From: Frank Willoughby <frankw@in.net>
Date: Thu, 31 Oct 1996 17:01:27 -0800 (PST)
To: cypherpunks@toad.com
Subject: Re: Computer Security Risk Assessment Software?
Message-ID: <9611010101.AA15878@su1.in.net>
MIME-Version: 1.0
Content-Type: text/plain


Methinks "Ross Wright" <rwright@adnetsol.com> wrote:

>On or About 31 Oct 96 at 12:19, Dr.Dimitri Vulis KOTM wrote:
>
>> which I assume is NOT what you have in mind :-) Do you mean
>> something that'll take a survey of a company's computer security 
>
>Boom.  Nail, head, one shot!!!!  What's on the market now in that 
>area?
>
>> and
>> assess the risk (like Stan) or something more global? 
>
>The issues are:
>
>Information Risk Assessment and Management
>and also Information Security Assessment.
>
>> AFAIK, there's
>> no tool on the market to help in all aspects of risk management even
>> for a small outfit, because there are so many sources of risk. There
>> are many good specialized packages.
>

I beg to disagree.

Tools, like checklists, are ok as far as a memory jogger goes (to make 
sure that you haven't overlooked something) but there is no way they 
can replace an assessment or audit by a seasoned Information Security 
Officer or professional.  ISOs have eyes, ears, fingers, and a mind.
Tools don't.  

Further, assessments & audits require a mindset - usually  based on 
experience.  A tool in the hands of an inexperienced person (be they 
consultant, or whatever) will more than likely result in major 
vulnerabilities being overlooked.  There is no way a tool or checklist 
can have every possibility on it. (They don't make laptop hard drives 
big enough)  8^)  As Murphy's Law goes, the vulnerability that isn't 
mentioned in the tool will be the one that a hacker will use to crack 
the systems and start peeling the corporation like a grape.

Frequently, a reason people buy these tools are that they feel that 
the tools are more cost-effective than bringing in a consultant for
the engagement.  Their reasons for doing this are based on the fears
that that the consultant's fee will be too high, and that when the 
consultant leaves, so does the knowledge he used to perform the 
assessment.  In many cases, these fears are justified.  (There are
exceptions, however).

The solutions to the above-mentioned problems are:

o Shop around.  Find out which consultants are qualified and what 
   they charge.

o Make sure the consultant caps his cost.  You should know the maximum
   price tag associated with the consulting engagement BEFORE the 
   consultant walks in the front door.  This helps to avoid having the
   consultant camp on your doorstep at $XXX dollars per hour for days,
   weeks, or months on end.

o Check the consultants to see if they have ever worked as an Information
   Security Officer.  (Would you want to have eye surgery performed by 
   someone who read a book about it, or by someone who had is experienced
   at the trade.  IMHO, supplying textbook answers to non-textbook 
   corporations is for the birds.

o If the consultant is worth anything at all, they will walk the customer
   through the engagement (before the engagement is over) and TEACH them
   how to become self-sufficient in the areas of InfoSec which were part
   of the engagement.  (Sounds counter-productive for business, but the 
   word-of-mouth references are worth it.  It is also more honest than
   milking the client as some people do.  When the consultant leaves the 
   site, the customer should know what the consultant did, and be able to 
   follow the consultant's train-of-thought that led him to the recommend
   the particular solutions that he did.

o Last, but not least, it also wouldn't hurt if they were professional 
   enough to be a member of a consumer protection group (such as the 
   Better Business Bureau, etc).  This helps to keep the good guys 
   honest and helps customers differentiate between the professionals 
   and those who are out for a quick buck or just learned how to spell
   Information Security.

Food for thought.


Best Regards,


Frank
Any sufficiently advanced bug is indistinguishable from a feature.
	-- Rich Kulawiec

<standard disclaimer>
The opinions expressed above are of the author and may not 
necessarily be representative of Fortified Networks Inc.

Fortified Networks Inc. - Information Security Consulting 
http://www.fortified.com     Phone: (317) 573-0800     FAX: (317) 573-0817     
Home of the Free Internet Firewall Evaluation Checklist