3.6 Outsourcing Options

After reading through all the material in this chapter, you may have realized that your policies and plans are in good shape, or you may have identified some things to do, or you may be daunted by the whole task. If you are in that last category, don't decide that the situation is beyond your ability to cope! There are other approaches to formulating your policies and plans, and in providing security at your site: for example, through outsourcing, consultants, and contractors. Even if you are an individual with a small business at home, you can take advantage of shared expertise—security firms that are able to employ a group of highly trained and experienced personnel who would not be fully utilized at any one site, and share their talents with a collection of clients whose aggregate needs match their capabilities.

There are not enough information security experts available to meet all the needs of industry and government.^[9] Thus, there has been a boom in the deployment of consultants and outsourced services to help organizations of all sizes meet their information security needs. As with many other outsourced services, some are first-rate and comprehensive, others are overspecialized, and some are downright deficient. Sadly, the state of the field is such that some poor offerings are not recognized as such either by the customers or by the well-intentioned people offering them!

^[9] The lack of trained security experts is a result, in part, of the lack of personnel and resources to support information security education at colleges and universities. Government and industry claim that this is an area of importance, but they have largely failed to put any real resources into play to help build up the field.

If you have not yet formulated your policies and built up your disaster recovery and incident response plans, we recommend that you get outside assistance in formulating them. What follows, then, is our set of recommendations of organizations that seek to employ outside security professionals for formulating and implementing security policies.

3.6.1 Formulating Your Plan of Action

The first thing to do is decide what services you need:

Will you provide your own in-house security staff?

If so, you may only need consultants to review your operations to ensure that you haven't missed anything important.

Perhaps you have some in-house expertise but are worried about demands on their time or their ability to respond to a crisis?

Then you may be in the market for an outside firm to place one or more contractors on site with you, full- or part-time. Or you might simply want to engage the services of a remote-monitoring and response firm to watch your security and assist in the event of an incident.

Or perhaps you can't afford a full-time staff, or you aren't likely to need such assistance?

In this case, having a contract with a full-service consulting and monitoring firm may be more cost-effective and provide you with what you need.

The key in each of these cases is to understand what your needs are and what the services provide. This is not always simple, because unless you have some experience with security and know your environment well, you may not really understand your needs.

3.6.2 Choosing a Vendor

Your experience with outsourcing policy decisions will depend, to a great extent, on the individuals or organizations that you choose for the job.

3.6.2.1 Get a referral and insist on references

Because of the tremendous variation among consulting firms, one of the best ways to find a firm that you like is to ask for a referral from a friendly organization that is similar to yours. Sadly, it is not always possible to get a referral. Many organizations engage consulting firms that they first meet at a trade show, read about in a news article, or even engage after receiving a "cold call" from a salesperson.

Clearly, an outsourcing firm is in a position to do a tremendous amount of damage to your organization. Even if the outsourcing firm is completely honest and reasonably competent, if you trust them to perform a function and that function is performed inadequately, you may not discover that anything is wrong until months later when you suffer the consequences—and after your relationship with the firm is long over.

For this reason, when you are considering a firm, you should:

Check references

Ask for professional references that have engaged the firm or individual to perform services that are similar to those that you are considering.

Check people

If specific individuals are being proposed for your job, evaluate them using the techniques that we outline in Section 3.6.2.4. Be wary of large consulting firms that will not give you the names of specific individuals who would work on your account until after you sign a retainer with them.

Be concerned about corporate stability

If you are engaging an organization for a long-term project, you need to be sure that the organization will be there in the long term. This is not to say that you should avoid hiring young firms and startups; you should simply be sure that the organization has both the management and the financial backing to fulfill all of its commitments. Beware of consulting firms whose prices seem too low—if the organization can't make money selling you the services that you are buying, then they need to be making the money somewhere else.

3.6.2.2 Beware of soup-to-nuts

Be cautions about "all-in-one" contracts in which a single firm provides you with policies and then sells you services and hardware to implement the policies. We have heard stories of such services in which the policy and plan needs for every client are suspiciously alike, and all involve the same basic hardware and consulting solutions. If you pick a firm that does not lock you into a long-term exclusive relationship, then there may be a better chance that the policies they formulate for you will actually match your needs, rather than the equipment that they are selling.

