Educause Security Discussion mailing list archives
Re: Outsourcing security scanning (internal and external)
From: Sarah Stevens <sarah () STEVENS-TECHNOLOGIES COM>
Date: Fri, 7 Oct 2005 05:42:12 -0600
Dear Greg,

Why are you wondering about whether or not your current scanning program is effective? Do you have a model that you follow for information security within your organization? (i.e. NIST 800 Series, COBIT, ISO17799)

I would recommend that before you arbitrarily decide to scan once per month, that you conduct a risk assessment to see the extent of your vulnerabilities. NIST provides a great model with questions that will help you determine the risk of each system. (It's meant for government, so there will be some emphasis on classified systems, but if you do not have "classified" information, you generally do not have to worry about those particular controls.) Once you have rated your systems based upon risk and exposure, you can create a plan that includes which systems need to be scanned at what frequency.

I want to be upfront and tell you that I own a company that performs risk assessments and vulnerability scanning. We prepare the system security packages using NIST as described above for many of our clients. However, many of our clients are able to do this analysis for themselves with minimal or no assistance. The model that we use for scanning is not based upon the number of systems to scan. Rather, we base it upon a hybrid approach that looks at what particular kinds of systems you have, as well as a variety of other factors.

So, as always, I am willing to help you with any questions that you may have concerning the process. I will help you find the NIST documents that you need if you decide to go that route, or whatever else you need. I consider my time on the boards answering questions my "public service" time, and my efforts are focused simply on improving the information security infrastructure of all of our country's information systems. With this being said, I am happy to give you as much free advice as you need.

Sincerely,
Sarah E Stevens, CISSP, CISM, GCIH
President
Stevens Technologies, Inc
On Friday 07 October 2005 01:00, Greg Francis wrote:

> We are currently considering whether or not to outsource penetration testing from off-campus such that testing will be done frequently (monthly?) versus a periodic audit which we have already outsourced in the past. We're also considering outsourcing the same functionality except on the inside of the firewall.
>
> At present, we do some scanning with NMAP and Nessus, but there are concerns from management that our efforts are inadequate and our reliability is low. We are making improvements, but I question how much we should focus on that area if it's going to be outsourced anyway. Our CIO thinks that outsourcing both tasks may be more cost effective and appease management more.
>
> Are there any schools out there that have outsourced either external scanning? If so, how frequently is the scanning done? Do you have a vendor that you recommend and what is their general cost? Any input is highly appreciated.
>
> Thanks,
> Greg

I tend to think of the QUALYS service as basically this sort of thing. Probably cheaper and more useful than a consultant, for my 2 cents. Consultants have no stake in your enterprise, and have no upper bound on what they'll charge you. Since the QUALYS model is based on the number of IP addresses that they scan, it can get ugly in terms of pricing if your number of targets is high. So... we're not a customer. But if you fit their model, I thought their architecture and R&D was quite solid.

--
John G. Kemp ( kemp () network-services uoregon edu )
http://security.uoregon.edu/
mailto:security () uoregon edu
pgp:C9BE D1C4 9893 1A9E FF1A B354 77DE E6DC A3CA 7130