Enterprise Security: From In-House Policies to Outsourcing, Security Must Be a Never-Ending Operation
With publicity abounding regarding the latest hacks and cracks, one might assume that everyone would know what it takes to secure an enterprise from damage, denials and disclosures. Examine the value of outsourcing security functions, and gain a better understanding of the concerns surrounding this imperative issue.
The August 22, 2000 InformationWeek headline reads, "Keeping Ahead Of The Cybercrooks – offerings to protect data are more prolific and sophisticated – but, so are cyberthieves." This makes implementing computer security, whether using consulting, firewalls, intrusion detection, or 24x7 monitoring and management services, the price of a connection to the Web. Without regard to the type of activity, an Internet connection opens an organization to just about any illicit activity that can originate from the public. This includes disclosure, illegal transaction initiation, changing and destroying information, denying legitimate service (like the distributed denial-of-service attacks that shut down Yahoo! and CNN), and monitoring or counterfeiting a site. And this list does not even touch the myriad attacks that can originate internally, which must be regarded as at least equal (many would say more than equal) with attacks that can originate externally.
There seems to be a mistaken perception that an organization is safe as long as its Internet connection is not used for an electronic commerce Web site. Worse, some believe they do not need the highest levels of security because only their corporate LAN is being protected, when, in actuality, that LAN might be their most valuable asset. Furthermore, some believe that installing a firewall gives them adequate protection. These perceptions are, unfortunately, not true, even though there might be shades of validity to some of them.
There is a general security axiom that says, given infinite motivation and infinite resources, anything can be compromised. Regrettably true as that is, the converse also matters: it makes no sense to spend more protecting information than the information itself is worth. Security is therefore a matter of tradeoffs, and determining the value of the corporate LAN assets mentioned earlier can be challenging. Regardless, using the Internet for any form of electronic business elevates security from a departmental issue to a core business issue.
This article examines the value of outsourcing security functions: Some one-time consulting services, some ongoing 24x7 services. It tries to dispel myths and establish a proper perspective regarding security and when outsourcing of security functions makes sense. It looks at what you can typically expect to pay for each of the outsourcing services.
With publicity abounding regarding the latest hacks and cracks, one might naturally assume that everyone knows what it takes to secure an enterprise from damage, denials and disclosure. Even if you do, after reading this you will have a better understanding of the issues surrounding security and outsourcing.
The Threats
Take the financial industry as a prototypical example of an industry highly concerned about risk. Financial institutions depart from the typical organization in that they are regulated and closely audited by the federal government, and Internet security sits extremely high on the government audit list. Before the advent of the Internet, access to their systems was confined to internal users; the only external access might have been for electronic funds transfers, which made the areas of potential attack quantifiable. Ubiquitous access, expanded for legitimate use, also admits less-than-desirable characters.
Continuing for a moment with a financial theme, Global Integrity Corporation now operates the Financial Services Information Sharing and Analysis Center (FS/ISAC), a cooperative venture launched in the fall of 1999. The FS/ISAC tracks information on computer security threats, vulnerabilities and fixes, and provides its member banks with advance warning of attacks such as the distributed denial-of-service attacks mentioned earlier.
Bill Marlow, Executive Vice President and cofounder of Global Integrity, estimates that as many as 50 breaches of normally secure systems occur each month within the U.S. financial sector. Other estimates place this figure considerably higher, as high as 500. Considering that many incidents go unreported, the numbers become even more worrisome.
To get a real feel for the number of cracks that take place, visit www.attrition.org/mirror/attrition. This site provides the addresses and number of Web page defacements and replacements. On an average day, like Sunday, September 3, 2000, there were 16 sites affected.
Coupling these figures with the following warning could spell catastrophe for any organization not serious about computer security. In a recent speech to corporate executives, Jeffrey Hunker, Director of the White House’s Critical Infrastructure Assurance Office, said, "At the highest order, we know that there are a number of hostile nation-states that are investing significant sums in offensive cyber-attack capabilities aimed at the U.S." If such an attack were launched using something as contagious as the Melissa or LoveLetter virus, each of which shut down many corporate e-mail systems for several days, the consequences could be serious.
Of course, all this may sound like science fiction. However, all you have to do is look domestically at famous hackers conferences, such as last July’s DEFCON (www.defcon.org) convention held in Las Vegas that regularly draws thousands of attendees. Or check out an example of the popular hackers quarterly at www.2600.com.
One problem is that you cannot count on law enforcement as your sole protection or remedy. For example, a now-jailed Russian mathematician, working with inside accomplices, transferred $10 million out of Citibank. Although he was successfully prosecuted, $400,000 was never recovered.
In an August 2000 attack, a variation of the LoveLetter computer virus targeted customers of the Swiss bank UBS AG, which allowed the virus writer to steal customer account information stored on victims’ PCs. (As an aside, if you bank online, do not store your passwords or PINs unencrypted on your computer.)
Security is like a mathematical proof: unless you cover every instance, you do not have a proof. Showing that a property holds for the first one million integers does not establish it for all integers; the single counterexample you did not think of may lie just beyond what you checked. Similarly, just because the last 1,000 cyber-attacks never affected you does not mean the next one will not.
One more analogy: security is like a river levee, which holds only as well as its weakest point. Your organization’s protection is only as strong as its weakest link.
Other serious (and publicized) breaches occur not as the result of external hackers but due to internal processing and procedural errors. Because of a series of human and technical errors, the nation’s largest HMO, Kaiser Permanente, accidentally e-mailed 858 members’ personal information (e.g., PINs, names, addresses) and medical information (e.g., doctors’ appointments, medical data) in August 2000, as was widely reported.
Approaching Security
Security is often a problem of perception, the it-can’t-happen-here and security-is-for-the-other-guy syndromes. This means that, unfortunately, the weakest link in the security business is people, which seems diametrically opposed to the security mantra of eternal vigilance. We have probably all heard of the executive who writes his/her passwords on the bottom of the keyboard, or, more seriously, posts them on a Post-It note on the monitor. On a relative scale, though, these are the easy things to fix.
A more subtle problem with broader consequences is recognizing your own shortcomings (yours, your IT department’s and your co-workers’) when it comes to assessing, architecting, implementing and monitoring a complete security solution for your organization. For example, do not be caught, as one organization’s IT director was (whom we will leave nameless), installing a firewall without changing the default rule of accept anyone talking to anyone, using any service, at any time of day.
The moral of that story is that unless you are well versed (some would say certified) in security technologies, even the best security product can be cracked if it is not installed in its optimum configuration. An important piece of advice, then, is not to leave security to the neophyte: courses only go so far, and experience is the best teacher. The bottom line is that it is increasingly difficult to keep abreast of emerging threats as well as the latest technology and tools designed to safeguard business-critical information from attack.
This brings us to outsourcing of security functions: which ones and when? The best way to begin is by realistically assessing your own organization’s core strengths, weaknesses, capabilities and business goals. The ability to support a 24x7 security operation must also be determined. Make no mistake about it: if you are on the Web, a 24x7 security operation is an absolute must. How it is provided is a focus of this article. Before we get into outsourcing, let’s briefly cover descriptions of a few key security components.
Selected Security Technologies
Network security typically focuses on perimeter security, which is what a firewall provides. It is similar to magnets on doors and windows in a home security system, with all network traffic funneled through the firewall. While firewalls are generally used to shield corporate assets from Internet-originated attacks, they can also be used in intranet implementations to shield particularly sensitive data from the general corporate populace. They can also be used in extranet implementations to support partner access and for implementing zone perimeter security, for example, for business units.
Some thoughts on firewalls:
A firewall must run on a dedicated system, to avoid unpredictable interactions with other applications that could expose a security weakness.
A firewall also operates under a set of rules, entered by the security administrator, defining who on one side of the firewall can talk to whom on the other. These rules must be custom-developed to support the unique requirements, configuration and IP addressing of the organization, including rules for browsing, e-mail and electronic commerce applications.
Web server content is usually made available to Internet browsers through the firewall across a portion of the network called a free trade, or demilitarized zone (DMZ). An e-mail relay is also typically housed in a DMZ.
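The following is an added illustration, not code from the original article: a small first-match firewall rule evaluator that contrasts the factory default from the anecdote above (accept anyone talking to anyone, any service) with a custom, default-deny rule set for the topology just described (public Web server and e-mail relay in a DMZ, corporate LAN behind the firewall). The addresses, hosts, ports and probe traffic are assumptions chosen for illustration, not any particular organization's configuration. It also includes the one check a reviewer of any rule set should run: finding rules that an earlier, broader rule makes unreachable.

```python
"""Added example: first-match firewall rule evaluation with a default-deny
policy, plus a shadowed-rule check. All addresses are RFC 1918 / RFC 5737
ranges chosen for illustration; the topology is an assumption."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

ANY = ip_network("0.0.0.0/0")
INTERNAL = ip_network("10.0.0.0/8")       # corporate LAN (assumed)
DMZ = ip_network("192.0.2.0/24")          # DMZ (assumed)
WEB = ip_network("192.0.2.10/32")         # public Web server in the DMZ (assumed)
MAIL_RELAY = ip_network("192.0.2.25/32")  # e-mail relay in the DMZ (assumed)


@dataclass(frozen=True)
class Rule:
    src: object    # ip_network
    dst: object    # ip_network
    proto: str     # "tcp", "udp" or "any"
    dport: object  # destination port (int) or "any"
    action: str    # "accept" or "drop"


def matches(rule, src, dst, proto, dport):
    return (ip_address(src) in rule.src and ip_address(dst) in rule.dst
            and rule.proto in ("any", proto)
            and rule.dport in ("any", dport))


def evaluate(rules, src, dst, proto, dport, default="drop"):
    """First matching rule wins; the default policy applies if none matches."""
    for rule in rules:
        if matches(rule, src, dst, proto, dport):
            return rule.action
    return default


def covers(broad, narrow):
    """True if every packet matched by `narrow` is also matched by `broad`."""
    return (narrow.src.subnet_of(broad.src) and narrow.dst.subnet_of(broad.dst)
            and broad.proto in ("any", narrow.proto)
            and broad.dport in ("any", narrow.dport))


def shadowed_rules(rules):
    """(index, shadowing_index) for each rule an earlier rule makes unreachable.
    A shadowed rule is dead weight at best; at worst it is a false belief that
    some traffic is being controlled."""
    out = []
    for j, later in enumerate(rules):
        for i in range(j):
            if covers(rules[i], later):
                out.append((j, i))
                break
    return out


# The as-shipped rule set from the anecdote: one rule, anyone to anyone, any
# service. Nothing ever reaches the default policy.
FACTORY_DEFAULT = [Rule(ANY, ANY, "any", "any", "accept")]

# A minimal custom rule set for the topology in the text. Anything not listed,
# in particular Internet -> corporate LAN, falls to the default drop. Return
# traffic for these sessions is assumed to be handled statefully.
CUSTOM = [
    Rule(ANY, WEB, "tcp", 80, "accept"),         # public Web site
    Rule(ANY, WEB, "tcp", 443, "accept"),
    Rule(ANY, MAIL_RELAY, "tcp", 25, "accept"),  # inbound mail to the relay only
    Rule(INTERNAL, ANY, "tcp", 80, "accept"),    # LAN browsing out
    Rule(INTERNAL, ANY, "tcp", 443, "accept"),
    Rule(INTERNAL, DMZ, "tcp", 22, "accept"),    # LAN administers DMZ hosts
]

PROBES = [  # constructed test traffic: (src, dst, proto, dport)
    ("203.0.113.5", "192.0.2.10", "tcp", 443),  # Internet -> Web server, HTTPS
    ("203.0.113.5", "192.0.2.10", "tcp", 22),   # Internet -> Web server, SSH
    ("203.0.113.5", "10.1.2.3", "tcp", 139),    # Internet -> LAN file sharing
    ("10.5.5.5", "198.51.100.7", "tcp", 80),    # LAN -> Internet browsing
    ("10.5.5.5", "192.0.2.25", "tcp", 25),      # LAN -> mail relay
]


def audit(rules, probes=PROBES):
    """Decision for every probe under the given rule set."""
    return {probe: evaluate(rules, *probe) for probe in probes}


if __name__ == "__main__":
    for name, rules in (("factory default", FACTORY_DEFAULT), ("custom", CUSTOM)):
        print(name)
        for (src, dst, proto, dport), decision in audit(rules).items():
            print(f"  {src:>13} -> {dst:<13} {proto}/{dport:<4} {decision}")
    print("shadowed if the factory rule is left in front:",
          shadowed_rules(FACTORY_DEFAULT + CUSTOM))
```

Under the factory default every probe, including Internet to LAN file sharing on port 139, is accepted; under the custom set only the traffic the rules name gets through. Leaving the factory rule at the top of an otherwise good rule set is just as bad, which is what the shadow check makes visible: every rule below it is unreachable.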
Many people think they are "done" once they have installed a firewall. However, firewalls do not protect against attacks originating inside the firewall. Furthermore, though unlikely, there is a finite chance that a firewall can be breached. Providing protection in these instances is an intrusion detection system (IDS).
Intrusion detection is analogous to the infrared motion sensors in a home security system, and it is connected on critical LAN segments behind the firewall. Just as every virus has a signature, so do hacker tools (such as SATAN, or Security Administrator Tool for Analyzing Networks) and attempts at cracking a system or network; there are over 150 such signatures. Intrusion detection products monitor network traffic, looking for, and responding to, these signatures of an attack in progress. As with anti-virus tools, IDSs must also be updated when a new signature is added to the list.
Intrusion detection systems suffer from something called false positives, which erroneously indicate an intrusion. This requires an initial stabilization period, during which many false positives are eliminated – although there will always be new false positives that appear in the future.
Although IDSs automate many processes, human interaction is still required for most security decisions to evaluate the significance or severity of events.
There are two fundamental types of intrusion detection systems. The first form is a LAN-based network monitor configured to look for attacks by sniffing packets on the network. Determining where to place the network monitor is important, usually being placed on high-risk LAN segments and gateways and near business-critical servers inside (i.e., on the corporate LAN side of) the firewall.
Intrusion detection network monitors are judged with regard to "adaptive network security," an expression coined by Internet Security Systems (ISS). It refers to a monitor’s ability to cause firewalls, routers and other devices to take action to block the offending traffic. When reacting to a suspected intrusion, an adaptive approach reduces human involvement and improves response time to the incident, the latter being critical. One caveat: an automatic block triggered by a spoofed source address can itself become a denial of service against a legitimate host, so automated responses need the same threshold discipline as the alerts that trigger them.
The other type of IDS is host-based. While LAN-based intrusion detection tells you that an intrusion has occurred, host-based tells you what the intruder did on a given host. This class of software extends the native audit facility of a server. Production servers, domain controllers, administration servers, remote access devices and other critical network-connected systems and devices should all be protected.
Security Policy Outsourcing
Security can be viewed as a lifecycle – a loop. The cycle flows: assessing, designing (architecture), implementing, monitoring, maintaining and responding. During the response phase, a determination must be made as to how the incident occurred, specifically to discover its root cause. This may lead back to an assessment, as part of the forensic activities, but should always lead back to potential revision of the architecture and attendant implementation.
The first step is a written security policy – always start with one, and review it regularly to keep it up to date. A determination must be made as to whether existing policies adequately protect business-critical information, and outsourcing should identify where policy changes and improvements are required.
Security policies describe what to protect and from whom. They must be understandable and capable of being properly implemented. The policies should cover compliance with legal, contractual and regulatory requirements. Information assets must be inventoried, and a classification scheme for protecting them must be included. It should incorporate a business recovery plan, contingency plan and disaster recovery plan. Privacy policies should also be considered.
Many organizations make a mistake separating network security from application security. When application development and network security are developed along separate tracks, problems in usability, scalability and security often result.
A security policy should have guidelines for secure application development and a risk assessment process for evaluating new application security. It should cover Internet, intranet and e-mail usage. Firewalls, intrusion detection and incident response policies must be included. Methods for internally disseminating information on security vulnerabilities should be described.
A typical policy’s table of contents includes: physical, administrative, auditing and audit trail, authentication, remote access, personnel, accountability, authorization, confidentiality, availability, operational (including 24x7 security monitoring), encryption, hardware, network, data (integrity), redundancy, backup and software security. It should include metrics on prevention, detection, authentication (the three factors: something you are [fingerprint or iris scan], something you have [badge or smart card] and something you know [password]), and hardware and software, development, testing, operation and maintenance assurances. If you are a financial institution, also check the requirements of your federal regulators, such as those defined in FDIC Financial Institution Letter FIL-68-99, "FDIC Issues Paper on Information System Security Issues," and any Office of the Comptroller of the Currency (OCC) rules and regulations.
A typical price range for outsourcing development of a security policy is $30,000 to $75,000. This price range and the others in this article are from the GartnerGroup, as quoted in the August 14, 2000 ZDNet eWEEK article, "Security Checkup," by Lisa Vaas of eWEEK.
You would think that the outsourcing price would be less for smaller organizations versus larger ones. Generally, there is some correlation. However, it varies more by types of devices, activities, applications, etc, rather than by number. Even if you have only one server or one firewall, you still need policies describing acceptable use.
Security Assessment Outsourcing
Once you have your security policy development underway or completed, a security assessment is required to establish a baseline. Security assessments are growing in popularity, partly because organizations embracing e-business are coming to view security as more than a technical fix that you throw network hardware and software at; the positive by-product is that security technology becomes more intertwined with the business.
Assessments are also becoming more common because things change – more specifically, the network architecture changes to accommodate changes in the business environment, and those impacts must be understood and incorporated into the security architecture. Another reason for increased popularity is that, especially when outsourced, an assessment provides independent positive proof that the organization has done its homework.
Basically, a security assessment service examines the existing network and environment to establish a security baseline and gap analysis. The results can be used to determine a course of action to close the security gaps and improve infrastructure security. The results should identify current vulnerabilities associated with data corruption, security violations and service interruptions, whether originating internally or externally, so that risks to the integrity of business-critical information can be minimized.
A security assessment is an administrative and technical review of adherence to the security policy, checking the compliance of actual actions and procedures against what is supposed to happen, determining the synergy and effectiveness of the security policies, controls, standards, procedures and technology – comparing everything against industry-standard best practices and norms. It checks for vulnerabilities, defined as security settings or design flaws, that could allow someone, intentionally or not, to gain unauthorized access to data or to permit disruption of operations.
For an assessment to be effective, a clear understanding of risks (and threats) – an attacker’s view – is important. Perimeter controls, personnel and organizational classifications, asset classifications, system access control, network and remote network access, server-to-server exposures, application security and electronic business and electronic commerce security must all be scrutinized. The assessment must be a nondestructive form of penetration testing, using realtime analysis to evaluate how the network’s defenses actually hold up rather than how they are documented.
Even though Unisys has performed many security assessments, Unisys itself chose to outsource the assessment of its 24x7 security monitoring and management facility, the Security Command Center (SCC), located in Blue Bell, Pa. Unisys selected the International Computer Security Association (ICSA) to obtain the ICSA Labs TruSecure certification seal, which provides impartial proof, comparable with other similar service providers, of Unisys’ network security.
If a security assessment is outsourced, the IT department must consent to outsiders probing their network and network’s security. Security is a trust business, and only reputable firms (i.e., ones you trust) should be selected.
A general network scan and infrastructure review is conducted to expose basic security vulnerabilities a hacker could exploit. More often than not, these security holes pop up when a manufacturer’s security patch has not been applied, either at all, or improperly, to a specific network device. A sampling includes missing system patches, improperly adjusted system configurations, weak password and authentication methods and weak resource access controls for servers.
A security assessment begins when a security expert visits the facility to interview personnel and to run vulnerability-testing scanners against the network and attached servers. The point of the scanners is to find the exposures so they can be eliminated; the systems are only more secure once the network and systems have actually been updated and reconfigured in response. Scanners should use the latest hacker techniques, such as sniffing, spoofing, cracking, hijacking and leakage. Vulnerability scans should be run periodically, even after fixing the initial set of uncovered vulnerabilities, because new hosts, new software and new vulnerabilities arrive continually.
An assessment applies security standards relating to network and server hardware and software, connectivity (transports), internal and remote virus attack prevention, firewall product certification, confidential data and authentication procedures. It evaluates routers, firewalls, Web servers, Internet connections, dial-up access and operating system platforms.
You can normally expect to pay $50,000 to $150,000 for outsourcing a security assessment. In contrast to outsourcing security policy development, an assessment’s price does vary with the number of network devices, including servers, and the network’s complexity.
Aside from general security strengths and weaknesses, an assessment report should contain every security exposure ranked by severity to allow prioritizing solution implementations.
As valuable as a security assessment is, there are times when one should not be conducted, such as when the organization is already in the middle of implementing a major change, like moving to electronic business. In these instances, perform one beforehand.
Before starting a security assessment, it is important to determine exactly what the organization will do with the security assessment’s results. Security holes must be plugged. This may include actions as simple as applying designated patches and service packs, to adjusting configurations, all the way up to redesigning a portion or all of the network infrastructure. Further security outsourcing services can be used at these junctures, including architecture and implementation services.
Architecture Outsourcing
Once the security policy and assessment are complete, a network architecture must be developed incorporating security. If started from scratch, this can be quite an endeavor and runs from $50,000 to $200,000, depending on the scope and network size.
A security architecture service incorporates methodologies to minimize security risks. It assesses security requirements based on the business and IT strategy, as well as the existing infrastructure, including areas already mentioned in previous sections, and areas such as security processes, roles and responsibilities, to make operations more responsive to security issues.
For example, an employee’s or supplier’s access to information should depend on his or her clearance level. Therefore, a layered security architecture is usually built. The architecture should pervade the IT infrastructure and all organizational levels, potentially incorporating partners and their legitimate access.
Areas covered include established networks, Internet connectivity (both internal and external access), virtual private networks (VPNs) and electronic commerce applications. Recommendations should be comprised of server and router configurations, software updates, firewall and intrusion detection technology and monitoring and maintenance practices.
A security architecture that includes a firewall should also include the design of the firewall rules and 24x7 monitoring and management requirements to support Internet, intranet and other security requirements.
Secure electronic commerce environments should also be covered, potentially including payment transaction security, end user authentication, safe e-mail and messaging, protected Web sites and database servers.
Certificate authorities and public key infrastructure (PKI) are examples of technologies used to help create security boundaries within the IT infrastructure to limit access only to authorized persons once cleared for entry.
PKI technology uses a pair of mathematically linked public and private keys to implement data encryption (for confidentiality) and digital signatures (for integrity and proof of origin). PKI requires strong directory services capabilities at an over-arching level. A central component of PKI is the creation of a certificate authority (CA) that issues digital certificates to vouch for the user’s identity, logically binding users to their public keys; anyone who trusts the CA can therefore verify a signature or encrypt to a user without a prior exchange of keys. The architecture service should provide information on how to build and utilize a public key infrastructure.
Implementation Outsourcing
This is a rather unglamorous but important activity, with pricing completely dependent on what is being implemented. It is where the rubber meets the road: if it is done incorrectly, a security breach is a distinct possibility. This is where detail counts.
Examples range from activities as mundane as inventorying and unboxing equipment and making physical connections, to installing software and implementing specific firewall rules.
Implementation is the incorporation of the architecture (reflecting the established security policies), into the existing networking infrastructure, involving deployment of new and modifications to existing hardware and software, and configuration of related technologies.
A typical security implementation includes firewall systems, intrusion detection systems, policy development and programming, antivirus protection systems, Internet Web server security, file-server security hardening, VPNs, authentication and encryption technology, PKIs and use, or creation, of certificate authorities, and secure systems for electronic-commerce applications.
One of the advantages of outsourcing security implementation is that multiple security services are integrated to provide the maximum protection. However, be cautious about implementing more than one security technology at a time: as with any change involving multiple technologies in the same timeframe, when something breaks it is much harder to tell which change caused it.
Selection of the appropriate technology is important and usually occurs in a previous phase. Depending on the outsourcer you select, they may indicate preferences for one vendor’s products over another. Try to recognize when a vendor is recommending a parent or sibling company’s product to the exclusion of others, which may or may not be a better selection for your organization.
Monitoring Outsourcing
Once security hardware and software such as a firewall and intrusion detection systems are installed and configured, safe Internet connectivity then depends on: realtime firewall and intrusion detection monitoring for immediate response to suspicious activity, and timely security updates of the operating system, firewall, intrusion detection, and utilities to thwart hackers using the latest bugs to probe for and successfully exploit existing vulnerabilities.
Network security monitoring outsourcing is growing at almost 50 percent annually and will account for about one-third of all network security-related services spending. A recent survey stated that almost half of the organizations surveyed plan to use an outside vendor for the design and implementation of their security system, and around two-thirds will outsource the network security monitoring service.
Before we address monitoring outsourcing per se, we need a few definitions. Firewall monitoring is a 24x7 service that detects faults. Usually, the remote side of the firewall is regularly and frequently polled – on the order of every few minutes – to check on its availability. Through this means, proper firewall operation can be continually validated. A denial-of-service attack or an ISP failure can also potentially be detected this way. Other traps and errors should also be monitored and detected, such as any firewall policy trap or an interface input or output utilization error.
If a fault is detected in the hardware or software, fault isolation and remedial action needs to occur. It is convenient, when the monitoring center is tied to a nationwide or worldwide maintenance dispatch infrastructure, to provide immediate response to the fault by electronically dispatching a field engineer, if required.
The monitoring center should manage the restoration of service of the device back to an acceptable level. Test criteria should be used to verify that service is, indeed, restored, including that the device is reachable from the monitoring center, all interfaces used are administratively up, and packets can be sent and received over the normally active interfaces.
When a polling request of the firewall fails, often, it is a failure of the Internet service provider (ISP). Some security monitoring centers are owned and operated by ISPs. However, it is frequently helpful to have the monitoring provided by a separate company, since the monitoring center can provide independent proof of an unrecognized problem the ISP might be having and can provide assistance in dealing with those problems. Otherwise, an organization is generally responsible for working directly with their ISP to maintain connectivity to the Internet.
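As an added illustration (not code from the original article or from any monitoring vendor), the following script models the polling logic described in the preceding paragraphs, driven by a constructed sequence of poll results so that it runs offline. It shows three things the text calls for: not paging anyone on a single lost poll, distinguishing an ISP outage from a firewall fault by also polling the ISP gateway as an independent reference, and refusing to close a fault until the stated restoration criteria (device reachable, interfaces up, packets pass) have held for more than one poll. The poll interval, thresholds, fault categories and sample results are all assumptions.

```python
"""Added example: fault state machine for a polled firewall. Thresholds,
fault categories and the sample poll results are assumptions."""
from dataclasses import dataclass

POLL_INTERVAL = 300     # seconds between polls ("every few minutes")
FAILS_TO_ALERT = 2      # consecutive failed polls before an alert is raised
OK_TO_RESTORE = 2       # consecutive fully passing polls before a fault is closed


@dataclass(frozen=True)
class Poll:
    t: int                  # seconds since monitoring started
    fw_reachable: bool      # the firewall's outside interface answers
    isp_reachable: bool     # the ISP gateway beyond it answers (independent reference)
    interfaces_up: bool     # every in-service interface is administratively and operationally up
    traffic_passes: bool    # test packets traverse the normally active interfaces


def is_healthy(p):
    """The restoration test criteria from the text, all of which must hold."""
    return p.fw_reachable and p.interfaces_up and p.traffic_passes


def classify(p):
    """Name the fault so the right party is engaged."""
    if not p.fw_reachable:
        # Firewall and ISP gateway both dark: the link, not the firewall, is implicated.
        return "isp-outage" if not p.isp_reachable else "firewall-unreachable"
    if not p.interfaces_up:
        return "interface-down"
    if not p.traffic_passes:
        return "firewall-not-forwarding"   # reachable, but policy or forwarding is broken
    return "ok"


# Who does what for each fault category (assumed operating procedure).
ACTION = {
    "isp-outage": "work the outage with the ISP; the firewall is not implicated",
    "firewall-unreachable": "try the out-of-band path; dispatch a field engineer if that fails",
    "interface-down": "remote diagnostics; dispatch if the interface hardware has failed",
    "firewall-not-forwarding": "verify the last rule push and routing from the monitoring center",
}


def monitor(polls):
    """Run polls through the state machine; return (time, event, fault) tuples."""
    events = []
    fails = oks = 0
    fault_open = None
    for p in polls:
        if is_healthy(p):
            fails = 0
            if fault_open is not None:
                oks += 1                       # one good poll is not yet "restored"
                if oks >= OK_TO_RESTORE:
                    events.append((p.t, "restored", fault_open))
                    fault_open = None
                    oks = 0
        else:
            oks = 0                            # a failed poll resets the restore count
            fails += 1
            kind = classify(p)
            if fault_open is None:
                if fails >= FAILS_TO_ALERT:    # damp single lost polls
                    fault_open = kind
                    events.append((p.t, "alert", kind))
            elif kind != fault_open:
                # e.g. the ISP came back but the firewall is still dark: escalate
                events.append((p.t, "reclassified", kind))
                fault_open = kind
    return events


# Constructed poll history (one poll per POLL_INTERVAL).
SAMPLE_POLLS = [
    Poll(0,    True,  True,  True,  True),    # healthy
    Poll(300,  False, False, True,  True),    # one lost poll: no alert yet
    Poll(600,  True,  True,  True,  True),    # transient; counters reset
    Poll(900,  False, False, True,  True),    # firewall and ISP gateway both gone
    Poll(1200, False, False, True,  True),    # second consecutive failure: alert
    Poll(1500, False, True,  True,  True),    # ISP back, firewall still dark
    Poll(1800, True,  True,  False, False),   # reachable again, but an interface is down
    Poll(2100, True,  True,  True,  True),    # all criteria pass once ...
    Poll(2400, True,  True,  True,  True),    # ... and twice: restored
]

if __name__ == "__main__":
    for t, event, fault in monitor(SAMPLE_POLLS):
        print(f"t={t:>5}s {event:<12} {fault:<24} {ACTION.get(fault, '')}")
```

The first lost poll at t=300 never becomes an alert, the outage at t=1200 is reported as an ISP problem rather than a firewall fault, and the fault is only closed at t=2400 after two clean polls. The ISP-gateway reference is what makes the second point possible: without an independent probe the monitoring center cannot tell a dead firewall from a dead link.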
To determine the exact problem, it is helpful to have an out-of-band path for remotely accessing the firewall and related hardware and software, one that does not depend on the Internet link being up. This can be accomplished with a modem, a hardware encryption device and a switch to toggle between Internet and modem access. A connection over the secure modem provides direct, albeit slower, access to the firewall cabinet, through which the health of the firewall and other equipment can be confirmed. The caveat is that this path is itself an entry point into the most sensitive equipment on the network: the modem must accept only authenticated, encrypted sessions (which is what the hardware encryption device is for) and its number must be treated as a secret, or the maintenance path becomes exactly the backdoor an attacker would look for.
Management Outsourcing
In addition to 24x7 monitoring, the monitoring center should handle the management of the firewall and intrusion detection systems. This includes watching vendors for the availability of software patches and changes to the firewall operating system, the firewall software, the intrusion detection software (if applicable) and associated operating systems. This is crucial, since hackers are usually the first to read security flaw reports, and then probe sites using the flaws.
The monitoring center should evaluate applicability and correctness of the patches; this includes, not just patches, but also major software releases and software upgrades. For those deemed necessary, the appropriate software should be updated. The monitoring center should notify the client before applying any changes to the firewall or other components, coordinating update activities to minimize impact to the organization’s operation.
Another part of management includes configuration management. At the organization’s request, the monitoring center should design, document and apply requested changes to the configuration via a move-add-change (MAC) process. (The organization must retain ownership of the overall network design and, ultimately, the configuration files for that design.)
MACs might include maintenance MACs, such as those used to maintain the current firewall rule set established at initial installation and/or to add individual users to the rules. MACs can also be more complex, and may require additional design work and compound rules to be implemented. Examples include adding an e-mail server or gateway, adding a new application rule set to access a news service, implementing secure remote access for customers, and assisting the organization in moving to a new facility. The monitoring center should push the changes to the firewall (or other) appliance, and should maintain the current and previous versions of the firewall appliance rules so that a bad change can be rolled back.
If the organization outsources the complete firewall process, from assessment to architecture to implementation to monitoring and management, the monitoring center is then responsible for initially downloading the primary firewall rules to the firewall during the implementation process, so that it can manage the firewall from the start.
Intrusion Detection Outsourcing
The next major area of a 24x7 security management service is an intrusion detection service. Intrusion detection events can be monitored from the monitoring center if the organization has an intrusion detection product installed.
The monitoring center should notify the organization’s contact point if there has been an incident of suspicious activity, providing any information found from the intrusion detection system, as well as copies of the firewall log files to assist in investigating the incident.
Unless separately contracted, the monitored organization is responsible for investigating and handling of the incident.
Typical incidents detected include:
• Denial of service attacks, such as the ping of death, smurf attacks, SYN flooding and ping bombing.
• Network probes, such as port scans, SATAN scans and ISS scans.
• Brute force attacks and password crack attempts.
• Windows attacks, including WinNuke, remote registry accesses and anonymous logins.
• Java, ActiveX and Shockwave downloads.
The need to respond in real time to a detected intrusion is imperative. Consequently, it is important to establish thresholds to avoid false positives, the bane of a monitoring center, or of your own organization if you handle the monitoring yourself. False positives can cause quite a panic until a determination and final resolution have been made.
Intrusion detection systems are usually connected behind the firewall, which reduces the number of false positives. Placed there, they detect not only intrusions that originate outside the firewall and have made it past it, but also ones that originate inside the firewall (i.e., within the organization).
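As an added example that is not part of the original article, the following shows how a threshold keeps a single blocked connection from raising a false alarm while still flagging the port-scan probes listed above; it runs over a few constructed firewall log lines, and the log format, the threshold of eight distinct ports and the 60-second window are all assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample firewall log (format assumed): time action src dst dport
SAMPLE_LOG = """\
2000-08-22T10:00:01 DENY 203.0.113.7 192.0.2.10 21
2000-08-22T10:00:02 DENY 203.0.113.7 192.0.2.10 22
2000-08-22T10:00:02 DENY 203.0.113.7 192.0.2.10 23
2000-08-22T10:00:03 DENY 203.0.113.7 192.0.2.10 25
2000-08-22T10:00:03 DENY 203.0.113.7 192.0.2.10 80
2000-08-22T10:00:04 DENY 203.0.113.7 192.0.2.10 110
2000-08-22T10:00:04 DENY 203.0.113.7 192.0.2.10 143
2000-08-22T10:00:05 DENY 203.0.113.7 192.0.2.10 443
2000-08-22T10:00:05 DENY 203.0.113.7 192.0.2.10 3389
2000-08-22T10:00:06 DENY 203.0.113.7 192.0.2.10 8080
2000-08-22T10:01:00 ALLOW 198.51.100.5 192.0.2.10 80
2000-08-22T10:05:00 DENY 198.51.100.5 192.0.2.10 443
2000-08-22T10:30:00 DENY 198.51.100.9 192.0.2.10 22
"""

def parse_line(line):
    """Split one log line into (time, action, src, dst, dport)."""
    ts, action, src, dst, dport = line.split()
    return datetime.fromisoformat(ts), action, src, dst, int(dport)

def detect_port_scans(log_text, threshold=8, window=timedelta(seconds=60)):
    """Return (src, dst, distinct_ports) for each source that touched at least
    `threshold` distinct destination ports on one host within `window`.
    Only denied connections count: a single blocked probe never reaches the
    threshold, which is what keeps one stray packet from raising an alarm."""
    hits = defaultdict(list)  # (src, dst) -> [(time, dport), ...]
    for line in log_text.splitlines():
        if line.strip():
            t, action, src, dst, dport = parse_line(line)
            if action == "DENY":
                hits[(src, dst)].append((t, dport))
    alerts = []
    for (src, dst), events in hits.items():
        events.sort()
        best = start = 0
        for end in range(len(events)):
            # slide the window start forward until the span fits in `window`
            while events[end][0] - events[start][0] > window:
                start += 1
            best = max(best, len({p for _, p in events[start:end + 1]}))
        if best >= threshold:
            alerts.append((src, dst, best))
    return alerts
```

Raising the threshold or shortening the window trades missed slow scans for fewer false positives, which is the tuning decision the monitoring center has to make per site.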
Monitoring and Management Outsourcing
Information security functions must be managed according to the security policy. The incarnation of the security policy in this case is the firewall policy rules themselves. Their proper implementation is mandatory to detect and allow response to unauthorized activity, track access to computing resources and perform security administration, such as setup and removal of user access for controlling access to resources, privileges and data.
The staffing requirements for a 24x7 "in-house" realtime firewall monitoring operation discourage keeping it in-house, because they mandate four to five skilled employees to cover shifts, weekends, holidays, vacations and illness. Conversely, outsourced security monitoring and management is usually available for a moderate fee ranging from $2,000 to $15,000 monthly.
Outsourcing it controls the personnel costs: Skilled in-house information security experts are scarce, difficult to hire, expensive to train internally, and even more expensive to retain, often commanding six-figure salaries on the open market. Furthermore, a mistake by a newly trained, but inexperienced, security "expert" can be costly.
Look for a complete offering that supplies, aside from the proactive realtime 24x7 monitoring, a coordinated security architecture development service, event and attack signature tracking, audit log reviews, alarm notification, intrusion response strategies, multiple redundancies, nightly backup capability, event escalation procedures, regular patch updates and inclusion of market-leading products.
Reviewing logs manually is both time consuming and error prone, so the service should provide periodic and frequent incident and usage profiles and reports. These should be accessible through a secure Web server. Other, less common and more specialized features included in service offerings can be Web filtering (content blocking) and prosecution assistance.
Once you have contracted for 24x7 remote security monitoring, management, configuration and intrusion detection services, you may be wondering whether your monitoring center is really there performing the contracted services. You may be tempted to generate a false alarm, just to test them (such as by running a SATAN scan inside your network). Go ahead and do it! You will sleep better at night when the monitoring center responds promptly, or you might find out that they are not as sharp as their marketing department made them out to be. Don’t be surprised, however, if the monitoring center limits the number of free false alarms, since they do cost the monitoring center real resources.
Incident Response
Many companies lack a comprehensive response program and the expertise necessary to respond to critical incidents. Quick response is required, though, because when an incident occurs there is little time to react, and it is best to have thought through the plan beforehand, when not under the gun.
An incident response service, whether done internally or outsourced, should include a quick assessment of what has occurred, by whom, and its impact. If you are not confident about what to do, seek advice from your outsourcing vendor.
The incident response plan should focus on quickly restoring the attacked or damaged operation, ensuring you do not destroy evidence for prosecution. A single individual, usually the security officer, should be the one who has the central responsibility for contacting and dealing with appropriate law enforcement officials. Relevant data must be collected and preserved, which can be challenging, due to the often-dispersed nature of where the data reside. This is where a remote monitoring center can assist, saving and supplying the information for you.
Once there has been an incident, remember to consider follow-up enhancements to existing security controls, including improved vulnerability and access controls and greater monitoring, auditing and intrusion detection services, to prevent recurrence of similar incidents.
Be sure to consider employees, partners, customers, the computer emergency response team, information and business processes, alignment with the corporate security policies, procedures to shorten response time, training of IT staff and executives, reliance on internal versus external response resources, computer forensics and aspects of litigation.
Penetration Testing Outsourcing
The Robert Redford movie "Sneakers" opens with a great example of a penetration test of a bank – albeit, not an IT penetration attempt, but via physical access.
Penetration testing is performed by a tester actually checking security using hacker tools, local tools, commercial tools and manual testing of the existing infrastructure as it appears to an external observer. Although this goes back to the opening discussion on exhaustive mathematical proofs, this proof-by-example method can find problems that may not be obvious or discovered through analysis alone – although it does need to be combined with analysis for a complete result.
Penetration testing is a layered approach, peeling the onion layer by layer to uncover these security flaws.
The service is almost always outsourced, to give it the aura of an independent attack. The individual who performs penetration testing needs good technical skills and must be innovative, since testing is both an art and a science. A good understanding of the implementation is an advantage, since security holes may be unique to the installation.
An infrastructure changes over time, and security thus needs to keep pace, which is not always the case. Penetration testing can therefore identify cross-system and application security problems that are difficult for "myopic" individuals concentrating on their isolated specialties to find.
Penetration testing runs $5,000 to $10,000 per scan. Types of penetration testing include mainframe, client/server, war games and dial testing, Internet firewall testing and potentially physical security checks.
Fraud Detection
By implementing fraud detection disciplines in conjunction with other risk management techniques, clients can achieve a definable reduction in credit and market risks. Fraud detection focuses on operational risks including computer security, legal, regulatory, reputation, crime-related, and systemic risks. It should focus on anti-fraud and anti-money laundering containment processes whose solutions encompass computer systems, process improvement, best practice advice and training for compliance programs.
Fraud detection should also provide systems for detecting and presenting risks of money laundering, assistance on soft systems, risk management and practical financial compliance, and consulting and training on financial crime and electronic business security.
Outsourcing reduces the potential for security violations, minimizing the risk of corrupted information and service interruption to establish customer confidence in the organization’s ability to conduct electronic business securely.