Firewall Wizards mailing list archives
Outsourcing firewalls & InfoSec Ops - Part II/II
From: Frank Willoughby <frankw () in net>
Date: Tue, 09 Dec 1997 13:10:16 -0500
(Continued from Part I/II)

IMPLEMENTATION ISSUES - Non-availability of vendor resources

If multiple customers are being managed from one central site & that site (or connections to/from that site) goes down (storm, flood, tornadoes, etc), then, at the very least, the customer won't be notified of any attacks in progress. Worst case, an intruder may be able to penetrate the defenses and create multiple backdoors to the systems and multiple access points to the customer's networks.

IMPLEMENTATION ISSUES - Outsourcing creates jobs

Perhaps for the short term - for the vendor. Sadly, it also gets people fired or laid off who have been performing these functions. Further, outsourcing has a VERY demoralizing effect on a company's infrastructure. This creates a feeling of distrust and animosity of the employees about their employer. This results in a loss of productivity for those individuals who weren't outsourced or "right-sized". Some employees may then feel that they will "get back at their employer" by initiating a preemptive strike or attack. The risks of theft & disclosure of proprietary secrets, sexual harassment lawsuits, and escalated occurrences of security incidents are significantly higher. It's important to remember that the majority of security incidents are from internal sources.

VENDOR LIABILITY ISSUES

Assume for a moment that multiple customers' networks & systems are compromised in a scenario like the one above. What are the vendor's liabilities (legal & otherwise)? One would assume that their contracts are reasonably robust from a legal perspective. Recognizing that I am NOT a lawyer, it is my understanding that the wording of the contract (releasing the vendor from any liabilities) offers little protection *IF* it can be proven that the vendor was negligent or incompetent. In the above scenario, it would probably be fairly easy to prove negligence AND incompetence.
If multiple companies are attacked from the vendor's site (or any common point from the vendor to the multiple companies), this may result in potential legal actions (lawsuits) filed by EACH of the victimized companies. The costs of fighting multiple legal battles at the same time could be very costly (particularly if one of the companies wins the suit and other companies cite this in their own lawsuits against the vendor). Again, this is a what-if scenario which may or may not apply to reality. It is something to ponder, though.

Another thought. In our legal system, where there is no accuser, there is no crime. If the damage to the company were severe enough, the company would not be financially able to bring a suit to trial or able to pay the accrued legal costs. If the company is bankrupt, they can't file a lawsuit (& there is no accuser).

IT'S NOT IN THE VENDOR'S BEST INTERESTS TO LET SOMETHING HAPPEN TO MY COMPANY

Agreed. But having InfoSec Ops outsourced to a vendor significantly increases the probability that something will happen to your company. Further, the financial losses to the customer will almost certainly be much higher than any financial losses that the vendor may have. The vendor's reputation would indeed be damaged if a serious incident happened to your company (assuming you made the incident public). If an incident were to force your company into bankruptcy, how would you hope to recoup your losses?

CUSTOMER REPUTATION LIABILITIES

It is difficult to put a dollar value on the damage to one's reputation.
However, if the damage to the reputation is severe enough, the following results are probable:

o The damage of the reputation results in potential customers being nervous about the company
o This may result in a loss of sales
o The sustained loss of sales may result in a loss of jobs as the company will no longer be able to afford the costs of its own employees
o If severe enough, the company goes bankrupt

CUSTOMER LEGAL LIABILITIES

Some companies have additional legal obligations to protect their internal data. As an example, hospitals, health & life insurance companies, doctors' offices, and medical laboratories are required to protect the patient data. The liabilities for these companies could be substantial if external entities could access medical health records (sexually transmitted diseases, catastrophic illnesses, etc). This information could be used to blackmail people, or to destroy people's lives.

I know of one company that used to FTP patient data from a southern state to the corporate headquarters - across the Internet. The same company recently had an advertisement postcard which potential customers would fill out & send to the company. This might have been harmless, except that the postcard requested that potential customers provide their Date of Birth, and Social Security Numbers. Some people never learn.

"BUT WE TRUST THE VENDOR..."

