may not have broad exposure to many products, he says. "We put more credence in government analysis or university studies, which tend to have a less biased opinion."

Don't select a consultant who tends to recommend only a single vendor's products when there are more available, or who seems only interested in selling products.

When hiring consultants to look for security holes in corporate applications, check their references to make sure they can advise on how to improve security in your applications. Security managers say some consultants provide only general recommendations, such as making sure the network admin doesn't leave his or her password on the computer--common-sense activities that should be part of the corporate security policy already. Ask if the consultant plans to conduct analyses, such as black-box testing, code reviews or live testing.

Companies must have focused goals when hiring a security consultant, says Laura Koetzle, an analyst at Forrester Research. "Have a clear idea of what you want before the consultant shows up," Koetzle says. "Otherwise, he'll try to sell you the Cadillac of security programs, which you may not be able to afford."

Penetration Testing

Hiring individuals or firms to test the resiliency of network perimeters has gained popularity over the past decade. With penetration testing, a team of specialists employs bad-guy techniques to attack a network. Penetration testing can be a one-time, detailed analysis that tests all or some network and system vulnerabilities, or a subscription service involving periodic tests.

The service can help a company determine how secure its network really is in the face of an attack, and find specific weaknesses that might be exploited. Some organizations use penetration-testing services regularly so they can evaluate network security over time.

"The results of penetration tests should include a walk-through of what the consultant performed, step by step, to compromise the environment," says Nicholas Percoco, associate partner at Ambiron, an information security advisory firm in Chicago.

And companies should ensure that what a provider calls a penetration test is actually that. "I've talked with many companies that have told me they had a penetration test performed," Percoco says. After examining one such report, Percoco found that the security firm had run a commercial vulnerability tool, printed out the canned reports and put on a cover page, for $50,000, he says. "They should have charged $5,000 at most."

Although penetration testing shows how an attacker can exploit specific vulnerabilities, it doesn't evaluate an organization's overall information security strategy. "All it tells you is that given a certain set of circumstances, this is how someone got in," Koetzle says. "It doesn't tell you anything large about your network."



[Figure: Losses By Type]

Penetration testing is also sometimes used as a scare tactic by consultants or executives having trouble getting funding for security technologies.

"A consultant will sometimes offer to do a test at a nominal fee because he can scare the heck out of you with results," Koetzle says. "It's a useful instrumental tool if there's a specific thing you want to test, or if you want to see how long it takes someone to get in. But as a general-purpose measure of security posture, it's not very useful."

Vulnerability Scanning

With this type of service, systems and networks are tested for security weaknesses from the inside using vulnerability scanning software. Many companies hire outsiders to perform the scanning because they lack personnel or time.

Analyzing how a vulnerability scan relates to the business and to the specific IT components and environment is key. Knowing that a certain percentage of the company's servers are vulnerable to a SQL Slammer attack, for example, is useful. But more important is knowing whether those systems need to be as secure as others, or whether they're the most likely targets for intrusions. That way, companies can avoid overspending on patches that may not be necessary (see Secure to the Core).

Percoco agrees that vulnerability scanning by itself won't bolster security. "The vulnerability scan reports alone should never be used to signify a clean bill of health or to certify that a site is or is not secure," he says. "There are many false positives and negatives that can appear." Companies should be sure the vulnerability scanning service includes some advisory services to help them understand its report.
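The two preceding paragraphs describe an analysis rather than a tool: relating raw scanner output to what each host is for and how exposed it is, and treating the report as a lead rather than a verdict. As an added example (not part of the original article, and not any scanner's own output format), the Python below takes a constructed scan report and a constructed asset inventory, weights each finding by the asset's criticality and Internet exposure, and flags findings the scanner inferred from a version banner alone as needing manual confirmation before they drive patch spending. The hosts, finding identifiers, detection methods and weights are all invented for illustration.

```python
"""Rank vulnerability-scanner findings by business context.

Added example; the scan output, asset inventory and weights are constructed,
not taken from any real scanner or from the article.
"""
from dataclasses import dataclass

# Constructed asset inventory: the context a raw scan report lacks.
# criticality: 1 (lab box) .. 5 (revenue-critical); exposed: reachable from the Internet.
ASSETS = {
    "10.0.1.10": {"role": "customer web", "criticality": 5, "exposed": True},
    "10.0.1.20": {"role": "sql backend",  "criticality": 5, "exposed": False},
    "10.0.9.50": {"role": "qa lab",       "criticality": 1, "exposed": False},
    "10.0.2.30": {"role": "hr intranet",  "criticality": 3, "exposed": False},
}

# Constructed scanner findings. 'method' records how the scanner decided:
# 'banner' = version-string match (prone to false positives when a fix was
# backported), 'probe' = the scanner actually exercised the weakness.
FINDINGS = [
    {"host": "10.0.9.50", "id": "SQL-Slammer-MS02-039",   "cvss": 7.5, "method": "probe"},
    {"host": "10.0.1.20", "id": "SQL-Slammer-MS02-039",   "cvss": 7.5, "method": "probe"},
    {"host": "10.0.1.10", "id": "HTTP-input-validation",  "cvss": 6.5, "method": "probe"},
    {"host": "10.0.1.10", "id": "OpenSSH-old-banner",     "cvss": 9.8, "method": "banner"},
    {"host": "10.0.2.30", "id": "default-admin-password", "cvss": 9.8, "method": "probe"},
    {"host": "10.0.5.5",  "id": "default-admin-password", "cvss": 9.8, "method": "probe"},
]

# Used for hosts the scanner found but the inventory does not list.
UNKNOWN_ASSET = {"role": "unknown", "criticality": 3, "exposed": False}


@dataclass
class Ranked:
    host: str
    id: str
    role: str
    score: float
    needs_verification: bool


def score_finding(finding, assets=ASSETS):
    """Weight the scanner's CVSS score by asset criticality and exposure.

    Criticality is scaled to 0.2..1.0 and the weight is doubled when the
    host is reachable from the Internet, so the same CVE on an internal QA
    box lands well below the one on a public web server.
    """
    asset = assets.get(finding["host"], UNKNOWN_ASSET)
    crit = asset["criticality"] / 5.0
    exposure = 2.0 if asset["exposed"] else 1.0
    return round(finding["cvss"] * crit * exposure, 2)


def rank_findings(findings=FINDINGS, assets=ASSETS):
    """Return findings sorted by contextual score, highest first."""
    ranked = []
    for f in findings:
        asset = assets.get(f["host"], UNKNOWN_ASSET)
        ranked.append(Ranked(
            host=f["host"],
            id=f["id"],
            role=asset["role"],
            score=score_finding(f, assets),
            # A banner-only match is a hypothesis, not a confirmed hole.
            needs_verification=(f["method"] == "banner"),
        ))
    ranked.sort(key=lambda r: r.score, reverse=True)
    return ranked


def inventory_gaps(findings=FINDINGS, assets=ASSETS):
    """Hosts the scanner saw that nobody has classified: an inventory problem
    the scan report itself will never point out."""
    return {f["host"] for f in findings if f["host"] not in assets}


if __name__ == "__main__":
    for r in rank_findings():
        flag = "  VERIFY FIRST" if r.needs_verification else ""
        print(f"{r.score:5.2f}  {r.host:<10} {r.role:<13} {r.id}{flag}")
    print("not in inventory:", sorted(inventory_gaps()))
```

Run as a script it prints the ranked list. Note what the ordering does: the highest-scoring item is the banner-only OpenSSH finding on the public web server, and it carries the verification flag, so the first action is to confirm it rather than to pay for an emergency patch cycle; the identical Slammer finding on the QA box drops to the bottom; and the host missing from the inventory surfaces as a separate problem to fix before the next scan.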

In addition, vulnerability scanners detect only known, signature-matched vulnerabilities, such as buffer overflows, HTTP input validation flaws and default passwords; they will not find new or unknown threats.

"To learn your network traffic patterns and the types of data coming into the network before using vulnerability assessment or intrusion-detection services, you first have to analyze the data and understand what's not business-related so you can have the service provider filter that out," says Theresa Grant, director of information security at Dow Chemical Co. in Midland, Mich.


Source: InternetWeek
Posted on Thursday, 30 October 2003 by phoenix22