Hire a Hessian (Outsourcing) ◾ 265
collected by TippingPoint and Qualys, SANS concluded, “During the last few years, the number of vulnerabilities being discovered in applications is far greater than the number of vulnerabilities discovered in operating systems. As a result, more exploitation attempts are recorded on application programs.” This shift can be partially attributed to improvements in operating system and network security controls, but the prevalence of targets and the lack of effective application patching are the more likely culprits. In addition to employing secure development practices, companies will hire third parties to assess the security of their applications. Pre-deployment assessments may include security architecture and design reviews, code reviews, and security testing. Outsourcing a penetration test on a fully staged deployment is a common practice. Penetration testing is also a popular post-deployment assessment used to verify security controls after system changes are deployed.

Organizations outsource security services in seven distinct areas (auditing, assessment, monitoring, consulting, incident support, device management, and facility security) primarily for defensive purposes. The largest driver is cost savings, followed by compliance mandates, broader coverage, improved incident response, and a better overall security posture. Cost savings tend to be more modest because of the narrower scope of the services; small and medium companies realize the best benefits from not having to keep in-house expertise.
Challenges to Outsourcing Security Services
Losing in-house expertise can be a downside to outsourcing from two different perspectives. The first perspective is availability: Vendor resources are shared across multiple customers; you may need to “wait your turn” to get a qualified resource, especially when you need them the most (e.g., when the region is getting hit by a major worm attack). The second perspective is validation: When changes are made, you don’t have the ability to confirm they were done correctly. A great example of this is an assessment Bill did for a law firm in Phoenix. The firm had a Cisco PIX firewall that was managed by an external provider. The IT director asked him to review the configuration, which he did; he found more than 20 configuration errors, including seven exploitable “holes” in the firewall rules. Some of those holes had been there for years, but the firm had no way of knowing because no one in-house knew how to evaluate a PIX configuration. Another issue associated with outsourcing expertise is, how expert is that expertise? You don’t really have a good way to assess the knowledge, skills, and abilities of the provider’s staff. During an IT services bid review for the U.S. Navy, Bill noticed, based on the submitted resumes, that the vendor had assigned a relatively inexperienced resource to a senior-level task. When he raised the question, the contractor indicated that the resource was one of their top performers and that one of their most senior resources (he was sitting in the room at the time) was on call to assist if necessary. The vendor won the contract, the senior resource was never seen again, the primary resource was completely overwhelmed, and ultimately the U.S. taxpayers footed the bill for his lack of expertise! Anyone who has done much outsourcing likely has similar stories. When outsourcing security consulting and assessment services involving individual contributors, resume and training record reviews are a good way to assess expertise; interviews are even better. Microsoft contracts resources from a number of vendors to staff spikes in workloads. While interviewing a potential vendor resource for a security engagement, Bill asked about his CISSP and his job experience leading up to his certification. The man had falsified his application! He may have had the requisite skills, but he certainly didn’t command trust—and without the interview no one would have known the difference. When outsourcing to an MSSP for monitoring or system management, the best way to deal with the question of expertise is to stick with name-brand vendors, check out what the industry analysts say, or talk with other customers of the service.