Define the engagement
By John Moore | Posted 2007-03-09
An outside consultant can bring fresh insights on a company's security practices. Make sure you establish ground rules first.
A well-defined project scope ranks as one of the primary success factors in a security assessment. Vendor and customer need a common understanding of what specific networks, subnetworks and applications are to be covered in an audit. Problems occur when a vulnerability surfaces after an assessment, and the parties argue over whether the affected component was within the project's scope.
"The first step, and most important step, is the scoping of the audit," the SANS Institute's Ullrich says.
In this phase, which usually precedes contract negotiations, the customer and vendor meet to discuss the specifics of the investigation. The Bank of New York, for example, holds a scoping meeting for each application a vendor plans to assess.
Scoping, Guerrino says, is important in the case of multi-tiered applications, which may have Web server, application server and database server components, among other elements. Because components exchange data, failure to address one part of the application could result in overlooked vulnerabilities.
"There might be a relationship between a server under scope with a server outside of the scope that has tons of vulnerabilities," says Alberto Soliño, director of security consulting services at Core Security. Some customers may be tempted to narrow the scope of an audit due to budgetary constraints, he adds.
EDS' Morrow, however, emphasizes keeping the assessment on a reasonable scale. "You want to scope it such that it is doable," he says. "You don't want to try to boil the ocean."
Organizations can document their networks, for example, and produce detailed diagrams showing the location of hubs, switches, routers, servers and other devices. "If you can provide accurate network maps, that is very helpful to streamline the scope," Ullrich says.
A statement of work, which generally governs a security assessment project, is a contractual document that sets forth the scope of the work and project deliverables. In short, it defines what specific networks and applications will be tested, and what types of information will be included in the consultant's report.
Ron Lepofsky, chief executive officer of ERE Information Security Auditors, says his company's statements of work provide such service-level agreement details. For example, a sample statement of work provided by the company specifies that a security audit of wireless access points will be performed "from the hallways on floors 2, 3, 4, 7 and 8, plus the lobby."
An assessment contract may also include a proviso intended to get the vendor off the hook should something go awry. Some assessments call for a penetration test, which seeks to exploit vulnerabilities as opposed to documenting their existence. This test may target a customer's network or a specific application. A penetration test can crash a server or bring down a network, Morrow explains; the contract thus may include a disclaimer stating, in effect, "If I knock over a server, you won't sue me."
In How to Cheat at Managing Information Security (Syngress Publishing, 2006), author Mark Osborne agrees it's fair to protect the tester from damages resulting from legitimate testing. "However, if the tester shows incompetence or deviates from the scope, he should be fully liable for resulting direct and indirect loss," he advises.
The scoping/statement of work process also involves a discussion of pricing, project duration and the number of consultants to be involved. A typical assessment takes three to five days of on-site work and is conducted by one or two consultants, says Cybertrust's Mack. ERE's on-site presence can range from one day to two weeks and involve one to three consultants, according to Lepofsky.
Mack says a security assessment may go from $20,000 to $25,000. This price doesn't include penetration testing, which varies according to the size and complexity of the network and can run as high as $100,000.
Because of the cost and time commitment, assessments are generally a yearly event. Mack suggests that on-site assessments be performed annually; penetration tests, she says, should be done yearly or after a major change in the network. Vulnerability scans should be done at least once a quarter, but monthly scans are more desirable, she adds.