3.6.2.3 Insist on breadth of background

You should be equally cautious of firms in which the bulk of their experience is with a specific kind of customer or software platform—unless your organization precisely matches the other organizations that the firm has had as clients. For example, a consulting firm that primarily offers outsourced security services to medium-sized police departments running Microsoft Windows may not be the best choice for a pharmaceutical firm with a mixed Windows and Unix environment. The consulting firm may simply lack the breadth to offer truly comprehensive policy services for your environment. That isn't to say that people with diverse backgrounds can't provide you with an appropriate perspective, but you need to be cautious if there is no obvious evidence of that "big picture" view.

At a minimum, their personnel should be familiar with:

• Employment law and management issues that may predict conditions under which insiders may harbor a grudge against their employer

• Federal and state computer crime laws

• Encryption products, technologies, and limitations

• Issues of viruses, worms, and other malicious software, as well as scanning software

• TCP/IP fundamentals and issues of virtual private networks (VPNs) and firewalls

• Awareness and educational issues, materials, and services

• Issues of incident response and forensic investigation

• Security issues peculiar to your hardware and software

• Best practices, formal risk assessment methodologies, and insurance issues

Any good security policy-consulting service should have personnel who are willing to talk about (without prompting) the various issues we have discussed in this part of the book, and this chapter in particular. If they are not prepared or able to discuss these topics, they may not be the right service for you.

If you have any concerns, ask to see a policy and procedures document prepared for another customer. Some firms may be willing to show you such documentation after it has been sanitized to remove the other customer's name and other identifying aspects. Other firms may have clients who have offered to be "reference clients," although some firms may insist that you sign a non-disclosure agreement with them before specific documents will be revealed. Avoid any consulting firm that shares with you the names and documents of other clients without those clients' permissions.

3.6.2.4 People

Most importantly, you need to be concerned about the actual people who are delivering your security policy and implementation services. In contrast to other consulting services, you need to be especially cautious of consultants who are hired for security engagements—because hiring outsiders almost always means that you are granting them some level of privileged access to your systems and your information.

As we noted earlier, there aren't enough real experts to go around. This means that sometimes you have to go with personnel whose expertise isn't quite as comprehensive as you would like, but who have as much as you can afford. Be careful of false claims of expertise, or of the wrong kind of expertise. It is better to hire an individual or firm that admits they are "learning on the job" (and, presumably, lowering their consulting fee as a result), than to hire one that is attempting to hide employee deficiencies.

Today's security market is filled with people who have varying amounts of expertise in securing Windows platforms. Expertise in other platforms, including Unix, is more limited. A great deal can be learned from books, but that is not enough. Look for qualifications by the personnel in areas that are of concern. In particular:

Certification

Look for certifications. In addition, make sure that those certifications are actually meaningful. Some certifications can essentially be purchased: one need only attend a series of classes or online seminars, memorize the material, and take a test. These are not particularly valuable. Other certifications require more in-depth expertise.

Certification is an evolving field, so we hesitate to cite current examples. Although it's not everything we would like it to be, the CISSP certification is one valid measure of a certain level of experience and expertise in security.

Education

Check educational backgrounds. Someone with a degree from a well-known college or university program in computing sciences or computer engineering is likely to have a broadly-based background. The National Security Agency has designated a limited number of educational institutes as "Centers of Educational Excellence" in the field of information security. In July 2002, that list included pioneering infosec programs at George Mason University, James Madison University, Idaho State, Iowa State, the Naval Postgraduate School, Purdue University, the University of California at Davis, and the University of Idaho.

Reputation

If someone has written a widely used piece of software or authored a well-known book on a security topic such as viruses or cryptography, that does not mean that she knows the security field as a whole. Some authors really do have a far-ranging and deep background in security. Others are simply good writers or programmers. Be aware that having a reputation doesn't necessarily imply competency at consulting.

Bonding and insurance

Ask if the personnel you want to hire are bonded or insured. This indicates that an outside agency is willing to back their competency and behavior. This may not ensure that the consultant is qualified, but it does provide some assurance that they are not criminals.

Affiliations

Ask what professional organizations they belong to and are in good standing with. ACM, ASIS, CSI, IEEE, ISSA, and USENIX are all worthy of note. These organizations provide members with educational materials and professional development opportunities. Many of them also promote standards of professional behavior. If your subject claims membership only in groups like "The 133t Hax0r Guild" or something similar, you may wish to look elsewhere for expertise.

