Who Can You Trust to Test Your Network Security?
sjuels asks: "I am working in a US based company, where we have installed a commercial firewall solution, and now I would like to know how secure we are. I know that a system like ours is never going to be 100% safe from attacks, but I would like to know how vulnerable we are, and I do not trust the company that installed the firewall solution to find the holes in their own product, and the guys that can really do some damage to a system like ours are not exactly in the phone book. How do other people get around this? I cannot believe that it is not a consideration for everyone who tries to secure a network." Anyone out there have recommendations for Security Consultants? Which ones are worth the money that you will spend and which ones should you stay far away from?
a few suggestions (Score:2)
I'm currently in a "network security" grad class (someday I'll take a class where I don't know what's going on), and the instructor, who works for Ernst & Young [ey.com], seems to really know his stuff...
Of course, there's no reason to take my word for it, even though I don't work for them and my grade in the class is already more or less a lock regardless of what I do.
Some other choices (Score:1)
I'm not really a salesman, just a techie, but if you're interested or you'd like more info, you can contact me here. [mailto] Good luck in your search.
Some tips (Score:1)
As for who to avoid, if you want a good job done, avoid the companies who push themselves off as "security consultants". The bigger the company, the less talent they have.
The best Security consultants are independent. The reason for this is simple economics. They can make more by working for themselves than giving a cut to someone else.
The groups which push themselves off as "Security companies" are mostly amateurs. I've yet to meet one which has impressed me. The common theme is to get some kids who think they are hot-shit because they know a couple things, and try to fawn them off - while the company takes a huge cut of what the customer pays.
Such consultants are a joke.
So one clue is what percentage does the consultant make off of the gig? Generally speaking, the higher it is, the better the person is.
It's not an absolute rule, just an important one.
Also, ALWAYS check references. A consultant lives and dies by these. If these aren't impressive, move on. You'll probably save yourself some grief.
It sounds like you really don't want a security consultant, though. If you're placing your trust in a commercial firewall product, you can rest easy knowing that you are likely vulnerable. The better crackers have been reverse engineering these for some time. Some of them likely have holes intentionally built into them.
Rather, it sounds like you just want to run nmap and scotty on your firewall, from the inside, and out.
So, go educate yourself, and just do it. Also, Bruce Schneier has a new book out called "Secrets & Lies: Digital Security in a Networked World". It might be a good starting place for both you and your management.
My own horn (Score:2)
If you want to hire a security firm, I would suggest a few different companies: Securify [securify.com], a division of Kroll-O'Gara; Guardent [guardent.com]; Ernst & Young [ey.com]; @Stake [atstake.com]; and Foundstone [foundstone.com].
Also, if you are interested in trying out Hailstorm (which, for the time being, only runs on NT 4.0/W2K, although it can test applications on any OS), shoot me an email (removing the obvious part), and I'll help you out. A trial version can be downloaded at www.ClickToSecure.com [clicktosecure.com].
With an evil grin... (Score:1)
make sure they're not "sponsered"... (Score:1)
"Leave the gun, take the canoli."
Security Consultants (Score:2)
My take (Score:1)
- Are the reports custom written, or merely [Nessus|Cybercop|ISS] piped through a prettifier?
- Do the reports attempt to eliminate false positives and negatives (e.g. sendmail warnings reported against a Microsoft Exchange server)?
- Do the reports correlate disparate exposure points, which, when combined, could result in deeper intrusion?
- Have the consultants a track record of providing criticism of (installations of) products sold by other divisions of the company?
I've spoken with directors of small consultancies and seen reports of mid-to-large consultancies. Often the small consultancies have very talented people amongst their number, but their professionalism is highly variable. Reports from all the mid-to-large consultancies (except our own, naturally!) I have seen have been mediocre pretty versions of scanner reports. I've not seen enough reports from the "big five" to draw any conclusive opinions.
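The checklist above asks whether a consultant's report weeds out false positives (the sendmail-warning-on-an-Exchange-server case) and correlates findings that land on the same host. The following is an added example, not code from any poster or scanner, of the sanity pass a reviewer can run over raw scanner output before trusting a report: every finding, banner, host and the banner-to-product mapping are constructed for illustration.

```python
# Reconcile raw scanner findings against the service banners actually
# observed, flag findings whose product family contradicts the banner,
# and group what survives per host so co-located exposures are visible.
from collections import defaultdict

# Hypothetical banner substring -> product family table (constructed).
BANNER_FAMILIES = {
    "Sendmail": "sendmail",
    "Microsoft ESMTP": "exchange",
    "Postfix": "postfix",
}

def banner_family(banner):
    """Map an observed banner to a product family, or 'unknown'."""
    for needle, family in BANNER_FAMILIES.items():
        if needle in banner:
            return family
    return "unknown"

def triage(findings, banners):
    """Return (confirmed, suspected_false_positives).

    A finding that names a product family carries a 'product' key. If the
    banner seen on that host:port belongs to a different family, the finding
    is set aside as a likely false positive rather than silently dropped,
    so the reviewer can still see what the scanner claimed."""
    confirmed, suspect = [], []
    for f in findings:
        observed = banner_family(banners.get((f["host"], f["port"]), ""))
        product = f.get("product")
        if product and observed != "unknown" and observed != product:
            suspect.append({**f, "observed": observed})
        else:
            confirmed.append(f)
    return confirmed, suspect

def by_host(findings):
    """Group finding titles per host so overlapping exposures stand out."""
    grouped = defaultdict(list)
    for f in findings:
        grouped[f["host"]].append(f["title"])
    return dict(grouped)

# Constructed sample scanner output and observed SMTP banners.
FINDINGS = [
    {"host": "10.0.0.5", "port": 25, "product": "sendmail",
     "title": "Sendmail version with known issues"},
    {"host": "10.0.0.5", "port": 80, "product": None,
     "title": "Web server exposes directory listing"},
    {"host": "10.0.0.7", "port": 25, "product": "sendmail",
     "title": "Sendmail version with known issues"},
]
BANNERS = {
    ("10.0.0.5", 25): "220 mail.example.test Microsoft ESMTP MAIL Service",
    ("10.0.0.7", 25): "220 relay.example.test ESMTP Sendmail 8.x",
}
```

Running `triage(FINDINGS, BANNERS)` sets aside the sendmail finding on the Exchange host and keeps the other two; `by_host` on the confirmed list then shows which findings share a host.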