How To Engage a Security Services Firm

By John Moore  |  Posted 2007-03-09

An enterprise aiming for airtight information security typically establishes data protection policies, installs layers of technology insulation and trains employees to be on guard.

But even an organization sophisticated in the ways of security may bring in an outsider to review its measures. Specialized consultants perform assessments that aim to identify weaknesses in customers' security approaches. In some cases, industry regulations may require these third-party assessments, sometimes referred to as security audits. In other cases, I.T. managers just want another pair of eyes to check the company's security posture.

"Nobody is good at finding their own typos," says Johannes Ullrich, chief research officer at the Bethesda, Md.-based SANS Institute, which provides information security training and teaches security auditing. "It's the same thing with network design and writing code. You expect it to work in certain ways, and you may not find the holes in-house."

Gartner predicts that the North American security consulting market will reach $3.39 billion in 2010, up from $2.56 billion in 2006. The research firm pegs the market's compound annual growth rate at 7.5%.

"A significant driver for network, host and application assessments, vulnerability scanning, [penetration] testing and audits is regulatory compliance," says Kelly Kavanagh, Gartner's lead analyst on security services.

When hiring a security services firm, enterprises must exercise considerable due diligence and carefully define the scope of the project, according to security managers and industry experts who recommend the following four steps for picking and working with security services firms.


Use caution when choosing a firm

When it's time to evaluate vendors, the most fundamental attribute is integrity. After all, the company hired to perform the assessment will be gaining keen insights into an organization's security mechanisms.

"First and foremost, are they reputable?" asks Dave Morrow, chief security and privacy officer at Electronic Data Systems, which occasionally hires outsiders to perform penetration tests, security assessments and vendor-specific technical consulting and also serves as a security adviser to customers. "You want to make sure whoever it is, is totally trustworthy."

To determine a vendor's trustworthiness, check its customer references and track record. Obtaining references can be tough, however, because assessment customers may be guarded about disclosing security issues. But ultimately, I.T. peer networks drive much of the business. A technology manager may ask his or her counterpart at a business partner for the name of a reputable security auditor.

The ADP/SIS division of Automatic Data Processing's Brokerage Services Group based its decision to hire BSI Americas, in part, on the word of another consultant retained to advise ADP/SIS on a security certification project, says Lisa Carpenter, lead information security specialist at ADP/SIS.

BSI Americas, based in Reston, Va., is a testing and certification firm that offers security assessment services. Carpenter's past experience also played a role: She had previously worked in the aerospace industry, in which a number of firms use BSI.

"A lot of the audit work we get is through word-of-mouth and recommendations," adds Jennifer Mack, product management director at Cybertrust, an information security firm in Herndon, Va.

A buyer should consider whether the vendor has experience within its industry and has dealt with customers with a similarly sized technical infrastructure. "Match the size of your network and industry to the kind of consultant you hire," SANS' Ullrich advises.

Industry alignment is important because some sectors have specialized auditing requirements. That's the case for the Payment Card Industry Security Standards Council's data security standard, which establishes guidelines for retailers' handling of credit card data. Among other things, the standard calls for the transmission of card-holder data across public networks using encryption techniques such as Secure Sockets Layer and Point-to-Point Tunneling Protocol.

Another important factor: the vendor's deliverables. The report that emerges as the end product of a security assessment can range from sketchy to highly detailed.

"We look at the quality of the report they actually give you," says Eric Guerrino, head of information security at the Bank of New York. "Some vendors will provide you a report of findings—we tested the application using these methods and found these issues. Other vendors will actually highlight where in the code they detected the issue, and go a step further and recommend how the application team should resolve that issue."

Customers may request a sample report to get a sense of what the deliverable will look like beforehand. Jeff Cassidy, vice president of business development at Core Security, a Boston-based company that provides penetration testing tools and services, says most requests for proposals he receives call for vendors to provide an example of what the deliverable will look like. A vendor might include a sample report on a fictitious company to give customers a flavor for what the report will entail. Or the vendor might offer an outline with subject headings describing the main parts of the report.

A sample report from ERE Information Security Auditors, a Toronto security auditing firm, includes an executive summary, risk assessment and cost justification, project scope, and findings and recommendations. The report also has a task list based on a client's vulnerabilities.

According to Cassidy, customers consider these report examples "a pretty important piece of the evaluation process."

Define the engagement

A well-defined project scope ranks as one of the primary success factors in a security assessment. Vendor and customer need a common understanding of what specific networks, subnetworks and applications are to be covered in an audit. Problems occur when a vulnerability surfaces after an assessment, and the parties argue over whether the affected component was within the project's scope.

"The first step, and most important step, is the scoping of the audit," the SANS Institute's Ullrich says.

In this phase, which usually precedes contract negotiations, the customer and vendor meet to discuss the specifics of the investigation. The Bank of New York, for example, holds a scoping meeting for each application a vendor plans to assess.

Scoping, Guerrino says, is important in the case of multi-tiered applications, which may have Web server, application server and database server components, among other elements. Because components exchange data, failure to address one part of the application could result in overlooked vulnerabilities.

"There might be a relationship between a server under scope with a server outside of the scope that has tons of vulnerabilities," says Alberto Soliño, director of security consulting services at Core Security. Some customers may be tempted to narrow the scope of an audit due to budgetary constraints, he adds.

EDS' Morrow, however, emphasizes keeping the assessment on a reasonable scale. "You want to scope it such that it is doable," he says. "You don't want to try to boil the ocean."

Organizations can document their networks, for example, and produce detailed diagrams showing the location of hubs, switches, routers, servers and other devices. "If you can provide accurate network maps … that is very helpful to streamline the scope," Ullrich says.

A statement of work, which generally governs a security assessment project, is a contractual document that sets forth the scope of the work and project deliverables. In short, it defines what specific networks and applications will be tested, and what types of information will be included in the consultant's report.

Ron Lepofsky, chief executive officer of ERE Information Security Auditors, says his company's statements of work provide such service-level agreement details. For example, a sample statement of work provided by the company specifies that a security audit of wireless access points will be performed "from the hallways on floors 2, 3, 4, 7 and 8, plus the lobby."

An assessment contract may also include a proviso intended to get the vendor off the hook should something go awry. Some assessments call for a penetration test, which seeks to exploit vulnerabilities as opposed to documenting their existence. This test may target a customer's network or a specific application. A penetration test can crash a server or bring down a network, Morrow explains; the contract thus may include a disclaimer stating, in effect, "If I knock over a server, you won't sue me."

In How to Cheat at Managing Information Security (Syngress Publishing, 2006), author Mark Osborne agrees it's fair to protect the tester from damages resulting from legitimate testing. "However, if the tester shows incompetence or deviates from the scope, he should be fully liable for resulting direct and indirect loss," he advises.

The scoping/statement of work process also involves a discussion of pricing, project duration and the number of consultants to be involved. A typical assessment takes three to five days of on-site work and is conducted by one or two consultants, says Cybertrust's Mack. ERE's on-site presence can range from one day to two weeks and involve one to three consultants, according to Lepofsky.

Mack says a security assessment may go from $20,000 to $25,000. This price doesn't include penetration testing, which varies according to the size and complexity of the network and can run as high as $100,000.

Because of the cost and time commitment, assessments are generally a yearly event. Mack suggests that on-site assessments be performed annually; penetration tests, she says, should be done yearly or after a major change in the network. Vulnerability scans should be done at least once a quarter, but monthly scans are more desirable, she adds.

Follow the assessment process

Security assessments take various forms; the type of assessment performed will dictate the steps involved.

Some assessments aim to measure an organization's security posture against a particular baseline. Such efforts generally hew to a security standard. The International Standards Organization's ISO 17799 standard, for example, is widely used as an information security benchmark. An associated standard, ISO 27001, provides a higher degree of technical specificity compared with ISO 17799, according to Lepofsky.

An outside firm conducting an ISO standard audit will arrive with a checklist that covers a wide range of security practices. An ISO 17799 checklist developed by SANS includes basic queries—does your company have a security policy?—and more technical questions—does your company use a firewall to segregate its network?

Morrow says his company has seen more clients referencing the ISO standards, as well as other standards, "as something they want to use as a security benchmark when choosing an outsourcing vendor." The American Institute of Certified Public Accountants' Statement on Auditing Standards (SAS) No. 70, Service Organizations, also applies to companies in the outsourcing field such as EDS. "We commonly use SAS 70 audits as a mechanism to efficiently allow our client's auditors to assess our safeguards and policies," Morrow says.

From there, the consultant's auditors conduct I.T. staff interviews as they work down the checklist of security practices. An assessment can begin and end with the list, but Ullrich says this approach falls short.

"One way to tell a good auditor is that they go into the network and verify that certain things are true," he says. "You really want them to get their hands dirty."

In that regard, the consultant who performs the audit can run a vulnerability scan using commercial or open-source vulnerability management software. Vulnerability scanning tools are designed to discover the devices attached to the network and identify security gaps based on a database of known vulnerabilities.

Instead of merely ticking the firewall box, for instance, an auditor can run a scan to see if the firewall is configured properly. A scan might also flag an operating system on a server that lacks a current security patch.

Moving up a notch from vulnerability scanning, a security audit may include penetration testing. Guerrino says the Bank of New York runs general network penetration tests, but also hires firms to conduct tests that focus on specific applications. He describes the latter tests as "ethical hacking." Consultants performing the hack are given access to the corporate application. The purpose of the hack is to see if a tester, posing as an authorized user, can break into an application and then execute transactions or access information without proper authorization.

This practice, for example, can be used to test whether an application follows the principle of input validation, which restricts users accessing an application to predefined input field values. An online ordering system, for example, may only accept a certain number of digits in the credit-card entry field. Without this measure, an intruder may be able to enter malicious code in the input field.

"An ethical hack will pass unexpected data to the application to see how it reacts," Guerrino says. The tester can see how the application behaves "when it gets something it is not anticipating," he adds.
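As an added illustration (not code from the article or from any firm it names), this is how a server-side allowlist for the credit-card entry field described above might be written and then exercised with the kind of unexpected data an ethical hack submits; the probe values are constructed and the field limits are assumptions.

```python
"""Allowlist validation for a credit-card entry field, exercised with unexpected input.

Constructed example: the probe values below are made up to stand in for the
"unexpected data" a tester passes to a form; none of them is a real card.
"""
import re

# Allowlist: 13-19 digits (assumed acceptable PAN lengths) once separators are removed.
_CARD_RE = re.compile(r"^[0-9]{13,19}$")
_SEPARATORS = str.maketrans("", "", " -")   # spaces and dashes between digit groups


def luhn_check(digits: str) -> bool:
    """Luhn mod-10 checksum used by payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def validate_card_field(raw) -> tuple:
    """Return (accepted, reason). Only values on the allowlist are accepted;
    anything else is rejected before it reaches business logic or a database."""
    if not isinstance(raw, str):
        return False, "not a string"
    if len(raw) > 32:                           # hard cap before any further parsing
        return False, "input too long"
    digits = raw.translate(_SEPARATORS)
    if not _CARD_RE.fullmatch(digits):          # rejects letters, quotes, markup, wrong length
        return False, "not 13-19 digits"
    if not luhn_check(digits):
        return False, "checksum failed"
    return True, "ok"


# Constructed probes: the verdict each one should receive from the validator.
PROBES = {
    "4111 1111 1111 1111": True,        # widely used test number that passes Luhn
    "4111111111111112": False,          # one digit off: checksum failure
    "12345": False,                     # too short
    "4" * 40: False,                    # oversized value is cut off before parsing
    "4111111111111111'": False,         # stray quote: not on the allowlist
    "<b>4111111111111111</b>": False,   # markup never reaches the application
    "": False,
}


def all_probes_behave_as_expected() -> bool:
    """True when every probe gets the verdict recorded in PROBES."""
    return all(validate_card_field(p)[0] == want for p, want in PROBES.items())
```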

Each security issue that turns up during an assessment is tracked in a database and then reviewed with application developers to gauge the level of risk, potential impact of a breach and the likelihood that a vulnerability can be remotely exploited, Guerrino says. "Once the level of risk is identified, we work with the application developers to ensure they remediate findings in a timely manner," he explains.

Vulnerability scans, penetration tests and ethical hacking may follow the checklist phase of an audit. They can also be performed independently of each other. While organizations may hire outsiders to conduct the various tests, some opt to conduct them using internal resources.

"We have pretty much taken everything in-house now," says Mark Odiorne, chief information security officer at Scottish Re, a life reinsurance company. He says the in-house approach lets the company schedule penetration tests as needed (see "Taking Charge" next).


Translate reports into action items

The external security assessment culminates with the consultant's report, which in some cases takes the form of two reports.

A preliminary report, ideally, lists the networks and systems examined, the techniques used in testing, the vulnerabilities encountered and suggestions for remediation. This report becomes the basis for setting remediation priorities. Anywhere from a handful to dozens of vulnerabilities may be uncovered. Consultant and customer work together to determine the order in which lapses will be addressed. "Prioritization is where the real work happens," Ullrich says.

Indeed, the parties may need to reconcile their interpretations of the findings. What a consultant deems a security issue may be a risk the customer is willing to take.

EDS' Morrow says a company may have a solid business reason for not complying with a certain security standard. In the outsourcing business, for instance, a customer may require a vendor to host an application on an older operating system that fails to address the latest security benchmark.

Morrow suggests that close communication between consultant and customer can identify such issues so the auditor doesn't spend time pursuing a dead end. He says auditors should "keep in constant contact" with customers and, if a reason exists for a particular case of noncompliance, "note it and move on."

Once priorities are hammered out, Cybertrust's Mack recommends that customers develop a "mini project plan" to address each vulnerability. In a Payment Card Industry audit, this approach lets customers demonstrate to credit card companies which compliance problems are being addressed and within what time frames. "This gives them a leg to stand on … to show they are actively pursuing compliance," Mack says.

After the customer completes the remediation phase, the consultant may be brought back in for a final assessment. This audit verifies that changes have been made and leads to a second report, the final version, which documents the testing of remediated systems.

Who’s Who in Security Services
Big Four auditors: Offer information-technology security reviews, drawing on their background in auditing and management advisory services. Firms: Deloitte & Touche, Ernst & Young, KPMG, PricewaterhouseCoopers

Systems integrators: A number of integrators operate security consulting practices or embed security within broader service lines. Firms: Accenture, BearingPoint, Computer Sciences Corp., Electronic Data Systems, IBM

Security/risk consultants: Offer security consulting services including computer forensics. Firms: Kroll, Protiviti

Security product vendors: May offer services ranging from penetration testing to security posture assessment. Firms: Cenzic, Core Security, RSA Security

Managed security services providers: Remotely manage security devices such as firewalls and intrusion detection systems, but may also offer security assessments. Firms: AT&T, BT Counterpane, CyberTrust, SecureOps, SecureWorks, Symantec, Vanguard Managed Solutions, VeriSign

Testing and certification companies: Certify that organizations comply with I.T. security standards such as ISO 27001. Firms: BSI Americas, Intertek, SGS