
The Internet

Who Can You Trust to Test Your Network Security? 8

sjuels asks: "I am working in a US-based company, where we have installed a commercial firewall solution, and now I would like to know how secure we are. I know that a system like ours is never going to be 100% safe from attacks, but I would like to know how vulnerable we are, and I do not trust the company that installed the firewall solution to find the holes in their own product, and the guys that can really do some damage to a system like ours are not exactly in the phone book. How do other people get around this? I cannot believe that it is not a consideration for everyone who tries to secure a network." Anyone out there have recommendations for security consultants? Which ones are worth the money that you will spend, and which ones should you stay far away from?
This discussion has been archived. No new comments can be posted.

  • Well, for personal stuff, I usually hit places like secure-me [secure-me.net].

    I'm currently in a "network security" grad class (someday I'll take a class where I don't know what's going on), and the instructor, who works for Ernst & Young [ey.com], seems to really know his stuff...

    Of course, there's no reason to take my word for it, even though I don't work for them and my grade in the class is already more or less a lock regardless of what I do.

  • I work for a company called Backbone Security, and we provide vulnerability assessment services. We do audits of not only the external network, but also the internal network, the physical security aspects, and workstation security vulnerabilities.

    I'm not really a salesman, just a techie, but if you're interested or you'd like more info, you can contact me here. [mailto] Good luck in your search.

  • by Anonymous Coward
    First of all, as for the Security consultants whom you can trust. Don't trust any of them. Educate yourself. That's about how far your trust should go, and that's pushing it.

    As for who to avoid, if you want a good job done, avoid the companies who push themselves off as "security consultants". The bigger the company, the less talent they have.

    The best Security consultants are independent. The reason for this is simple economics. They can make more by working for themselves than giving a cut to someone else.

    The groups which push themselves off as "Security companies" are mostly amateurs. I've yet to meet one which has impressed me. The common theme is to get some kids who think they are hot-shit because they know a couple of things, and try to fawn them off - while the company takes a huge cut of what the customer pays.

    Such consultants are a joke.

    So one clue is what percentage does the consultant make off of the gig? Generally speaking, the higher the percentage, the better the person is.

    It's not an absolute rule, just an important one.

    Also, ALWAYS check references. A consultant lives and dies by these. If these aren't impressive, move on. You'll probably save yourself some grief.

    It sounds like you really don't want a security consultant, though. If you're placing your trust in a commercial firewall product, you can rest easy knowing that you are likely vulnerable. The better crackers have been reverse engineering these for some time. Some of them likely have holes intentionally built into them.

    Rather, it sounds like you just want to run nmap and scotty on your firewall, from the inside, and out.

    So, go educate yourself, and just do it. Also, Bruce Schneier has a new book out called "Secrets & Lies: Digital Security in a Networked World". It might be a good starting place for both you and your management.
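The comment above suggests scanning the firewall with nmap from both the inside and the outside. What a defender then wants is a comparison: which ports are open from the Internet that policy says should not be, and which ports the firewall is actually blocking. The script below is an added example, not the poster's own tooling; it parses nmap's grepable (`-oG`) output, whose per-port field layout (`port/state/protocol/owner/service/rpc info/version/`) is assumed here, and the two scan captures and the allowed-port policy are constructed for the example.

```python
"""Compare nmap's view of a firewall from inside and from outside.

Added example. The scan captures below are constructed in nmap's
grepable (-oG) format and the allowed-port policy is assumed; nothing
here was taken from a real network.
"""

# Constructed sample: the firewall host scanned from the internal LAN ...
INSIDE_SCAN = """\
# Nmap scan initiated (constructed sample, scanned from the LAN)
Host: 192.0.2.10 (fw.example.test)\tStatus: Up
Host: 192.0.2.10 (fw.example.test)\tPorts: 22/open/tcp//ssh///, 25/open/tcp//smtp///, 80/open/tcp//http///, 443/open/tcp//https///, 3306/open/tcp//mysql///\tIgnored State: closed (995)
"""

# ... and the same host scanned from an external vantage point. Anything
# reported open here is reachable from the Internet.
OUTSIDE_SCAN = """\
# Nmap scan initiated (constructed sample, scanned from outside)
Host: 192.0.2.10 (fw.example.test)\tStatus: Up
Host: 192.0.2.10 (fw.example.test)\tPorts: 22/open/tcp//ssh///, 25/filtered/tcp//smtp///, 80/open/tcp//http///, 443/open/tcp//https///, 3306/open/tcp//mysql///\tIgnored State: filtered (995)
"""

# Assumed firewall policy: only these (protocol, port) pairs are published.
ALLOWED_EXTERNAL = {("tcp", 80), ("tcp", 443)}


def parse_grepable(text):
    """Return {host: {(proto, port): (state, service)}} from -oG output.

    Grepable port entries look like '22/open/tcp//ssh///' (assumed layout:
    port/state/protocol/owner/service/rpc info/version/).
    """
    hosts = {}
    for line in text.splitlines():
        if not line.startswith("Host:") or "Ports:" not in line:
            continue  # comment lines and the 'Status: Up' line carry no ports
        host = line.split()[1]
        ports_field = line.split("Ports:", 1)[1].split("\t", 1)[0]
        entry = hosts.setdefault(host, {})
        for item in ports_field.split(","):
            fields = item.strip().split("/")
            if len(fields) < 5:
                continue  # malformed entry; skip rather than guess
            port, state, proto, service = fields[0], fields[1], fields[2], fields[4]
            entry[(proto, int(port))] = (state, service)
    return hosts


def exposed_ports(hosts):
    """Set of (host, proto, port, service) for every port reported open."""
    return {(h, proto, port, svc)
            for h, ports in hosts.items()
            for (proto, port), (state, svc) in ports.items()
            if state == "open"}


def audit(inside_text, outside_text, allowed):
    """Diff the two views against the published policy."""
    inside = exposed_ports(parse_grepable(inside_text))
    outside = exposed_ports(parse_grepable(outside_text))
    # Open from outside but not in the policy: a gap in the firewall rules.
    unexpected = sorted(e for e in outside if (e[1], e[2]) not in allowed)
    # Open inside but not reachable from outside: the firewall is doing its job.
    blocked = sorted(inside - outside)
    return {"unexpected_external": unexpected, "blocked_by_firewall": blocked}


if __name__ == "__main__":
    for key, entries in audit(INSIDE_SCAN, OUTSIDE_SCAN, ALLOWED_EXTERNAL).items():
        print(key)
        for host, proto, port, svc in entries:
            print(f"  {host} {proto}/{port} ({svc})")
```

With the constructed captures the audit reports ssh and mysql as unexpectedly reachable from outside and smtp as correctly blocked; on a real pair of scans the "unexpected_external" list is the thing to take to whoever owns the firewall rule set.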

  • This will come off as a bit biased (which it is), but I work for a company that has written some software called Hailstorm that's very good at helping you test your own security. It's especially good in situations where you have written something custom, whether it be a CGI script or some sort of server program. It succeeds where security scanners fail, because it can help you find problems that are previously unknown. To see it in action analyzing IDS systems, check out the article at SecurityFocus [securityfocus.com]. Good security consulting firms are VERY expensive, so Hailstorm may be a good choice depending on what you are really looking for.

    If you want to hire a security firm, I would suggest a few different companies: Securify [securify.com], a division of Kroll-O'Gara; Guardent [guardent.com]; Ernst & Young [ey.com]; @Stake [atstake.com]; and Foundstone [foundstone.com].

    Also, if you are interested in trying out Hailstorm (which, for the time being, only runs on NT 4.0/W2K, although it can test applications on any OS), shoot me an email (removing the obvious part), and I'll help you out. A trial version can be downloaded at www.ClickToSecure.com [clicktosecure.com].
  • Why, me of course!
  • i.e. that they aren't affiliated with one particular firewall solution (that they'll be trying to sell you once they've finished testing you: "well, this system that we happen to sell protects you against all these exploits we found on your network"). I would also recommend a company that only checks you for vulnerabilities and then lets you know what they found, leaving you to fix them yourself.
    "Leave the gun, take the cannoli."
  • Well, the good folks over at www.securityfocus.com have compiled a list of Penetration testing companies. You could go look them up (or search in the pen-test mailing list archives at security focus)
  • [ Declaration of interest: I work for the UK S3 group of Articon Integralis AG [integralis.com]. Add salt to taste. These opinions are my own and are NOT to be associated with those of my employer. ]

    - Are the reports custom written, or merely [Nessus|Cybercop|ISS] piped through a prettifier?

    - Do the reports attempt to eliminate false positives and negatives (e.g. sendmail warnings reported against a Microsoft Exchange server)?

    - Do the reports correlate disparate exposure points, which, when combined, could result in deeper intrusion?

    - Have the consultants a track record of providing criticism of (installations of) products sold by other divisions of the company?

    I've spoken with directors of small consultancies and seen reports of mid-to-large consultancies. Often the small consultancies have very talented people amongst their number, but their professionalism is highly variable. Reports from all the mid-to-large consultancies (except our own, naturally!) I have seen have been mediocre pretty versions of scanner reports. I've not seen enough reports from the "big five" to draw any conclusive opinions.
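Two of the questions in the comment above (does the report eliminate false positives such as a sendmail warning against an Exchange server, and does it correlate separate exposure points on the same host) are things a buyer can check mechanically against the raw scanner output. The script below is an added example, not the poster's or any consultancy's tooling: it takes a constructed list of scanner findings and a constructed inventory of what actually answers on each host and port, flags findings whose assumed product does not match the observed banner, and then rates each host by its worst confirmed finding, bumping the rating when an assumed pair of compounding exposure classes co-occur. The product-to-banner keyword table and the compounding rule are both assumptions for the example.

```python
"""Triage a vulnerability scanner report: flag likely false positives and
correlate the confirmed findings per host.

Added example. Findings, inventory, keyword table and correlation rule are
all constructed or assumed for illustration.
"""
from collections import defaultdict

# Constructed scanner output: one dict per finding. 'product' is what the
# scanner plugin assumed it was talking to; 'cls' is the exposure class.
FINDINGS = [
    {"host": "mail.example.test", "port": 25, "product": "sendmail",
     "severity": "high", "title": "sendmail version-based warning", "cls": "remote-exec"},
    {"host": "mail.example.test", "port": 443, "product": "iis",
     "severity": "low", "title": "server banner discloses version", "cls": "info-leak"},
    {"host": "web.example.test", "port": 80, "product": "apache",
     "severity": "medium", "title": "directory listing enabled", "cls": "info-leak"},
    {"host": "web.example.test", "port": 21, "product": "ftp",
     "severity": "medium", "title": "cleartext login service", "cls": "cred-exposure"},
    {"host": "web.example.test", "port": 3389, "product": "rdp",
     "severity": "medium", "title": "remote desktop reachable", "cls": "remote-access"},
]

# Constructed inventory: the service banner observed on each host:port.
INVENTORY = {
    ("mail.example.test", 25): "microsoft exchange smtp",
    ("mail.example.test", 443): "microsoft iis",
    ("web.example.test", 80): "apache httpd",
    ("web.example.test", 21): "vsftpd",
    ("web.example.test", 3389): "microsoft terminal services",
}

# Assumed mapping from the scanner's product label to banner keywords.
PRODUCT_KEYWORDS = {
    "sendmail": ("sendmail",),
    "iis": ("iis",),
    "apache": ("apache",),
    "ftp": ("ftp",),
    "rdp": ("terminal services", "rdp"),
}

SEVERITY = {"low": 1, "medium": 2, "high": 3, "critical": 4}

# Assumed rule: these exposure classes compound when found on one host.
COMPOUNDING = {"cred-exposure", "remote-access"}


def likely_false_positive(finding, inventory):
    """True when the observed banner does not match the product the plugin
    assumed (the comment's example: a sendmail warning against Exchange)."""
    banner = inventory.get((finding["host"], finding["port"]), "")
    keywords = PRODUCT_KEYWORDS.get(finding["product"], (finding["product"],))
    return not any(k in banner for k in keywords)


def triage(findings, inventory):
    """Split findings into (confirmed, suspect) by banner agreement."""
    confirmed, suspect = [], []
    for f in findings:
        (suspect if likely_false_positive(f, inventory) else confirmed).append(f)
    return confirmed, suspect


def correlate(findings):
    """Per host: worst single severity, the set of exposure classes, and a
    combined rating one level higher when compounding classes co-occur."""
    by_host = defaultdict(list)
    for f in findings:
        by_host[f["host"]].append(f)
    report = {}
    for host, fs in by_host.items():
        top = max(SEVERITY[f["severity"]] for f in fs)
        classes = {f["cls"] for f in fs}
        combined = min(top + 1, 4) if COMPOUNDING <= classes else top
        report[host] = {"max": top, "combined": combined, "classes": sorted(classes)}
    return report


if __name__ == "__main__":
    confirmed, suspect = triage(FINDINGS, INVENTORY)
    for f in suspect:
        print(f"suspect: {f['host']}:{f['port']} {f['title']} (banner does not match {f['product']})")
    for host, r in correlate(confirmed).items():
        print(f"{host}: max={r['max']} combined={r['combined']} classes={r['classes']}")
```

On the constructed data the sendmail finding on the Exchange host is set aside as suspect, while the web host, whose individual findings are all medium, is rated one level higher because a cleartext login service and a reachable remote-access service sit on the same box. A report that lists those three medium findings separately, with no such note, is the "scanner output through a prettifier" the comment warns about.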
