Chapter 7. Security Outsourcing
At a Glance
Outsourcing is one option for managers in public, private, and non-profit entities who are concerned with their capacity to respond to the security threats discussed in this Handbook. While it may be a good solution for some organizations, the selection of outsourcing firms must be done carefully and the new security partners should be monitored for performance on a regular basis. This chapter covers some of the benefits and drawbacks of security outsourcing and suggests a series of questions that should be asked before an arrangement is finalized.
Outsourcing as an Alternative to “Doing it Yourself”
After reading through all the material in these chapters, you may have realized that your policies and plans are in good shape, or you may have identified some things to do, or you may be daunted by the whole task. If you are in that last category, don’t decide that the situation is beyond your ability to cope! There are other approaches to formulating your policies and plans, and to providing security at your site: outsourcing, consultants, and contractors. Even if you are an individual with a small business at home, or a small firm dependent on ICTs, you can take advantage of shared expertise: security firms are able to employ a group of highly-trained and experienced personnel who would not be fully utilized at any one site, and share their talents among a collection of clients whose aggregate needs match their capabilities.
On the other hand, if you have strong information technology skills, you may consider starting your own firm to supply expertise and training to others in need of those services. There is significant business potential in such enterprises, as there are not enough information security experts available to meet all the needs of industry and government worldwide.58 Thus, in the West, there has been a boom in the deployment of consultants and outsourced services to help organizations of all sizes meet their information security needs. As with many other outsourced services, some are first-rate and comprehensive, others are overspecialized, and some are downright deficient. Sadly, the state of the field is such that some poor offerings are not recognized as such either by the customers or by the well-intentioned people offering them!
If you have not yet formulated your policies and built up your disaster recovery and incident response plans, we recommend that you get outside assistance in formulating them. What follows, then, are our recommendations for organizations that seek to employ outside security professionals to formulate and implement security policies. There are a number of international organizations that provide assistance to developing countries in the field of IT deployment; if such expertise is available, it can be valuable in terms of both short-term support and longer-term capacity building (education and training) for the local population.
Formulating Your Plan of Action
The first thing to do is decide what services you need:
Will you provide your own in-house security staff?
If so, you may only need consultants to review your operations to ensure that you haven’t missed anything important.
Perhaps you have some in-house expertise, but are worried about demands on their time, or their ability to respond to a crisis?
Then you may be in the market for an outside firm to place one or more contractors on site with you, full or part-time. Or, you might simply want to engage the services of a remote monitoring and response firm to watch your security and assist in the event of an incident.
Or perhaps you can’t afford a full-time staff, or you aren’t likely to need such assistance?
In this case, having a contract with a full-service consulting and monitoring firm may be more cost-effective and provide you with what you need.
The key in each of these cases is to understand what your needs are and what the services provide. This is not always simple, because unless you have some experience with security and know your environment well, you may not really understand your needs.
58 The lack of trained security experts is a result, in part, of the lack of personnel and resources to support information security education at colleges and universities. Government and industry claim that this is an area of importance, but they have largely failed to put any real resources into play to help build up the field.
Choosing a Vendor
Your experience with outsourcing policy decisions will depend, to a great extent, on the individuals or organizations that you choose for the job.
Get a referral; insist on references
Because of the tremendous variation among consulting firms, one of the best ways to find a firm that you like is to ask for a referral from a friendly organization that is similar to yours. Sadly, it is not always possible to get a referral. Many organizations engage consulting firms that they first meet at a trade show, read about in a news article, or even engage after receiving a “cold-call” from a salesperson.
Clearly, an outsourcing firm is in a position to do a tremendous amount of damage to your organization. Even if the outsourcing firm is completely honest and reasonably competent, if you trust them to perform a function and that function is performed inadequately, you may not discover that anything is wrong until months later when you suffer the consequences — and after your relationship with the firm is long over.
For this reason, when you are considering a firm, you should:
Check references
Ask for professional references that have engaged the firm or individual to perform services that are similar to those that you are considering
Check people
If specific individuals are being proposed for your job, evaluate them using the techniques that we outline in the later “People” section. Be wary of large consulting firms that will not give you the names of specific individuals who would work on your account until after you sign a retainer with them.
Be concerned about corporate stability
If you are engaging an organization for a long-term project, you need to be sure that the organization will be there for the long term. This is not to say that you should avoid hiring young firms and startups; you should simply be sure that the organization has both the management and the financial backing to fulfill all of its commitments. Beware of consulting firms whose prices seem too low — if the organization can’t make money selling you the services that you are buying, then it needs to be making the money somewhere else.
Beware of soup-to-nuts
Be cautious about “all-in-one” contracts where a single firm both provides your policies and then sells you services and hardware to implement those policies. We have heard stories of such services where the policy and plan needs for every client are suspiciously alike, and all involve the same basic hardware and consulting solutions. If you pick a firm that does not lock you into a long-term exclusive relationship, there is a better chance that the policies it formulates for you will actually match your needs, rather than the equipment it is selling.
