Educause Security Discussion mailing list archives

Re: Outsourcing security scanning (internal and external)


From: Greg Francis <francis () GONZAGA EDU>
Date: Sat, 8 Oct 2005 10:03:07 -0700

On Fri, 7 Oct 2005, Valdis Kletnieks wrote:

> On Fri, 07 Oct 2005 01:00:39 PDT, Greg Francis said:
> > We are currently considering whether or not to outsource penetration
> > testing from off-campus such that testing will be done frequently
> > (monthly?) versus a periodic audit which we have already outsourced in the
>
> Why is it "versus" as opposed to "in addition to"?
>
> Both are needed, especially in today's environment.

You're right. I don't believe there is any intention to stop periodic
audits. This would be in addition to things already in place.

> > past. We're also considering outsourcing the same functionality except on
> > the inside of the firewall.
>
> You *definitely* want "inside the firewall", unless you are *positive* that
> you have full control over everything that could connect to the network.
>
> Otherwise, the first laptop that brings in a worm that uses a vulnerability
> on a port/service that your firewall blocks will kill you....

This is the area where we have been most aggressively pursuing
scanning since it is fairly easy for us to put the infrastructure in
place. Now it's a matter of developing the policy to ensure that we
perform the scanning/auditing on a frequent enough basis.

> > At present, we do some scanning with NMAP and Nessus but there are
> > concerns from management that our efforts are inadequate and our
> > reliability is low. We are making improvements but I question how much we
> > should focus into that area if it's going to be outsourced anyway. Our CIO
> > thinks that outsourcing both tasks may be more cost effective and appease
> > management more.
>
> You need to understand *why* management considers the efforts inadequate. Otherwise,
> you have no metric to use to decide if the outsourcing does it any better.

This is something we are working on identifying. I think that we're trying
to overcome some fundamental trust challenges in some of the results that
we produce. That's resulted in the external audit which was great to have
to compare to what we're getting. Now that we have the tools and most of
the human resources we need, we can make a lot more progress than we
already have.

Greg

--
Greg Francis                                Gonzaga University
Sr. System Administrator                    Spokane Washington
francis () gonzaga edu                         509-323-6896
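Two points in the exchange above lend themselves to a concrete check: Valdis's argument that an inside-the-firewall scan sees services a perimeter scan never will, and Greg's concern that management does not trust the consistency of in-house scan results. The script below is an added example, not code from the thread or from Gonzaga; it parses Nmap XML output (`-oX`) from an internal and an external vantage point to list services reachable only inside the firewall, and diffs two successive internal scans so that month-to-month changes are explicit rather than a matter of trust. The XML samples, host addresses and services are constructed for the example, and it assumes the external scan targets the same addresses as the internal one (e.g. a 1:1 NAT mapping already applied).

```python
"""Compare Nmap XML results across vantage points and across scan runs (added example)."""
import xml.etree.ElementTree as ET

# Constructed Nmap XML (-oX) for two hosts scanned from INSIDE the firewall.
# Addresses and services are made up for this example.
INTERNAL_OCT = """<nmaprun scanner="nmap">
<host><status state="up"/><address addr="10.0.0.5" addrtype="ipv4"/><ports>
<port protocol="tcp" portid="22"><state state="open"/><service name="ssh"/></port>
<port protocol="tcp" portid="445"><state state="open"/><service name="microsoft-ds"/></port>
<port protocol="tcp" portid="3389"><state state="open"/><service name="ms-wbt-server"/></port>
</ports></host>
<host><status state="up"/><address addr="10.0.0.8" addrtype="ipv4"/><ports>
<port protocol="tcp" portid="80"><state state="open"/><service name="http"/></port>
<port protocol="tcp" portid="1433"><state state="open"/><service name="ms-sql-s"/></port>
</ports></host>
</nmaprun>"""

# Same hosts scanned from OUTSIDE (assumed same addresses): the firewall filters all but 22 and 80.
EXTERNAL_OCT = """<nmaprun scanner="nmap">
<host><status state="up"/><address addr="10.0.0.5" addrtype="ipv4"/><ports>
<port protocol="tcp" portid="22"><state state="open"/><service name="ssh"/></port>
<port protocol="tcp" portid="445"><state state="filtered"/><service name="microsoft-ds"/></port>
<port protocol="tcp" portid="3389"><state state="filtered"/><service name="ms-wbt-server"/></port>
</ports></host>
<host><status state="up"/><address addr="10.0.0.8" addrtype="ipv4"/><ports>
<port protocol="tcp" portid="80"><state state="open"/><service name="http"/></port>
<port protocol="tcp" portid="1433"><state state="filtered"/><service name="ms-sql-s"/></port>
</ports></host>
</nmaprun>"""

# Next month's internal scan (constructed): RDP on 10.0.0.5 was closed, but VNC appeared.
INTERNAL_NOV = """<nmaprun scanner="nmap">
<host><status state="up"/><address addr="10.0.0.5" addrtype="ipv4"/><ports>
<port protocol="tcp" portid="22"><state state="open"/><service name="ssh"/></port>
<port protocol="tcp" portid="445"><state state="open"/><service name="microsoft-ds"/></port>
<port protocol="tcp" portid="5900"><state state="open"/><service name="vnc"/></port>
</ports></host>
<host><status state="up"/><address addr="10.0.0.8" addrtype="ipv4"/><ports>
<port protocol="tcp" portid="80"><state state="open"/><service name="http"/></port>
<port protocol="tcp" portid="1433"><state state="open"/><service name="ms-sql-s"/></port>
</ports></host>
</nmaprun>"""


def parse_open_ports(xml_text):
    """Return {ipv4_addr: {(proto, port, service_name), ...}} for every host that is up.
    Only ports whose <state> is "open" count; "filtered"/"closed" are ignored."""
    result = {}
    for host in ET.fromstring(xml_text).findall("host"):
        status = host.find("status")
        if status is None or status.get("state") != "up":
            continue
        addr_el = host.find("address[@addrtype='ipv4']")
        if addr_el is None:
            continue
        open_ports = set()
        for port in host.findall("ports/port"):
            state = port.find("state")
            if state is not None and state.get("state") == "open":
                svc = port.find("service")
                name = svc.get("name") if svc is not None else "unknown"
                open_ports.add((port.get("protocol"), int(port.get("portid")), name))
        result[addr_el.get("addr")] = open_ports
    return result


def internal_only_exposure(internal, external):
    """Services open from inside the firewall but not reachable from outside:
    the surface a perimeter-only scan never reports, and what a worm on an
    infected laptop would see."""
    report = {}
    for addr, ports in internal.items():
        hidden = ports - external.get(addr, set())
        if hidden:
            report[addr] = sorted(hidden, key=lambda p: p[1])
    return report


def scan_delta(previous, current):
    """Diff two scans from the same vantage point: (newly open, no longer open) per host."""
    new, closed = {}, {}
    for addr in set(previous) | set(current):
        before, after = previous.get(addr, set()), current.get(addr, set())
        if after - before:
            new[addr] = sorted(after - before, key=lambda p: p[1])
        if before - after:
            closed[addr] = sorted(before - after, key=lambda p: p[1])
    return new, closed


if __name__ == "__main__":
    internal, external = parse_open_ports(INTERNAL_OCT), parse_open_ports(EXTERNAL_OCT)
    print("Reachable only inside the firewall:", internal_only_exposure(internal, external))
    print("Change since last internal scan:", scan_delta(internal, parse_open_ports(INTERNAL_NOV)))
```

Feeding real `nmap -oX` files into `parse_open_ports` instead of the constructed strings gives a report that can be handed to management alongside the outsourced audit: the inside-only list shows why an external-only scan understates exposure, and the month-to-month delta turns "our results vary" into a concrete list of what changed.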
