3.6 Outsourcing Options
After reading through all the material in this chapter, you may have realized that
your policies and plans are in good shape, or you may have identified
some things to do, or you may be daunted by the whole task. If you
are in that last category, don't decide that the
situation is beyond your ability to cope! There are other approaches
to formulating your policies and plans, and in providing security at
your site: for example, through outsourcing, consultants, and
contractors. Even if you are an individual with a small business at
home, you can take advantage of shared expertise—security firms
that are able to employ a group of highly trained and experienced
personnel who would not be fully utilized at any one site, and share
their talents with a collection of clients whose aggregate needs
match their capabilities.
There are not enough
information security experts available to meet all the needs of
industry and government. Thus, there
has been a boom in the deployment of consultants and outsourced
services to help organizations of all sizes meet their information
security needs. As with many other outsourced services, some are
first-rate and comprehensive, others are overspecialized, and some
are downright deficient. Sadly, the state of the field is such that
some poor offerings are not recognized as such either by the
customers or by the well-intentioned people offering them!
If you have not yet formulated your policies and built up your
disaster recovery and incident response plans, we recommend that you
get outside assistance in formulating them. What follows, then, is
our set of recommendations of organizations that seek to employ
outside security professionals for formulating and implementing
security policies.
3.6.1 Formulating Your Plan of Action
The first thing to do is
decide what services you need:
- Will you provide your own in-house security staff? If so, you may
  only need consultants to review your operations to ensure that you
  haven't missed anything important.
- Perhaps you have some in-house expertise but are worried about
  demands on their time or their ability to respond to a crisis? Then
  you may be in the market for an outside firm to place one or more
  contractors on site with you, full- or part-time. Or you might
  simply want to engage the services of a remote-monitoring and
  response firm to watch your security and assist in the event of an
  incident.
- Or perhaps you can't afford a full-time staff, or you aren't likely
  to need such assistance? In this case, having a contract with a
  full-service consulting and monitoring firm may be more
  cost-effective and provide you with what you need.
The key in each of these cases is to understand what your needs are
and what the services provide. This is not always simple, because
unless you have some experience with security and know your
environment well, you may not really understand your needs.
3.6.2 Choosing a Vendor
Your experience with outsourcing policy
decisions will depend, to a great extent, on the individuals or
organizations that you choose for the job.
3.6.2.1 Get a referral and insist on references
Because of the tremendous
variation among consulting firms, one of the best ways to find a firm
that you like is to ask for a referral from a friendly organization
that is similar to yours. Sadly, it is not always possible to get a
referral. Many organizations engage consulting firms that they first
meet at a trade show, read about in a news article, or even engage
after receiving a "cold call" from
a salesperson.
Clearly, an outsourcing firm is in a position to do a tremendous
amount of damage to your organization. Even if the outsourcing firm
is completely honest and reasonably competent, if you trust them to
perform a function and that function is performed inadequately, you
may not discover that anything is wrong until months later when you
suffer the consequences—and after your relationship with the
firm is long over.
For this reason, when you are considering a firm, you should:
- Check references. Ask for professional references that have engaged
  the firm or individual to perform services that are similar to
  those that you are considering.
- Check people. If specific individuals are being proposed for your
  job, evaluate them using the techniques that we outline in
  Section 3.6.2.4. Be wary of large consulting firms that will not
  give you the names of specific individuals who would work on your
  account until after you sign a retainer with them.
- Be concerned about corporate stability. If you are engaging an
  organization for a long-term project, you need to be sure that the
  organization will be there in the long term. This is not to say
  that you should avoid hiring young firms and startups; you should
  simply be sure that the organization has both the management and
  the financial backing to fulfill all of its commitments. Beware of
  consulting firms whose prices seem too low—if the organization
  can't make money selling you the services that you are buying, then
  they need to be making the money somewhere else.
3.6.2.2 Beware of soup-to-nuts
Be cautious about
"all-in-one" contracts in which a
single firm provides you with policies and then sells you services
and hardware to implement the policies. We have heard stories of such
services in which the policy and plan needs for every client are
suspiciously alike, and all involve the same basic hardware and
consulting solutions. If you pick a firm that does not lock you into
a long-term exclusive relationship, then there may be a better chance
that the policies they formulate for you will actually match your
needs, rather than the equipment that they are selling.
