Re: Need a Security Consultant
Verily Paul Rarey allegedly did write:
>Hhhmmmm...,
>
>On Jun 26, 11:33, Frank Willoughby wrote:
>> Subject: Re: Need a Security Consultant
>
>[ snip ]
>
>>One of the things which sets us apart from our competitors is that
>>we are the only Information Security consulting company which is
>>staffed with former Information Security Officers (ISOs) who have
>>a proven track of success in implementing highly secure, cost-
>>effective Information Security. Most of our competitors are
>>making textbook recommendations to non-textbook corporations.
>
>Ouch... Rather poignant statement... Not sure I'd bite on an offer that slams
>the competition like that.
Good point. Let me explain.
I think the point I was trying to make is being missed. The intent
was not to slam the competition, but to point out that there is a
large difference between recommending solutions which are based on
one's *opinion* as to how the solutions may be implemented _or_
because one has had experience in solving these same problems with
another organization. The difference becomes more pronounced when
you get to the implementation part.
However, your point is valid and well-taken. FWIW, my reply was
accidentally posted to this list instead of its intended recipient.
<humble, humble> When I resent my mail to the person who requested
the info, it had the following text:
"One of the things which sets us apart from our competitors is that
we are the only Information Security consulting company that we
know of where all of their InfoSec consultants are former Information
Security Officers (ISOs) who have a proven track of success in
implementing highly secure, cost-effective Information Security.
Many of our competitors are making textbook recommendations to
non-textbook corporations."
The main reason I added that sentence about the ISOs is because we
have seen time & time again the results of some other companies (some
ISPs & consulting companies - who have little/no practical experience
in information security) and have had to clean up after their work.
While we enjoy helping people get back on their feet, our emphasis
is on prevention rather than cleanup.
A brief example from our files:
o A well-known ISP (who shall remain nameless) recommended a firewall
to a company, who called us in to double-check their remote access
connections.
The firewall was the wrong type and could not protect the
company adequately from the hazards of the Internet.
o As an "added service", the ISP remotely managed the firewall -
by telnetting into it (ie - *not* using secure telnet or an encrypted
session).
Any hacker could obtain the root password just by sniffing the
traffic to/from the firewall.
o As if the above wasn't bad enough, the firewall was also (grossly)
misconfigured (ie - no external rules were defined) by the ISP.
As a result of the misconfiguration, the *entire* corporation was
literally an extension of the Internet (including HR, finance,
logistics, engineering, etc). IOW, anyone connected to the Internet
in any part of the world had the capability of accessing any one of
the company's computers.
I guess what I am trying to say to those on the list is: *please*
check out the information security consulting company's security
& technical expertise (no exceptions) before engaging in a contract.
Also, the fact that a company may have a good reputation in one area
of consulting (auditing, IT, DRP, networks, etc) doesn't necessarily
mean that all of its consultants are adequately trained & highly
skilled in performing information security consulting. It's a fairly
new field & experienced information security consultants don't exactly
grow on trees.
As my experienced colleagues will agree, there is a rather large
difference between recommending something and implementing it.
Proven experience is a definite plus.
Many security consulting companies have no problems telling a
customer what their security holes are & can make sound recommendations
to solve these problems. However, when the customer wants infosec
integrated throughout his company or wants to achieve a high level
of compliance to their policies, or wants the infosec department
to be a business asset rather than a liability (as is frequently
the case), then there is no substitute for a consultant who is a
former ISO. What I mean by this is that ISOs & infosec departments
are usually thought of as a huge pain in the neck and are frequently
seen as a necessary evil. It doesn't have to be this way (I'll
get to this in another mail).
>Would seem more appropriate to offer satisfied
>customers as a reference than how bad the other guys are.
We do offer satisfied customers as references. However, I think it
is rather indiscreet to mention them in a public forum.
>As far as competition - how about Trident (I think that's right)... They're made
>up of ex NSA security types.
I don't know about them. The important thing is that they are
competent and can do a good job. As far as my attitude toward
competitors goes, I embrace them - rather than slam them (although,
I will admit that I apparently do have a rather low tolerance of
snake-oil).
We are all on the same side & it is a rather big planet out there.
(Look at the size of the market & the number of companies able to
meet the market's needs & do the math).
>Best regards...,
>
>Paul S. Rarey, Systems Architecture & Electronic Munitions
>The Clorox Company, 1221 Broadway, Oakland, Ca. 94607-4309 USA
>Ph: 510.271.2160 Fx: 510.208.1520
Best Regards,
Frank
Any sufficiently advanced bug is indistinguishable from a feature.
-- Rich Kulawiec
<standard disclaimer>
The opinions expressed above are of the author and may not
necessarily be representative of Fortified Networks Inc.
Fortified Networks Inc. - Information Security Consulting
http://www.fortified.com Phone: (317) 573-0800 FAX: (317) 573-0817
Home of the Free Internet Firewall Evaluation Checklist