3.6.2.5 "Reformed" hackers

We recommend against hiring individuals and organizations who boast that they employ "reformed hackers" as security consultants. Although it is true that some people who once engaged in computer misdeeds (either "black hat" or "grey hat") can turn their lives around and become productive members of society, you should be immediately suspicious of individuals who tout previous criminal activity as a job qualification and badge of honor. Specifically:

• Individuals with a record of flaunting laws, property ownership, and privacy rights do not seem to be good prospects for protecting property, enforcing privacy, and safeguarding your resources. Would you hire a convicted arsonist to design your fire alarm system? Would you hire a convicted (but "reformed") pedophile to run your company's day-care center? Not only are these bad ideas, but they potentially open you up to civil liability should a problem occur—after all, you knew the history and hired them anyway. The same is true for hiring "darkside but reformed" hackers.

• Likewise, we believe that you should be concerned about individuals who refuse to provide you with their legal names, but instead use consulting handles such as "Fluffy Bunny" and "Demon Dialer." Mr. Dialer may in fact be an expert in how to penetrate an organization using a telephone system. But one of the primary reasons that people use pseudonyms is so that they cannot be held responsible for their actions. It is much easier (and a lot more common) to change a handle if you soil its reputation than it is to change your legal name.

• Finally, many of today's "hackers" really aren't that good, anyway—they are closer in both their manner and their modus operandi to today's street thugs than they are to today's computer programmers and system architects. It's the poor quality of today's operating systems, the lack of security procedures, and the widespread availability of automated penetration tools that make it possible for attackers to compromise systems. Exactly as somebody with a record of carjackings is probably not a skilled race car driver and engine designer, somebody who knows how to scam "warez" and launch denial of service attacks probably lacks a fundamental understanding of the security needed to keep systems safe.

3.6.3 Monitoring Services

Monitoring services can be a good investment if your overall situation warrants it. Common services provided on an ongoing basis include on-site administration via contractors, both on-site and off-site monitoring of security, on-call incident response and forensics, and maintenance of a hot-spare/fallback site to be used in the event of a site disaster. But in addition to being concerned about the individuals who provide consulting services, you also need to be cautious about what hardware and software they intend to use.

Many of the monitoring and response firms have hardware and software they will want to install on your network. They use this to collect audit data and manipulate security settings. You need to be cautious about this technology because it is placed in a privileged position inside your security perimeter. In particular, you should:

• Ensure that you are given complete descriptions, in writing, of the functionality of every item to be placed on your network or equipment. Be certain you understand how it works and what it does.

• Get a written statement of responsibility for failures. If the inserted hardware or software exposes your data to the outside world or unexpectedly crashes your systems during peak business hours, you should not then discover that you have agreed that the vendor has no liability.

• Ensure that due care has been taken in developing, testing, and deploying the technology being added to your systems, especially if it is proprietary in design. In particular, given Microsoft's record of software quality and security issues, we would suggest that you give very careful thought to using any company that has decided to base its security technology on Microsoft products.

• Understand whether its technology actually helps to prevent problems from occurring, or only detects problems after they have happened (e.g., intrusion prevention versus intrusion detection).

3.6.4 Final Words on Outsourcing

Using outside experts can be a smart move to protect yourself. The skills needed to write policies, monitor your intrusion detection systems and firewalls, and prepare and execute a disaster recovery plan are specialized and uncommon. They may not be available among your current staff. Performing these tasks correctly can be the difference between staying in business or having some flashy and exciting failures.

At the same time, the field of security consulting is fraught with danger because it is new and not well understood. Charlatans, frauds, naifs, and novices are present and sometimes difficult to distinguish from the many reliable professionals who are working diligently in the field. Time will help sort out the issues, but in the meantime it pays to invest some time and effort in making the right selection.

We suggest that one way to help protect yourself and take advantage of the growth of the field is to avoid entering into long-term contracts unless you are very confident in your supplier. The security-consulting landscape is likely to change a great deal over the next few years, and having the ability to explore other options as those changes occur will likely be to your benefit.

Last of all, simply because you contract for services to monitor your systems for misuse, don't lose sight of the need to be vigilant to the extent possible, and to build your systems to be stronger. As the threats become more sophisticated, so do the defenders . . . and potential victims.