Third party security infrastructure analysis (Security+ forum, March 2003)
chodan

2003-03-17, 7:32 pm

How do you guys feel about hiring a 3rd party company to come in to do an IS security assessment on your network systems?
I am somewhat torn between reluctance at having people poking around "my" network and having a good knowledge of the network as a reference point.
The company I am looking at has an excellent reputation in this field, and being an IS manager with a small staff and a lot of responsibility to go around doesn't leave a lot of time to keep up with security measures.
I think they might help in a number of areas.
1. To see how I am doing so far.
2. To see what areas need to be addressed
3. Help to develop a security policy which I may not have the clout to do without a 3rd party to back me up.
4. To see a risk assessment based on our objectives and uptime requirements.

What do you guys think?
RussS

2003-03-17, 9:07 pm

Sometimes an outsider can see glaring holes in one's defenses so I guess they can be a good idea. However, as a longtime manager in various different industries I am always loath to have 'consultants' come in to my area, as past experiences have shown that an awful lot of very expensive consultants are people who are great salespersons but really know squat about the overall picture - and in fact some I would even consider unemployable in their chosen fields.
With my VERY limited experience in the IT security field I am however shocked to see some of the things I have come across lately in the way of systems and personnel management. It is a wonder that some places even have a working network.
Tcat

2003-03-19, 10:16 am

I have to strongly agree with RussS.

It is a double edged sword. On one side, the bean counter will never see his own entry error (which is why most use double entry to catch mistakes).

And in my years of observation, the truly inept at anything but the gift of gab run from one new thing to another looking for a quick buck before they are caught.

Security is the current place to run to.

It is good the firm you are looking at has a good background check. And the expenses can be very painful. As an alternative, is there someone you know where you can team up to check each other's network? Double teaming would make sure you don't have obvious holes while ensuring no one is poking where they shouldn't be.

I don't know your industry, so I cannot say what is enough... Generally speaking however, I am blown away at the gaping holes most have. By picking off the Low Hanging Fruit, if you're not in say, banking, oil, or health care, you have tipped the scales in your favor without too much time/expense.

One of the cheapest things you can do is print the first chapter from the beta pdf I did and pass out copies to every employee. Just getting them to be aware of changing passwords and being alert to social engineering really puts a few stitches in the flap on the back side of the pajamas.
rlrouns

2003-03-19, 3:22 pm

Another thing, do not hire a company that sells software or hardware. Use the company that just does threat assessments, etc. Also check out your local ISSA (www.issa.org) and talk to some of the security people there, as there are usually some pretty senior-level people who can help guide you as well. If you do hire out a company that sells hardware and/or software you might get an assessment that you need a certain security product, and they just so happen to carry it... Remember: Vendors are evil! (and I work for one even though it is not security specific). Also check out CISecurity.org and look at the top 20 threats, free security guidelines, and some of the baseline tools out there. That should help you get a good start. Good luck and let us know what you decide to do!
chodan

2003-03-19, 8:15 pm

I work here http://www.centertech.com
We deal with a lot of federally funded grant projects.
I have gotten upper management onboard with the notion of increasing security and have taken many steps toward securing our network systems.
The biggest hurdle is the human factor, most are careless or lazy about security and a few are so paranoid that they send false alarms out every few days.
In both cases education will be the key.

I have done OK with the resources I have but I feel I have much room for improvement.
I'll keep everyone posted on my progress.
Tcat

2003-03-19, 8:26 pm

I have family in your general area of the SE. I wish I could report from my experience that you are dealing with either side of the coin that is unusual. If I did, I would be lying. :-(

The hardest job for any of us is 'selling' reasonable precautions, on an ongoing basis.

If you can get top brass to buy off on the concept, then basic CTT+ skills come into play. Selling is the game, as much as it isn't our primary job.

Maybe I can see you in a road tour. I have some airline "bump" money to burn or lose.

Tcat
rlrouns

2003-03-20, 9:27 am

When I said, "Vendors are evil" I didn't really mean that they are bad people, or evil, or mal-intentioned. Sometimes it is just difficult to get an accurate assessment from someone who is selling hardware or software solutions. Money permitting, it is nice to have a person come in who is an unbiased 3rd party who can look at the network.... Another thing you can do, depending on your time/money situation, is go take the SANS training. If you want to be truly paranoid, and get effective hands-on in how to lock down your network, that is a great investment. I took the security essentials course, and on day one I wanted to call my boss and tell him to just unplug the network. It will get you nice and paranoid. I would highly recommend the security essentials course, but if you are in an all-Windows environment or all-Unix environment, take those individual tracks. I hope that helps!

Rob
Copyright 2003 - 2008 examnotes.net