Information Security News mailing list archives

Unguarded moments - why cyber security is on the rise


From: InfoSec News <isn () c4i org>
Date: Tue, 24 Sep 2002 01:20:27 -0500 (CDT)

http://www.theage.com.au/articles/2002/09/24/1032734104214.html

By Kim Zetter
September 24 2002

The spike in computer crime in the past two years has been matched by
a parallel spike in the number of security consultants and companies
popping up to relieve organisations of their worries and their
budgets.

With promises to plug holes, monitor traffic and chase down criminals,
Managed Security Services can appeal to IT departments too taxed with
administration to maintain security and to companies too small to hire
specialist staff.

Knowing what to do yourself - and what to contract out and to whom -
is a common difficulty.

The advantages of outsourcing are many. It's less expensive to pay a
fee for expert services than to hire and train dedicated staff.  
Security providers are aware of the latest vulnerabilities, patches
and products. And if they're monitoring your traffic full-time, they
can respond to attacks in progress rather than a day or week later
when your regular administrators get around to analysing the network
logs.

What's more, MSS providers have more experience in responding to
attacks against your system since they are more likely to have seen
similar attacks on others.

But not all offer the same services or quality and not all are
financially stable.

According to industry researchers at Giga Information Group, there are
more than 80 MSS providers in the United States operating nationally -
down from 125 last year - a figure that analysts expect to drop to 60.
So you should choose wisely in case your security provider goes
belly-up.

When it comes to picking a provider, the managed security label can be
misleading since it encompasses a variety of services, from one-time
vulnerability assessments to 24-hour network monitoring.

Some companies that call themselves MSS providers are actually only
product resellers.

Steve Hunt, a research analyst with Giga, says there are six
categories of MSS:

* On-site consulting to develop a security plan and infrastructure.

* Vulnerability testing.

* Product sales of security hardware and software.

* Remote perimeter management, which involves installing, configuring
  and managing a virtual private network.

* Network monitoring, a 24x7 service to watch network traffic for
  suspicious activity and intrusions.

* Compliance monitoring to ensure employees comply with company
  policies.

Some providers offer a single service, others a smorgasbord. Costs can
range from $US250 ($A474) a day for consulting to $US12,000 a month
for network monitoring.

Small Sydney provider Kyberguard, for instance, has 50 clients
including Nippon Telephone and Telegraph and international engineering
group Montgomery Watson Harza.

It charges $250 a month for small companies, which includes the cost
and installation of a firewall and IDS hardware as well as 24-hour
monitoring of perimeter activity. For companies with 100 to 150
employees it charges $950 a month for hardware and monitoring of
internal-external traffic. It also installs and configures VPNs.

Canberra-based 90East, which has offices around the country, charges
$7000 to $10,000 a month for network monitoring. It also offers server
hosting and VPN services.

The company is new to the commercial market after securing government
systems for several years. The founders were government contractors
who built a complex firewall system for federal agencies, then formed
90East when the government decided to outsource security.

Their clients include 35 federal departments, state governments and
legal firm Minter Ellison.

The company recently acquired Application Service Provider Peakhour.

Giga's Steve Hunt says that before choosing any MSS, you should assess
your business risks and needs to decide what you can do in-house and
what you should outsource. But no company should hand over all
security to an outsider.

Greg Nelson, information security manager for chip maker Advanced
Micro Devices, says companies should retain control of security
management.

"You can outsource specific tasks but you can't outsource
responsibility for the security of your company," he says.

Bruce Schneier, founder of United States network monitoring service
Counterpane, recommends outsourcing labour-intensive tasks such as
vulnerability assessment, network monitoring, consulting and
forensics.

Schneier says companies cannot effectively monitor their own networks.

"Security monitoring is inherently erratic: six weeks of boredom
followed by eight hours of panic," Schneier says. "Attacks against a
single organisation don't happen often enough to keep (staff) engaged
and interested.

"The choice is not outsourcing or doing it yourself. Goldman Sachs can
do it themselves. But nobody else can."

AMD, which has 14,000 employees worldwide but only three security
staff in the US, hired Counterpane after trying unsuccessfully to
track more than 100 Internet servers.

"We were always a day behind in analysing results and we could never
catch anything as it was happening," AMD's Nelson says.

Counterpane monitors AMD's systems around the clock, while another
undisclosed company runs penetration tests twice a month. Nelson says
the decision was also an economic one.

Counterpane charges about $US12,000 a month, as opposed to the
$100,000 to $200,000 a month it would cost most companies to hire five
or six specially trained employees to monitor their systems around the
clock.

AMD at least recognised the need to monitor their networks. But
according to Tim Cranny, senior consulting engineer with 90East, many
companies do not even make the attempt.

"You'd be astonished at the number of companies that have an
intrusion-detection system or firewall but no one watching them," he
says.

Although it might be tempting to hire an all-in-one MSS for your
needs, Counterpane's Schneier says you should avoid companies that
have a conflict of interest, such as those that sell products and
offer to manage them or those that offer device management plus
monitoring.

If the monitoring staff discover an intrusion into a system that the
device-management team should have secured, they're likely to fix it
quietly without telling you about the mistake. Companies that sell
products and do vulnerability assessments also have an obvious
interest in finding problems their products will solve.

He believes it is better to hire a company that does one thing well
and to hire others for separate tasks.

Giga's Hunt says that penetration tests can sometimes be useless as
they can be used to get an organisation to sign on for other services
or by IT departments to justify larger budgets.

"And all the reports say the same thing," Hunt says. "You have crappy
passwords, you have open ports, your operating system lacks the latest
patches."

Hunt says before authorising a test you should shore up your network
with basic steps such as secure passwords and closed ports and then
test only to find serious problems you would have missed on your own.

In the end, the best providers are leaders in their field and have a
good history behind them. Hunt suggests talking to other companies
with security needs similar to yours and asking analysts for solid
security consultants and companies that will be around for a while.

Before hiring Counterpane, Nelson narrowed AMD's choices to five
companies but by the time they came to make a final decision three of
them were already out of business.




-
ISN is currently hosted by Attrition.org
