Educause Security Discussion mailing list archives

Re: Outsourcing security scanning (internal and external)


From: Sarah Stevens <sarah () STEVENS-TECHNOLOGIES COM>
Date: Fri, 7 Oct 2005 05:42:12 -0600

Dear Greg,

Why are you wondering about whether or not your current scanning
program is effective?  Do you have a model that you follow for
information security within your organization?  (i.e. NIST 800 Series,
COBIT, ISO17799) I would recommend that before you arbitrarily decide
to scan once per month, that you conduct a risk assessment to see the
extent of your vulnerabilities.  NIST provides a great model with
questions that will help you determine the risk of each system.  (It's
meant for government, so there will be some emphasis on classified
systems, but if you do not have "classified" information, you
generally do not have to worry about those particular controls.)  Once
you have rated your systems based upon risk and exposure, you can
create a plan that includes which systems needs to be scanned at what
frequency.

I want to be upfront and tell you that I own a company that performs
risk assessments and vulnerability scanning.  We prepare the system
security packages using NIST as described above for many of our
clients.  However, many of our clients are able to do this analysis
for themselves with minimal or no assistance.

The model that we use for scanning is not based upon number of systems
to scan.  Rather, we base it upon a hybrid approach that looks at what
particular kinds of systems that you have, as well as a variety of
other factors.

So, as always, I am willing to help you with any questions that you
may have concerning the process.  I will help you find the NIST
documents that you need if you decide to go that route, or whatever
else you need.  I consider my time on the boards answering questions
my "public service" time and my efforts are focused simply on
improving the information security infrastructure of all of our
country's information systems.  With this being said, I am happy to
give you as much free advice as you need.

Sincerely,

Sarah E Stevens, CISSP, CISM, GCIH
President
Stevens Technologies, Inc



On Friday 07 October 2005 01:00, Greg Francis wrote:
We are currently considering whether or not to outsource penetration
testing from off-campus such that testing will be done frequently
(monthly?) versus a periodic audit which we have already outsourced in
the past. We're also considering outsourcing the same functionality
except on the inside of the firewall.

At present, we do some scanning with NMAP and Nessus but there are
concerns from management that our efforts are inadequate and our
reliability is low. We are making improvements but I question how much
we should focus into that area if it's going to be outsourced anyway.
Our CIO thinks that outsourcing both tasks may be more cost effective
and appease management more.

Are there any schools out there that have outsourced either external
scanning? If so, how frequently is the scanning done? Do you have a
vendor that you recommend and what is their general cost?

Any input is highly appreciated.

Thanks,
Greg


I tend to think of the QUALYS service as basically this
sort of thing.  Probably cheaper and more useful than a
consultant, for my 2 cents.  Consultants have
no stake in your enterprise, and have no upper bound
on what they'll charge you.

Since the QUALYS model is based on the number of IP addresses
that they scan, it can get ugly in terms of pricing if your number
of targets is high.  So... we're not a customer.  But if you fit
their model, I thought their architecture and r&d was quite solid.

--

John G. Kemp ( kemp () network-services uoregon edu )
http://security.uoregon.edu/ mailto:security () uoregon edu
pgp:C9BE D1C4 9893 1A9E FF1A  B354 77DE E6DC A3CA 7130