Insist on breadth of background
You should be equally cautious of firms whose experience is mostly with a specific kind of customer or software platform — unless your organization precisely matches the other organizations that the firm has had as clients. For example, a consulting firm that primarily offers outsourced security services to medium-sized police departments running Microsoft Windows may not be the best choice for a pharmaceutical firm with a mixed Windows and Unix environment. The consulting firm may simply lack the breadth to offer truly comprehensive policy services for your environment. That isn’t to say that people with a narrow background can’t provide you with an appropriate perspective, but you need to be cautious if there is no obvious evidence of that “big picture” view.
At a minimum, their personnel should be familiar with:
1. Employment law and management issues that may predict conditions under which insiders may harbor a grudge against their employer
2. National and local computer crime laws
3. Encryption products, technologies, and limitations
4. Issues of viruses, worms, and other malicious software, as well as scanning software
5. TCP/IP fundamentals and issues of virtual private networks (VPNs) and firewalls
6. Awareness and educational issues, materials and services
7. Issues of incident response and forensic investigation
8. Security issues peculiar to your hardware and software
9. Best practices, formal risk assessment methodologies, and insurance issues
Any good security policy consulting service should have personnel who are willing to talk about (without prompting) the various issues we have discussed in this Handbook, and this chapter in particular. If they are not prepared or able to discuss these topics, they may not be the right service for you.
If you have any concerns, ask to see a policy and procedures document prepared for another customer. Some firms may be willing to show you such documentation after it has been sanitized to remove the other customer’s name and other identifying aspects. Other firms may have clients who have offered to be “reference clients,” although some firms may insist that you sign a non-disclosure agreement with them before specific documents will be revealed. Avoid any consulting firm that shares with you the names and documents of other clients without those clients’ permission. Finally, if you have hired outside experts, one of the conditions of your contract should be that they will help develop local capacity at your organization and, possibly, in your area. It is quite natural that foreign expertise may be needed during transitional periods of learning in developing countries. Ideally, you will capitalize on these relationships to transfer knowledge and build local capacity and national expertise when possible.
Qualifications of IT Security Personnel
Most importantly, you need to be concerned about the actual people who are delivering your security policy and implementation services. In contrast to other consulting services, you need to be especially cautious of consultants who are hired for security engagements — because hiring outsiders almost always means that you are granting them some level of privileged access to your systems and your information.
As we noted earlier, there aren’t enough real experts to go around. This means that sometimes you have to go with personnel whose expertise isn’t quite as comprehensive as you would like, but who have as much as you can afford. Be careful of false claims of expertise, or of the wrong kind of expertise. It is better to hire an individual or firm that admits they are “learning on the job” (and, presumably, lowering their fee as a result), than to hire one that is attempting to hide employee deficiencies.
In the developed world, today’s security market is filled with people who have varying amounts of expertise in securing Windows platforms. Expertise in other platforms, including Unix, is more limited. A great deal can be learned from books, but that is not enough. Look for qualifications of the personnel in the areas that concern you. In particular:
Certification
Look for certifications. In addition, make sure that those certifications are actually meaningful. Some certifications can essentially be purchased: one need only attend a series of classes or online seminars, memorize the material, and take a test. These are not particularly valuable. Other certifications require more in-depth expertise.
Certification is an evolving field, so we hesitate to cite current examples. Although it’s not everything we would like it to be, the CISSP certification59 is one valid measure of a certain level of experience and expertise in security.60
59 See the web portal for CISSP at: http://www.cissps.com/
60 See also, CISA (Certified Information Systems Auditor) and CISM (Certified Information Security Manager) designations from ISACA at: www.isaca.org
Education
Check educational backgrounds. Some people with excellent computer skills are self-taught, and others will have degrees from college or university programs in computing sciences or computer engineering. In the global context, the level of skill may be more important than the degrees received. However, honesty about educational achievement is important; as we mentioned previously in the personnel section, do check to see that claims of education match reality. In the U.S., the National Security Agency has designated a limited number of educational institutes as “Centers of Educational Excellence” in the field of information security. In July 2002, that list included pioneering infosec programs at George Mason University; James Madison University; Idaho State; Iowa State; the Naval Postgraduate School; Purdue University; the University of California at Davis; and the University of Idaho. There are many IT initiatives underway around the world; check your local resources, including universities, to see where similar centers may be located. In addition, selected organization references have been provided in the Annexes of this Handbook.
Reputation
If someone has written a widely-used piece of software or authored a well-known book on a security topic such as viruses or cryptography, that does not mean that he or she knows the security field as a whole. Some authors really do have a far-ranging and deep background in security. Others are simply good writers or programmers. Be aware that having a reputation doesn’t necessarily imply competency at consulting.
Bonding and insurance
Ask if the personnel you want to hire are bonded or insured. This indicates that an outside agency is willing to back the competency and behavior of the people. This may not ensure that the consultant is qualified, but it does provide some assurance that they are not criminals.
