Firewall Wizards mailing list archives

Outsourcing firewalls & InfoSec Ops - Part II/II


From: Frank Willoughby <frankw () in net>
Date: Tue, 09 Dec 1997 13:10:16 -0500

(Continued from Part I/II)


IMPLEMENTATION ISSUES - Non-availability of vendor resources
If multiple customers are being managed from one central
site & that site (or connections to/from that site) goes 
down (storm, flood, tornadoes, etc), then, at the very least,
the customer won't be notified of any attacks in progress.
Worst case, an intruder may be able to penetrate the defenses
and create multiple backdoors to the systems and multiple
access points to the customer's networks.


IMPLEMENTATION ISSUES - Outsourcing creates jobs
Perhaps for the short term - for the vendor.  Sadly, it also gets
people fired or laid off who have been performing these functions.
Further, outsourcing has a VERY demoralizing effect on a company's
infrastructure.  This creates a feeling of distrust and animosity
among the employees toward their employer.  This results in a loss of
productivity for those individuals who weren't outsourced or 
"right-sized".  Some employees may then feel that they will "get
back at their employer" by initiating a preemptive strike or 
attack.  The risks of theft & disclosure of proprietary secrets, 
sexual harassment lawsuits, and escalated occurrences of 
security incidents are significantly higher.  It's important to 
remember that the majority of security incidents are from internal 
sources.


VENDOR LIABILITY ISSUES
Assume for a moment that multiple customers' networks & systems
are compromised in a scenario like the one above.  What are the 
vendor's liabilities (legal & otherwise)?  

One would assume that their contracts are reasonably robust from 
a legal perspective.  Recognizing that I am NOT a lawyer, it is 
my understanding that the wording of the contract (releasing the 
vendor from any liabilities) offers little protection *IF* it can 
be proven that the vendor was negligent or incompetent.  In the 
above scenario, it would probably be fairly easy to prove negligence 
AND incompetence.  

If multiple companies are attacked from the vendor's site (or any 
common point from the vendor to the multiple companies), this may
result in potential legal actions (lawsuits) filed by EACH of the
victimized companies.  The costs of fighting multiple legal battles 
at the same time could be very costly (particularly if one of the 
companies wins the suit and other companies cite this in their own 
lawsuits against the vendor).  Again, this is a what-if scenario 
which may or may not apply to reality.  It is something to ponder, 
though.

Another thought.  In our legal system, where there is no accuser,
there is no crime.  If the damage to the company were severe enough,
the company would not be financially able to bring a suit to trial
or able to pay the accrued legal costs.  If the company is bankrupt,
they can't file a lawsuit (& there is no accuser).


IT'S NOT IN THE VENDOR'S BEST INTERESTS TO LET SOMETHING HAPPEN 
TO MY COMPANY
Agreed.  But having InfoSec Ops outsourced to a vendor significantly 
increases the probability that something will happen to your company.
Further, the financial losses to the customer will almost certainly 
be much higher than any financial losses that the vendor may have.
The vendor's reputation would indeed be damaged if a serious incident
happened to your company (assuming you made the incident public).  If
an incident were to force your company into bankruptcy, how would you
hope to recoup your losses?


CUSTOMER REPUTATION LIABILITIES
It is difficult to put a dollar value on the damage to one's 
reputation.  However, if the damage to the reputation is 
severe enough, the following results are probable:
o The damage to the reputation results in potential customers being 
   nervous about the company
o This may result in a loss of sales
o The sustained loss of sales may result in a loss of jobs as the company
   will no longer be able to afford the costs of its own employees
o If severe enough, the company goes bankrupt


CUSTOMER LEGAL LIABILITIES
Some companies have additional legal obligations to protect their 
internal data.  As an example, hospitals, health & life insurance 
companies, doctor's offices, and medical laboratories are required 
to protect the patient data.  The liabilities for these companies 
could be substantial if external entities could access medical 
health records (sexually transmitted diseases, catastrophic 
illnesses, etc).  This information could be used to blackmail 
people, or to destroy people's lives.  

I know of one company that used to FTP patient data from a 
southern state to the corporate headquarters - across the 
Internet.  The same company recently had an advertisement 
postcard which potential customers would fill out & send 
to the company.  This might have been harmless, except 
that the postcard requested that potential customers 
provide their Date of Birth, and Social Security Numbers.
Some people never learn.


"BUT WE TRUST THE VENDOR..."
When I managed the Nationwide InfoSec Ops for Digital Equipment's
subsidiary in Germany, I learned that "Vertrauen ist Gut, Kontrolle 
ist Besser".  IOW, Trust is good, but control is better.  The 
company outsourcing security is placing their company completely 
in the hands of the vendor.  If someone who works for the vendor 
happens to also work for a competitor, organized crime, or a 
foreign gov't, or the company gets hacked...