When I managed the Nationwide InfoSec Ops for Digital Equipment's subsidiary in Germany, I learned that "Vertrauen ist Gut, Kontrolle ist Besser". IOW, Trust is good, but control is better. The company outsourcing security is placing their company completely in the hands of the vendor. If someone who works for the vendor happens to also work for a competitor, organized crime, or a foreign gov't, or the company gets hacked... Even if there is trust between two parties, there is the old adage of Management: "You can delegate authority, not responsibility".
Outsourcing will not relieve someone of their responsibilities in providing adequate security for their company. If someone is going to put their job on the line (by outsourcing), wouldn't it be better to maintain control themselves so that they can take active measures to protect their job? I suspect that the only thing worse than being fired is being fired for something you didn't do.

The old adage "Out of sight, out of mind" also applies. If InfoSec Ops are outsourced, the company may get complacent and forget what their responsibilities are. Each entity thinks that the other entity is taking care of InfoSec, ... until something happens.

"BUT THE COMPANY CAN PROVIDE US WITH AN ACCURATE REPORT OF POLICY COMPLIANCE WHICH IS FREE FROM INTERNAL PRESSURES"

Or they may tell the customer what they think the customer may want to hear. Will the outsourcing vendor admit that a hacker just took out their client (while the vendor was supposed to be managing their security)? I doubt it. The lack of notification by the vendor could cause the customer to not take certain actions in a timely manner. Overall this may be even more damaging to the customer than if the customer was immediately aware of the break-in.

Independent verification of the implementation of security (such as an audit) is a good thing (as in the case of an audit of a company by an outside vendor). However, this is just a (1x or 2x/year) snapshot in time of the company's security. What if the compliance happens to look good when they are being audited (or the reverse)? This is completely different than managing the day-to-day infosec operations of the company. While the snapshot may give some pointers as to what the problems are, I found it particularly useful to monitor the compliance on a daily basis & then plot the trends.
If a Cost Center starts to drift away from compliance, the support (or pressure) can be brought to bear to resolve the problem & the compliance then returns to its expected high level.

RISKS vs REWARDS (PROFIT)

Business is a matter of risks vs rewards. IMO, when one weighs the potential liabilities & the setup & fixed costs in performing remote security management against the potential profit, I hardly think that the rewards outweigh the risks. YMMV.

FWIW, I suspect that the vendor's managers who are making these strategic decisions probably aren't fully aware of the ramifications of their actions (what they may be getting themselves & their company into).

We have received frequent requests to manage the security of our customers' firewalls. The answer has always been a resounding NO. It's not in our best interests, nor is it in our customer's best interests. We'll "teach them correct principles and let them govern themselves". This is a business decision that I made for Fortified Networks. YMMV.

IT IS LIKELY THAT INFOSEC MAY BE OUTSOURCED - JUST LIKE OTHER SERVICES

This is quite possible. Although I don't like it, people will probably still do it regardless of anything I may say. However, just because something is popular doesn't make it right. Conversely, just because one is doing the right thing won't necessarily make one popular. YMMV. 8^)

FWIW, I've been harping on the (lack of) wisdom of using JIT (Just In Time) manufacturing techniques for a while. Some people started to rethink the value of JIT when the UPS strike happened. Sadly, people will probably only begin to seriously look at the pros & cons of outsourcing InfoSec Ops after a serious incident has occurred.

WHAT'S THE DIFFERENCE BETWEEN REMOTE MANAGEMENT OF INFOSEC OPS & THE REMOTE MANAGEMENT OF ALARMS (LIKE HONEYWELL & ADT)?

People who are remotely managing alarms can't use their connection to get at your personal or proprietary data, trade secrets, etc.
This capability *is* possible when someone is remotely managing the InfoSec Ops of a company.

We can only advise people what they should & shouldn't do. People have to decide for themselves whether they will or won't take this advice. Regardless of what they decide, they will have to live with the consequences of their decision - for better or worse. "We are free to choose our actions, but not the consequences of those actions."

In closing, I would like to suggest that companies *not* outsource InfoSec Ops. I don't think this is particularly prudent for the customer or for the vendor.

(c) 1997 Fortified Networks, Inc.
The opinions of the author of this mail may not necessarily be representative of the opinions of Fortified Networks, Inc.

Fortified Networks, Inc. - http://www.fortified.com/
Expert (vendor-neutral) Computer and Network Security Solutions
Phone: (317) 573-0800 Fax: (317) 573-0817