[2341] in WWW Security List Archive
RE: Need a Security Consultant
daemon@ATHENA.MIT.EDU (Paul G. Seldes)
Sun Jul 7 20:35:45 1996
From: "Paul G. Seldes" <pgs@tisny.com>
To: "www-security@ns2.rutgers.edu" <www-security@ns2.rutgers.edu>
Date: Sun, 7 Jul 1996 18:23:39 -0400
Errors-To: owner-www-security@ns2.rutgers.edu
Security has become a hot issue for those seeking to "get on the 'net". Our company, Transaction Information Systems (TIS) has been providing consulting services to Fortune 500 companies since 1988. Our security services practice is not advertised as we provide those services in the context of our customer relationship. What I've seen is that many consulting firms have sprouted up doing "internet" stuff but have little grasp of the true issues, traps and problems when it comes to creating truly secure systems. Of course, that is a good thing for me. We usually can charge a lot more to fix others' mistakes. And we even fix mistakes made by former ISOs.
---------------------------------------------------------------
Paul G. Seldes, VP - SWAT (Special Weapons and Technology)
Transaction Information Systems
212-962-1550
http://www.tisny.com
----------
From: Frank Willoughby[SMTP:frankw@in.net]
Sent: Wednesday, July 03, 1996 8:13 AM
To: www-security@ns2.rutgers.edu
Subject: Re: Need a Security Consultant
Verily Paul Rarey allegedly did write:
>Hhhmmmm...,
>
>On Jun 26, 11:33, Frank Willoughby wrote:
>> Subject: Re: Need a Security Consultant
>
>[ snip ]
>
>>One of the things which sets us apart from our competitors is that
>>we are the only Information Security consulting company which is
>>staffed with former Information Security Officers (ISOs) who have
>>a proven track of success in implementing highly secure, cost-effective
>>Information Security. Most of our competitors are
>>making textbook recommendations to non-textbook corporations.
>
>Ouch... Rather poignant statement... Not sure I'd bite on an offer that slams
>the competition like that.
Good point. Let me explain.
I think the point I was trying to make is being missed. The intent
was not to slam the competition, but to point out that there is a
large difference between recommending solutions which are based on
one's *opinion* as to how the solutions may be implemented _or_
because one has had experience in solving these same problems with
another organization. The difference becomes more pronounced when
you get to the implementation part.
However, your point is valid and well-taken. FWIW, my reply was
accidentally posted to this list instead of its intended recipient.
<humble, humble> When I resent my mail to the person who requested
the info, it had the following text:
"One of the things which sets us apart from our competitors is that
we are the only Information Security consulting company that we
know of where all of their InfoSec consultants are former Information
Security Officers (ISOs) who have a proven track of success in
implementing highly secure, cost-effective Information Security.
Many of our competitors are making textbook recommendations to
non-textbook corporations."
The main reason I added that sentence about the ISOs is because we
have seen time & time again the results of some other companies (some
ISPs & consulting companies - who have little/no practical experience
in information security) and have had to clean up after their work.
While we enjoy helping people get back on their feet, our emphasis
is on prevention rather than cleanup.
A brief example from our files:
o A well-known ISP (who shall remain nameless) recommended a firewall
to a company, who called us in to double-check their remote access
connections.
The firewall was the wrong type and could not protect the
company adequately from the hazards of the Internet.
o As an "added service", the ISP remotely managed the firewall -
by telneting into it (ie - *not* using secure telnet or an encrypted
session).
Any hacker could obtain the root password just by sniffing the
traffic to/from the firewall.
o As if the above wasn't bad enough, the firewall was also (grossly)
misconfigured (ie - no external rules were defined) by the ISP.
As a result of the misconfiguration, the *entire* corporation was
literally an extension of the Internet (including HR, finance,
logistics, engineering, etc). IOW, anyone connected to the Internet
in any part of the world had the capability of accessing any one of
the company's computers.
I guess what I am trying to say to those on the list is: *please*
check out the information security consulting company's security
& technical expertise (no exceptions) before engaging in a contract.
Also, the fact that a company may have a good reputation in one area
of consulting (auditing, IT, DRP, networks, etc) doesn't necessarily
mean that all of its consultants are adequately trained & highly
skilled in performing information security consulting. It's a fairly
new field & experienced information security consultants don't exactly
grow on trees.
As my experienced colleagues will agree, there is a rather large
difference between recommending something and implementing it.
Proven experience is a definite plus.
Many security consulting companies have no problems telling a
customer what their security holes are & can make sound recommendations
to solve these problems. However, when the customer wants infosec
integrated throughout his company or wants to achieve a high level
of compliance to their policies, or wants the infosec department
to be a business asset rather than a liability (as is frequently
the case), then there is no substitute for a consultant who is a
former ISO. What I mean by this is that ISOs & infosec departments
are usually thought of as a huge pain in the neck and are frequently
seen as a necessary evil. It doesn't have to be this way (I'll
get to this in another mail).
>Would seem more appropriate to offer satisfied
>customers as a reference than how bad the other guys are.
We do offer satisfied customers as references. However, I think it
is rather indiscreet to mention them in a public forum.
>As far as competition - how about Trident (I think that's right)... They're made
>up of ex NSA security types.
I don't know about them. The important thing is that they are
competent and can do a good job. As far as my attitude toward
competitors goes, I embrace them - rather than slam them (although,
I will admit that I apparently do have a rather low tolerance of
snake-oil).
We are all on the same side & it is a rather big planet out there.
(Look at the size of the market & the number of companies able to
meet the market's needs & do the math).
>Best regards...,
>
>Paul S. Rarey The Clorox Company Ph: 510.271.2160
>Systems Architecture & 1221 Broadway Fx: 510.208.1520
>Electronic Munitions Oakland, Ca. 94607-4309 USA
Best Regards,
Frank
Any sufficiently advanced bug is indistinguishable from a feature.
-- Rich Kulawiec
<standard disclaimer>
The opinions expressed above are of the author and may not
necessarily be representative of Fortified Networks Inc.
Fortified Networks Inc. - Information Security Consulting
http://www.fortified.com Phone: (317) 573-0800 FAX: (317) 573-0817
Home of the Free Internet Firewall Evaluation Checklist