Outsourcing information security

The unfamiliar territory and complexity of security often results in a typical human response: make it someone else’s problem

Comments

Outsourcing: Two cents worth

The justification given for outsourcing is often cited as being financial. This is no surprise, as ultimately most company decisions are based on building or conserving finances. A slightly more detailed view is that an organisation will outsource a function for the following reasons:

The outsourcer can do it better for the same cost.
The outsourcer can do it the same for a lower cost.
The outsourcer can't do it as well, but does it at a lower cost.

Just because you can outsource something, doesn't mean that you should. Sometimes it is better to keep certain functions in house. Examples of areas that should not be outsourced include:

Anything deemed to be "core business" should remain in-house to ensure intellectual property is constantly growing. If a desktop services provider outsources it's desktop services, it makes sense for their customers to buy of their outsource partner rather than them.
Anything perceived to be "core business". Perception isreality and to ensure good standing in the marketplace anorganisation must address it.

Examples of outsourcing security

"Security as a Service" is the utopia intended to address the woes of organisations that do not want to be involved at all. Outsourcers promise to take care of information security and often deliver it in the form of a managed firewall and antivirus. The quality of the service is often validated by references from other customers and potentially a site visit. Existing customers praise to the outsourcer for a flawless service backed up with monthly reporting -- in colour. Closer examination however demonstrates the model is flawed.

In such an arrangement, the outsourcer is discouraged from reporting any issue. Why degrade your reputation when it is unlikely that your customers (who have abandoned any internal resource) will be any the wiser. With no trusted resource there is no way to validate any findings (or lack thereof) through testing or an educated review.Security operations are a common area to outsource. The scope is often difficult to define and a dedicated team is often not warranted.

A third party is contracted to process security events from devices such as firewalls, IDS appliances, generic network equipment and infrastructure. The third party is relied on to process (de-duplicate, reconcile and interpret) the events and call attention to any issues. Few however check to see that the provider is providing as promised. Typically, the outsourcer in this case has a central operations room with lots of monitors displaying plenty of monitoring output. Oversubscribed staff attempt to process the barrage of alerts, but focus primarily on the top three to five customers listed on a whiteboard in the corner.

If you aren't on the whiteboard, nobody is looking after your gear. Buying a solution is a way in which security is often inadvertently outsourced.As already mentioned security is a part of all other domains and thus it follows that there is a security component to all solutions. As with security operations, a lack of demand from customers has meant that most integrators do not well cater for security in their solutions. A company trying to outsource it's WAN is likely to purchase private circuits off a telecommunications company.

There is little incentive to go to the expense of dedicated circuits and the WAN may be bundled as part of a package. Typically this means that all inter-branch network security (which often includes telephony) has been outsourced to the telecommunications provider. Assuming that the provider experiences no human error of technical complications, the WAN by design is likely to be insecure. Telcos rarely employ anything more than the inherent nature of multiplexing technologies (for example MPLS, ATM, Ethernet trunking) to divide customers traffic. They, like any other large entity, are susceptible to social engineering that could lead to the unauthorised connection of two customers' networks. Telecommunications providers also have the difficult task of physically protecting their network from attack.

I recently observed a cellular provider's roadside cabinet was labelled with their name and the name of the vendor who supplied the equipment within it. The cabinet was likely monitored, but its physical defence consisted of a padlock holding fast a cheap latch that a small hammer could likely circumvent. Penetration testing is a specialist service that is quite rightly outsourced in a lot of cases. It is a complex service and there is significant value in it being done independently. It also produces a deliverable in the form of a report making justifying it easier.

We must remember however that it isn't the whole picture. Penetration testing can't consider operational practices that may introduce new vulnerabilities as quickly as the old ones are removed. There often isn't evidence that the individual completing testing is adequately skilled to do so, nor is their proof that the majority of vulnerabilities present were discovered. Unfortunately, the reality is most people who commission penetration testing would be satisfied with the doctored report from a freeware scanning tool.

Standards can provide great assistance in improving the security posture of a company. An organisation that relies solely on standards to assure security is, however, likely to experience a gap as is often demonstrated by companies seeking PCI compliance. The PCI standard is intended to be a bare minimum of requirements for protecting cardholder data. It is not intended to be the target state for modern organisations' security programs.

It has become common place for companies running PCI compliance projects to aim to meet the bare minimum of requirements. As much as possible is de-scoped to reduce the cost of the project - a reasonable approach only if there is something else picking up the security shortfall. Some attempt to outsource all payment card functions so they don't need to even meet the minimum requirements.

This report is not intended to comment on PCI, however the author has witnessed the provisioning of a new e-commerce site where card processing was outsourced to avoid troublesome encryption and authentication management. While I am sure it was technically PCI compliant that simply meant customers money was taken securely and effectively. The woeful security in the main site made it trivial to change the deliver address after purchasing, manipulate product prices and monitor what other customers were doing.