[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: Computer Security Risk Assessment Software?
Methinks "Ross Wright" <[email protected]> wrote:
>On or About 31 Oct 96 at 12:19, Dr.Dimitri Vulis KOTM wrote:
>
>> which I assume is NOT what you have in mind :-) Do you mean
>> something that'll take a survey of a company's computer security
>
>Boom. Nail, head, one shot!!!! What's on the market now in that
>area?
>
>> and
>> assess the risk (like Stan) or something more global?
>
>The issues are:
>
>Information Risk Assessment and Management
>and also Information Security Assessment.
>
>> AFAIK, there's
>> no tool on the market to help in all aspects of risk management even
>> for a small outfit, because there are so many sources of risk. There
>> are many good specialized packages.
>
I beg to disagree.
Tools, like checklists, are ok as far as a memory jogger goes (to make
sure that you haven't overlooked something) but there is no way they
can replace an assessment or audit by a seasoned Information Security
Officer or professional. ISOs have eyes, ears, fingers, and a mind.
Tools don't.
Further, assessments & audits require a mindset - usually based on
experience. A tool in the hands of an inexperienced person (be they
consultant, or whatever) will more than likely result in major
vulnerabilities being overlooked. There is no way a tool or checklist
can have every possibility on it. (They don't make laptop hard drives
big enough) 8^) As Murphy's Law goes, the vulnerability that isn't
mentioned in the tool will be the one that a hacker will use to crack
the systems and start peeling the corporation like a grape.
Frequently, a reason people buy these tools are that they feel that
the tools are more cost-effective than bringing in a consultant for
the engagement. Their reasons for doing this are based on the fears
that that the consultant's fee will be too high, and that when the
consultant leaves, so does the knowledge he used to perform the
assessment. In many cases, these fears are justified. (There are
exceptions, however).
The solutions to the above-mentioned problems are:
o Shop around. Find out which consultants are qualified and what
they charge.
o Make sure the consultant caps his cost. You should know the maximum
price tag associated with the consulting engagement BEFORE the
consultant walks in the front door. This helps to avoid having the
consultant camp on your doorstep at $XXX dollars per hour for days,
weeks, or months on end.
o Check the consultants to see if they have ever worked as an Information
Security Officer. (Would you want to have eye surgery performed by
someone who read a book about it, or by someone who had is experienced
at the trade. IMHO, supplying textbook answers to non-textbook
corporations is for the birds.
o If the consultant is worth anything at all, they will walk the customer
through the engagement (before the engagement is over) and TEACH them
how to become self-sufficient in the areas of InfoSec which were part
of the engagement. (Sounds counter-productive for business, but the
word-of-mouth references are worth it. It is also more honest than
milking the client as some people do. When the consultant leaves the
site, the customer should know what the consultant did, and be able to
follow the consultant's train-of-thought that led him to the recommend
the particular solutions that he did.
o Last, but not least, it also wouldn't hurt if they were professional
enough to be a member of a consumer protection group (such as the
Better Business Bureau, etc). This helps to keep the good guys
honest and helps customers differentiate between the professionals
and those who are out for a quick buck or just learned how to spell
Information Security.
Food for thought.
Best Regards,
Frank
Any sufficiently advanced bug is indistinguishable from a feature.
-- Rich Kulawiec
<standard disclaimer>
The opinions expressed above are of the author and may not
necessarily be representative of Fortified Networks Inc.
Fortified Networks Inc. - Information Security Consulting
http://www.fortified.com Phone: (317) 573-0800 FAX: (317) 573-0817
Home of the Free Internet Firewall Evaluation Checklist