3.6.2.3 Insist on breadth of background
You should be equally cautious of firms in
which the bulk of their experience is with a specific kind of
customer or software platform—unless your organization
precisely matches the other organizations that the firm has had as
clients. For example, a consulting firm that primarily offers
outsourced security services to medium-sized police departments
running Microsoft Windows may not be the best choice for a
pharmaceutical firm with a mixed Windows and Unix environment. The
consulting firm may simply lack the breadth to offer truly
comprehensive policy services for your
environment. That isn't to say that people with
diverse backgrounds can't provide you with an
appropriate perspective, but you need to be cautious if there is no
obvious evidence of that "big
picture" view.
At a minimum, their personnel should be familiar with:
- Employment law and management issues that may predict conditions
  under which insiders may harbor a grudge against their employer
- Federal and state computer crime laws
- Encryption products, technologies, and limitations
- Issues of viruses, worms, and other malicious software, as well as
  scanning software
- TCP/IP fundamentals and issues of virtual private networks (VPNs)
  and firewalls
- Awareness and educational issues, materials, and services
- Issues of incident response and forensic investigation
- Security issues peculiar to your hardware and software
- Best practices, formal risk assessment methodologies, and insurance
  issues
Any good security policy-consulting service should have personnel who
are willing to talk about (without prompting) the various issues we
have discussed in this part of the book, and this chapter in
particular. If they are not prepared or able to discuss these topics,
they may not be the right service for you.
If you have any concerns, ask to see a policy and procedures document
prepared for another customer. Some firms may be willing to show you
such documentation after it has been sanitized to remove the other
customer's name and other identifying aspects. Other
firms may have clients who have offered to be
"reference clients," although some
firms may insist that you sign a non-disclosure agreement with them
before specific documents will be revealed. Avoid any consulting firm
that shares with you the names and documents of other clients without
those clients' permissions.
3.6.2.4 People
Most importantly, you need to be
concerned about the actual people who are delivering your security
policy and implementation services. In contrast to other consulting
services, you need to be especially cautious of consultants who are
hired for security engagements—because hiring outsiders almost
always means that you are granting them some level of privileged
access to your systems and your information.
As we noted earlier, there aren't enough real
experts to go around. This means that sometimes you have to go with
personnel whose expertise isn't quite as
comprehensive as you would like, but who have as much as you can
afford. Be careful of false claims of expertise, or of the wrong kind
of expertise. It is better to hire an individual or firm that admits
they are "learning on the job"
(and, presumably, lowering their consulting fee as a result), than to
hire one that is attempting to hide employee deficiencies.
Today's security market is filled with people who
have varying amounts of expertise in securing Windows platforms.
Expertise in other platforms, including Unix, is more limited. A
great deal can be learned from books, but that is not enough. Look
for qualifications by the personnel in areas that are of concern. In
particular:
- Certification. Look for certifications. In addition, make sure that
  those certifications are actually meaningful. Some certifications
  can essentially be purchased: one need only attend a series of
  classes or online seminars, memorize the material, and take a test.
  These are not particularly valuable. Other certifications require
  more in-depth expertise.
  Certification is an evolving field, so we hesitate to cite current
  examples. Although it's not everything we would like it to be, the
  CISSP certification is one valid measure of a certain level of
  experience and expertise in security.
- Education. Check educational backgrounds. Someone with a degree
  from a well-known college or university program in computing
  sciences or computer engineering is likely to have a broadly-based
  background. The National Security Agency has designated a limited
  number of educational institutes as "Centers of Educational
  Excellence" in the field of information security. In July 2002,
  that list included pioneering infosec programs at George Mason
  University, James Madison University, Idaho State, Iowa State, the
  Naval Postgraduate School, Purdue University, the University of
  California at Davis, and the University of Idaho.
- Reputation. If someone has written a widely used piece of software
  or authored a well-known book on a security topic such as viruses
  or cryptography, that does not mean that she knows the security
  field as a whole. Some authors really do have a far-ranging and
  deep background in security. Others are simply good writers or
  programmers. Be aware that having a reputation doesn't necessarily
  imply competency at consulting.
- Bonding and insurance. Ask if the personnel you want to hire are
  bonded or insured. This indicates that an outside agency is willing
  to back their competency and behavior. This may not ensure that the
  consultant is qualified, but it does provide some assurance that
  they are not criminals.
- Affiliations. Ask what professional organizations they belong to
  and are in good standing with. ACM, ASIS, CSI, IEEE, ISSA, and
  USENIX are all worthy of note. These organizations provide members
  with educational materials and professional development
  opportunities. Many of them also promote standards of professional
  behavior. If your subject claims membership only in groups like
  "The 133t Hax0r Guild" or something similar, you may wish to look
  elsewhere for expertise.
