Information Security Assessments Ask: How Secure Are You?
CIO Decisions Magazine Archives
Insiders vs. Outsourcers

Midsized companies are in some ways more, and in some ways less, vulnerable to security concerns than larger companies. A larger company may have a larger staff to devote to security issues, but it will also have more applications, networks and users through which a hacker could gain access. And some industry segments are more concerned than others. A survey by Forrester Research, released last year, showed finance and insurance, manufacturing and public services the most likely to purchase security technologies this year, with retailers and wholesalers least likely.

Security assessments involve a review of an organization's security infrastructure (such as firewalls, antivirus software, and server and network configuration), as well as policies and procedures governing such things as passwords and firewall settings. Penetration tests then attempt to find vulnerabilities in the customer's systems so they can be patched. Depending on their needs, companies may perform one or both types of these tests, and have them performed by a mix of inside and outside staff.

Choosing when and what to outsource is a company-specific decision. "If you're in a more information-sensitive business, such as a small credit union, or local bank, or a boutique pharmaceutical company -- where the stakes are really high and industrial espionage happens -- or if you're regulated, then you definitely want to hire some security-savvy people and have an outside entity do some work for you," Koetzle says.

Even if your internal IT staff members are skilled in security, they can be so close to day-to-day operations "that they often can't see security issues staring them right in the face," says Kevin Beaver, founder and principal consultant of Principle Logic LLC, an information security services firm in Kennesaw, Ga. He often finds misconfigured file-sharing settings, as well as protocols and applications that could give hackers unauthorized access to sensitive information. "I see even more nontechnical vulnerabilities involving areas such as physical security, data backup procedures and policy enforcement -- or the lack thereof," he says. Hiring an outsider also prevents conflicts of interest, says Beaver, such as "a network administrator who thinks he has secured everything, yet doesn't want to test too deeply for fear of incriminating himself."

The Hybrid Model

Jefferson Wells International Inc., a Brookfield, Wis.-based professional services firm with a risk and security assessment practice, recommends internal staff members use their knowledge of their networks and applications to conduct quarterly assessments of the network perimeter, says Tim Youngblood, director of technology risk management. Such appraisals should include all the systems most likely to face external attack, from routers and firewalls to the so-called demilitarized zone, a fortified part of the network that serves as a barrier between the Internet and your main systems and prevents outsiders from direct access to servers housing company data. He recommends companies use outsourcers, on the other hand, for an annual examination of security policies and procedures, as well as physical security issues such as access to the data center.

That's the approach taken by the Federation of Canadian Municipalities in Ottawa, a 115-person nonprofit lobbying group. Each quarter, the manager of information services, Sonny Labrie, devotes two to four person-days of internal staff time to check the security of services and applications the organization exposes to the Web. Once a year, he also pays an outsourcer between $5,000 and $10,000 to perform a three-day penetration test, which may include some "social engineering," such as impersonating a help desk staffer to find passwords. Labrie also recommends documenting the configuration of your network, servers and firewalls, so "in case you think you may have been compromised, you have something to compare against, and you're not just looking for a needle in the haystack." When scoping an assessment, he says, "make a list of the things you need to check. Don't just go and start looking."

Colliers International in San Jose, Calif., a regional affiliate of a $955 million international commercial real estate broker, "wanted to focus initially on perimeter security," says Vic Fischer, vice president of IT. But on the advice of his outsourcer, he decided to assess other areas such as patch management, backup and business continuity, plus examine security at the server, as well as the network, level. As he expected, the assessment showed that many of the organization's older firewalls, routers and servers needed to be replaced. It also found, unexpectedly, that a number of ports had been left open in firewalls to accommodate older applications no longer in use. Other findings weren't technical but pertained to policies and procedures. The policies of some former employees, for example, hadn't been disabled, and there wasn't enough documentation for the company's security policies and procedures. Fischer admits that's the area he's been slowest to fix. If he had anything to do over, Fischer says he would have built an annual assessment into his budget. "When talking about doing this with senior management, make sure to implant the idea that this isn't a one-time deal," he says.