[ISN] Unguarded moments - why cyber security is on the rise

From: InfoSec News (isnat_private)
Date: Mon Sep 23 2002 - 23:20:27 PDT

  • Next message: InfoSec News: "RE: [ISN] Warchalking is theft, says Nokia"

    By Kim Zetter
    September 24 2002
    The spike in computer crime in the past two years has been matched by
    a parallel spike in the number of security consultants and companies
    popping up to relieve organisations of their worries and their
    With promises to plug holes, monitor traffic and chase down criminals,
    Managed Security Services can appeal to IT departments too taxed with
    administration to maintain security and to companies too small to hire
    specialist staff.
    Knowing what to do yourself - and what to contract out and to whom -
    is a common difficulty.
    The advantages of outsourcing are many. It's less expensive to pay a
    fee for expert services than to hire and train dedicated staff.  
    Security providers are aware of the latest vulnerabilities, patches
    and products. And if they're monitoring your traffic full-time, they
    can respond to attacks in progress rather than a day or week later
    when your regular administrators get around to analysing the network
    What's more, MSS providers have more experience to respond to attacks
    against your system since they are more likely to have seen similar
    attacks on others.
    But not all offer the same services or quality and not all are
    financially stable.
    According to industry researchers at Giga Information Group, there are
    more than 80 MSS providers in the United States operating nationally -
    down from 125 last year - a figure that analysts expect to drop to 60.  
    So you should choose wisely if your security provider goes belly-up.
    When it comes to picking a provider, the managed security label can be
    misleading since it encompasses a variety of services, from one-time
    vulnerability assessments to 24-hour network monitoring.
    Some companies that call themselves MSS providers are actually only
    product resellers.
    Steve Hunt, a research analyst with Giga, says there are six
    categories of MSS:
    * On-site consulting to develop a security plan and infrastructure.
    * Vulnerability testing.
    * Product sales of security hardware and software.
    * Remote perimeter management, which involves installing, configuring
      and managing a virtual private network.
    * Network monitoring, a 24x7 service to watch network traffic for
      suspicious activity and intrusions.
    * Compliance monitoring to ensure employees comply with company
    Some providers offer a single service, others a smorgasbord. Costs can
    range from $US250 ($A474) a day for consulting to $US12,000 a month
    for network monitoring.
    Small Sydney provider Kyberguard, for instance, has 50 clients
    including Nippon Telephone and Telegraph and international engineering
    group Montgomery Watson Harza.
    It charges $250 a month for small companies, which includes the cost
    and installation of a firewall and IDS hardware as well as 24-hour
    monitoring of perimeter activity. For 100 to 150 employees they charge
    $950 a month for hardware and monitoring of internal-external traffic.  
    They also install and configure VPNs.
    Canberra-based 90East, which has offices around the country, charges
    $7000 to $10,000 a month for network monitoring. It also offers server
    hosting and VPN services.
    The company is new to the commercial market after securing government
    systems for several years. The founders were government contractors
    who built a complex firewall system for federal agencies, then formed
    90East when the government decided to outsource security.
    Their clients include 35 federal departments, state governments and
    legal firm Minter Ellison.
    The company recently acquired Application Service Provider Peakhour.
    Giga's Steve Hunt says that before choosing any MSS, you should assess
    your business risks and needs to decide what you can do in-house and
    what you should outsource. But no company should hand over all
    security to an outsider.
    Greg Nelson, information security manager for chip maker Advanced
    Micro Devices, says companies should retain control of security
    "You can outsource specific tasks but you can't outsource
    responsibility for the security of your company," he says.
    Bruce Schneier, founder of United States network monitoring service
    Counterpane, recommends outsourcing labour-intensive tasks such as
    vulnerability assessment, network monitoring, consulting and
    Schneier says companies cannot effectively monitor their own networks.
    "Security monitoring is inherently erratic: six weeks of boredom
    followed by eight hours of panic," Schneier says. "Attacks against a
    single organisation don't happen often enough to keep (staff) engaged
    and interested.
    "The choice is not outsourcing or doing it yourself. Goldman Sachs can
    do it themselves. But nobody else can."
    AMD, which has 14,000 employees worldwide but only three security
    staff in the US, hired Counterpane after trying unsuccessfully to
    track more than 100 Internet servers.
    "We were always a day behind in analysing results and we could never
    catch anything as it was happening," AMD's Nelson says.
    Counterpane monitors AMD's systems around the clock, while another
    undisclosed company runs penetration tests twice a month. Nelson says
    the decision was also an economic one.
    Counterpane charges about $US12,000 a month, as opposed to the
    $100,000 to $200,000 a month it would cost most companies to hire five
    or six specially trained employees to monitor their systems around the
    AMD at least recognised the need to monitor their networks. But
    according to Tim Cranny, senior consulting engineer with 90East, many
    companies do not even make the attempt.
    "You'd be astonished at the number of companies that have an
    intrusion-detection system or firewall but no one watching them," he
    Although it might be tempting to hire an all-in-one MSS for your
    needs, Counterpane's Schneier says you should avoid companies that
    have a conflict of interest, such as those that sell products and
    offer to manage them or those that offer device management plus
    If the monitoring staff discover an intrusion to a system that the
    device-management team should have secured, they're likely to fix it
    quietly without telling you about the mistake. Companies that sell
    products and do vulnerability assessments also have an obvious
    interest in finding problems their products will solve.
    He believes it is better to hire a company that does one thing well
    and to hire others for separate tasks.
    Giga's Hunt says that penetration tests can sometimes be useless as
    they can be used to get an organisation to sign on for other services
    or by IT departments to justify larger budgets.
    "And all the reports say the same thing," Hunt says. "You have crappy
    passwords, you have open ports, your operating system lacks the latest
    Hunt says before authorising a test you should shore up your network
    with basic steps such as secure passwords and closed ports and then
    test only to find serious problems you would have missed on your own.
    In the end, the best providers are leaders in their field and have a
    good history behind them. Hunt suggests talking to other companies
    with security needs similar to yours and asking analysts for solid
    security consultants and companies that will be around for a while.
    Before hiring Counterpane, Nelson narrowed AMD's choices to five
    companies but by the time they came to make a final decision three of
    them were already out of business.
    ISN is currently hosted by Attrition.org
    To unsubscribe email majordomoat_private with 'unsubscribe isn'
    in the BODY of the mail.

    This archive was generated by hypermail 2b30 : Tue Sep 24 2002 - 02:32:38 PDT