Educause Security Discussion mailing list archives

Re: Outsourcing security scanning (internal and external)


From: Valdis Kletnieks <Valdis.Kletnieks () VT EDU>
Date: Fri, 7 Oct 2005 13:07:56 -0400

On Fri, 07 Oct 2005 01:00:39 PDT, Greg Francis said:
> We are currently considering whether or not to outsource penetration
> testing from off-campus such that testing will be done frequently
> (monthly?) versus a periodic audit which we have already outsourced in the

Why is it "versus" as opposed to "in addition to"?

Both are needed, especially in today's environment.

> past. We're also considering outsourcing the same functionality except on
> the inside of the firewall.

You *definitely* want "inside the firewall", unless you are *positive* that
you have full control over everything that could connect to the network.

Otherwise, the first laptop that brings in a worm that uses a vulnerability
on a port/service that your firewall blocks will kill you....

> At present, we do some scanning with NMAP and Nessus but there are
> concerns from management that our efforts are inadequate and our
> reliability is low. We are making improvements but I question how much we
> should focus into that area if it's going to be outsourced anyway. Our CIO
> thinks that outsourcing both tasks may be more cost effective and appease
> management more.

You need to understand *why* management considers the efforts inadequate. Otherwise,
you have no metric to use to decide if the outsourcing does it any better.
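Added example (not from this thread or either poster): the point about the "inside the firewall" scan can be made concrete by diffing an external and an internal nmap grepable-output (-oG) scan of the same hosts. The two scan outputs, host names and addresses below are constructed sample data, not real results; the parser follows the -oG "Host: ... Ports: ..." line format.

```python
# Added example: list services reachable only from inside the firewall by
# comparing two nmap -oG scans of the same hosts. Sample data is constructed.
from __future__ import annotations
import re
from collections import defaultdict

# Constructed -oG output as seen from OUTSIDE the firewall (constructed hosts).
EXTERNAL_SCAN = """\
# Nmap scan initiated (constructed sample, external vantage point)
Host: 192.0.2.10 (www.example.edu)\tPorts: 80/open/tcp//http///, 443/open/tcp//https///\tIgnored State: filtered (998)
Host: 192.0.2.11 (files.example.edu)\tPorts: 22/open/tcp//ssh///\tIgnored State: filtered (999)
"""

# Constructed -oG output for the same hosts from a port INSIDE the firewall.
INTERNAL_SCAN = """\
# Nmap scan initiated (constructed sample, internal vantage point)
Host: 192.0.2.10 (www.example.edu)\tPorts: 80/open/tcp//http///, 443/open/tcp//https///, 3306/open/tcp//mysql///\tIgnored State: closed (997)
Host: 192.0.2.11 (files.example.edu)\tPorts: 22/open/tcp//ssh///, 139/open/tcp//netbios-ssn///, 445/open/tcp//microsoft-ds///\tIgnored State: closed (996)
"""

# One -oG port entry looks like "3306/open/tcp//mysql///"; only 'open' is kept.
PORT_RE = re.compile(r"(\d+)/open/(tcp|udp)//([^/]*)/")


def parse_open_ports(grepable: str) -> dict[str, set[tuple[int, str, str]]]:
    """Map host address -> set of (port, proto, service) reported as open."""
    result: dict[str, set[tuple[int, str, str]]] = defaultdict(set)
    for line in grepable.splitlines():
        if not line.startswith("Host:"):
            continue                      # comments and summary lines
        fields = line.split("\t")
        host = fields[0].split()[1]       # "Host: 192.0.2.10 (name)" -> address
        for field in fields[1:]:
            if field.startswith("Ports:"):
                for port, proto, service in PORT_RE.findall(field):
                    result[host].add((int(port), proto, service))
    return dict(result)


def internal_only(external: str, internal: str) -> dict[str, list[tuple[int, str, str]]]:
    """Services open from inside but invisible from outside: the exposure a
    worm carried in on a laptop would reach, and an external-only scan misses."""
    ext, inn = parse_open_ports(external), parse_open_ports(internal)
    diff = {}
    for host, ports in inn.items():
        extra = sorted(ports - ext.get(host, set()))
        if extra:
            diff[host] = extra
    return diff


if __name__ == "__main__":
    for host, ports in internal_only(EXTERNAL_SCAN, INTERNAL_SCAN).items():
        print(host, ", ".join(f"{p}/{proto} {svc}" for p, proto, svc in ports))
```

The same diff run over successive monthly scans gives the kind of metric the reply asks for: whether the set of internally reachable services actually shrinks over time.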

