Slashdot Mirror
Recommendations for Third Party Security Audits?
palehorse asks: "I am a developer/DBA/etc for a very large State Govt. Agency on the East Coast. We have been subjected to an increasing number of break-ins and website defacements over the past few months. My boss has recently been tasked by our CIO to find a reputable third party (not us or our ISP) to come in and do a complete and independent security assessment/vulnerability analysis for us. Since I'm the guy who usually bugs folks about security, she tasked me to come up w/ a list of firms who could do this for us. and a plan on what to test for and how. I've done the whole Google search/ZD-Net search/etc, which has given me way to many folks who do this kind of stuff, from ISS and IBM on down. Consequently I wanted to get some feedback/suggestions from the Slashdot community on where to go from here."
"Please keep in mind that while we're a large government agency, we have a small and overworked IT staff who have no real experience in internet/web security, and who are just now getting into a serious web presence.
Here are the main questions that I have:
- Who have you used, and were they any good?
- What should we look for in evaluating who to contact and their proposals?
- What would you have done differently?
- What services should we ask for?
- How do we manage the contract to make sure we're not getting a snow-job?
- How do we use the result to get buy-in from management (who will probably need to lay out money for changes) and from the developers (who may be adamantly opposed to changing their systems, either for ego reasons or it's just a lot of work)?
- How often should we re-do these audits?
The 1st rule is never, ever ask anyone who sells security products to do an audit, they will just try to sell you something.
IMHO opinion an audit is not what you need, spend the money employing someone who does know about security to get (and keep) things ship shape. Security is an ongoing issue and can't be solved by a one of check, the audit could be perfect but your still wide open the next time some kiddie finds a hole in your preferred webserver software.
Perhaps other agencies within your state might already have someone doing this. This someone could come up with recommendations that could be used across the board. Plus it might make writing the contract easier.
Wait.. What am I saying? This is government; agencies don't work together. Nevermind...
The guys that always come to mind for me when talking security is the old l0pht.com (now www.atstake.com, but l0pht.com still works). These are the guys that the media always calls when they have questions about hackers.
I would say that first you should think of who NOT to contact. I would definitely say stay away from ISS and @Stake.
Find someone who actually gives back to the community, such as packetstorm or the such.
You might also consider Security Focus and places like that.
I'm not sure what your actual goal is, but if it is to actually secure things instead of having a bunch of monkeys come in and take some money from you, then places like that will have the best results.
And try to stay away from those who will require you to buy something, and subscribe to something else in order for you to be secure. ACLs on routers and removing unnecessary services/daemons, and patching those that you need will do a lot more than a firewall from acme security.
---
"Security is a process, not an event". -Some smart person
You are going to have to define the scope of the audit. Is it just web servers, desktops, your security policies, legacy or the whole ball of wax? Are you talking a mixed environment (multiple-Unix, Windows, Mac, other?)
How wide is your network area? Multiple locations? Same cities?
How about your network infrastructure itself? Routers, switches, etc.
A complete audit can take a while and cost a lot of $$, especially if you have a wide range of system types and network spread. It also can depend on how deep you want the audit to go.
I work for Lucent doing large scale audits, so can only comment on what I've experienced. Security is as much policy, training and implementation as it is software/hardware.
E-mail me if you want some detailed information.
Charles Hill
Learning HOW to think is more important than learning WHAT to think.
"Don't hire a bunch of UNIX bigots if you have WIn 2K servers. Not only will these folks not be familiar with the technology, they will also have a bias towards bad-mouthing it."
And vice-versa. Geez.
LEXX
"Gold still represents the ultimate form of payment in the world." - Alan Greenspan, 1999
Having read a few books here and there on various types of computer crimes, there are a lot of cases where access to a system was gained through a person giving out confidential information to an unauthorized person? In this light, any security audit should include tests of how easy it is to get confidential information from employees and any third party services. For example, there are many small businesses out there in my town that use dialup accounts for internet access and email. Most of these companies will give out the user name and password over tech support if you only supply the account holder's name. This leads to anyone being able to access the company's email. In a big corporation, I'm guessing a few users would give out name/passwords to a call claiming to be from the IT department, if the company has a modem pool, I'm sure its trivial to get that number too ("Hello, Jane Doe? Its John from the IT department. Were doing some work with the phone company, and we're wondering, what number do you use for dialing up? Is it 555-1111? No, you use, 555-1234? Thank you!"
Any good audit should include the social engineering factor.