Affiliations
Ask what professional organizations they belong to and are in good standing with. ACM, ASIS, CSI, IEEE, and USENIX are all worthy of note. These organizations provide members with educational materials and professional development opportunities. Many of them also promote standards of professional behavior. If your candidate claims membership only in groups like “The 133t Hax0r Guild” or similar, you may wish to look elsewhere for expertise.
“Reformed” hackers
We recommend against hiring individuals and organizations who boast that they employ “reformed hackers” as security consultants.61 Although it is true that some people who once engaged in computer misdeeds (either “black hat” or “gray hat”) can turn their lives around and become productive members of society, you should be immediately suspicious of individuals who tout previous criminal activity as a job qualification and badge of honor.
Specifically:
1. Individuals with a record of flaunting laws, property ownership, and privacy rights do not seem to be good prospects for protecting property, privacy, and safeguarding your resources. Would you hire a convicted arsonist to design your fire alarm system? Would you hire a convicted (but “reformed”) pedophile to run your company daycare center? Not only are these bad ideas, but they potentially open you up to civil liability should a problem occur — after all, you knew the history and hired them anyway. The same is true for hiring “darkside but reformed” hackers.
2. Likewise, we believe that you should be concerned about individuals who refuse to provide you with their legal names in the course of the interview process, but instead use consulting handles such as “HackExpert” and “Demon Dialer.” Mr. Dialer may in fact be an expert in how to penetrate an organization using a telephone system. But one of the primary reasons that people use pseudonyms is so that they cannot be held responsible for their actions. It is much easier (and a lot more common) to change a handle if you soil its reputation than it is to change your legal name.
3. Finally, many of today’s “hackers” really aren’t that good, anyway — they are closer in both their manner and their modus operandi to today’s street thugs than they are to today’s computer programmers and system architects. It’s the poor quality of today’s operating systems, the lack of security procedures, and the widespread availability of automated penetration tools that make it possible for today’s attackers to compromise systems. Just as somebody with a record of carjackings is probably not a skilled race car driver and engine designer, somebody who knows how to scam “warez” and launch denial-of-service attacks probably lacks a fundamental understanding of the security needed to keep systems safe.
61 See statistics on U.S. corporations who would hire reformed hackers in the 2003 CSI/FBI Computer Crime and Security Survey: http://i.cmpnet.com/gocsi/db_area/pdfs/fbi/FBI2003.pdf
Monitoring Services
Monitoring services can be a good investment if your overall situation warrants it. Common services provided on an ongoing basis include on-site administration via contractors, both on-site and off-site monitoring of security, on-call incident response and forensics, and maintenance of a hot-spare/fallback site to be used in the event of a site disaster. But in addition to being concerned about the individuals who provide consulting services, you also need to be cautious about what hardware and software they intend to use.
Many of the monitoring and response firms have hardware and software they will want to install on your network. They use this to collect audit data and manipulate security settings. You need to be cautious about this technology because it is placed in a privileged position inside your security perimeter. In particular, you should:
1. Ensure that you are given complete descriptions, in writing, of the functionality of every item placed on your network or equipment. Be certain you understand how it works and what it does.
2. Get a written statement of responsibility for failures. If the inserted hardware or software exposes your data to the outside world or unexpectedly crashes your systems during peak business hours, you should not then discover that you have agreed that the vendor has no liability.
3. Ensure that due care has been taken in developing, testing and deploying the technology being added to your systems, especially if it is proprietary in design. In particular, given Microsoft’s record of software quality and security issues, we would suggest that you give very careful thought to using any company that has decided to base its security technology on Microsoft products, even though Microsoft is working to patch flaws in its most popular products.
4. Understand whether their technology actually helps to prevent problems from occurring, or only detects problems after they have happened (e.g., intrusion prevention versus intrusion detection).
Final Words on Outsourcing
Using outside experts can be a smart move to protect yourself. The skills needed to write policies, monitor your intrusion detection systems and firewalls, and prepare and execute a disaster recovery plan are specialized and uncommon. They may not be available among your current staff. Performing these tasks correctly can make the difference between staying in business or having some flashy and exciting failures.
At the same time, the field of security consulting is fraught with danger because it is new and not well understood. Charlatans, frauds, naifs, and novices are present and sometimes difficult to distinguish from the many reliable professionals who are working diligently in the field. Time will help sort out the issues, but in the meantime it pays to invest some time and effort in making the right selection.
We suggest that one way to help protect yourself and take advantage of the growth of the field is to avoid entering into long-term contracts unless you are very confident in your supplier. The security consulting landscape is likely to change a great deal over the next few years, and having the ability to explore other options as those changes occur is likely to be to your benefit.
Last of all, simply because you contract for services to monitor your systems for misuse, don’t lose sight of the need to be vigilant to the extent possible, and to build your systems to be stronger. As the threats become more sophisticated, so do the defenders... and potential victims.