Until three years ago, CIO Chris Holbert of North American Scientific Inc. felt information security assessments were something he could take care of himself.
But then the 210-person, Chatsworth, Calif., maker of medical equipment hired its own sales force, which needed access to sensitive customer and product information. The company grew in size and complexity. Holbert no longer had the time to assess every aspect of his security at once.
In came outsourcer Avnet Enterprise Solutions in Tempe, Ariz., which provides Holbert with a "point-in-time snapshot" of his security status every 12 months, or any time changes in the business or his IT infrastructure call for it.
Consider an Outside Assessment If:
- Your staff lacks the time or skill to do thorough, annual security reviews.
- You need an objective security evaluation for regulatory or budget reasons.
- Your business could be crippled by the disclosure of sensitive information.
The outside firm brings expertise and objectivity that's difficult to find in-house. "So much changes so often, whether it's in application development, network connectivity, wide-area networking, security architectures and approaches, [that] if it wasn't somebody's job to know all of that, there's no way they would know if they're secure," Holbert says.
Holbert is typical of midmarket CIOs who look to outsiders when it's time to evaluate the security of their information systems, ranging from networks to servers to client PCs and databases. An outsourced assessment can take as long as a month and cost $30,000 or more. Holbert, for example, spends between 6% and 10% of his security budget, and about 1% to 2% of his overall IT budget, on such assessments. So clearly, they aren't for everyone.
But they are worthwhile at least once a year, proponents say, when a midmarket company lacks the time or skill to do them internally; when major changes may have created new risks; when external regulations require them; or when political or budget pressures call for an outside expert to prove the state of your security.
"If you've never done one, you need to do one," says Laura Koetzle, an analyst at Forrester Research Inc. in Cambridge, Mass. "If it's been more than a year since you've done one, you sure as heck need to do one. In the last five months, if you've grown by more than 50%, you need to step back" and assess whether your security has kept pace.
At North American Scientific, Holbert learned that wasn't the case. His first two assessments showed that, despite efforts to improve, the company still wasn't doing patch management correctly. One assessment also showed that he needed to segment his network into virtual LANs to improve application performance and to protect the systems on which software developers work.
A Sampling of Security Assessment Services
Insiders vs. Outsourcers
Midsized companies are in some ways more, and in some ways less, vulnerable to security concerns than larger companies. A larger company may have a larger staff to devote to security issues, but it will also have more applications, networks and users through which a hacker could gain access. And some industry segments are more concerned than others. A survey by Forrester Research, released last year, showed finance and insurance, manufacturing and public services the most likely to purchase security technologies this year, with retailers and wholesalers least likely.
Security assessments involve a review of an organization's security infrastructure (such as firewalls, antivirus software, and server and network configuration), as well as policies and procedures governing such things as passwords and firewall settings. Penetration tests then attempt to find vulnerabilities in the customer's systems so they can be patched. Depending on their needs, companies may perform one or both types of these tests, and have them performed by a mix of inside and outside staff.
Choosing when and what to outsource is a company-specific decision. "If you're in a more information-sensitive business, such as a small credit union, or local bank, or a boutique pharmaceutical company -- where the stakes are really high and industrial espionage happens -- or if you're regulated, then you definitely want to hire some security-savvy people and have an outside entity do some work for you," Koetzle says.
Even if your internal IT staff members are skilled in security, they can be so close to day-to-day operations "that they often can't see security issues staring them right in the face," says Kevin Beaver, founder and principal consultant of Principle Logic LLC, an information security services firm in Kennesaw, Ga. He often finds misconfigured file-sharing settings, as well as protocols and applications that could give hackers unauthorized access to sensitive information. "I see even more nontechnical vulnerabilities involving areas such as physical security, data backup procedures and policy enforcement -- or the lack thereof," he says.
Hiring an outsider also prevents conflicts of interest, says Beaver, such as "a network administrator who thinks he has secured everything, yet doesn't want to test too deeply for fear of incriminating himself."
The Hybrid Model
Jefferson Wells International Inc., a Brookfield, Wis.-based professional services firm with a risk and security assessment practice, recommends internal staff members use their knowledge of their networks and applications to conduct quarterly assessments of the network perimeter, says Tim Youngblood, director of technology risk management. Such appraisals should include all the systems most likely to face external attack, from routers and firewalls to the so-called demilitarized zone, a fortified part of the network that serves as a barrier between the Internet and your main systems and prevents outsiders from direct access to servers housing company data. He recommends companies use outsourcers, on the other hand, for an annual examination of security policies and procedures, as well as physical security issues such as access to the data center.
For Penetration Tests:
- Assign a project manager to alert users before a test begins.
- Back up critical data.
- Schedule tests for nonpeak hours.
That's the approach taken by the Federation of Canadian Municipalities in Ottawa, a 115-person nonprofit lobbying group. Each quarter, the manager of information services, Sonny Labrie, devotes two to four person-days of internal staff time to check the security of services and applications the organization exposes to the Web. Once a year, he also pays an outsourcer between $5,000 and $10,000 to perform a three-day penetration test, which may include some "social engineering," such as impersonating a help desk staffer to find passwords.
Labrie also recommends documenting the configuration of your network, servers and firewalls, so "in case you think you may have been compromised, you have something to compare against, and you're not just looking for a needle in the haystack." When scoping an assessment, he says, "make a list of the things you need to check. Don't just go and start looking."
Colliers International in San Jose, Calif., a regional affiliate of a $955 million international commercial real estate broker, "wanted to focus initially on perimeter security," says Vic Fischer, vice president of IT. But on the advice of his outsourcer, he decided to assess other areas such as patch management, backup and business continuity, plus examine security at the server, as well as the network, level.
As he expected, the assessment showed that many of the organization's older firewalls, routers and servers needed to be replaced. It also found, unexpectedly, that a number of ports had been left open in firewalls to accommodate older applications no longer in use. Other findings weren't technical but pertained to policies and procedures. The accounts of some former employees, for example, hadn't been disabled, and there wasn't enough documentation for the company's security policies and procedures. Fischer admits that's the area he's been slowest to fix.
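The configuration documentation Labrie recommends, and the stale firewall rules and unrevoked access that Fischer's assessment turned up, both come down to the same check: compare what is documented against what is actually running. The script below is an added example (not code from the article or from any firm it names) that performs that comparison over constructed sample data. The rule-to-application mapping, the account lists, the former-employee list and the severity labels are all assumptions made for illustration; in practice the snapshot would be collected from the firewall and directory rather than typed in.

```python
"""Compare a documented security baseline with a current snapshot and report drift.

Added example, not from the article. All data below is constructed.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    severity: str   # "high", "medium" or "info" (assumed severity scale)
    category: str
    detail: str


# Constructed sample baseline, standing in for the configuration document the
# text recommends keeping. Each firewall rule records the application it was
# opened for, so every open port can be tied back to a business reason.
BASELINE = {
    "rules": {                      # (port, proto) -> application served
        (443, "tcp"): "public-web",
        (25, "tcp"): "mail-gateway",
        (8080, "tcp"): "legacy-orders",
        (1433, "tcp"): "legacy-orders",
    },
    "apps_in_service": {"public-web", "mail-gateway"},
    "accounts": {"alice", "bob", "svc-backup", "carol"},
    "former_employees": {"carol"},
}

# Constructed sample snapshot, standing in for what you would collect today
# from the perimeter firewall and the user directory.
SNAPSHOT = {
    "open_ports": {(443, "tcp"), (25, "tcp"), (8080, "tcp"), (3389, "tcp")},
    "enabled_accounts": {"alice", "bob", "carol", "tmp-contractor"},
}


def compare(baseline, snapshot):
    """Return findings, ordered: ports first, then documentation drift, then accounts."""
    findings = []
    rules = baseline["rules"]
    live_apps = baseline["apps_in_service"]

    # Ports open now: either undocumented, or documented for a retired application.
    for key in sorted(snapshot["open_ports"]):
        port, proto = key
        if key not in rules:
            findings.append(Finding("high", "undocumented-port",
                                    f"{port}/{proto} is open but appears in no documented rule"))
        elif rules[key] not in live_apps:
            findings.append(Finding("medium", "stale-rule",
                                    f"{port}/{proto} was opened for '{rules[key]}', "
                                    "which is no longer in service"))

    # Documented rules that are not actually open: the document itself is out of date.
    for key in sorted(rules):
        if key not in snapshot["open_ports"]:
            port, proto = key
            findings.append(Finding("info", "doc-drift",
                                    f"{port}/{proto} is documented for '{rules[key]}' but is not open"))

    # Enabled accounts: former employees should be disabled; unknown accounts need an owner.
    for user in sorted(snapshot["enabled_accounts"]):
        if user in baseline["former_employees"]:
            findings.append(Finding("high", "access-not-revoked",
                                    f"account '{user}' belongs to a former employee and is still enabled"))
        elif user not in baseline["accounts"]:
            findings.append(Finding("medium", "undocumented-account",
                                    f"account '{user}' is enabled but not in the documented inventory"))
    return findings


def summarize(findings):
    """Count findings per severity, e.g. {'high': 2, 'medium': 2, 'info': 1}."""
    counts = {}
    for f in findings:
        counts[f.severity] = counts.get(f.severity, 0) + 1
    return counts


if __name__ == "__main__":
    results = compare(BASELINE, SNAPSHOT)
    for f in results:
        print(f"[{f.severity:<6}] {f.category:<22} {f.detail}")
    print("summary:", summarize(results))
```

Run it as-is to see the five findings the sample data produces; point it at a real baseline document and a freshly collected snapshot to get the "something to compare against" that Labrie describes. Keeping the rule-to-application mapping in the baseline is what makes the stale-rule check possible, since a bare port list cannot tell you whether the reason a port was opened still exists.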
If he had anything to do over, Fischer says he would have built an annual assessment into his budget. "When talking about doing this with senior management, make sure to implant the idea that this isn't a one-time deal," he says.
Price Tags and Providers
Indeed, an assessment's cost can vary greatly. Pricing starts at about $2,000. It goes up with the number and type of devices and applications to be tested, with those requiring specialized skills costing more. Probing a Web application or a wireless network, for example, "can even require higher-end commercial tools, which can be quite pricey," Beaver says. Another key factor, consultants say, is what you get at the end -- a useful analysis of the tests performed, or just the output from a scan of your systems.
Vendors are plentiful in this space and include everyone from large consulting firms and major technology vendors to local security consultants. On the low end, Hewlett-Packard Co.'s Security Vulnerability Assessment for SMB (Basic), at less than $2,000, includes a review of a customer's security architecture and policy, as well as a penetration test of up to 15 IP addresses in the customer's perimeter. (Testing of up to 50 IP addresses costs $1,000 more.) The findings are presented in a "discovery and recommendations" report that identifies gaps in security, as well as a "best practices sharing session" of up to one hour.
What to Demand in an Assessment Report:
- A detailed list of vulnerabilities and recommendations for fixing them.
- An in-person presentation of the findings with opportunity for Q&A.
- A ranking of vulnerabilities based on importance to the business.
Holbert says he chose Avnet not only for its technical skills, but also because the staff could provide "a good technical analysis and summary of what they found, and a good list of remediation events or tasks." Avnet also tells Holbert how his security practices compare with industry best practices.
Other users recommend insisting on a live presentation of the results, with an opportunity for questions and answers. That helps the internal team understand the results and get buy-in for the need for security from the rest of the organization.
Often, IT or security managers use the results to justify budget requests. Fischer performed his assessment to get a "Good Housekeeping Seal so we could demonstrate to our users that we had good reason" to spend more not only on security, but also the overall IT infrastructure, he says.
Companies use different methods for cost-justifying security assessments, just as they use various methods to cost-justify spending on security itself. North American Scientific funds its security assessments, like all its security spending, based on its estimate of the value of its information assets. Holbert says the company views its security spending almost as a form of insurance against the loss of its valuable information assets. "How do you value the loss of your email system? How do you value the loss of certain electronic assets like price lists or customer lists?" he asks. Compared with traditional insurance, he says, spending on security and security assessment is a bargain.