3.6.2.5 "Reformed" hackers
We recommend against hiring individuals and
organizations who boast that they employ "reformed
hackers" as security consultants. Although it is
true that some people who once engaged in computer misdeeds (either
"black hat" or
"grey hat") can turn their lives
around and become productive members of society, you should be
immediately suspicious of individuals who tout previous criminal
activity as a job qualification and badge of honor. Specifically:
Individuals with a record of flaunting laws, property ownership, and
privacy rights do not seem to be good prospects for protecting
property, enforcing privacy, and safeguarding your resources. Would
you hire a convicted arsonist to design your fire alarm system? Would
you hire a convicted (but
"reformed") pedophile to run your
company's day-care center? Not only are these bad
ideas, but they potentially open you up to civil liability should a
problem occur—after all, you knew the history and hired them
anyway. The same is true for hiring "darkside but
reformed" hackers.
Likewise, we believe that you should be concerned about individuals
who refuse to provide you with their legal names, but instead use
consulting handles such as "Fluffy
Bunny" and "Demon
Dialer." Mr. Dialer may in fact be an expert in how
to penetrate an organization using a telephone system. But one of the
primary reasons that people use pseudonyms is so that they cannot be
held responsible for their actions. It is much easier (and a lot more
common) to change a handle if you soil its reputation than it is to
change your legal name.
Finally, many of today's
"hackers" really
aren't that good, anyway—they are closer in
both their manner and their modus operandi to
today's street thugs than they are to
today's computer programmers and system architects.
It's the poor quality of today's
operating systems, the lack of security procedures, and the
widespread availability of automated penetration tools that make it
possible for attackers to compromise systems. Exactly as somebody
with a record of carjackings is probably not a skilled race car
driver and engine designer, somebody who knows how to scam
"warez" and launch denial of
service attacks probably lacks a fundamental understanding of the
security needed to keep systems safe.
3.6.3 Monitoring Services
Monitoring services can be a good
investment if your overall situation warrants it. Common services
provided on an ongoing basis include on-site administration via
contractors, both on-site and off-site monitoring of security,
on-call incident response and forensics, and maintenance of a
hot-spare/fallback site to be used in the event of a site disaster.
But in addition to being concerned about the individuals who provide
consulting services, you also need to be cautious about what hardware
and software they intend to use.
Many of the monitoring and response firms have hardware and software
they will want to install on your network. They use this to collect
audit data and manipulate security settings. You need to be cautious
about this technology because it is placed in a privileged position
inside your security perimeter. In particular, you should:
- Ensure that you are given complete descriptions, in writing, of the
  functionality of every item to be placed on your network or
  equipment. Be certain you understand how it works and what it does.
- Get a written statement of responsibility for failures. If the
  inserted hardware or software exposes your data to the outside
  world or unexpectedly crashes your systems during peak business
  hours, you should not then discover that you have agreed that the
  vendor has no liability.
- Ensure that due care has been taken in developing, testing, and
  deploying the technology being added to your systems, especially if
  it is proprietary in design. In particular, given Microsoft's
  record of software quality and security issues, we would suggest
  that you give very careful thought to using any company that has
  decided to base its security technology on Microsoft products.
- Understand whether its technology actually helps to prevent
  problems from occurring, or only detects problems after they have
  happened (e.g., intrusion prevention versus intrusion detection).
3.6.4 Final Words on Outsourcing
Using outside experts can be a smart move to protect yourself. The skills
needed to write policies, monitor your intrusion detection systems
and firewalls, and prepare and execute a disaster recovery plan are
specialized and uncommon. They may not be available among your
current staff. Performing these tasks correctly can be the difference
between staying in business or having some flashy and exciting
failures.
At the same time, the field of security consulting is fraught with
danger because it is new and not well understood. Charlatans, frauds,
naifs, and novices are present and sometimes difficult to distinguish
from the many reliable professionals who are working diligently in
the field. Time will help sort out the issues, but in the meantime it
pays to invest some time and effort in making the right selection.
We suggest that one way to help protect yourself and take advantage
of the growth of the field is to avoid entering into long-term
contracts unless you are very confident in your supplier. The
security-consulting landscape is likely to change a great deal over
the next few years, and having the ability to explore other options
as those changes occur will likely be to your benefit.
Last of all, simply because you contract for services to monitor your
systems for misuse, don't lose sight of the need to
be vigilant to the extent possible, and to build your systems to be
stronger. As the threats become more sophisticated, so do the
defenders . . . and potential victims.