After reading through all the material in this chapter, you may have realized that your policies and plans are in good shape, or you may have identified some things to do, or you may be daunted by the whole task. If you are in that last category, don't decide that the situation is beyond your ability to cope! There are other approaches to formulating your policies and plans, and in providing security at your site: for example, through outsourcing, consultants, and contractors. Even if you are an individual with a small business at home, you can take advantage of shared expertise: security firms that are able to employ a group of highly trained and experienced personnel who would not be fully utilized at any one site, and share their talents with a collection of clients whose aggregate needs match their capabilities. There are not enough information security experts available to meet all the needs of industry and government. [9] Thus, there has been a boom in the deployment of consultants and outsourced services to help organizations of all sizes meet their information security needs. As with many other outsourced services, some are first-rate and comprehensive, others are overspecialized, and some are downright deficient. Sadly, the state of the field is such that some poor offerings are not recognized as such either by the customers or by the well-intentioned people offering them!
If you have not yet formulated your policies and built up your disaster recovery and incident response plans, we recommend that you get outside assistance in formulating them. What follows, then, is our set of recommendations for organizations that seek to employ outside security professionals to formulate and implement security policies.

3.6.1 Formulating Your Plan of Action

The first thing to do is decide what services you need:
The key in each of these cases is to understand what your needs are and what the services provide. This is not always simple, because unless you have some experience with security and know your environment well, you may not really understand your needs.

3.6.2 Choosing a Vendor

Your experience with outsourcing policy decisions will depend, to a great extent, on the individuals or organizations that you choose for the job.

3.6.2.1 Get a referral and insist on references

Because of the tremendous variation among consulting firms, one of the best ways to find a firm that you like is to ask for a referral from a friendly organization that is similar to yours. Sadly, it is not always possible to get a referral. Many organizations engage consulting firms that they first meet at a trade show, read about in a news article, or even engage after receiving a "cold call" from a salesperson. Clearly, an outsourcing firm is in a position to do a tremendous amount of damage to your organization. Even if the outsourcing firm is completely honest and reasonably competent, if you trust them to perform a function and that function is performed inadequately, you may not discover that anything is wrong until months later when you suffer the consequences, and after your relationship with the firm is long over. For this reason, when you are considering a firm, you should:
3.6.2.2 Beware of soup-to-nuts

Be cautious about "all-in-one" contracts in which a single firm provides you with policies and then sells you services and hardware to implement the policies. We have heard stories of such services in which the policy and plan needs for every client are suspiciously alike, and all involve the same basic hardware and consulting solutions. If you pick a firm that does not lock you into a long-term exclusive relationship, then there may be a better chance that the policies they formulate for you will actually match your needs, rather than the equipment that they are selling.

3.6.2.3 Insist on breadth of background

You should be equally cautious of firms in which the bulk of their experience is with a specific kind of customer or software platform, unless your organization precisely matches the other organizations that the firm has had as clients. For example, a consulting firm that primarily offers outsourced security services to medium-sized police departments running Microsoft Windows may not be the best choice for a pharmaceutical firm with a mixed Windows and Unix environment. The consulting firm may simply lack the breadth to offer truly comprehensive policy services for your environment. That isn't to say that people with diverse backgrounds can't provide you with an appropriate perspective, but you need to be cautious if there is no obvious evidence of that "big picture" view. At a minimum, their personnel should be familiar with:
Any good security policy-consulting service should have personnel who are willing to talk about (without prompting) the various issues we have discussed in this part of the book, and this chapter in particular. If they are not prepared or able to discuss these topics, they may not be the right service for you. If you have any concerns, ask to see a policy and procedures document prepared for another customer. Some firms may be willing to show you such documentation after it has been sanitized to remove the other customer's name and other identifying aspects. Other firms may have clients who have offered to be "reference clients," although some firms may insist that you sign a non-disclosure agreement with them before specific documents will be revealed. Avoid any consulting firm that shares with you the names and documents of other clients without those clients' permissions.

3.6.2.4 People

Most importantly, you need to be concerned about the actual people who are delivering your security policy and implementation services. In contrast to other consulting services, you need to be especially cautious of consultants who are hired for security engagements, because hiring outsiders almost always means that you are granting them some level of privileged access to your systems and your information. As we noted earlier, there aren't enough real experts to go around. This means that sometimes you have to go with personnel whose expertise isn't quite as comprehensive as you would like, but who have as much as you can afford. Be careful of false claims of expertise, or of the wrong kind of expertise. It is better to hire an individual or firm that admits they are "learning on the job" (and, presumably, lowering their consulting fee as a result), than to hire one that is attempting to hide employee deficiencies. Today's security market is filled with people who have varying amounts of expertise in securing Windows platforms.
Expertise in other platforms, including Unix, is more limited. A great deal can be learned from books, but that is not enough. Look for qualifications by the personnel in areas that are of concern. In particular:
3.6.2.5 "Reformed" hackers

We recommend against hiring individuals and organizations who boast that they employ "reformed hackers" as security consultants. Although it is true that some people who once engaged in computer misdeeds (either "black hat" or "grey hat") can turn their lives around and become productive members of society, you should be immediately suspicious of individuals who tout previous criminal activity as a job qualification and badge of honor. Specifically:
3.6.3 Monitoring Services

Monitoring services can be a good investment if your overall situation warrants it. Common services provided on an ongoing basis include on-site administration via contractors, both on-site and off-site monitoring of security, on-call incident response and forensics, and maintenance of a hot-spare/fallback site to be used in the event of a site disaster. But in addition to being concerned about the individuals who provide consulting services, you also need to be cautious about what hardware and software they intend to use. Many of the monitoring and response firms have hardware and software they will want to install on your network. They use this to collect audit data and manipulate security settings. You need to be cautious about this technology because it is placed in a privileged position inside your security perimeter. In particular, you should:
3.6.4 Final Words on Outsourcing

Using outside experts can be a smart move to protect yourself. The skills needed to write policies, monitor your intrusion detection systems and firewalls, and prepare and execute a disaster recovery plan are specialized and uncommon. They may not be available among your current staff. Performing these tasks correctly can be the difference between staying in business or having some flashy and exciting failures. At the same time, the field of security consulting is fraught with danger because it is new and not well understood. Charlatans, frauds, naifs, and novices are present and sometimes difficult to distinguish from the many reliable professionals who are working diligently in the field. Time will help sort out the issues, but in the meantime it pays to invest some time and effort in making the right selection. We suggest that one way to help protect yourself and take advantage of the growth of the field is to avoid entering into long-term contracts unless you are very confident in your supplier. The security-consulting landscape is likely to change a great deal over the next few years, and having the ability to explore other options as those changes occur will likely be to your benefit. Last of all, simply because you contract for services to monitor your systems for misuse, don't lose sight of the need to be vigilant to the extent possible, and to build your systems to be stronger. As the threats become more sophisticated, so do the defenders . . . and potential victims.