Even if there is trust between two parties, there is the old adage 
of Management: "You can delegate authority, not responsibility".  
Outsourcing will not relieve someone of their responsibilities in 
providing adequate security for their company.  If someone is going 
to put their job on the line (by outsourcing), wouldn't it be better 
to maintain control themselves so that they can take active measures 
to protect their job?  I suspect that the only thing worse than being 
fired is being fired for something you didn't do.  The old adage
"Out of sight, out of mind" also applies.  If InfoSec Ops are outsourced,
the company may get complacent and forget what their responsibilities
are.  Each entity thinks that the other entity is taking care of InfoSec,
... until something happens. 
 

"BUT THE COMPANY CAN PROVIDE US WITH AN ACCURATE REPORT OF POLICY 
COMPLIANCE WHICH IS FREE FROM INTERNAL PRESSURES"
Or they may tell the customer what they think the customer may want 
to hear.  Will the outsourcing vendor admit that a hacker just took 
out their client (while the vendor was supposed to be managing their 
security)?  I doubt it.  The lack of notification by the vendor could 
cause the customer to not take certain actions in a timely manner.  
Overall this may be even more damaging to the customer than if the 
customer were immediately aware of the break-in.

Independent verification of the implementation of security (such
as an audit) is a good thing (as in the case of an audit of a 
company by an outside vendor).  However, this is just a (1x or 
2x/year) snapshot in time of the company's security.  What if the 
compliance happens to look good when they are being audited (or 
the reverse)?  This is completely different than managing the 
day-to-day infosec operations of the company.  While the snapshot 
may give some pointers as to what the problems are, I found it 
particularly useful to monitor the compliance on a daily basis & 
then plot the trends.  If a Cost Center starts to drift away from 
compliance, the support (or pressure) can be brought to bear to 
resolve the problem & the compliance then returns to its expected 
high level.


RISKS vs REWARDS (PROFIT)
Business is a matter of risks vs rewards.  IMO, when one weighs 
the potential liabilities & the setup & fixed costs in performing 
remote security management against the potential profit, I hardly 
think that the rewards outweigh the risks.  YMMV.  FWIW, I suspect 
that the vendor's managers who are making these strategic decisions 
probably aren't fully aware of the ramifications of their actions 
(what they may be getting themselves & their company into).

We have received frequent requests to manage the security of our 
customers' firewalls.  The answer has always been a resounding NO.  
It's not in our best interests, nor is it in our customers' best 
interests.  We'll "teach them correct principles and let them govern 
themselves".  This is a business decision that I made for Fortified 
Networks.  YMMV.


IT IS LIKELY THAT INFOSEC MAY BE OUTSOURCED - JUST LIKE OTHER SERVICES 
This is quite possible, although I don't like it, & people will probably 
still do it regardless of anything I may say.  However, just because 
something is popular doesn't make it right.  Conversely, just because 
one is doing the right thing, won't necessarily make one popular.  YMMV.  8^)

FWIW, I've been harping on the (lack of) wisdom of using JIT (Just In 
Time) manufacturing techniques for a while.  Some people started to 
rethink the value of JIT when the UPS strike happened.  Sadly, people
will probably only begin to seriously look at the pros & cons of 
outsourcing InfoSec Ops after a serious incident has occurred.


WHAT'S THE DIFFERENCE BETWEEN REMOTE MANAGEMENT OF INFOSEC OPS &
THE REMOTE MANAGEMENT OF ALARMS (LIKE HONEYWELL & ADT)?
People who are remotely managing alarms can't use their connection
to get at your personal or proprietary data, trade secrets, etc.
This capability *is* possible when someone is remotely managing 
the InfoSec Ops of a company.

We can only advise people what they should & shouldn't do.  People 
have to decide for themselves whether they will or won't take this 
advice.  Regardless of what they decide, they will have to live with 
the consequences of their decision - for better or worse.  "We are 
free to choose our actions, but not the consequences of those actions."

In closing, I would like to suggest that companies *not* outsource
InfoSec Ops.  I don't think this is particularly prudent for the 
customer or for the vendor.

(c) 1997 Fortified Networks, Inc.

The opinions of the author of this mail may not necessarily be 
representative of the opinions of Fortified Networks, Inc.

Fortified Networks, Inc. - http://www.fortified.com/
Expert (vendor-neutral) Computer and Network Security Solutions
Phone: (317) 573-0800     Fax: (317) 573-0817