Educause Security Discussion mailing list archives
Re: Outsourcing security scanning (internal and external)
From: Greg Francis <francis () GONZAGA EDU>
Date: Sat, 8 Oct 2005 10:03:07 -0700
On Fri, 7 Oct 2005, Valdis Kletnieks wrote:
> On Fri, 07 Oct 2005 01:00:39 PDT, Greg Francis said:
> > We are currently considering whether or not to outsource penetration
> > testing from off-campus such that testing will be done frequently
> > (monthly?) versus a periodic audit which we have already outsourced in the
>
> Why is it "versus" as opposed to "in addition to"? Both are needed,
> especially in today's environment.
You're right. I don't believe there is any intention to stop periodic audits. This would be in addition to things already in place.
> > past. We're also considering outsourcing the same functionality except
> > on the inside of the firewall.
>
> You *definitely* want "inside the firewall", unless you are *positive*
> that you have full control over everything that could connect to the
> network. Otherwise, the first laptop that brings in a worm that uses a
> vulnerability on a port/service that your firewall blocks will kill you....
This is the area where we have been pursuing scanning most aggressively, since it is fairly easy for us to put the infrastructure in place. Now it's a matter of developing the policy to ensure that we perform the scanning/auditing on a frequent enough basis.
> > At present, we do some scanning with NMAP and Nessus but there are
> > concerns from management that our efforts are inadequate and our
> > reliability is low. We are making improvements but I question how much
> > we should focus into that area if it's going to be outsourced anyway.
> > Our CIO thinks that outsourcing both tasks may be more cost effective
> > and appease management more.
>
> You need to understand *why* management considers the efforts inadequate.
> Otherwise, you have no metric to use to decide if the outsourcing does it
> any better.
This is something we are working on identifying. I think that we're trying to overcome some fundamental trust challenges in some of the results that we produce. That's resulted in the external audit which was great to have to compare to what we're getting. Now that we have the tools and most of the human resources we need, we can make a lot more progress than we already have.

Greg

--
Greg Francis
Gonzaga University
Sr. System Administrator
Spokane Washington
francis () gonzaga edu
509-323-6896
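The thread's two practical points are that internal scans matter because the firewall hides worm-friendly services from an external scanner, and that without a repeatable metric nobody can judge whether in-house or outsourced scanning is "adequate". One concrete way to get that metric from the NMAP scans already mentioned is to keep each run's `-oX` output and diff it against the previous run, so each report says exactly what changed and which internal-only services are newly exposed. The script below is an added example for this archive page, not code posted by anyone in the thread; the two XML documents are constructed stand-ins for real `nmap -oX` files, and the host addresses and the `WATCH_PORTS` list are assumptions for illustration.

```python
"""Compare two nmap XML reports and flag what changed between scans.

Added example, not from the thread. Both XML documents below are constructed
stand-ins for real `nmap -oX` output; the host addresses and the WATCH_PORTS
list are assumptions for illustration.
"""
import xml.etree.ElementTree as ET

# Constructed sample: last month's internal scan of a small range.
BASELINE_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -sS -oX baseline.xml 10.0.0.0/29">
  <host><status state="up"/><address addr="10.0.0.5" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="22"><state state="open"/><service name="ssh"/></port>
      <port protocol="tcp" portid="80"><state state="open"/><service name="http"/></port>
    </ports></host>
  <host><status state="up"/><address addr="10.0.0.6" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="445"><state state="open"/><service name="microsoft-ds"/></port>
    </ports></host>
</nmaprun>"""

# Constructed sample: this month's scan. 10.0.0.5 now exposes RDP, 10.0.0.6
# closed SMB, and a new host 10.0.0.7 appeared with MS-RPC open.
CURRENT_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -sS -oX current.xml 10.0.0.0/29">
  <host><status state="up"/><address addr="10.0.0.5" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="22"><state state="open"/><service name="ssh"/></port>
      <port protocol="tcp" portid="80"><state state="open"/><service name="http"/></port>
      <port protocol="tcp" portid="3389"><state state="open"/><service name="ms-wbt-server"/></port>
    </ports></host>
  <host><status state="up"/><address addr="10.0.0.6" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="445"><state state="filtered"/><service name="microsoft-ds"/></port>
    </ports></host>
  <host><status state="up"/><address addr="10.0.0.7" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="135"><state state="open"/><service name="msrpc"/></port>
    </ports></host>
</nmaprun>"""

# Services the perimeter firewall blocks from outside, so only an internal
# scan will ever see them (assumed list; tune to local policy).
WATCH_PORTS = {("tcp", 135), ("tcp", 139), ("tcp", 445), ("tcp", 3389)}


def parse_open_ports(xml_text):
    """Map each host that is up to the set of (proto, port, service) it has open."""
    root = ET.fromstring(xml_text)
    hosts = {}
    for host in root.findall("host"):
        status = host.find("status")
        if status is None or status.get("state") != "up":
            continue
        addr = next((a.get("addr") for a in host.findall("address")
                     if a.get("addrtype") in ("ipv4", "ipv6")), None)
        if addr is None:
            continue
        open_ports = set()
        for port in host.iterfind("ports/port"):
            state = port.find("state")
            if state is None or state.get("state") != "open":
                continue  # closed/filtered ports are not exposure
            service = port.find("service")
            name = service.get("name") if service is not None else "unknown"
            open_ports.add((port.get("protocol"), int(port.get("portid")), name))
        hosts[addr] = open_ports
    return hosts


def diff_scans(baseline, current):
    """Return (new_hosts, gone_hosts, opened, closed); opened/closed map ip -> sorted ports."""
    new_hosts = sorted(set(current) - set(baseline))
    gone_hosts = sorted(set(baseline) - set(current))
    opened, closed = {}, {}
    for ip in set(baseline) & set(current):
        if current[ip] - baseline[ip]:
            opened[ip] = sorted(current[ip] - baseline[ip])
        if baseline[ip] - current[ip]:
            closed[ip] = sorted(baseline[ip] - current[ip])
    return new_hosts, gone_hosts, opened, closed


def watchlist_hits(scan):
    """Return sorted (ip, proto, port) for every open port on the watch list."""
    return sorted((ip, proto, port) for ip, ports in scan.items()
                  for proto, port, _ in ports if (proto, port) in WATCH_PORTS)


def summarize(baseline_xml, current_xml):
    """Build the change report as a list of lines, one finding per line."""
    baseline = parse_open_ports(baseline_xml)
    current = parse_open_ports(current_xml)
    new_hosts, gone_hosts, opened, closed = diff_scans(baseline, current)
    lines = [f"hosts up: {len(baseline)} -> {len(current)}"]
    lines += [f"NEW HOST {ip}: {sorted(current[ip])}" for ip in new_hosts]
    lines += [f"HOST GONE {ip}" for ip in gone_hosts]
    lines += [f"OPENED {ip}: {ports}" for ip, ports in sorted(opened.items())]
    lines += [f"CLOSED {ip}: {ports}" for ip, ports in sorted(closed.items())]
    lines += [f"WATCHLIST {ip} {proto}/{port}" for ip, proto, port in watchlist_hits(current)]
    return lines


if __name__ == "__main__":
    print("\n".join(summarize(BASELINE_XML, CURRENT_XML)))
```

Run from cron after each scheduled `nmap -oX` run against the previous report: the counts and the OPENED/NEW HOST/WATCHLIST lines are the kind of month-over-month numbers management can compare with an outside vendor's report, and a port that is "filtered" rather than "open" correctly drops out of the exposure set rather than showing as a false change.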
Current thread:
- Outsourcing security scanning (internal and external) Greg Francis (Oct 07)
- <Possible follow-ups>
- Re: Outsourcing security scanning (internal and external) John Kemp (Oct 07)
- Re: Outsourcing security scanning (internal and external) Sarah Stevens (Oct 07)
- Re: Outsourcing security scanning (internal and external) Greg Francis (Oct 07)
- Re: Outsourcing security scanning (internal and external) Valdis Kletnieks (Oct 07)
- Re: Outsourcing security scanning (internal and external) Valdis Kletnieks (Oct 07)
- Re: Outsourcing security scanning (internal and external) Greg Francis (Oct 08)