Educause Security Discussion mailing list archives
Re: Outsourcing security scanning (internal and external)
From: Valdis Kletnieks <Valdis.Kletnieks () VT EDU>
Date: Fri, 7 Oct 2005 13:07:56 -0400
On Fri, 07 Oct 2005 01:00:39 PDT, Greg Francis said:
> We are currently considering whether or not to outsource penetration testing from off-campus such that testing will be done frequently (monthly?) versus a periodic audit which we have already outsourced in the
Why is it "versus" as opposed to "in addition to"? Both are needed, especially in today's environment.
> past. We're also considering outsourcing the same functionality except on the inside of the firewall.
You *definitely* want "inside the firewall", unless you are *positive* that you have full control over everything that could connect to the network. Otherwise, the first laptop that brings in a worm that uses a vulnerability on a port/service that your firewall blocks will kill you....
> At present, we do some scanning with NMAP and Nessus but there are concerns from management that our efforts are inadequate and our reliability is low. We are making improvements but I question how much we should focus into that area if it's going to be outsourced anyway. Our CIO thinks that outsourcing both tasks may be more cost effective and appease management more.
You need to understand *why* management considers the efforts inadequate. Otherwise, you have no metric to use to decide if the outsourcing does it any better.