The main questions you had were...
Who have you used, and were they any good?
I myself have not used anyone in the past to perform an independent security assessment. I have always done them myself.
What should we look for in evaluating who to contact and their proposals?
What I would possibly look for, in a security assessment, is someone who has a vast knowledge of computer security, for both breaking into and protecting systems. I would make sure they are not basing things off of security scanners (i.e. ISS, Retina, Nessus, or even Cybercop). A lot of people will use just these tools on a network, find a lot of false positives, and slap down paperwork that may not properly pertain to your network. You would need to look for someone who will do an assessment on each individual system and audit every little thing there is. You don't necessarily want to have a Big 5 company come in and do the assessment, for the simple reason that they have many clients and do not dedicate their entire time to one company. You would more than likely want to have an individual or a small company come in and do an assessment for you. The reason is that for the most part they will dedicate their time to it and recommend a product that will meet your specific needs. They treat every client they have as if it were their only one, because they cannot afford to lose business or credibility.
What would you have done differently?
I don't think I quite understand this question.
What services should we ask for?
It depends on what kind of network setup you have, and what you are looking for exactly.
How do we manage the contract to make sure we're not getting a snow-job?
The best way is, again, to go for a smaller company, which will send in one person, therefore making it easier for management to keep track of what is going on.
How do we use the result to get buy-in from management (who will probably need to lay out money for changes) and from the developers (who may be adamantly opposed to changing their systems, either for ego reasons or it's just a lot of work)?
If something is too much work for a systems administrator, or they don't want to change something for ego reasons, then you should probably look into finding another systems administrator who has more concern for the company and for security. You more or less have to find someone who has a passion for their job and does not think of it as just a job.
How often should we re-do these audits?
I would recommend a minimum of once a month. The bad thing is that you need to keep track of security situations every day. With a smaller company or an individual (at least in my experience with what I do), they will keep a record of your network and servers in a database, and when a security vulnerability comes up, they notify you and make you aware of a possible situation. At that point you are given the option to bring them back in to do an assessment again. By the same token, performing recurring audits can become costly. You may want to focus more on finding a solution with some type of secured web appliance that does not require any maintenance and that has not had any security vulnerabilities.
If you have any questions or comments please feel free to contact me.
- Bill Marchand
bill@sage-inc.com
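Two points in the reply above lend themselves to a concrete check: that scanner output alone produces false positives that only a per-system look can weed out, and that keeping a record of each host's services lets you tell, when a new vulnerability notice arrives, which systems it actually touches. The script below is an added example written for this page, not code from Bill Marchand or from any of the scanners he names. Every host, service version, scanner finding and advisory in it is constructed sample data, and the "ADV-000x" identifiers are placeholders, not real advisories or CVEs. It records a product and version per host and port, as an assessor would during a per-system audit, then sorts raw scanner findings into confirmed, false positive, or unknown (nothing recorded to check against), and answers "who needs to be notified" for a newly arrived advisory.

```python
"""Cross-check scanner findings and new advisories against a per-host inventory.

Added example, not part of the original message. Every host, version,
finding and advisory below is constructed sample data; the ADV-000x
identifiers are placeholders, not real advisories or CVEs.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Host:
    name: str
    services: dict  # port -> (product, version) as recorded in the per-system audit


@dataclass(frozen=True)
class Advisory:
    ident: str
    product: str
    min_version: tuple  # inclusive lower bound of the affected range
    max_version: tuple  # inclusive upper bound of the affected range


def parse_version(version: str) -> tuple:
    """'3.7.1' -> (3, 7, 1); a non-numeric component sorts below any number."""
    parts = []
    for piece in version.split("."):
        try:
            parts.append(int(piece))
        except ValueError:
            parts.append(-1)
    return tuple(parts)


def affected(adv: Advisory, product: str, version: str) -> bool:
    """True only if the recorded product/version actually falls in the affected range."""
    if product != adv.product:
        return False
    return adv.min_version <= parse_version(version) <= adv.max_version


def triage_findings(hosts, findings, advisories):
    """Sort raw scanner findings (host, port, advisory id) into confirmed,
    false positive, or unknown (nothing in the inventory to check against)."""
    by_ident = {a.ident: a for a in advisories}
    by_name = {h.name: h for h in hosts}
    confirmed, false_positive, unknown = [], [], []
    for hostname, port, ident in findings:
        adv = by_ident.get(ident)
        host = by_name.get(hostname)
        if adv is None or host is None or port not in host.services:
            unknown.append((hostname, port, ident))
            continue
        product, version = host.services[port]
        if affected(adv, product, version):
            confirmed.append((hostname, port, ident))
        else:
            false_positive.append((hostname, port, ident))
    return confirmed, false_positive, unknown


def hosts_needing_notice(hosts, adv: Advisory):
    """When a new advisory arrives, which recorded hosts/ports does it actually touch?"""
    return [(h.name, port)
            for h in hosts
            for port, (product, version) in h.services.items()
            if affected(adv, product, version)]


# Constructed inventory: what the assessor recorded on each system.
HOSTS = [
    Host("www1", {80: ("apache", "1.3.27"), 22: ("openssh", "3.4")}),
    Host("mail1", {25: ("sendmail", "8.12.8"), 22: ("openssh", "3.7.1")}),
    Host("db1", {3306: ("mysql", "4.0.12")}),
]

# Constructed advisories with placeholder identifiers.
ADVISORIES = [
    Advisory("ADV-0001", "apache", (1, 3, 0), (1, 3, 26)),
    Advisory("ADV-0002", "openssh", (3, 0, 0), (3, 6, 1)),
    Advisory("ADV-0003", "sendmail", (8, 0, 0), (8, 12, 8)),
]

# Constructed scanner output: what a banner-based scan claimed.
FINDINGS = [
    ("www1", 80, "ADV-0001"),   # apache 1.3.27 is past the affected range
    ("www1", 22, "ADV-0002"),   # openssh 3.4 is inside it
    ("mail1", 22, "ADV-0002"),  # openssh 3.7.1 is not
    ("mail1", 25, "ADV-0003"),  # sendmail 8.12.8 is the top of the range
    ("db1", 80, "ADV-0001"),    # db1 has no recorded service on port 80
]

if __name__ == "__main__":
    confirmed, fps, unknown = triage_findings(HOSTS, FINDINGS, ADVISORIES)
    print("confirmed:", confirmed)
    print("false positives:", fps)
    print("needs manual check:", unknown)
    print("notify for ADV-0002:", hosts_needing_notice(HOSTS, ADVISORIES[1]))
```

The "unknown" bucket is deliberate: a finding on a port the inventory does not list means either the record is stale or the scanner hit something undocumented, and either way it needs a person on the box rather than a line in a report. Version ranges are compared as tuples, so the check is only as good as the versions actually recorded during the audit, which is the point of doing that audit per system.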