Recommendations for Third Party Security Audits?
palehorse asks: "I am a developer/DBA/etc for a very large State Govt. Agency on the East Coast. We have been subjected to an increasing number of break-ins and website defacements over the past few months. My boss has recently been tasked by our CIO to find a reputable third party (not us or our ISP) to come in and do a complete and independent security assessment/vulnerability analysis for us. Since I'm the guy who usually bugs folks about security, she tasked me to come up w/ a list of firms who could do this for us, and a plan on what to test for and how. I've done the whole Google search/ZD-Net search/etc, which has given me way too many folks who do this kind of stuff, from ISS and IBM on down. Consequently I wanted to get some feedback/suggestions from the Slashdot community on where to go from here."
"Please keep in mind that while we're a large government agency, we have a small and overworked IT staff who have no real experience in internet/web security, and who are just now getting into a serious web presence.
Here are the main questions that I have:
- Who have you used, and were they any good?
- What should we look for in evaluating who to contact and their proposals?
- What would you have done differently?
- What services should we ask for?
- How do we manage the contract to make sure we're not getting a snow-job?
- How do we use the result to get buy-in from management (who will probably need to lay out money for changes) and from the developers (who may be adamantly opposed to changing their systems, either for ego reasons or it's just a lot of work)?
- How often should we re-do these audits?
Anderson!
Worked for Enron.
they've got some sharp people there.
This space for rent.
Definitely get lists of references you can contact to see how much of their advice was followed and how the previous clients are holding up.
A feeling of having made the same mistake before: Deja Foobar
I can't ensure the outcome, but I could sure use the cash.
and IBM on down
They say nobody ever got fired for choosing IBM. Of course, I find that hard to believe. Surely somebody must have chosen IBM technology when it wasn't appropriate, and gotten fired. Anybody have a story?
For all intensive purposes, "whom" is no longer a word. That begs the question, "who cares"?
Check out Foundstone. They'll do it and do it right.
The truth about Scientology, Xenu, and you: Operation Clambake
send me 20$, i'll teach you how to use nmap, wrappers and ipchains.
your jesus is another mans xebu. chew on that hypocrites.
You are doing a service to unemployed geeks everywhere.
I hear Microsoft has a lot of recent experience with this! Why not give Bill a call?
Bruce Schneier's company, Counterpane, can probably help you.
www.@stake.com
You mentioned IBM...want to keep the business in-state?
Bet it's NY...
Karma: Good (despite my invention of the Karma: sig)
http://www.mitre.org
Walk down to your local highschool. Walk over to the kid with the purple hair and the /. tshirt.
Tell him you'll give him or her a free laptop, and 5 cases of Code Red if they can break in and tell you how they did it.
\Drew National Data Director, John Edwards for President
First it depends on what OS you are running, and how you have them configured. Second, ISS is a good security team. I don't know much about them, but they have a very good reputation for security, and are a well advanced team of individuals. When my boss was hacked 2 months ago, he called me, and hired me within 5 minutes of the interview (After I went over his head about replacing RedHat with Slackware).
If you want to spend large bucks, hire a security firm such as ISS. If your agency doesn't want to spend a lot of money, call a bunch of geeks (like me) to come in and audit the system, i.e. replacing wu-ftpd with pure-ftpd, IIS with Apache 2.0. Find the services that are full of holes, and replace them with something that has a reputation for security.
--------------------------
Is this a sig?
--------------------------
Sun Tzu seemed to be okay. The company I worked for used them when our System Administrator got arrested (and then became a fugitive. :) That mean old Doctor Chaos. heh.
They were pretty thorough in their research of our systems. We also hosted a security seminar (we're an ISP) and they came in and did a presentation. They seem pretty knowledgeable. They're based out of Milwaukee, I believe.
http://www.suntzu.net
We had an audit done by ISS about a year ago. They did a good job. They came in, did some interviews, and proceeded to test the specified systems. We got back some very good documentation showing any problems as well as things that were not problems.
I don't remember the cost, but I'd use them again.
The 1st rule is never, ever ask anyone who sells security products to do an audit, they will just try to sell you something.
IMHO an audit is not what you need; spend the money employing someone who does know about security to get (and keep) things ship shape. Security is an ongoing issue and can't be solved by a one-off check; the audit could be perfect but you're still wide open the next time some kiddie finds a hole in your preferred webserver software.
When I was a consultant for the US Army Corps of Engineers, they used KPMG. KPMG would do a monthly scan of the network and send us a report for changes we needed to make on servers and workstations. I think they also used them for the backbone network services, but not 100% sure.
These guys did an audit of one of my website networks once for a bank, not too bad. Guy mostly knew his stuff and was easy to work with. Cute name too:
http://www.wealsowalkdogs.com/
I don't know if counterpane.com does audits, but you should definitely consider their managed security service if you don't have a dedicated on-staff security person.
Finally, beware of these types of audits; they often don't look at your procedures and policies, which are the root cause of most problems. It's always good to have external cross checks from a different point of view, but be very careful about assigning too much importance to them.
I recommend Core SDI.
Those people really know what they're doing.
"Luck is my middle name," said Rincewind, indistinctly. "Mind you, my first name is Bad." -- Terry Pratchett
By far the best IT audit I have ever had done for any company I have worked for was done by Unisys. They did a very thorough audit of all the systems that we wanted audited and they gave us a very detailed report that included an explanation of how to fix what they found wrong. The best part about the audit was that they gave us the fixes and didn't make us pay them to fix everything and not disclose what was being fixed and why.
"Really, I'm not out to destroy Microsoft. That will just be a completely unintentional side effect." Linus Torvalds
You just have to 1/x whatever security rating they give you ;-)
People in cars cause accidents....accidents in cars cause people
Audits suck in my opinion, I would go with a managed security solution like Counterpane.
I know that the Fed. Govt. Agencies can use the DISA team. From those that I have worked with, they have a decent reputation.
How about anyone who doesn't read slashdot.org :)
:)
Taking bets on moderation totals now
What about Mitnick...
Oh but he can't access computers...
[My english is better than most other people's Turkish, so please point out mistakes politely. Thank you.]
...are three of the best security consulting firms. They have a lot more talent in security, in my opinion, than the Big 5, which is why I left them and went to one of the above. I suggest you research at least these three and compare them. You can at no cost submit a RFP to them and make your decision based on that.
Counterpane? Bruce Schneier's rep for security is certainly pretty strong. Oh, this is their website.
I've worked both for a big 5 accounting firm and a defense contractor doing these things.
You should look for:
- resumes of staff performing this activity, for the folks who will actually be conducting the work. How experienced are they? Beware of firms that send their people to a one week training class then turn them loose as experts.
- Breadth of experience in OS, server and middleware products. Don't hire a bunch of UNIX bigots if you have Win 2K servers. Not only will these folks not be familiar with the technology, they will also have a bias towards bad-mouthing it.
- Do they understand how to rank and prioritize the risks based on the needs of *your* environment? Anyone can generate a cookie-cutter report from a packaged tool. To what extent do they apply some human intelligence to this?
- Following from this, what does the report look like? Do you get a cookie-cutter intro with a zillion pages of ISS output, or do you get something meant for a human being to read?
- Breadth of assessment - do they look at routers and switches? Servers? Applications (is that Oracle financial application wide open)? Desktop machines?
- Are results based solely on a network scan, or do they actually look at host configs that may not be visible from an outside scan? Do they interview staff to get some idea of practices?
I mean, almost every Linux HOWTO I have seen on this subject (ipchains, iptables, ipforward) has been written by a man with in-depth knowledge of this matter who works for a company whose name is included in the same HOWTO.
I would look in those first. Their knowledge of certain matters has been approved by the whole OS community, which has seen their HOWTO and agrees with it.
I would look into hiring your firewall company to do an audit. They can usually suggest either an internal or external group to do the audit.... or at least give you a list. Most situations I have seen the firewall company does the audit or they consult another group to do it on your behalf...
Be prepared for the costs involved for a serious analysis.
I work for a Fortune 500 company and we had one of the Big 5 consultants do a 2 day port scan for us. We wanted a third party as well. They wanted $12k for 2 days work.
nuclear iraq bioweapon encryption cocaine korea terrorist
Make sure that who ever leads up the audit/assessment is certified (CISSP, GIAC, CISA).
Many larger companies will charge a fortune but you can use a smaller company as long as the team has a good leader.
Also checkout the http://www.ffiec.gov/ site.
Federal Financial Institutions Examination Council (FFIEC) - prescribes uniform principles, standards, and report forms for the federal examination of financial institutions.
Find them here: www.counterpane.com Excellent reputation.
They primarily do outsourced security management, but I imagine they would do risk assessment too.
The better approach is to research yourself and ask for specific tasks to be completed.
;)
Your IT staff might not have experience but it is unfair to assume they can't do something once you ask them to do it.
Never forget that nobody can read your mind
Perhaps other agencies within your state might already have someone doing this. This someone could come up with recommendations that could be used across the board. Plus it might make writing the contract easier.
Wait.. What am I saying? This is government; agencies don't work together. Nevermind...
The guys that always come to mind for me when talking security is the old l0pht.com (now www.atstake.com, but l0pht.com still works). These are the guys that the media always calls when they have questions about hackers.
"cute name"?? I have to say that I would NEVER use someone with an idiotic name like that. Maybe I shouldn't judge a book by the title, but it just sounds unprofessional.
I would say that first you should think of who NOT to contact. I would definitely say stay away from ISS and @Stake.
Find someone who actually gives back to the community, such as packetstorm or the such.
You might also consider Security Focus and places like that.
I'm not sure what your actual goal is, but if it is to actually secure things instead of having a bunch of monkeys come in and take some money from you, then places like that will have the best results.
And try to stay away from those who will require you to buy something, and subscribe to something else in order for you to be secure. ACLs on routers and removing unnecessary services/daemons, and patching those that you need will do a lot more than a firewall from acme security.
---
"Security is a process, not an event". -Some smart person
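As an added example, not the poster's own code: a check for the "removing unnecessary services/daemons" part of that advice. It parses constructed `ss -ltnp`-style output (the daemons, ports and PIDs are made up for the illustration) against an allowlist of the services a host is supposed to expose, and reports anything else, plus allowed services that are bound wider than the policy permits.

```python
"""Flag listening services that are not on a host's allowlist, or are exposed wider than policy permits."""
import re

# Constructed sample of `ss -ltnp` output; daemons, PIDs and ports are made up for the example.
SS_OUTPUT = """\
State   Recv-Q  Send-Q  Local Address:Port  Peer Address:Port  Process
LISTEN  0       128     0.0.0.0:22          0.0.0.0:*          users:(("sshd",pid=812,fd=3))
LISTEN  0       128     [::]:22             [::]:*             users:(("sshd",pid=812,fd=4))
LISTEN  0       511     0.0.0.0:80          0.0.0.0:*          users:(("apache2",pid=1290,fd=4))
LISTEN  0       511     0.0.0.0:443         0.0.0.0:*          users:(("apache2",pid=1290,fd=6))
LISTEN  0       5       0.0.0.0:21          0.0.0.0:*          users:(("wu-ftpd",pid=1402,fd=5))
LISTEN  0       128     0.0.0.0:111         0.0.0.0:*          users:(("rpcbind",pid=601,fd=8))
LISTEN  0       80      0.0.0.0:3306        0.0.0.0:*          users:(("mysqld",pid=1511,fd=12))
"""

# Hypothetical policy: which ports this host may listen on, which daemon should own
# them, and whether they may be reachable off-host ("any") or only from loopback ("local").
ALLOWED = {
    22:   {"process": "sshd",    "exposure": "any"},
    80:   {"process": "apache2", "exposure": "any"},
    443:  {"process": "apache2", "exposure": "any"},
    3306: {"process": "mysqld",  "exposure": "local"},
}


def parse_ss(text):
    """Turn `ss -ltnp` lines into dicts with bind address, port and owning process name."""
    listeners = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 5 or parts[0] != "LISTEN":
            continue  # header or unrelated line
        addr, port = parts[3].rsplit(":", 1)  # handles both 0.0.0.0:22 and [::]:22
        owner = re.search(r'"([^"]+)"', line)  # first quoted name in users:((...))
        listeners.append({"addr": addr, "port": int(port),
                          "process": owner.group(1) if owner else None})
    return listeners


def is_local_only(addr):
    """True for loopback-bound sockets; anything else is reachable from the network."""
    return addr.startswith("127.") or addr in ("[::1]", "localhost")


def audit_listeners(listeners, allowed):
    """Return (port, process, reason) for every listener that violates the policy."""
    findings = []
    for l in listeners:
        rule = allowed.get(l["port"])
        if rule is None:
            findings.append((l["port"], l["process"],
                             "not on the service allowlist: disable it or add it to policy"))
            continue
        if l["process"] != rule["process"]:
            findings.append((l["port"], l["process"],
                             f"unexpected owner, policy expects {rule['process']}"))
        if rule["exposure"] == "local" and not is_local_only(l["addr"]):
            findings.append((l["port"], l["process"],
                             f"bound to {l['addr']} but policy allows local access only"))
    return findings


if __name__ == "__main__":
    for port, proc, why in audit_listeners(parse_ss(SS_OUTPUT), ALLOWED):
        print(f"port {port:<5} {proc or '?':<10} {why}")
```

Run on the sample it reports wu-ftpd and rpcbind as unlisted and mysqld as bound to all interfaces when policy says loopback only; the same check run after a patch or a config change is a cheap way to notice that a "temporary" service never went away.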
I recommend this great company I found out about, called "Poot's Security Shack".
I... um, I mean, we... I MEAN THEY do a great job, and they cost less than all the big fancy companies with offices and business plans!
Email them at poot@dork.com for more info. Sorry, no refunds.
I've never used it, but I noticed this service today, and Netcraft is a reputable company (unless they're hiding something (-: )
http://www.netcraft.com/security/
S
You are a karma whore.
Do not fold, spindle or mutilate.
Sounds like you need some 3Com Embedded Firewall NICs.
Dump Microsoft IIS. Then re-evaluate the situation.
YMMV, but the Big 5 have a bad reputation of pulling people off the street, running them through one week of training, and calling them experts. That and pulling the old bait and switch - the real expert is heavily involved in the sales cycle, then once the project is sold the junior people come in (at outrageous billing rates).
Not discounting your good experience with KPMG, it is possible to get quality work from these folks. Just be careful of how some of the less ethical ones operate.
Be sure to find out, up front, exactly what the auditors are going to check. A lot of companies I've talked to won't tell you what they plan to do, citing that you'll try to toughen those areas to get a good report, but it keeps you from knowing if the testing will be thorough. Make sure the company you go with looks at all aspects of security... computer attacks, physical security, and social engineering. The strongest firewall is worthless if someone can just walk in and sit down at a terminal, or call a VP and get his logon/pass.
Hire me dood, I'll do the security audit $$$FOR CHEAP$$$. I GUARANTEE I'll remove more security holes than I create OR YOUR MONEY BACK. Why spend millions of dollars on a high-priced consultant?? I'll work for CHEAP. I'll audit your entire network, no matter how large, for $10,000!! That's nearly $90,000 off the regular price!! So if I fuck up and someone later haxors your boxes then you can just spend the $90,000 on new ones. WHAT A DEAL!!
Also, I'm black, so if you don't hire me then you are racist and I'll have to report you.
l0pht Heavy Industries, now known as @stake, employ top-flight security experts whose reputation should be plain from the quality and depth of presentations made at conferences (such as Mudge of @stake and his detailed presentations at USENIX security conferences).
This is Slashdot. Therefore, the answer to this question is, "just use Linux! Then your network will be magically secure, because we all know that you only have to use Linux to have a magic shield for your company".
Let me do it. I rate at 1000K per hour, minimum two working days. I will analyze your network resources, connection provider and pipe, services, and codebase. I have never failed to find the security holes in a system and lock it all up tight as a drum. Guaranteed that I can secure your network from outside intrusion or money back.
How do I do it?
Simple! I just unplug the incoming pipe from the network. BAM! No more possible security violations. Please note, this works best for *nix based networks, followed by Novell as they are so open to attack it isn't funny.
My boss has recently been tasked by our CIO to find a reputable third party (not us or our ISP) to come in and do a complete and independent security assessment/vulnerability analysis for us.
All of the big accounting firms (KPMG, Deloitte & Touche, Ernst & Young)offer this service. They are fairly reputable and thorough.
I suspect that you might want to pass on Arthur Andersen though, based on their enronic experience...
*** Where are we going? And what's with this handbasket?
Just use WheatoniX and never worry about security concerns again!
er...
Wait...
nevermind.
I'm not a prophet or a stone-age man,
I'm just a mortal with potential of a super man.
I have heard of some security group called "Cult of the Dead Cow." Kind of a strange name, I know, but I hear they will fully check out your security. They just need a few root passwords....
My beliefs do not require that you agree with them.
on my lowrider. I use it to control my switches so I can show off for my bitches.
...those guys from 'Sneakers'? Man they were good. :)
---
Two rights don't make a wrong, but three rights make a left. -Me
#1 Have your organization host DefCon.
:0
#2 Give all participants access to network
#3 Award a prize for the group that finds/creates the most holes.
#4 Go out and hire someone capable of keeping up with security issues and keep them continually trained, informed, and educated.
"Just Smile and Nod." --Huck
Pretty decent for FREE.
--Peter
Red Siren has a pretty good rep: http://www.redsiren.com
If you are a good admin, IIS is far superior to apache, and it can be secured just as tight... the problem is that there are way too many bad admins who don't keep up with things since IIS is so hands off in comparison to apache/linux.
Everybody knows that all the best security folks advertise in the back of 2600 Magazine ;-)
Eve Fairbanks says I drive a hybrid!LOL
I chose PWC for ours and they're pretty professional and know their stuff. Of course it differs from consultant to consultant but the guys we got were easy to work with. They know their checkpoint, cisco, unices, and NT/2k. And each consultant kinda specialized in one or two of those categories and would work with whomever one-on-one to gather data.
I highly recommend Enterprise Consulting. They gave me a 15 minute presentation on security and this included a detailed illustration of methods used by script kiddies and wannabe hackers. They employ ex government network security experts and really know what they are talking about. They have no clue about application security, but I am sure they are not too far off.
http://www.lumeta.com/ We help by performing a scan of your network and show you the holes in it. If you're familiar with the Internet Mapping Project, and Bill Cheswick, then you'll have a good idea of some of the stuff we do here.
Lucky for me I always have Emergency Pants!
There are a couple things you want from an audit (I've seen a couple from the receiving end, both really good and absolutely terrible):
1) you want a complete report, not just a management summary. Make sure there's guidance in the report on how to fix the problems they find, or at least a pointer to where to find the information to fix them.
2) black-box "we can hack anything" audits are sexy, but won't show you the whole picture. Make sure they're looking at both the external settings and any local policy security settings on the machine.
3) Ask to have some of your staff sit in on the audits...you want to learn from this audit as much as possible. If they say "no", ask why. If they're just trying to protect their "script-fu", run...they're probably fake.
4)Get a contract in place that makes it very clear what they are supposed to audit, what they are not supposed to audit, and how they are allowed to do it...get that in place *before* the audit starts. (a "terms of engagement"). This includes what IPs to audit, and what techniques (DoS, social engineering, etc) are allowed.
5) as others have mentioned above, ask for references. If they can't provide them, worry.
I'll stop now. I'm sure there's more, but that's what occurred off the top of my head.
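As an added example, not part of the original post: a small scope checker for the "terms of engagement" point in item 4 above. The idea is that the agreed IP ranges, carve-outs and permitted techniques are written down once and every test run is checked against them before anything is launched. The scope file syntax, the addresses (RFC 5737 documentation ranges) and the technique names are assumptions made for the illustration.

```python
"""Enforce the terms of engagement: refuse to test any host or technique not agreed in writing."""
import ipaddress
from dataclasses import dataclass, field

# Constructed sample scope, as it might be copied from the signed terms of engagement.
# Hypothetical addresses (RFC 5737 documentation ranges), not from the original thread.
SCOPE_TEXT = """
# in-scope targets
allow 198.51.100.0/24
allow 203.0.113.10
# carved out of the /24: the ISP-managed router is not ours to test
deny 198.51.100.1
# techniques the client agreed to; anything else (DoS, social engineering) is refused
technique port-scan
technique web-app
"""


@dataclass
class Scope:
    allow: list = field(default_factory=list)
    deny: list = field(default_factory=list)
    techniques: set = field(default_factory=set)


def parse_scope(text):
    """Parse allow/deny/technique lines; '#' starts a comment, blank lines are ignored."""
    scope = Scope()
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        kind, _, value = line.partition(" ")
        value = value.strip()
        if kind == "allow":
            scope.allow.append(ipaddress.ip_network(value, strict=False))
        elif kind == "deny":
            scope.deny.append(ipaddress.ip_network(value, strict=False))
        elif kind == "technique":
            scope.techniques.add(value)
        else:
            raise ValueError(f"unknown scope directive: {line}")
    return scope


def in_scope(scope, target):
    """A host is in scope if some allow entry covers it and no deny entry carves it out."""
    addr = ipaddress.ip_address(target)
    if any(addr in net for net in scope.deny):  # carve-outs win over allows
        return False
    return any(addr in net for net in scope.allow)


def authorize(scope, target, technique):
    """Return (ok, reason); both the host and the technique must be agreed."""
    if technique not in scope.techniques:
        return False, f"technique {technique!r} not in rules of engagement"
    if not in_scope(scope, target):
        return False, f"{target} is outside the agreed scope"
    return True, "authorized"


def plan_run(scope, requests):
    """Split (target, technique) requests into those that may run and those refused."""
    runnable, refused = [], []
    for target, technique in requests:
        ok, reason = authorize(scope, target, technique)
        (runnable if ok else refused).append((target, technique, reason))
    return runnable, refused


if __name__ == "__main__":
    scope = parse_scope(SCOPE_TEXT)
    requests = [
        ("198.51.100.20", "port-scan"),  # in the /24, allowed technique
        ("198.51.100.1", "port-scan"),   # carved out
        ("203.0.113.10", "web-app"),     # single allowed host
        ("203.0.113.11", "web-app"),     # neighbour, never agreed
        ("198.51.100.20", "dos"),        # technique not agreed
    ]
    runnable, refused = plan_run(scope, requests)
    for target, technique, _ in runnable:
        print("RUN    ", target, technique)
    for target, technique, why in refused:
        print("REFUSE ", target, technique, "-", why)
```

The deny-wins rule is the important design choice: a carve-out like "not the ISP's router" should be impossible to override by a broader allow added later, and the refusal reason is logged so a dispute over "you scanned something you weren't supposed to" can be settled from the record.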
I get Bruce Schneier's CRYPTO-GRAM. He runs a security company www.counterpane.com. The dude knows his stuff and his employees probably aren't slackers either.
Not like I'd choose anyone for name alone. Given the choice between a company that has people with solid skills and a cute name vs. a company with a "professional" name and staff that has just recently graduated with their history degree and has taken 4 Microsoft MCSE classes, I'll take the company with talented people any day.
1) Find out if there are any restrictions for hire by your state for contracted work for a govt site.
2) Create a form letter and a deadline with which to respond stating the requirements for the company. List a contact number and ask for a bid.
3) Email the form letter to all prospective candidates and wait for a response. Some companies may not meet your criteria, some will not offer a reasonable bid. These you can toss. The ones which are acceptable, do research on and present a formal report to your boss.
Most security companies would love to get a recurring govt contract so play on this desire.
The guys are serious and well known in the hacker community. Check out the site www.l0pht.com.
"always look to the brighter side of life" Monty Python
Ill do it !! Ill do it !! :)
I will bend your mind with my spoon
Michael Loves Me!
Their claim to fame is that they protect the Lab for Computer Science at MIT, the site that gets the most attempted cracks in the world.
In our experience, they were very organized, disciplined and thorough.
http://www.mavensecurity.com/
Black Hat does security consulting now. They are the best because they employ people who find these exploits, not just someone who goes to Black Hat briefings and listens to the talks then tries to apply what they learned. The people who do the briefings are the ones who would audit your site.
Since Black Hat is the number one security conference in the world they would be best for the job. http://www.blackhat.com
Depending on the scope, Systems Experts did a very good job for my company, and we're about 30,000 people. These guys are just what their name states- experts in the field. I've worked with two of them, and they take their job very seriously. Their job is to find vulnerabilities. They will, if you ask them, recommend a fix. See www.systemexperts.com.
Another company that you might find useful is Lumeta. This is Bill Cheswick's company, and they take an innovative approach, in particular relating to networking audits. They map your network and create visualizations. See www.lumeta.com. One of their senior folk is Tom Limoncelli, whose book "The Practice of System and Network Administration" was recently reviewed on SlashDot.
Hi,
I work in this specific industry and you need to be careful how you screen companies. There are a few caveats to watch for:
Ask for references but don't be surprised if they can't give a lot. Why? My company does a lot of work for the Federal Gov't as well as state governments and the work is usually under a NDA. You wouldn't like me to say "sure we audited so and so and found 25 holes" either.
Ask for their methodology and review it. Don't always believe the hype about "custom tools" etc.. Make sure they have some level of redundancy. I worked for one firm that used strobe and ISS and nothing more. Ask what tools they are going to use. Be nervous if they don't want to tell you. You'd be surprised at how many "big players" really are scam artists.
Make sure the resumes you see in the proposal are the people doing the work. You don't want to hire and pay for Mudge, only to have Tony the Pony come run the scan.
Check the reputation of the finalists. You definitely don't want a fly-by-night shop doing your work, or a company that might not have good ethics.
dewke
Oderint dum metuant
Here are the main questions that I have:
- Who have you used, and were they any good?
Cisco has used them for their customers.
- What should we look for in evaluating who to contact and their proposals?
Outside referrals from reputable companies
- What services should we ask for?
Penetration testing/site evaluation
How often should we re-do these audits?
Every three-six months isn't a bad cycle.
Most of the Big 5 (KPMG, Andersen, D&T, PWC, etc.) firms have a security / auditing arm. Big $$, lots of paperwork and reports. Works great if you have lots of money and are really into paperwork.
Some anti-virus firms (Symantec, McAfee) also offer security consulting services. And yes, they will try to sell you their products, too.
One firm I can recommend is Internet Security Systems http://www.iss.net I met one of their top people -- he and I were both security speakers at the last LinuxWorld conference in New York -- and was very impressed with Mike and his company.
You may also want to consider contacting a smaller, local security consulting firm. For a company like that be sure to get references for satisfied customers.
And lastly, Jay Beale (author of Bastille Linux) http://www.bastille-linux.org offers security auditing and consulting. Check out http://www.bastille-linux.org/jay/consulting
Hope that helps!
David Allen
http://www.qaddisin.com/main/services/security-assessment.html
Qaddisin Services
Security Assessment
As our most thorough (and popular) service, a Security Assessment consists of an in-depth examination of your current networks, security practices and operational procedures. We use commercial, open source and custom written tools (as well as our own expertise) to "case" your network. Qaddisin follows up this exploration with a detailed report and review outlining the strengths and weaknesses of your environment, specific vulnerabilities discovered during the assessment and solutions designed to correct exposures and minimize risk.
The Security Assessment service comes in several formats, chosen to best fit your needs. Work can be done on-site or remotely. We can concentrate on specific targets in your environment, i.e. a firewall, its ruleset and a webserver, or review the entire network. The package can be purchased on a per project basis or by the hour. Additionally, we can perform recurring assessments of your network, quickly reporting on what has changed from previous evaluations.
Qaddisin assessments are the best way to identify your security concerns. Our detailed report and the follow-up meeting provide a roadmap to a secure environment. Contact us for more information.
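An added example (not Qaddisin's code, nor from the original page) of what "reporting on what has changed from previous evaluations" looks like in practice: two constructed assessment snapshots are compared and only the deltas are reported, with regressions (new hosts, newly open ports, new or worsened findings) separated from improvements. Host names, ports, finding IDs and severities are made up for the illustration.

```python
"""Diff two assessment snapshots so a recurring audit reports only what changed."""
import json

# Constructed snapshots (hypothetical hosts, ports and finding IDs, not from the page).
# Each snapshot maps host -> its open ports and a finding-id -> severity table.
PREVIOUS = json.loads("""{
  "www.example.gov": {"open_ports": [22, 80, 443],
                      "findings": {"WEB-1": "high", "SSH-1": "medium"}},
  "db.example.gov":  {"open_ports": [22, 1521],
                      "findings": {"DB-1": "high"}}
}""")
CURRENT = json.loads("""{
  "www.example.gov":  {"open_ports": [80, 443, 8080],
                       "findings": {"SSH-1": "high", "WEB-2": "medium"}},
  "mail.example.gov": {"open_ports": [25, 110],
                       "findings": {"MAIL-1": "low"}}
}""")

SEVERITY = {"info": 0, "low": 1, "medium": 2, "high": 3, "critical": 4}


def diff_assessments(previous, current):
    """Return what appeared, disappeared and changed between two snapshots."""
    report = {"new_hosts": [], "gone_hosts": [], "opened": {}, "closed": {},
              "new_findings": {}, "resolved": {}, "severity_changed": {}}
    for host in sorted(set(previous) | set(current)):
        if host not in previous:
            report["new_hosts"].append(host)
            if current[host]["findings"]:  # everything on a new host is a new finding
                report["new_findings"][host] = dict(current[host]["findings"])
            continue
        if host not in current:
            report["gone_hosts"].append(host)
            continue
        prev, cur = previous[host], current[host]
        opened = sorted(set(cur["open_ports"]) - set(prev["open_ports"]))
        closed = sorted(set(prev["open_ports"]) - set(cur["open_ports"]))
        if opened:
            report["opened"][host] = opened
        if closed:
            report["closed"][host] = closed
        pf, cf = prev["findings"], cur["findings"]
        new = {k: v for k, v in cf.items() if k not in pf}
        resolved = {k: v for k, v in pf.items() if k not in cf}
        changed = {k: (pf[k], cf[k]) for k in pf if k in cf and pf[k] != cf[k]}
        if new:
            report["new_findings"][host] = new
        if resolved:
            report["resolved"][host] = resolved
        if changed:
            report["severity_changed"][host] = changed
    return report


def regressions(report):
    """The subset of the diff that got worse; this is what the follow-up meeting should focus on."""
    lines = []
    for host in report["new_hosts"]:
        lines.append(f"{host}: new host appeared in scope")
    for host, ports in report["opened"].items():
        lines.append(f"{host}: newly open ports {ports}")
    for host, findings in report["new_findings"].items():
        for fid, sev in sorted(findings.items()):
            lines.append(f"{host}: new {sev} finding {fid}")
    for host, changes in report["severity_changed"].items():
        for fid, (old, new) in sorted(changes.items()):
            if SEVERITY[new] > SEVERITY[old]:
                lines.append(f"{host}: {fid} worsened from {old} to {new}")
    return lines


if __name__ == "__main__":
    report = diff_assessments(PREVIOUS, CURRENT)
    print(json.dumps(report, indent=2, default=list))
    print("\nRegressions since last assessment:")
    for line in regressions(report):
        print(" -", line)
```

Keeping the raw snapshots and diffing them is also how you hold an auditor to their previous report: a finding that was "resolved" last quarter and reappears this quarter is either a regression in your environment or a scan that was never as thorough as the report claimed.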
It's much more important to create good security policies than create a one time audit.
:P What's your policy on wireless?
You want someone that's going to come in and talk to your employees, find out what information needs to be secured, discuss existing policies and create a complete solution.
Most companies hire a security company to just put up a firewall. They have heard the term and think it sounds pretty cool so they decide they need it. A good security consultant will be frustrated with this point of view because he knows that a firewall is a tiny part of complete solution.
A good consultant will check to make sure you are securing everything you need rather than just check to make sure you "secure" computers are secure.
You want someone that is going to check for wireless keyboards and Bluetooth. Perhaps someone is just sitting outside your office in a van and changing your website from his wireless van every time you fix it.
Basically you need someone that is going to visit you and teach and create policy more than someone that is just going to check your existing setup.
I work in a fairly large isp/managed service provider and we have had customers hire several different auditors that I have gotten to deal with firsthand.
1. ISS - Did a GREAT job. Very detailed, very honest, and quite courteous.
2. TruSecure - HORRIBLE. Their audits were nothing more than manufactured scan reports with their logo on them. The 'reports' were also very inaccurate.
SecureTrendz is a company that does exactly this with the benefit of having a lot of expertise in other related areas. (LAN/WAN, Unix/NT SA, Backup/Recovery)
Assessments can range from a simple Internet presence audit, to a full-blown enterprise assessment, including policy review and design. All projects are tailored to the customer's needs, goals and expectations. There are no 'cookie-cutter' solutions. Knowledge-transfer is a key component of ST projects. They really endeavor to educate their clients rather than keep them dependent.
ST's engineers are outstanding. Where many assessments stop at simply finding vulnerabilities, the team at ST are often able to leverage access against other systems on a network to provide a very realistic idea of how vulnerable you may be. From both a network/systems and business perspective, they simply have a deep understanding of weakness, vulnerability and risk management.
I know a few people who work there and I highly recommend them.
www.securetrendz.com
sedawkgrep
Is that a salami in my pants or am I just happy to be me?
Security is a mindset and process at least as much as an implementation. Therefore you don't just need a good audit, but you need continuing audits.
Counterpane and Bruce Schneier are the best known names in cryptography consulting today, but I don't expect them to know much about virus attacks.
You probably need several different audits (or maybe an extensive IBM audit) just to get started. However never allow the same auditors in more than two years in a row. (The first year to find problems, the second to find problems in the fixes.) People who know what is going on in detail should be working for you; you want an outside view, untainted by prior knowledge and hard work.
Make it a policy that you hire auditors on a two year contract, and make it clear that it is NOT renewable, and they cannot get further business in this audit for two years.
Try everyone. Once all the big guys have been through and given you a stamp of approval you should allow the common thief to see your entire procedures, and get his recommendations. (Don't necessarily follow them of course.) Try small companies and big ones. Small companies tend to cover one area very well, big ones broad areas not as deep. You need both.
This isn't an overnight fix. It took OpenBSD several years to become secure. Today they have a well earned reputation as the least breakable system. If I remember right they had to go over the same code 3-6 times before they got most of the security problems out. They were not even looking at security, they were looking for things that were wrong.
If you buy closed source code (nothing wrong with it), make sure your vendor works for security. You can't fix the holes in a sieve with confidence that the fix will hold. Open source is a little better, but you might have to pay someone to fix those.
Remember that external audits are an assurance. Most of the work is internal. So make sure management is giving everyone enough time to fix the bugs in their own code/implementation.
I recommend reading Bruce Schneier's "Secrets and Lies" before you go too far. You can probably pick it up at your local library.
With a song like this you know they mean business.
There's even a jungle remix! w00t!
:wq
(Personally, tho, I like IBM's "Ever Onward". Just has that
"1930's cartoon with happy singing cows" feel to it.)
One ring to rule them all. The (_O_) in Goatse.cx
When I was working with the RCMP (via a System Integrator), they were undergoing a complete evaluation of the security of the various public wireless providers that they planned to deploy their police mobile products upon. This required extensive reviews of communications protocols, physical and procedural aspects of security, who was getting access to what/when/how was it controlled, auditing, and physical security of the various locales.
The guys the RCMP had do it were experienced, knowledgeable, and had ties/backgrounds that included work with the Canadian Security Establishment (Canadian NSA) and the Canadian Military. One of the guys I worked with had just finished some serious security work for CSE. I know enough about crypto and comms protocols myself to know when (as far as security)I meet people who are "the real deal". These guys were it. And they opened the eyes of some of the public wireless providers in a big way.
They can be found via the info at the bottom of this link here.
-- Mal: "Well they tell you: never hit a man with a closed fist. But it is, on occasion, hilarious."
"Since I'm the guy who usually bugs folks about security, she tasked me to come up w/ a list of firms who could do this for us"
1. Sucks to be you about now since you're now the guy that could be scapegoated if security isn't handled adequately enough.
2. This should point out another part of the squeaky wheel proverb--The squeaky mechanic gets stuck being the one who puts the grease on the squeaky wheel...
3. Has anyone noticed that the person or persons truly responsible for their systems' security isn't actually handling this? Either too much buck passing is going on or that agency truly doesn't have anyone accountable for security issues. Human ignorance, that looks like the number one security issue in this case.
We have a group dedicated to cybersecurity.
To spot the expert, pick the one who predicts the job will take the longest and cost the most.
Most large financial companies use Technology Risk Management teams from the larger accounting firms such as KPMG or Price Waterhouse Coopers. From what I've seen, they do a pretty good job as far as auditing is concerned. Very good documentation, and they do a more thorough job than most "Security Consulting Firms". Best bet is to have them do the audit, then get a bunch of geeks to handle implementation.
You are a karma whore.
:) find a job yet?
Been There, done That... karma still in high 40's
I recommend D&T's Secure eBusiness practice. Of course I recommend them because I work for them. ;)
We have done security work for banks, financial institutions, and government bodies. We perform attack and penetration testing, security product integrations, and overall review of security practices and environments.
Send me an email at hacho@deloitte.com if you want to discuss.
Regards.
G.E. Capital ITS. Fuckin' Fine ex-company there. We used to order soooo much stuff from them (due to a corporate contract with IBM to keep our reseller contract we could only buy from them)
Nothing like damn near 50% markup over IBM's already high prices and the absolute worst shipping times I have ever seen for a company. I swear if we ordered shitpaper from them and it wouldn't get here for weeks.
I patented screwing your mom. But it got revoked for "prior art."
I'm a contractor for the DOD. Periodically we get audits from ISS out of the blue. The information in the past has been informative in pointing out holes and backdoors that I had hidden from our Sys/Admin...ratts;)
-- Probability does not dismiss possibility --
I'm in there right now! ... and abc123 is not a very good administrator password.
Seriously, however - if you are having continual troubles with this and an admittedly overworked IT staff unfamiliar with system security issues, get someone who /is/. It will likely pay off in the long run compared to the fees doled out to outside contractors. You'll have someone who (eventually) knows your system inside and out, and will thereby have a better idea of both network and physical security issues.
How about Harris?
1) When screening auditors, let them know that you will only be purchasing auditing services from them.
2) You want to establish what your best practices should be and then use the audit to identify the gaps in the current implementation of those practices.
3) Either perform the remedial work yourself under guidance or contract with a third party (not the auditor) to remediate any needed items from the audit.
4) Set up an internal audit team to perform an internal audit on a much more frequent basis than your external audit (i.e. quarterly vs. annually), but using the same guidelines.
5) Decide what the scope will be; a lot of these audits tend to overlap into business continuity/disaster recovery, physical security, etc. Make sure each of these areas is appropriate to your business needs before including them in the engagement.
Good Luck!
Surely you've already contacted Gibson Research to help protect you against script kiddies, armed with the raw sockets in Windows XP, from taking over not only your servers, but the entire internet!
www.grc.com
J
You are going to have to define the scope of the audit. Is it just web servers, desktops, your security policies, legacy or the whole ball of wax? Are you talking a mixed environment (multiple-Unix, Windows, Mac, other?)
How wide is your network area? Multiple locations? Same cities?
How about your network infrastructure itself? Routers, switches, etc.
A complete audit can take a while and cost a lot of $$, especially if you have a wide range of system types and network spread. It also can depend on how deep you want the audit to go.
I work for Lucent doing large scale audits, so can only comment on what I've experienced. Security is as much policy, training and implementation as it is software/hardware.
E-mail me if you want some detailed information.
Charles Hill
Learning HOW to think is more important than learning WHAT to think.
Yeah, check out Danet for your security needs...
http://www.danet.com
@Stake
Remember that these guys used to be l0pht, and having met several of them they still have my highest and best regards in the security field; in my opinion they still are the best around.
Om, nomnomnom...
In addition to hiring the pros, you can also do a considerable amount of auditing yourself with the right automated tools. Among these is the program MultiProxy, which allows you to enter the IP addresses of your machines and quickly see if outsiders can use them to mask their identities during an attack. It's definitely not a substitute for a real audit, but it can help you to get a quick overview of potential problems.
In case of fire, do not use elevator. Use water!
Check out CounterPane.com, Bruce Schneier's outfit (Applied Crypto, etc.)
Basically, you're going to spend as much as you discern the value of security to your system. Given that your webserver is repeatedly being compromised, your needs and concerns have been raised due to the nature of being hacked. You can elect to pay a run-of-the-mill techie to do a security audit for your system, but in the end you are going to get what you pay for. If you take the cheap route out, you are going to end up with an incomplete solution. I'm not saying every layman out there is going to do a shoddy job, but unless they do security analysis for a living, then their experience is going to be quite limited.
You could take your car to the neighborhood mechanic, and he might fix the problem you're having, but if you take it to the dealership, they are going to have an intricate knowledge of all of the parts in the car and how they work together. Their narrower focus allows them to have a deeper knowledge of the subject.
I checked with these people about a year ago. From what I saw and the people I spoke with, they are very much on the ball and quite thorough. They have some real talent working for them and techies from every discipline. Worth a look.
Do you want to remove linux?
The Cult of the Dead Cow spun off L0pht Heavy Industries, a security consultancy, which then changed its name to @Stake. @Stake is well-respected, and produces good papers on the theory and practice of security holes. But then, so did CdC.
Try the demo of this STAT software. It was originally developed for the US Military. The downloadable demo was able to find several security problems on my system. It's a start that will give you an idea of where your weaknesses are, and probably fix them all. It can be used with Windows, UNIX and Linux.
(posted as code to circumvent Lameness Filter)
(link: http://www.statonline.com/solutions/vuln_assess/index.asp)
STAT® SCANNER
Automatically detect and correct security threats
STAT® Scanner Professional Edition
Using the most comprehensive Windows® vulnerability database on the market, and an extensive UNIX database, STAT® Scanner Professional Edition performs a complete security analysis of Windows NT®, Windows® 2000/XP and Sun(TM) Solaris(TM) UNIX, RedHat(TM) Linux®, and Mandrake(TM) Linux® resources. Enables users to accurately identify and eliminate network security deficiencies that can allow hacker intrusion. STAT Scanner Professional automatically detects over 1,600 vulnerabilities and corrects a large percentage of them with the exclusive AutoFix feature. Reporting capabilities range from high-level, consolidated management reports to detailed reports used by network administrators.
The STAT vulnerabilities database arms users with the tools they need to combat the escalating hacker environment through monthly updates, available for convenient download on the STAT Premier Customer site.
STAT® Scanner Discovery Edition
Interested in experiencing the power of STAT Scanner? Try STAT Scanner Discovery Edition, a FREE limited-time product with many of the features of STAT Scanner Professional:
* Automatically detects over 1,600 vulnerabilities
* Corrects 20 of the most common vulnerabilities with the exclusive AutoFix feature
Try STAT Scanner Discovery Edition today for FREE!
I know a few of the folks there. They know their stuff and, most important, they know how to talk to everyone in the organization. Don't forget, if the audit turns up stuff that'll need to be fixed (and it will), that'll require spending money and convincing a manager or v.p. is a whole lot easier when the consultants speak their language.
I recommend www.securityfocus.com
My recommendation would be to look at Interhack as a possible security audit firm. They specialize in this sort of thing, aren't biased to one OS over another, and can provide detailed information on where to go and what to do following your assessment.
It's truly a class organization.
Rule #1 -- Politics always trumps technology.
Think about who you need to protect yourself from. If you're a one person shop, you probably don't need to protect yourself from internal threats. If you have very limited public facing systems, then script kiddiez might not be too important.
:) Techs are more likely to understand what is wrong when their management is not looking over their shoulder asking why it wasn't correct in the first place. Management is also more likely to understand when the auditor can talk solely in management-speak.
Next, find an auditing company that can think like each of the attackers you need to protect against. Let them social engineer. Give them non-privileged internal user accounts. Let them see your assets from the view of the attacker.
When the audit is complete, let them present the results to both management and techs, and let them do it separately.
Look for auditors that can (and will) devote people with the proper skills for your audit. Smaller companies may not have skills in every area, larger companies might not devote all their senior experts to your account. Find that balance to ensure you're getting the best auditors you can get.
<plug type="shameless">That all said, Backwatcher is an awesome company.</plug>
As a rule, use the same company that performs your financial audits. All of the big auditing firms have substantial experience in this area, and while they are not necessarily the best out there, their audits are more believable than those conducted by a company that does not have the same relationship. Their pre-existing relationship also gives them a better understanding of what systems present the greatest financial risk to your firm.
The people of e-fense (http://www.e-fense.com) are really great. They are all former Government Agents who started their own company. They know what to look for and don't cost as much as the Big 5. We had a similar requirement and they did a great job for us.
There are a lot of folks who will come out and run scans and check machine/firewall configurations but completely miss the process issues that caused the problems in the first place. It isn't enough to get someone with just a technical background. You also need a business/security analyst who can identify where processes are ineffective and where things are falling through the cracks. For example, do you have a written security policy?
I'd also check out Counterpane for the obvious reasons.
--rick
Try contacting Maryville Technologies. Their offices are mainly in the Midwest, but they likely would be willing to take a project out on the East Coast. They focus on ESM and infrastructure assessments (including security), design, and implementation, and their knowledge transfer during and after the project is superb. They have a long list of large high profile clients and partner with many top vendors. I think you'll find them reasonably priced and, in the end, you'd probably find you'd get the most and best quality for your money. JMHO.
There are several large, well-known companies that do contract work. SAIC (my employer), CSC, Booz-Allen Hamilton, etc. Many of the companies out there specialize in government contracts, but they most likely also do commercial work.
Check out Counterpane Internet Security. Bruce Schneier's company. I believe they will do an audit. http://www.counterpane.com/
I hear Bernard Shifman is looking for some consulting work. Just watch out as he may only take an audit of email addresses.
www.counterpane.com
-- dieman - Scott Dier
The Cisco SPA (Security Posture Assessment) team is incredible! They are used by some of the biggest names in banking and other industries.
I would be very careful about this situation. Most people not familiar with computer security seem to think that all you need to do is put bigger locks on the doors and hire more guards. Or that the problem can be fixed in one simple visit. As painless as a visit to the doctor.
An outside company coming in to tell you what to do to secure your company's network sounds like a recipe for you getting fired when something goes wrong.
Point is, if the managers are clueless about computer security, no outside company is going to be able to set up protocols that will be effective.
Hire someone that knows security and who has enough clout to enforce the changes. AND go to the bookstore and buy copies of security books to train people in house how to secure networks so that somebody on site knows how to handle problems after the outside 'expert' has left the scene.
As someone once said, security is a process.
You can find info on them at berbee.com; they are strongly recommended by Cisco.
As a Gov't agency, the NSA will probably do a security audit for you for free. They have intelligent, competent people working the audits, and while they aren't comprehensive in finding specific holes in specific boxes (they focus more on IT security features than patches and hacks) it'll be a great starting point.
Think outside the... Hey, where'd the friggin' box go?
Well fine, if you can find someone with a cute name and a competent staff. But in my experience, companies with clown names have clowns for the staff.
Lots of people here have suggested hiring any 16 year old with a laptop and nmap to do your job, and if you just want to know what you have open to the Net, that's fine.
;)
However, a security audit can look at much more such as,
* Configuration / change control of routers, firewalls, etc
* Default access rights to staff - Procedures for adding / revoking rights to email, DBs, etc
* Authentication methods - Password policy, tokens, etc
* Procedures for dealing with attacks
* Application vulnerabilities
...and so on. I recommend KPMG Consulting but then I'm biased.
If you go down the consultant route, I'd:
* Check resumes of the consultants working on the project
* Agree on definite milestones and deadlines before project kickoff
* Arrange a fixed cost project (rather than paying per hour/day)
If you want more info or a contact for KPMG Consulting, mail me: slashdot @ isoga.net
Obviously, all the above is just my personal opinion
Make sure the company you choose does a complete audit. Find someone who will not only audit your servers, but also your network, and physical location. Make sure you find a company large enough to handle this. Smaller firms may not have the personnel necessary to evaluate a very large data center.
Remember, a good security audit is going to point out flaws. Try to make it well known that this audit is going on, and that suggestions will be made for improvement. Try not to emphasize any one problem, and do NOT make anything accusatory. This will soften the blow somewhat.
Getting the boss to pay out can be hard. My best advice is to write up a business cost analysis. Clearly list actions suggested, their costs, what risks they mitigate, and the potential damage of these risks. A good manager may not sign off on everything, but will at least make improvements.
Most state governments and companies I have worked with have an enterprise security division. Does your organization? This group should be independent of everyone else, and should have some power to enforce security policies (you do have a standard security policy, right?)
If you don't have a stated security policy, write one up. This is one thing that a good security firm will want to review, (or help you create.)
Audits should be performed regularly, and should be integrated with the change control process. Any changes to a production system should result in a new security audit of that system. This is another reason it is wise to have an enterprise security group, they can offload that work.
If you have any of this in place, you are absolutely ahead of an unnamed Midwestern State government for whom I am currently working. One company I can recommend is EDS; they do a lot of government work, have a massive army of people, and can evaluate not just security, but other parts of your enterprise that tie in. Good luck on this undertaking, you have a lot of work ahead.
Go away, or I will replace you with a very small shell script.
Too often you'll get auditors that have a 'workplan' that is basically a checklist of questions they ask the sysadmins and other IT guys. That's a joke... what you want is a company that will send in real security practitioners that will really evaluate your security infrastructure.
KPMG used to be the first type of 'auditor'. They've changed their approach though, and we recently had a KPMG team out for 2 weeks doing our annual security audit. (Only the independent one is annual; we constantly audit ourselves.) They did a wonderful job and their deliverables come in two levels: one set for the managers and another set of deliverables for the IT / Security staff.
Another company that is very good and gets a lot of government contracts is SAIC. I would readily recommend either one.
One thing to look out for in other companies: Often the proposal they send you will list several bios of their technical staff. These usually sound great, but often these are not the people that actually perform your audit. Sometimes companies will even switch on you at the last minute. Make sure you insist that you see the bios and references of the people that will actually perform your audit.
Just about anyone in the business -- from Joe and Sam's discount security outsourcing down the street to Foundstone/ISS/IBM will sell you vulnerability assessments. These are good things but only part of the process.
What you need:
1. Before you hire anyone, determine what you as a firm are ready to fix, what you are willing to do once the outside company tells you about your problems. Most security issues are based as much in process as in software. If you are being hit a lot and have no idea what to do about it, then you have process problems. The idea that websites are vulnerable is not new. Your firm entered a process without adequate internal ability to support that process. That is not a technical problem and it does not have a technical solution. If you are not going to be willing to change that stance, you will be throwing your money out the window. Outsource the whole web process and find someone who does know how to do what you are doing on the web (comparatively) securely. Firms spend bundles getting bad news and ignoring it. Software and assessments cannot fix process issues.
2. Quick and dirty review of your web presence -- do that first. That should be done by a firm that specializes in web presence assessment. Everyone will tell you they offer that service because the market for security work is stone dead and everyone in the business is desperate. Web site security is different from internal document security is different from extranet security when doing assessments. **BE PREPARED TO FOLLOW RECOMMENDATIONS** Following recommendations may be expensive.
3. Once you have identified whether you are ready to fix your process issues, get someone in who knows both tech and process. This should not, I am very sorry to say, be one of the big auditing firms. Theoretically, it should be. Process is their stock in trade. Unfortunately, real tech response is not. Their business process model does not allow for the specificity that fixing the technical or procedural side of a distributed system installation requires. Their business model requires that at least part of your review can be done by someone fresh out of college depending on a checklist. Or by a software tool. It really can't, unless you have already set up good processes and just need an outside pair of eyes to check on it.
4. Hire someone to handle security for your entire system and **LISTEN TO THAT PERSON.** It will save you thousands in the long run.
End of rant
Both excellent security companies.
Small company, know what they are doing. Lots of experience. http://www.qaddisin.com
Ernst and Young are very sharp and thorough.
If unauthorized software and access to it are at issue, I think the BSA would be *thrilled* at the chance to evaluate you and your departmental procedures. Plus, it's very likely they'll be able to offer concrete suggestions for upgrading your license security model.
Money fixes everything.
First, nothing begins if not opening
Hello,
I ran into Microsolved ( http://www.microsolved.com ) back when I was PM for a firewall product (that's now part of Sun via Cobalt). Their resume impressed me, it included at least one State Treasury Department.
"oohhh... I didn't know Schopenhauer was a philosopher!"
First Pale Horsey post.
www.us.integralis.com
In the Ohio area, there is a small consulting company called KiZAN. They have people who specialize in security on the Windows platform (IIS, Windows NT/2000/XP/.NET, SQL, etc.) If that is the target platform, they may be a good choice. They do a lot of government work, too (IRS, etc.).
I highly suggest getting a detailed proposal of the analysis to be performed and make sure it is what you want. If you are concerned about security from the internet, you may only want a border analysis from the outside in. If your concern is general security, you may want an all around audit. Basically, figure out what you want to be secure (data, apps, websites, systems, network traffic, etc.) and make sure that is what is audited. (Many may try to sell a complete audit when you may not need it.)
It also may be important to note who a likely attacker would be based on your business. You (the client) will know better than the independent auditor what attackers may be likely to target you. An audit of a website can easily expose threats exploitable by script kiddies, but may not necessarily expose a vulnerability exploitable by a skilled attacker or an internal staffer. Make sure that the person(s) performing the audit have no information about your network beyond what an attacker would have.
Most important:
-what must be secure?
-from whom must it be secure?
-what is the impact if the security is breached?
Answer these questions and the needs of your audit will probably become much clearer. Then, find an audit proposal that covers what you need and does not cover what you don't.
I work at a Fortune 500 company; I'm on the security team for the IS contracting division. I work in the regional office that services the District of Columbia, and I have done security work for the government before. Our recent independent audit was done by Verizon. They used Nessus, and some of the staff were project contributors. I found them, for the most part, as knowledgeable as our staff. They made both an internal and external audit independently. Their reports and data analysis were good, and they provided us with the raw data. We use ISS as our primary vulnerability detection tool, so a requirement for our audit was analysis by another system.
It sounds like you will also need some help securing your system. Your biggest problem with security will be policy. In a civilian government agency, if you do not already have a policy in place, you will waste at least half of your contracted man hours in politics. Moreover, the project will NEVER get completed. I would recommend getting a signed security policy, by the director or secretary, before your hired guns even set foot in the office.
Feel free to contact me, I'm just an idealist with a packet analyser. I'd be happy to give some friendly advice.
Spyder
He's right. If you don't understand security, it is likely you won't have it, no matter how much advice you have.
Other things in life are like this. If you don't understand women, it is likely you won't have one, no matter how much advice you have.
Just to cover the 'who': I've used QinetiQ (www.qinetiq.com) IT Health Check a lot. These guys spend a lot of time researching.
However, know these two things, though:
1) a penetration test only proves that a certain (very skilled) group can't (or can) break in at a certain point in time. This doesn't account for smarter people and changes to your setup, and a PEN test is an expensive way to get a to-do list. Rather get some tools (and/or capable people) in first and set a baseline against which to improve. Then tackle what you've found, and PEN test after that to see if you got it right. Shadow the pen testers so you can jump on anything that comes up (especially if it's a fire ;-) and you'll end up with a report that says 'issue found - fixed' instead of just a list of fires.
2) I'm going to shout now: ALL OF THIS IS COMPLETELY POINTLESS UNLESS YOU HAVE A DECENT SECURITY MANAGEMENT FRAMEWORK. In English: unless you have policies, standards and procedures in place you're only creating a secure snapshot. The next time a security vulnerability is found (and you don't have an update process) you're back to square one. And who says that your current systems aren't already trojaned to the hilt? Default build and change control etc etc.
I can go on, but there's a lot more to it than technology 'sniff and scratch' and not taking care of it means you're half wasting your time.
Good luck. It's not the easiest thing to do, but it's not impossible either (I've done it many times 8-).
Insert
Up front I want to point out that I don't want to make a completely shameless plug for my company and what I do. I did leave some contact info available in case the person in question wanted to contact me. The comments here are my own and not that of my employer, etc. If the person who submitted this Ask Slashdot is happy with another firm, that is fine with me, I'm an engineer _not_ a salesman.
:)
Here are the main questions that I have:
Who have you used, and were they any good?
I work for a company that does full service security penetration testing, secure network architecture design and implementation, remote monitoring of IDS and other logs. You can email me through my slashdot user name link if you wish or hit our website www.caci-nsg.com. Therefore I use my own knowledge and that of my co-workers (some of whom work for Attrition.org btw) and yes, we are very good.
What should we look for in evaluating who to contact and their proposals?
You should make sure they have experience with the various OSes you run. People who know how to knock over a UNIX system may not do well against Microsoft and vice versa. Make sure they tell you what needs fixing AND how to fix it.
Some companies I've had to compete with only showed up with one system to run the ISS scanner, generated a _very_ thick report of what was wrong, and left.
No single scanner is perfect and if you don't have human intelligence to interpret the results the test may be meaningless. I've seen the ISS scanner tell people they had a Windows NT system that needed to be fixed. When we checked out the system in question it turned out to be HP-UX!
What would you have done differently?
There are things our team learns at every pen-test we do. Some things I want to do differently would be to standardize our methodology more. One problem is that every network has something about it that makes it unique. This is where you can either go cheap for an "off the rack" solution to your testing or pay for a "tailored suit". Be sure that the team has some real experience behind them though. You don't want the tailor fresh out of tailoring school.
What services should we ask for?
You should ask for a complete report of what the team is able to access on your network. You want to know what they can break into from the internet and what they can break into if they were sitting internally. You need to understand the difference between a theoretical exploit based on how your network is configured and a real vulnerability based on a missing service pack. This tells you about what external attackers can do as well as what disgruntled employees can do. It may also tell you how bad a Sys Admin you have running things. I've gotten one Sys Admin fired because of what I found and his poor reaction to my findings. You'll want a report that explains in detail why you are vulnerable, what to do to fix it, and if possible the impact this may have on your day to day operations.
How do we manage the contract to make sure we're not getting a snow-job?
You can have the team demonstrate for you how they got in. Have them leave a file behind, pull down a password file and crack it, etc. Any team should be willing to discuss things very honestly with you. You may wish to start small. An external test only for a small amount of $$ and time. This lets you evaluate them without being burned too badly.
How do we use the result to get buy-in from management (who will probably need to lay out money for changes) and from the developers (who may be adamantly opposed to changing their systems, either for ego reasons or it's just a lot of work)?
When I broke into a customer that was a credit union and got customer account data, it got their attention. If the test team steals emails or other things from the CEO or other big-wigs, etc. and it doesn't get proper attention with management, I'd look for a new place to work.
How often should we re-do these audits?
Generally twice a year. The main thing is that after the first one you may have a ton of work to do to fix things. You don't want another test until you have had reasonable time to complete your changes. I've had some customers take a year to get fixed up for another test.
Again, I know there's a lot out there by the security firms themselves about this, but I'm really looking for a 'keyboarder-in-the-trenches' view as well. Horror stories are appreciated, since they may give us an idea what to watch out for."
I just hope I was helpful with what I mentioned here. Keep in mind that if you are a government agency you probably have to put the contract out for a bidding process. Write up your expectations as clearly as possible and leave time for a question/response period from the bidding companies. The intelligence of their questioning will tell you a lot. If they don't ask many questions it probably means they don't know what to ask and won't be very good.
Do really dense people warp space more than others?
I have a slightly different question.
Suppose you have very little experience, but want to focus your career on security.
Where's the best place to learn?
Who have you used, and were they any good?
I've used ISS in the past. I liked their service, they came up with a decent proposal, and in the end provided good documentation of what they did (and what they found).
They will try and sell you their product (ISS) -- which you might find useful if you don't have any internet security staff. Just be ready for the sales pitch.
How often should we re-do these audits?
Well, if you buy their software, do a monthly internal audit yourselves with that software. Then, depending on how dynamic your environment is (in terms of either changes to software, hardware, or network infrastructure), it would be a good idea to have them come in for an annual audit -- if you make a lot of changes -- make it a bi-annual audit (or is it semi-annual? I mean every 6 months).
I don't remember the cost of these audits or the cost of their software...check it out -- and if it turns out to be more than $60-70k a year (which it shouldn't be by a long shot) -- you may find it valuable to either hire a full-time security person, or replace one of your sysadmins with someone who is familiar with security auditing.
Lastly, regardless of the cost of the contract audit, it may be a good idea to start providing training for one of your current admins in security (and cheaper than getting a new hire).
Hope this helps.
-Turkey
I've heard that IBM's services organization has a pretty good security audit division.
That's the first thing you should subscribe to.
http://online.securityfocus.com/cgi-bin/subs
My company provides Managed Network Security Monitoring and often our clients will use an assessment as a chance to "test" our services. Afterwards they will also ask our opinion on how well the assessment was performed. Generally, I have found it's best to stay away from the Big 5 accounting firms (KPMG, E&Y, PWC, etc), Telcos, IBM, and other big businesses whose specialty isn't doing security assessments. These types of businesses tend to be way overpriced and provide a cookie cutter approach to security. At the same time watch out for the local "security consultant" who claims to be able to do everything in security as well as the local "hax0r" who has Nessus installed on his laptop (finally). Probably the worst assessments I have ever seen came from these types. (BTW, I am NOT bashing Nessus.)
In my opinion, your best bet is to go with a reputable company who only does security auditing and has a proven customer base (get and check references!!). In my opinion, these guys stand out as a group of people who know what they are doing, and do it well.
www.sguil.net
The Analyst Console for NSM
Look at the bright side. If they don't do good security, you can have them walk your dog.
www.technicaldefense.com
They are made up of most of the SDI guys. They are product independent so they didn't try to force certain technologies down our throat.
I would definitely use them again.
External audits are good because they bring in experts who focus on finding vulnerabilities in your network. These experts will come armed with a variety of vulnerability assessment tools to perform their audit. The only problem is that it will almost always happen less frequently than vulnerabilities are discovered, so this should only be one part of the overall solution.
Here is a review.
You should adopt this practice internally, because if the tools are set up to check for vulnerabilities, you can be much more proactive about finding them than simply by scheduling consultants to come every few weeks, months, or years. There are a variety of tools available, both freely and commercially.
A good tool will be updated frequently and check for a lot of bugs, including the most critical (SANS Top 20, BugTraq, CERT).
Free Tools
SATAN -- Security Administrator Tool for Analyzing Networks
SAINT -- Security Administrator's Integrated Network Tool -- based on SATAN, GNU
SARA -- Security Auditor's Research Assistant -- similar to SATAN/SAINT check the Freshmeat page
NESSUS -- another free tool
Commercial Tools
ISS has a variety of tools available depending on your needs
NeXpose -- try the free demo, great ui, demo only lets you assess 1 IP at a time though
A Networking Computing article on Vulnerability Assessment tools. Reviews many of the major vendors (so I won't list them all). Includes some of the free tools.
Here is another overview of security tools to get you started.
What you are really asking for is an Information Security Program. Check out this group. They are strong in strategic and tactical security issues.
www.nscsecure.com
I can suggest two sites you can check out for focussed information on this topic:
securityfocus.com
antionline.com
Having read a few books here and there on various types of computer crimes, there are a lot of cases where access to a system was gained through a person giving out confidential information to an unauthorized person. In this light, any security audit should include tests of how easy it is to get confidential information from employees and any third party services. For example, there are many small businesses out there in my town that use dialup accounts for internet access and email. Most of these companies will give out the user name and password over tech support if you only supply the account holder's name. This leads to anyone being able to access the company's email. In a big corporation, I'm guessing a few users would give out name/passwords to a call claiming to be from the IT department; if the company has a modem pool, I'm sure it's trivial to get that number too ("Hello, Jane Doe? It's John from the IT department. We're doing some work with the phone company, and we're wondering, what number do you use for dialing up? Is it 555-1111? No, you use 555-1234? Thank you!").
Any good audit should include the social engineering factor.
Just my $.02
My company used Network Presence for our 3rd party testing. They did a great job, actually too good of a job. They found things we are still trying to fix. They have a web site: http://www.netpr.com
Their reports are easy to read and they worked one-on-one with us during the entire process.
I'm a L337 H4X0R and I'll take care of all your security needs just hook me up with some mountain dew and get me out of chemistry class!
-Chinese Karma whore
http://mixter.void.ru
Never learn by your mistakes, if you do you may never dare to try again
Just post a bunch of messages about how Chinese hackers "c0uldnt g3t r00t 0n a mS-d0s b0x." That should piss them off enough for them to actively test your network. Just sit back and see if/how they get in.
(They also don't like it when you make fun of their fighter pilot who ran into our plane, so throw some of those insults in there as well.)
I'd go with Counterpane Security. Bruce Schneier is one of the most respected individuals in the security world.
shameless_plug
Check out Backbone Security. We've got a variety of credentials, & experience in the State & Federal govt.
Some sample credentials are:
Follow the National Security Agency's Infosec Assessment Methodology (IAM), & are one of 7 companies certified to perform these audits. (We ranked third by the NSA's certification team, while in competition w/ such companies as Lucent, Booz-Allen, etc.)
All personnel have Secret or above security clearances from the US Govt.
80% of personnel have CISSP certifications.
Policy of *not* hiring known hackers (for a variety of reasons).
I won't bore anyone else with marketing-speak, but check us out
/shameless_plug
I'm curious. What software does your web host use?
I just found it quite interesting, the way the article was posted here to slashdot. It's obvious that if you had been using Microsoft IIS that would have been included in the details, along with a little comment from the slashbot editors.
But I don't see that mentioned. I don't see any reference to how evil Microsoft is.
Weird. Are you perhaps learning that Linux/Apache isn't secure by default out of the box and also has issues that need to be addressed? It's nice to see some maturity coming back into the IT world.
A smart move would be to engage the auditors in a limited scope capacity to evaluate their work before you hand them the keys to the castle. BTW, I do own a network security company, and no, I will not use the
Our product was running on Solaris.
We had quite the time convincing the auditor that our application was not vulnerable and that we had removed various .dlls from the installation (I quite honestly claimed they would never find the dvwssr.dll on our server :-)
Put into the contract that the auditors will have extensive experience in your OS, your web application environment, your type of network and, if possible, type of business. Too many times I've been "audited" by people who knew far less than my junior sys-admins and my company paid top dollar for the privilege.
Then make sure that you get to stay close to the auditors and make sure the technology guys really do have the advertised skills. Be ready to pull the plug and have an agreed upon mechanism for pulling the plug.
Technica Corporation
We're located in VA right outside of D.C.
Co-founder and designer at Music Nearby: http://musicnearby.com
Our firm, an "undisclosed" NYC financial services firm, used the services of an outfit in NJ known as FEDSYSGRP.COM
We were very happy with the firm, the military approach and the suggested corrective action on security items that were discovered
New York? For Security?
Definitely look at Razorpoint Security Technologies in New York City (http://www.razorpointsecurity.com). They did an incredible job assessing (and penetrating) our network infrastructure. We learned A LOT from these guys, and all their deliverables were customized for us, NOTHING CANNED from some stupid scan tool. Definitely give Razorpoint Security a look.
The first step (really!) is to get a security policy in place. This really doesn't have to be anything special-- but it does need the buy-in of ALL groups affected (sysadmins, developers, marketing, sales, executives, etc.) That's really the only hard part.
Probably the quickest way to get started is to head to the SANS security policy project and adapt their sample policies to your company. This is one of those rare cases where it's more important to get something in than it is to get it right the first time. Policies can be changed fairly easily-- but you don't want to go to all the trouble to implement a secure environment only to have someone on the inside fighting you every step of the way.
Now the fun part-- actually securing your systems. Here are some pointers on places to start:
1) Review the SANS "top 10" security vulnerabilities and make sure they're covered.
2) Review Lance Spitzner's excellent collection of host security information and make sure to follow his recommendations.
3) Make sure your firewall rules are set up with the security best practice of "minimum access to get the job done". Far too many firewalls allow traffic they shouldn't.
4) Get NMAP, a network mapper, port scanner, and OS identifier and run it from the Internet to your exposed (i.e. DMZ) hosts. Also run it from your exposed hosts to your internal network to validate that only the traffic that should get in can get in. (The traffic allowed back in from your DMZ should be very little, preferably none.) If you find anything that is inconsistent with what you think should be happening, check your firewall rules again.
5) Grab a copy of the Nessus security scanner and run it against your newly secured systems. If it finds anything, read the description of the problem and see if it's something you can fix. You can bet that everything you find here will also show up on your "security audit" since most "audits" are just someone running a tool like this and then feeding the output to the consultants to make it all pretty for management.
6) You should have most of the obvious, widespread holes plugged by now. This would be a good time to get some sysadmins out to some classes. Verisign has a number of excellent general Internet security classes. I'm sure there are lots of other good places, too. I was pleased with Verisign because of their Internet focus. Too many security classes only concentrate on host security and neglect network security.
7) Get the application developers at your site to read and follow Dave Wheeler's writing secure programs guidelines. This is a lower priority than OS/network security since these holes are likely to be specific to your site only. Only a determined hacker is likely to find and exploit them-- however exploiting application bugs/holes can severely disrupt your business. What happens when an electronic data interchange transaction gets bogus data inserted? How far will that bogus information make it in before it's detected? In the worst case these bugs could result in people getting free products/subscriptions, stealing credit card info, or destroying data inside your systems.
8) Now it's time to get that audit. They will be able to tell you what you missed in the previous 7 steps. Why wait so long? Most places will keep looking until they find something to report. If you do this too soon, the subtle security problems will be lost in the noise of all the obvious problems the previous 7 steps would have fixed. If you do this last, only the "hard" problems are left for them to find.
Remember above all that this is an ongoing process. Keep current on your patches, and repeat all the above steps regularly to keep all the bad guys away.
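As an added example (not from any poster in this thread), here is one way to make step 4's nmap check repeatable: parse `nmap -oG` (grepable) output and diff every open port against what the firewall rules are supposed to allow, so anything unexpected shows up as a finding to re-check in the rule base. The addresses, host names and allow-list are constructed.

```python
"""Compare an nmap grepable (-oG) scan against the intended firewall policy.

Added example, not code from the thread. Hosts, addresses and the
allow-list are hypothetical; the scan text is constructed to mirror the
-oG Host line format (port/state/proto/owner/service/rpc/version/).
"""
import re

# Constructed sample: a scan run from the Internet side against two DMZ hosts.
SAMPLE_SCAN = """\
# Nmap 3.00 scan initiated as: nmap -sS -p 1-1024 -oG dmz.gnmap 192.0.2.10-11
Host: 192.0.2.10 (www.example.gov)\tPorts: 22/open/tcp//ssh///, 80/open/tcp//http///, 443/open/tcp//https///, 8080/open/tcp//http-proxy///\tIgnored State: filtered (1020)
Host: 192.0.2.11 (mail.example.gov)\tPorts: 25/open/tcp//smtp///, 23/open/tcp//telnet///, 110/closed/tcp//pop3///\tIgnored State: filtered (1021)
# Nmap done -- 2 IP addresses (2 hosts up) scanned
"""

# What the firewall policy says the Internet may reach ("minimum access to
# get the job done"). Any open port not listed here is a finding.
ALLOWED = {
    "192.0.2.10": {("tcp", 80), ("tcp", 443)},
    "192.0.2.11": {("tcp", 25)},
}

# "Host: <ip> (<name>)<tab>Ports: <entries>[<tab>Ignored State: ...]"
HOST_RE = re.compile(r"^Host:\s+(\S+)\s+\(([^)]*)\)\s+Ports:\s+(.*?)(?:\t|$)")


def parse_gnmap(text):
    """Return {ip: set((proto, port))} holding only ports reported as open."""
    open_ports = {}
    for line in text.splitlines():
        m = HOST_RE.match(line)
        if not m:
            continue  # comment lines and hosts with no Ports: field
        ip, _name, port_field = m.groups()
        found = open_ports.setdefault(ip, set())
        for entry in port_field.split(","):
            fields = entry.strip().split("/")
            if len(fields) < 3:
                continue  # malformed entry, skip rather than guess
            port, state, proto = fields[0], fields[1], fields[2]
            if state == "open":
                found.add((proto, int(port)))
    return open_ports


def audit(open_ports, allowed):
    """Diff observed open ports against policy, per host.

    unexpected: open but not allowed (firewall rule too loose, or a service
                that should not be listening at all)
    missing:    allowed but not seen open (rule too tight, or service down)
    in_policy:  False when the scan found a host the policy never mentions
    """
    report = {}
    for ip in sorted(set(open_ports) | set(allowed)):
        seen = open_ports.get(ip, set())
        policy = allowed.get(ip, set())
        report[ip] = {
            "unexpected": sorted(f"{p}/{n}" for p, n in seen - policy),
            "missing": sorted(f"{p}/{n}" for p, n in policy - seen),
            "in_policy": ip in allowed,
        }
    return report


def has_findings(report):
    """True when any host shows an unexpected port or is outside the policy."""
    return any(r["unexpected"] or not r["in_policy"] for r in report.values())


if __name__ == "__main__":
    # Real use: replace SAMPLE_SCAN with open("dmz.gnmap").read()
    result = audit(parse_gnmap(SAMPLE_SCAN), ALLOWED)
    for ip, r in result.items():
        tag = "" if r["in_policy"] else " (NOT IN POLICY)"
        print(f"{ip}{tag}")
        for port in r["unexpected"]:
            print(f"  UNEXPECTED open: {port}  -> re-check firewall rules")
        for port in r["missing"]:
            print(f"  expected but not reachable: {port}")
    print("findings" if has_findings(result) else "clean")
```

Run the same comparison from a DMZ host toward the internal network with an allow-list that is nearly empty, which is the second half of step 4.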
I do security audits all the time. I have done security audits for Banks, Colleges, manufacturing plants, and yes - even government institutions. I can give you all the detail you need on what to look for in an auditor and more. Feel free to email me directly at jrhelgeson@hotmail.com.
Good security is based upon reality and common sense. Common sense is a function of having common knowledge.
I have used SPAWAR (Space and Naval Warfare division). They are based out of South Carolina and will service state and local government agencies. As for intrusion detection I use Asgard, www.asgardgroup.com. Both are excellent; Asgard uses a Linux system for IDS.
You might look into Tiger Testing. They seem to have a more respectable approach -- they don't hire "reformed hackers" and they don't sell security products, thus they avoid a common conflict of interest. I like the fact that they take a low key, no hype, no clients list type of approach.
Basically, there are three types: penetration tests (ethical hacking), assessments (white box technical reviews), and audits (process/procedure reviews). These are very different from one another, as (typically) are the firms who perform each type. Ira Winkler wrote a good article on this subject.
Although a pen test is sexy, you almost certainly want an assessment based on your description.
Unfortunately, much of this market is driven by "Good Housekeeping Seals of Approval" -- inexpensive rubber stamp reviews designed to limit liability and make partners feel good (e.g., we followed the best practices and even had 3rd party auditors, they just didn't find this hole). Unfortunately, this creates a disincentive to actually finding problems since that's not what the customer ordered.
If you're really concerned about your security, you want a confidential report for your internal consumption that takes a good hard look at your real security and is clear about all of the problems, even less critical ones (though of course you want them prioritized). Stay far away from "certification" oriented reviews.
If your organization is structured such that this works (and in this case — a state agency — it may not be), it can be useful to have the report be protected by attorney-client privilege, to manage the legal liability caused by the findings in the report. You especially want this if you follow the previous step and get a good, hard look.
This was already mentioned in another post, but bears repeating. Don't get a review from a company whose primary business involves selling anything other than security reviews. First, they often consciously try to sell you their product (or service). Second, they are generally unconsciously biased by their own efforts on their product and are looking at problems from a more limited perspective. Same goes from companies who resell network and security products for other vendors, taking a cut of every sale. Get an independent review from someone who's earning their keep based on their professional opinion, not leveraging follow-on sales.
Also, look out for the one-two punch from auditing firms: a cheap initial pen test to prove how insecure you are (typically with lots of grandstanding to upper management), followed by a really expensive audit where they actually make their money.
There are good people at mediocre companies and vice versa. The quality of the output depends most on who did the work and least on what company employs them. Although the larger firms have more structure and quality control, the odds of getting a great reviewer rather than a room full of talking heads from a Big 5 are less.
This doesn't mean don't hire a Big 5, it means hire a specific team from a reputable company.
If at all possible, make the hiring decision based on face-to-face discussions with the actual team that will do the work, and ensure the contract allows you to approve changes in the team. Look for people who have five or more years of technical experience outside security before they started doing security (e.g., was a hard-core sys admin for five years before they started consulting others on systems security).
This also means evaluating potential firms like a job interview, to some degree. The most effective, yet cooperative way to accomplish this is to invite them over and start describing a couple of your problems that you've already carefully considered. If the potential team rolls up their sleeves and starts solving your problems — in the sales call — with good, obviously experienced approaches, then they're worth considering. If they only talk in broad generalities or don't grasp issues that are widely understood, then they're not worth your time.
On the other hand, ensure that they are bi-lingual. Not English and Hindi, but Technical and Management. They need to be able to find problems, propose practical solutions. Then they have to document this in the report, so that the technical staff understands the problem and solution well enough to fix it and the management team can grasp the level of risk, cost of remediation, and gauge priorities.
Try to get a sanitized report from a job performed by the same team for review. Evaluate whether you would be happy with those results and, if so, ensure they know that you expect even better.
When developing the scope of work, be specific about what is and is not included in the review. Don't accept a vague statement of work that isn't clear which or how many systems will be reviewed, the structure of the report, or other details. Ensure you know what you're paying for and what will be performed.
Although you're overworked and have a hard enough time keeping up with your day-to-day tasks, the results also depend on your preparation, responsiveness, and organization. Have network diagrams, org charts, and device/system configs ready for the reviewers. When they need more information, get it to them in a timely fashion — it'll keep your costs down and result in a more detailed report with fewer guesses on the part of the reviewer.
Although it may be tempting to not tell them about things you know are a problem to gauge how long it takes them to find the problem, this approach is simply a waste of your own money during the review. If you evaluated the team well before hiring them, tell them everything you already know is a problem so they don't spend time rediscovering those issues. Sure, they'll end up in the report even though you already knew about them, but it'll again save money and result in a better, more detailed product.
It's quite likely that you'll get better results getting several smaller reviews from carefully chosen teams than one single large review. This is especially true if you choose well rounded teams with different backgrounds. While they should all be competent across the board, if one team comes from an application development background while another team comes from a system administration background, they're likely to find different results.
Opinions vary. Accept the report as one person's opinion on how they would prioritize the issues and fix them. After you receive the report, review it and then prioritize the issues and develop fixes based on your knowledge of the environment and business goals.
If you've done your homework, your prioritization and solutions will match those in the report. If they clash, then figure out what went wrong and know to look for those indicators next time.
A good security policy would isolate public servers so that if they get hacked it's not a major problem and it's easy to diagnose.
In my opinion you should hire a security consulting firm to come help you design a security policy. It doesn't sound as if you have a DMZ set up and that's a good place to start.
Actually the first place to start is identifying what information needs to be protected. A lot of times companies don't protect everything they need to.
But really you need to look at the whole picture: passwords, email clients, wireless, backups, recovery after attack, etc.
A good security policy will help you understand what things you need to worry about and what things don't matter. This will help you sleep better and benefit your whole company.
This is definitely biased, as my company utilizes their services fairly regularly. We are the top firm in the NJ E & S insurance market. We have had organizations in the healthcare, financial and technology markets include their Data as assets needed to be insured. How can you insure Data? We quickly realized risk assessment based on employee records, penetration testing, internal and external security auditing, provided our firm with the clearest assessment of an organization's information risk. We dealt with Federated Systems Group (http://www.fedsysgrp.com); they are secure members of Infragard with great references. They have uncovered vulnerabilities KPMG and Price Waterhouse missed (we get 3 independent audits at a time), and provided us with training for the tools they implement as well as general security training upon completion of corrective action. They used Eeye and Niksun Tools at one of our customers and saved them many thousands of dollars in risk insurance. I think when data is what is being protected the relationship with the protector (security firm) is important, because they should be a part of your organization's security team. We actually use Federated because they continue contact with our insurees, so we feel more secure insuring them. Check them out: http://www.fedsysgrp.com
The government is asking for defense support. Isn't it supposed to be the other way around?
If aspiration is a virtue, achievement cannot be a vice.
I preferred StrongHoldNet over their competitors because their audit reports are more complete and easier to read. I think they were a bit cheaper also.
It might be cheaper to hire a contractor/employee that specifically audits security over 3 months. Security is such a broad field that I would not trust any one or two day "audit". The contractor should start to produce a check list of "things to check" and follow recent cert advisories. Then you'd need to start enumerating your technologies and look for holes. Here are some examples from experience:
1) user accounts and domain security
2) database security (Yes son, how many SYSTEM MANAGER Oracle databases are exposed through the net)
3) router security (is a hacker living in your router? many smart devices have telnet interfaces for configuration)
4) application server security (did you know I can dump the JNDI tree from many a Java application server and people tend to bind in account names and passwords?)
5) service security (from FTP to NFS - guest accounts are bad, is rwhod or fingerd running?)
6) firewall security (what is filtered, what is logged, which ports are open, is WINS open?)
7) LDAP security (a topic unto itself)
8) physical security (what, you mean I can hit reset on this Solaris Sun box and reboot with kdb?)
...and the list goes on.
/\/\icro/\/\uncher
First off, the reason your security is broken is that you probably don't have a policy and if you do nobody understands it and if they do there's no QA ensuring that they follow it.
Good security starts with the establishment of a security policy followed by education and regular awareness events. Please be aware that paying someone a ton of money to pen. test and inventory your assets will *not* result in a stronger security posture all on its own. You must have a policy in place and you must compel your users to abide by it (primarily through education, secondarily through threat of penalty). Consider hiring a CISSP or other certified professional to help you through this process. You might be able to find one in your area by using the ISC2 directory. SANS is doing some ISO certification as part of the GIAC program now and they may be able to point you towards some appropriate people as well. The ISSA might be able to help as well. As has been mentioned already, you probably don't want to entrust this to someone selling countermeasures or management services.
Understand, however, that you don't need a firewall engineer right now and you don't need some krad ex-hacker to pen test either. You need someone to help you get your house in order on the administrative side and then you can look into some detailed engineering and assessment. That someone should probably be an independent consultant or at least one working with an infosec specializing firm. If you want a couple bigger names there's @Stake, Booz Allen Hamilton, and Predictive, however, I would encourage you to seek out a local independent with good references.
Any knucklehead can run Nessus and patch systems. This alone does not equal information security. If you want a secure environment, start by defining what "secure" means within your environment.
Specifically the CSRC department. They have developed an extensive self audit checklist and perform standards development for Gov, i.e.
Bulletins, FIPS and S-800 docs
Doing this will get you past 80-90% of the obvious things a 3rd party auditor would come up with. This saves money as you took care of the low hanging fruit and they will have to really dig up something to earn their fees. Read S-800-26
The best thing you can do, if you really need to be online, is to TRAIN YOUR PEOPLE. First in IT, if necessary, then in security.
Doing anything else is a waste of resources that will lead only to a false sense of... well, security.
That is all.
First things first - if you are using a commercial OS, make sure you have the latest updates and security patches and at least have made the attempt to fix the problem in-house. Getting your IT staff into a security mindset will help prevent future trouble. If you leave it to a 'white knight who's going to ride in and fix all your problems' he'll soon need to be a permanent resident.
http://www.nmi.net
They've audited quite a few companies and have been producing very high quality reports (not just some ISS scanner output with annotations).
check out http://www.guardent.com
This is exactly the sort of thing that they do, and they're East Coast too, in Boston.
I don't usually respond to
Choosing a big consulting firm usually means you get stuck with whoever services your area- be they good or lousy.
I've noticed that the big however many there are right now usually employ people who can read the manuals for the ISS scanner pretty well, but have no clue about what it's all about. Passing an exam for a certification is one thing- understanding the intricacies of security in general and detail is something completely different.
Go with a small specialized firm... they usually know what they're doing a lot better, and produce much higher quality results for the same price.
If you can't tell I'm a big proponent of ISS. But then again I'm also a student at GA Tech! Not a big fan of their BlackICE product but a big fan of their R&D and Corp Security Audit abilities. You may want to also check out your "local" chapter of Infragard and ISSA. These are both very reputable INFOSEC SIGs with members who are actively involved in INFOSEC issues of all varieties.
Of course aside from auditing your systems and "finding" problems. You'd also have to make sure the vendor that you pick will provide "solutions" (as many have stated above).
One good benchmark to base their work off is Orange Book certification for your systems. If they (auditor) don't know what this is, I'd stay away from them like the plague. Especially if you're trying to get in good graces with government agencies.
If it's good enough for the Pentagon, I'd guess it'd be a good reference for others. Though for a system to be truly "Orange" I think it needs to be unplugged from the network or something. :)
Unfortunately no one understands women, even women...
I work for a state agency that regulates financial institutions. I am the guy they hired to do IT Exams on these people. I can tell you right now that if they don't have policies and procedures, IN WRITING, they're hosed. They don't know WHAT they are doing, they don't know HOW they are doing it, and they don't know WHY they should be doing something. Most of these places don't have enough staff either.
Management buy-in to my exams only comes around due to the fact that I am a state regulator and I say they HAVE to do it. As we all know, IT usually gets the short-end of the stick in decision making at these levels. In the last case I just worked on, the V.P. of I.T. has been trying to hire someone for the last 15 months and requested actions from non-I.T. personnel were done before policy was composed. In the 3 weeks since I left, they have now hired the person he has been asking for and policy is composed BEFORE someone's request is acted upon.
In your case, figure out all the connections from the outside world, then re-configure down to minimum connections needed, and get a strong firewall in place. Cut that crap off at the border. Be prepared for complaints ("My /. and IRC doesn't work....waaaahhhhhhh!"). Tell them to shove it, this is a security issue.
-Announce that there will be no more special exceptions issued for now ("But I need to access AOL over the Internet for...uhh, research." Bullshit! they just want their email).
-Then get the big guns and do some serious network scanning for vulnerabilities to get those shut down as fast as possible.
-Last, but not least, document all the problems found on the network, fix the problems, make up new policies/procedures that say I.T. has the power to sign off on items to allow/disallow.
What sort of fee did these security people charge for a full analysis of your situation?
>What should we look for in evaluating who to contact and their proposals?
I would suggest looking at a large consulting/auditing firm (ie EDS or ISS). They will most likely be able to not only evaluate, but also implement any changes needed. Also, many larger firms are able to use both open and proprietary solutions, depending on what you already have in place and the knowledge of your staff.
>What services should we ask for?
It appears you need (better) intrusion detection, preferably both inside and outside of the firewall.
>How do we manage the contract to make sure we're not getting a snow-job?
Get a good lawyer.
>How do we use the result to get buy-in from management (who will probably need to lay out money for changes) and from the developers (who may be adamantly opposed to changing their systems, either for ego reasons or it's just a lot of work)?
Your developers should not have to change systems. If they are Windows programmers, you can effectively stay in Windows; if Linux, then Linux. Whatever method is used should be unseen to most end users (with the exception of some change in procedure, if that is what the problem is).
If you go to cdc.com (Cult of the Dead Cow, a hacker group) you will, or should, find out about the @Stake/L0pht group. They have many offices and do these things: www.l0pht.com
I work for one of those contractors that do that kind of work. While the blackhat/hacker community might give you a lot of good vulnerability info, they cannot help you meet all your obligations under Federal regs. You want to look for a company that has done agencies or systems similar in scope to your own. GSA has a contract vehicle called SAFEGUARD which is specifically geared to Information Security activities. As a Federal agency, you have many ways to get shut down that don't involve vulnerabilities (ask DOI or EPA). You have to keep all your bases covered, if only for your own career!
Okay, so I want to start with all of the cards on the table: I work for Qualys. Having said that:
Consider *self-service* Vulnerability Assessment using a third-party provider. It's quicker, can be run more frequently, is more up-to-date and less costly.
Instead of running quarterly audits, run them weekly, or even daily. Better yet: schedule scans to run automatically and get alerted via email if something new pops up.
Using consultants is messy, expensive, and consultants want to drive more consulting.
Using tools is time consuming, and they quickly get out of date. Producing reports that your managers can comprehend is a pain in the ass too.
Things to look for from a self service, third party scanner:
1. Frequency of signature updates. The lifetime from when a hack is discovered to when it is commonly exploited is getting smaller. Look for weekly, or even daily updates.
2. Number of vulnerabilities. Beware of marketing math: a PHP vulnerability that can be exploited on every Linux build, NT, Solaris, HP, etc. isn't 20 vulnerabilities, it's one.
3. Scanning speed. How fast for one IP, a class C, a class B.
4. Non-damaging. Make sure the scanner doesn't damage production systems. What about bandwidth throttling?
5. Network mapping. Can you do network discovery to find all the servers? Are there some boxes in your DMZ you didn't know about?
6. Fixes. Okay, so you found stuff that is broken. How do you fix it? Look for the vendor to validate fixes and provide links, patches, etc. right in their tool.
7. Reporting. Besides the tech view, is there a CIO report, particularly with trend graphs to show that you're staying on top of vulns as they get discovered?
8. Pricing. All you can eat is best. If you can't scan at-will, but only a few times a year then you're pretty well screwed.
9. OS Detection. How good is the scanner at identifying the OS? nmap is about 50% accurate. qualys about 85%.
10. DoS. How does the service check DoS without actually denying service?
11. Standards support. Is the system CVE compliant?
12. Where do they get their signatures? Do they have professional data feeds from Security Focus/BugTraq? Vigilinx? How are their signature labs organized?
13. Trial. Is there a free trial, or do you have to buy to get started?
Okay, that's all I can think of at the moment. Like I said, I work for Qualys. I think we do this well. Obviously I'd like you to check it out. Visit http://www.qualys.com for a free trial.
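Items 2 and 11 above come down to one question: does the scanner count distinct vulnerabilities or count findings? The following is an added example (not Qualys code and not from the original post) that collapses constructed scanner output to distinct vulnerabilities, keyed on the CVE id where one exists and on the normalised title otherwise; the CVE ids are placeholders, not real entries.

```python
from collections import defaultdict

# Constructed sample output of a hypothetical scanner. The same PHP flaw is
# reported once per host/platform, which is the "marketing math" the post
# warns about. The CVE ids are placeholders, not real CVE entries.
FINDINGS = [
    {"host": "10.0.0.1", "os": "Linux",   "title": "PHP file upload overflow", "cve": "CVE-0000-0001"},
    {"host": "10.0.0.2", "os": "Solaris", "title": "PHP file upload overflow", "cve": "CVE-0000-0001"},
    {"host": "10.0.0.3", "os": "NT",      "title": "PHP file upload overflow", "cve": "CVE-0000-0001"},
    {"host": "10.0.0.3", "os": "NT",      "title": "IIS unicode traversal",    "cve": "CVE-0000-0002"},
    {"host": "10.0.0.2", "os": "Solaris", "title": "Weak SNMP community",      "cve": None},
    {"host": "10.0.0.4", "os": "Solaris", "title": "weak snmp community",      "cve": None},
]


def finding_key(finding):
    """Identity of a finding: the CVE id when the scanner supplies one,
    otherwise the whitespace/case-normalised title. The fallback is weaker:
    two differently worded titles for one flaw would still count twice."""
    if finding.get("cve"):
        return finding["cve"].upper()
    return "NOCVE:" + " ".join(finding["title"].lower().split())


def summarize(findings):
    """Return the raw finding count, the distinct vulnerability count, and how
    many findings the scanner could not tie to a CVE id (item 11 in the post)."""
    distinct = {finding_key(f) for f in findings}
    without_cve = sum(1 for f in findings if not f.get("cve"))
    return {"raw": len(findings), "distinct": len(distinct), "without_cve": without_cve}


def hosts_by_vuln(findings):
    """Map each distinct vulnerability to the sorted hosts it was seen on,
    which is the shape a fix list (item 6) actually needs."""
    hosts = defaultdict(set)
    for f in findings:
        hosts[finding_key(f)].add(f["host"])
    return {key: sorted(h) for key, h in hosts.items()}


if __name__ == "__main__":
    print(summarize(FINDINGS))  # {'raw': 6, 'distinct': 3, 'without_cve': 2}
    for key, hosts in sorted(hosts_by_vuln(FINDINGS).items()):
        print(f"{key}: {', '.join(hosts)}")
```

Six findings collapse to three distinct issues; a vendor quoting "6 vulnerabilities found" for this output is doing the marketing math the post describes.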
I monitor gov. computers for a living (as a contractor). You need to have trained people on staff to audit your machines constantly, i.e. scanning, IDS, password security, etc. If you don't have these things in place now, I would say that you have been compromised more than you think. Using open source tools with trained people, well written policies, standards and procedures, you can keep your site secure and solve other headaches to boot.
It is doable!
I've had nothing but good experiences with Applied Trust Engineering (http://www.atrust.com/). It's a small shop, but their technical acumen is stellar.
I would strongly recommend iss.net as a solution. If nothing else, just attend one of their seminars! One company I would NOT recommend is counterpayne... as Bruce is an ill-educated idiot.
One of the things that needs to be understood about women is how confused they are.
For all you completely linear thinkers out there: Yes, this is off topic. So, mod it down to -5.
I have to agree with several of the other posts. You really need to hire a security competent network administrator, AND have third party audits. If the audits don't pass, perhaps you don't have the right person in the job.
Rotate between auditing companies, discarding the ones that don't give you the level of service you need until you have three that you can count on.
There are a number of "managed internet security" companies out there that can provide the expertise if you can't hire it internally. One of them is SecurePipe. They do provide a range of internet security services, including audits and managed firewall products.
I have some limited experience using SAIC for security audits and penetration testing.
They seemed to have their shit well and truly together.
Fiid - Rhymes with Squid. Software Engineer
You should take a look at Strictly Business Computer Systems, www.sbcs.com. Their lead security consultant made the cover of EWeek Business magazine last week for bringing to light a major flaw in a recent Windows security roll-up patch. They have been ranked in the top 5% of small software development firms in the US.
I can highly recommend Steve Gibson and his company Gibson Research Corporation for doing your audit. He is clearly the expert you and your company needs.
Yeah....our customers tell us they used to use them, too.
Because otherwise you will audit according to your own policies using whatever gaps in your policies you already have. That is, if you do it yourself you can be 100% compliant and still have very poor security if what you are auditing to is a flawed policy.
http://www.sentor.se/
We've used the Tricryption Engine to secure the database behind our product. It has incredible key management features. It protects your data at the data level.
We are Galaxy Computer Services, Inc. http://www.gcsi.com.
We do this type of work everyday for gov't agencies, banks, hospitals, and other folks who desire assistance navigating the shifting maze of security practice and threats. We do independent 3rd party security audits, assessments, etc. per statutory mandate and accepted industry practice. We specialize in East Coast work.
Everyone is telling you to run lots of great free tools yourself, but that is not the independent audit you desire (or may be required to obtain by statute).
We love our work and would love to help. We can provide references from gov't customers and others upon request.
We try to assist/augment the efforts of the client IT staff in a helpful nonthreatening nonintrusive way.
We're not a product-fixated company, but to give you an idea of our technical capability, one of our teams invented the only device certified for connecting classified networks to other networks.
Our phone number is on the website and we'd be happy to hear your call. Ask for the director of technical solutions and you will be speaking to a practicing security engineer. Tell him you saw us on slashdot. : )
Good luck!!
</shameless pride-in-work plug>
There is a company out of Princeton that does excellent work for us at MBNA. They are called Icons and their URL is www.iconsinc.com
The main questions you had were...
Who have you used, and were they any good?
I myself have not used anyone in the past to perform an independent security assessment. I have always done them myself.
What should we look for in evaluating who to contact and their proposals?
What I would possibly look for, in a security assessment, is someone that has a vast knowledge in computer security, for breaking in and protecting systems. I would make sure they are not basing things off of security scanners (i.e. ISS, Retina, Nessus, or even Cybercop). A lot of people will use just these tools on a network and find a lot of false positives, and slap down paperwork that may not completely pertain to your network properly. You would need to look for someone that will do an assessment on each individual system, and do an audit on every little thing that there is. You don't necessarily want to have a BIG 5 company come in and do the assessment, for the simple reason that they have many clients, and they do not dedicate their entire time to one company. You would more than likely want to have an individual or a small company come in and do an assessment for you. The reason being is that for the most part they will dedicate their time to it, and recommend a product that will meet your specific needs. They treat every client they have as if it was their only one because they cannot afford to lose business or credibility.
What would you have done differently?
I don't think I quite understand this question.
What services should we ask for?
It depends on what kind of network setup you have, and what you are looking for exactly.
How do we manage the contract to make sure we're not getting a snow-job?
The best way is to again go for a smaller company, which will send in one person, therefore making it easier for management to keep track of what is going on.
How do we use the result to get buy-in from management (who will probably need to lay out money for changes) and from the developers (who may be adamantly opposed to changing their systems, either for ego reasons or it's just a lot of work)?
If something is too much work for a systems administrator, or they don't want to change something because of ego reasons, then you should probably look into finding another systems administrator that has more concern for the company and security. You more or less have to find someone that has a passion for their job, and does not think of it as just a job.
How often should we re-do these audits?
I would recommend at least a minimum of once a month. The bad thing is that you need to keep track of security situations every day. With a smaller company or an individual (at least in my experience with what I do), they will keep a record of your network and servers and keep it in a database, and when a security vulnerability comes up, they notify you and make you aware of a possible situation. At that point you are given the option to bring them back in to do an assessment again. By the same token, performing recurring audits can become costly. You may want to focus more on finding a solution with some type of secured web appliance that does not require any maintenance, and that has not had any security vulnerabilities.
If you have any questions or comments please feel free to contact me.
- Bill Marchand
bill@sage-inc.com
Before you bring the auditors in, learn more about your systems first. Go to http://www.cisecurity.org/ They provide benchmarks and best practices for system security and administration. These are available for a free download. When executed on your servers, they provide you with the current state of your systems as well as a list of suggested tasks for improvement. While I take exception to some of their suggestions, on the whole I found the Solaris benchmark very good.
http://www.cert.org is also a good resource.
These guys are good. I've used them several times in the past year. Reasonable (fixed) prices for external and internal pen-tests... the quality of work is very high, and they came in a lot lower than ISS, @stake, Cisco, and of course below all of the Big 4 (they charge you hourly).
http://www.psiframe.com
They're a small shop, but with some very reputable references. Email or call them, very friendly folks..
Joe Duhan
Try RipTech....
A couple of years ago the company I worked for got IBM Global Services to come in and do an audit. I was pretty happy with the results. This was about $11K for two days worth of stuff. They were very clear about the goals of the audit: what they would and would not do, i.e. tell you the scope of the thing.
They were professional, knew their stuff, had Linux laptops :-).
They wrote us a nice report that would have been a good basis for making concrete proposals to get us off our butts and do some process improvement.
Sure, many people can come in and do an nmap scan and charge no bucks at all. But management buy-in needs the kind of report that they drew up. Basically, those IBM guys were our allies: our main sysadmin and myself were trying for ages to try to get improvements in process and in paying attention to bugs. The report helped us.
A happy IBM customer...
(P.S. My old company went under, but at least they never experienced a breakin...)
I work for Icons and we do info security assessments for large and small, public and private organizations. We review network security and also have experts in application security. You can find more details at our website or send me email.
To briefly answer your questions from my perspective:
-look for certified experts (i.e. CISSP, CISA) who have significant experience in security and distributed computing, with tech and management expertise
-penetration testing is necessary but not sufficient; look for folks who thoroughly review the security/app architecture
-make sure the assessment team has knowledge of your business/organization so they understand the criticality of various information/data
-we try to present our assessment findings to high level management (sometimes the board) to gain buy-in
-our team suggests performing quarterly assessments
Hope that helps -best of luck
Back when the internet was young, I worked with some good folks who were doing this sort of audit, and researching for the answers, for the US Govt only. Many of them are now in private practice. (I'm no longer in government work nor primarily in Security these days, but I've kept track of the field as it's gotten relevant to everyone.) Pre-Enron, most businesses would use their Auditor's consulting arm. The security specialists were more for the Government and folks with particular problems. These days, I'd think everyone would want their audit done by specialists, but then, I thought that before.
Anyway, the original questioner was asking for someone to help his East Coast State Government agency. There is one firm that grew out of the government consulting that I've both considered working for when I was consulting and also brought into my own .COM (before the bust) to discuss audits: AGCS Inc. They're east coast alright. One of their founders was the editor of the Orange Book. They've embraced the web and commercial networks while staying connected to government clients and research.
(-: As a kindness I won't slash-dot the smaller ones that meet the same criteria
The other top consultants to governments, large and small, will be among the presenters and organizers at New Security Paradigms Workshop (ref coverage).
-- Bill Ricker aka n1vux
Thanks to SUDO, no longer Root@anywhere
www.counterpane.com - Bruce Schneier is a god.
I've dealt with some of these folks and they're all top notch. Compaq, IBM, and Unisys have some excellent people, but it varies by locale and who gets assigned to your project. To some extent it depends on what you're running machine- and software-wise ... no point hiring top level UNIX people to look at your IBM mainframes running OS/390.
Talk to some of your peers in big insurance companies and financial services companies. They can tell you who they use for these jobs, and who is competent on the types of equipment and networks you have.
Also think about hiring someone to watch the other guys and help critique their work.
I work in the security field, for many first and second tier banks, as well as numerous fortune 100 companies (not in the USA though).
I'm scared by some of these responses! Worst are the ones from people working in this field...
The first and foremost thing you need to concentrate on now is getting together a coherent security policy. Yes, that means at the management level - a good security company WOULD recommend that as the first step.
There are plenty of standards to work from (eg: ISO-17799), which force you to have regular check-ups etc...
From here, you should automatically have an orderly plan of attack for assessing your infrastructure. And yes, it's all about infrastructure, not OSes or applications -> every OS has its flaws, and every application will have its holes or exploits. The only defence here is defence in depth, a completely secure infrastructure.
And for god's sake, don't get any college-kid-hacker types! Get someone who will sign a non-disclosure agreement and who has some experience with all aspects of business, from management right down to the people who plug in cables.
The big-5 accounting firms are next to useless, unless you want someone fresh from college to go through your computer room with a predefined checklist and present you a pretty report the next day.
Go with a mid sized company for best results. Heck, put an ad in the paper asking for responses!
Kevin Mitnick never had to hack into a computer with script-foo. He used social engineering. Blocking unused services, backing up your data, and loading the latest security updates is fine. The problem is those pesky employees who are stupid enough to give their username/password over the phone. Blocking them from calling out can be a problem, having multiple copies of them is more of a problem, so you are left with "upgrading" them by giving them the boot.
bash-2.04$
bash-2.04$yes "Don't you hate dialup connections?"| write USERNAME
I can't stand this god damn crap anymore!! why do corporate types insist on using stupid terms that aren't words, or not used in the correct context! what follows are a list of phrases and words that I'm sick of!!!
- Paradigm
- synergy
- making words into verbs that aren't verbs! (eg. 'task,' 'tasked' isn't a god damn word!!!!)
- pro-active
- mission statements (alright not really the same thing, but so damn useless!!)
- any women's lib terminology eg. herstory instead of history (please note I'm not sexist and this has nothing to do with my opinion of of this movement, the terminology just gets on my nerves)
- Action item
- bipolar
- Solution (when referring to software or hardware)
- Think outside the box
- outsourcing
- new economy
- re-purposing
I think you get the point...Good things never end "eum" they end in "MANIA" or "teria"
http://www.predictive.com Global Integrity Brand Services by Predictive Systems - the best way to go. We've used them in the past, and they are great. Very professional and discreet. H.
The problem with these security assessment companies is that people believe once they finish their task everything will be "all better now". Security is a continuous job. Invest your money in the same tools these companies will use and learn to use them yourselves. You can buy a complete suite of assessment tools and still not come near the cost you would pay a firm to do the assessment. You can also perform future assessments without the added cost. A security assessment company will only check for the known vulnerabilities at the time of the assessment. So in less than a month you could have vulnerabilities that were not covered in the assessment.
From personal experience, I would stay away from them and any other company that hires questionable personnel. I know that @stake people have been on the SUBJECT: line of a few law enforcement reports..
If you have to work your ass off to keep up with patches, then it's not a good product. sendmail, wuftpd, those are products to stay away from as well.
IIS's main selling points are its ease of admin and its speed. If you have to have a 'good' admin in order to keep up with the patches, then it's not in fact easier to admin than Apache.
autopr0n is like, down and stuff.
I can vouch for AciDive's recognition of the excellent consulting Unisys provides during its security assessments. As one of the consultants conducting those Unisys assessments, with experience in over 200 such engagements, I can report we consistently achieve a high level of client satisfaction. This is due to our proven methodologies, skills, experience, research, and serious approach, which provides our clients with world class security assessments of their technology, security processes and policies. We provide a full suite of security consulting services which assess, design, implement and monitor a client's enterprise security. From assessments through security policy development, firewall monitoring and management managed services, PKI deployment and beyond, Unisys assists its clients to maintain effective security and privacy of business and personal information. Take a look at our web site at www.unisys.com\security, contact us to discuss how we can work together to achieve and maintain your security goals. "Palehorse", I am on the East Coast as well, let's make contact, discuss your questions and work together to effectively protect your agency.
Take a look at TruSecure. They offer certification of business networks. They have a number of big companies. We use them and it's a great way to look at security. Instead of just looking at what the vulnerabilities are, TruSecure looks at your entire org and network based on their essential practices and then puts you on a process to make your security very good based on layered control. It's a very sane approach to security, since it focuses on a continuous program and is vendor neutral!
So that's who they are! Now I know where to forward e-mail.
I own Asguard.com
Thanks.
********* sig: If you don't like the law, get filthy stinking rich, and buy a better one.
Goliath is a company that can perform an audit at various levels for you.
Many companies will use the same tools, but there are fewer who have the people that can use them effectively. You want a place that has skilled professional security consultants with practical experience. Ask for credentials. Make sure the company is familiar with the needs of government agencies vs. the private sector.
The audit, providing that you implement the recommended changes, can only help you temporarily.
Get your people trained in security best practices to stay secure. Goliath will host a security workshop for any number of employees. They can also assist with security policy and your information security operational plan. These are the services that are valuable to your organization.
We've worked with UNIXSmith, and they do an excellent job securing both UNIX and NT/2k servers, and with security audits. I don't know if they could handle an agency like the one you're talking about, but for an ecommerce site or a medium-sized company like us, they have proven that they are up to the task.
They also have their own line of server appliances, like the Airlock Firewall, and can monitor your servers 24/7 as well.
Overall, I think they do a very good job. I thought someone here might be interested in checking them out.
Disclaimer: I don't work for them, I'm just a happy user of their services.
Our company paid ~$9K for a security audit by TruSecure. I was very disappointed with the work that they did -- their recommendations are basically, upgrade everything to the latest version and try to make it so that people don't know what software you're using. We were seeking their "Site Secure" certification for our server farm. They wouldn't approve me until 1.) our mailserver filtered out nasty types of email attachments (.com, .vbs, etc.) that could hurt MS clients (even though our company & servers are entirely linux), and 2.) I recompiled Apache so that it doesn't report itself as Apache (but it still says it uses mod_ssl, etc... it's totally obvious it's still apache). They had a few other recommendations that were similar. Their on-site inspector was totally wowed by my Linux desktop (it seemed like he'd never seen one before!).
When I expressed my disappointment with the service, they said that they offer much more thorough audits for more in the $50k range. We paid almost $10k and got basically nothing except the thumbs up from a few companies that we were hoping to do "B2B" connections with... (and a cool "stamp" to put on our site)...
I don't know who I'd choose next time, but I'd steer clear of these guys unless you're ready to spend some big bucks and are willing to really check out what they're going to do for you.
how about Steve Gibson from Gibson Research Corporation? http://grc.com
- Security policies and procedures
- Business continuity planning and disaster recovery
- User account management
- Logging and monitoring
- Incident-response plans
- Security relationships with business partners
- Firewall, DMZ, and VPN configuration
- Router configuration
- Wireless network security
- Dial-up security, including unauthorized or unprotected modems and voice mail security
- Remote access architecture
- Internal server and workstation configuration
- Network topology and internal segregation
- Physical security
#2: Ask for the credentials of the people who will do the actual assessment. Is their experience mainly just in configuring firewalls & servers, or have they done assessments? Have they assessed all of the issues above, or just done scans and "ethical hacking"? Do they have CISSP and/or CISA certifications? Also, have they done assessments of large, multi-site enterprises, or just small or medium-sized offices? Have they done work for gov't agencies before, or only the private sector?
#3: Lastly, a shameless plug: The entire Texas state government has been using Sprint's E|Solutions division to assess their agencies and state universities. How many others have that kind of large-scale, state gov't experience? Not many, I'd bet.
I'm sorry that I did not read 300+ replies, but I thought I'd make a suggestion. Having worked in this field for awhile...
CSC = Computer Sciences Corporation
SAIC = Science Applications International Corp.
BBN = Bolt Beranek and Newman
Booz Allen Hamilton
MITRE = FFRDC
I chose these because I work in a largely federal govt. marketplace and most specifically within the DoD. To keep this on the ethical level, I work for CSC, but all of these during my career have been considered leadership players in the Security Test and Evaluation (ST&E) space.... which most closely describes what you seem to be wanting.
There are certainly others, and they may be better or worse (commercial and others), but these are folks generally trusted with National Defense type ST&E work.
One final caution: you are not talking about an inexpensive effort here, nor one which will be lightly undertaken. Much of what these companies do is possible using publicly available tools and technology. Finally, in most cases anyone who does these evaluations is looking for further work in correcting deficiencies, selling infrastructure, building so called security architectures for systems, etc... Just know what you are getting into.
;-)
mdw
www.TheBillGuy.com - Security Auditing from Kansas
We have worked with this guy among others for our clients' security audits and such. He has done remote auditing (limited) as well as internal auditing for us. He seems to know his stuff.
As others have mentioned, rules of engagement and good documentation of the actual audit are important to help you get the most out of your audit.
Here's an excerpt from his services page:
"Internet/Network Security: Penetration Testing, Vulnerability Assessments, Security Policies, Virtual Private Networks (VPN), Firewalls, Intrusion Detection, and more. Have you ever wondered how secure your network REALLY is?"
--
J Klein
www.datility.net
We'll provide free initial security auditing just to scare the crap out of you and let you know what you're up against. Then we'll be glad to sit down and discuss the options, etc.
This is more than simply profit motive. Network security is everyone's responsibility and we see it as doing our part.
See the 'ol homepage for more info.
As a System Administrator for a Tier 1 service provider, we have had many 3rd party auditors "come through" since 9-11. Most have been either overzealous or totally incompetent! Be prepared for canned, scripted types of responses done by folks who really do not know I/T or the systems of yours that were audited. Some will recommend security adjustments that are only needed for DoD type installations, leaving the systems totally useless for real world users. Be prepared to have Help Desk calls double or triple after application of some of the recommended "fixes." Carefully look at every recommendation since many can leave the system unusable (careless removal of the "Everyone" group in NT 4, etc.). Your management team may not be technical enough to fully understand the auditors' recommendations and will want you to "make it happen now!" Before calling any security auditor, analyze all servers and categorize them based on the security level needed (e.g. high, medium, low). Don't waste precious man hours patching & securing intranet servers that only hold departmental softball team results! Give every recommendation a "sanity check."
I've used MI2G.com, who have offices in London and the US. They've been very busy post-9/11 doing some 'hush-hush' type work, but they have a new security audit matrix that they are using with a number of government agencies that is getting pretty good reviews. They also build out secure systems for banks and financial houses. I think they also have an office in India.
e-mail me if you want some more info on them.
D'oh! I knew that! (CSE != Canadian Security Establishment). I did say they were NSA-like, as I believe comms intercept is one of their jobs. And I know they scare the crap out of some people in the RCMP :)
You make a good point about security being process related and the usual weakness being human. A $5K crack on the local secretary is more effective than a $50K crack on the network and far cheaper. Not only might you get security info, but you might get important info on where things are stored and what is stored.
Another oft forgotten part of security is auditing - not just knowing that you've been compromised, but knowing how badly and for how long. That can be as important (well, nearly) as defending against the (probably inevitable) crack anyway. At least then you know what was compromised and can take mitigating steps that are targeted. If all you know is you've been hacked, you don't know a lot. If you have to change every aspect of your process, that's a huge expense. Having mechanisms in place to help identify what was accessed in an intrusion is more than slightly useful!
-- Mal: "Well they tell you: never hit a man with a closed fist. But it is, on occasion, hilarious."
@Stake. NetCraft. Both do excellent audits. Counterpane does security monitoring. Claims none of their clients have ever had a serious break-in or defacement. Can also hook you up with good partners. Also, hire a good staff on-board. It sounds like your sysadmin is a moron. With a good IT staff, you really shouldn't see this kind of problem, unless it's an internal disgruntled employee (in which case monitoring will help).
They did a very extensive audit - and a much more informative audit than the $$$ we threw away on Deloitte and Touche.
try www.mitretek.org, security and state gov experience..