Just my $.02
The first step (really!) is to get a security policy in place. This really doesn't have to be anything special-- but it does need the buy-in of ALL groups affected (sysadmins, developers, marketing, sales, executives, etc.) That's really the only hard part.
Probably the quickest way to get started is to head to the SANS security policy project and adapt their sample policies to your company. This is one of those rare cases where it's more important to get something in than it is to get it right the first time. Policies can be changed fairly easily-- but you don't want to go to all the trouble to implement a secure environment only to have someone on the inside fighting you every step of the way.
Now the fun part-- actually securing your systems. Here are some pointers on places to start:
1) Review the SANS "top 10" security vulnerabilities and make sure they're covered.
2) Review Lance Spitz's excellent collection of host security information and make sure to follow his recommendations.
3) Make sure your firewall rules are set up with the security best practice of "minimum access to get the job done". Far too many firewalls allow traffic they shouldn't.
4) Get NMAP, a network mapper, port scanner, and OS identifier and run it from the Internet to your exposed (i.e. DMZ) hosts. Also run it from your exposed hosts to your internal network to validate that only the traffic that should get in can get in. (The traffic allowed back in from your DMZ should be very little, preferably none.) If you find anything that is inconsistent with what you think should be happening, check your firewall rules again.
5) Grab a copy of the Nessus security scanner and run it against your newly secured systems. If it finds anything, read the description of the problem and see if it's something you can fix. You can bet that everything you find here will also show up on your "security audit" since most "audits" are just someone running a tool like this and then feeding the output to the consultants to make it all pretty for management.
6) You should have most of the obvious, widespread holes plugged by now. This would be a good time to get some sysadmins out to some classes. Verisign has a number of excellent general Internet security classes. I'm sure there are lots of other good places, too. I was pleased with Verisign because of their Internet focus. Too many security classes only concentrate on host security and neglect network security.
7) Get the application developers at your site to read and follow Dave Wheeler's writing secure programs guidelines. This is a lower priority than OS/network security since these holes are likely to be specific to your site only. Only a determined hacker is likely to find and exploit them-- however exploiting application bugs/holes can severely disrupt your business. What happens when an electronic data interchange transaction gets bogus data inserted? How far will that bogus information make it in before it's detected? In the worst case these bugs could result in people getting free products/subscriptions, stealing credit card info, or destroying data inside your systems.
8) Now it's time to get that audit. They will be able to tell you what you missed in the previous 7 steps. Why wait so long? Most places will keep looking until they find something to report. If you do this too soon, the subtle security problems will be lost in the noise of all the obvious problems the previous 7 steps would have fixed. If you do this last, only the "hard" problems are left for them to find.
Remember above all that this is an ongoing process. Keep current on your patches, and repeat all the above steps regularly to keep all the bad guys away.
First off, the reason your security is broken is that you probably don't have a policy and if you do nobody understands it and if they do there's no QA ensuring that they follow it.
Good security starts with the establishment of a security policy followed by education and regular awareness events. Please be aware that paying someone a ton of money to pen. test and inventory your assets will *not* result in a stronger security posture all on it's own. You must have a policy in place and you must compel your users to abide by it (primarily through education, secondarily through threat of penalty). Consider hiring a CISSP or other certified professional to help you through this process. You might be able to find one in your area by using the ISC2 directory. SANS is doing some ISO certification as part of the GIAC program now and they may be able to point you towards some appropriate people as well. The ISSA might be able to help as well. As has been mentioned already, you probably don't want to entrust this to someone selling countermeasures or management services.
Understand, however, that you don't need a firewall engineer right now and you don't need some krad ex-hacker to pen test either. You need someone to help you get your house in order on the administrative side and then you can look into some detailed engineering and assessment. That someone should probably be an independent consultant or at least one working with an infosec specializing firm. If you want a couple bigger names there's @Stake, Booz Allen Hamilton, and Predictive, however, I would encourage you to seek out a local independent with good references.
Any knucklehead can run Nessus and patch systems. This alone does not equal information security. If you want a secure environment, start by defining what "secure" means within your environment.
Goliath is a company that can perform an audit at various levels for you.
Many companies will use the same tools, but there are less who have the people that can use them effectively. You want a place that has skilled professional security consultants with pratical experience. Ask for credentials. Make sure the company is familiar with the needs of government agencies vs. private sector.
The audit, providing that you implement the recommended changes, can only help you temporarily.
Get your people trained in security best practices to stay secure. Goliath will host a security workshop for any number of employees. They can also assist with security policy and your information security operational plan. These are the services that are valuable to your organization.