Security consultants - Help! I need somebody

Who can you trust with your company's security? Are external experts, even hackers, a viable option? Sally Whittle finds out.

GIVING outsiders access to your systems and confidential data requires a huge leap of faith - and a lot of trust. It's like opening your doors and rolling out the welcome mat. But to quote Laurence Olivier in Marathon Man: 'Is it safe?'

Security consulting typically costs about £20,000 a week, a hefty sum to pay if you end up as yet another consulting horror story. And there are plenty of horror stories in circulation that may convince you to steer clear of external experts.

Yet if you follow some basic ground rules, the chances of your ending up with a successful relationship and a secure network will be a lot higher.

Choosing a consultant can be every bit as complex as choosing the technology. Sources include large consulting houses such as KPMG and Cap Gemini, or specialist security vendors such as Axent. There is also the shadowy spectre of the 'ethical' or reformed hacker, who knows the weak points of a network better than most, but who may not be trustworthy.

First and foremost, you should ask a consultant for references from previous customers and take the time to check them. If a consultant can't provide you with the names of happy customers, the chances of you being one of them are greatly reduced.

Membership of a recognised trade association can also increase the feel-good factor, says Gerry Penfold, a partner in KPMG's information risk and management division.

Look for accreditation from bodies such as the Information Systems Audit and Control (ISAC) or membership of the International Security Forum, he says.

The ISAC has more than 20,000 members globally. Its CISA Accreditation requires that a consultant has passed CISA examinations, complies with an ethics policy and has five years' experience. Other reputable organisations include the I4 Forum or the European Security Forum.

You should also ensure that a consultant has experience with your particular platforms and network set-up, advises Rosch. 'Ask what their biggest success and biggest screw-up was,' he says. 'The answers can give you a lot of insight into the character of the person across the table.'

For most companies, consulting is a necessary evil, says Caroline Martin of researcher Datamonitor. 'The immaturity of the market has resulted in poor user knowledge and education,' she says. 'This is particularly true for new products such as public key infrastructure and virtual private networks.'

When Eurostar decided to revamp its networks in preparation for selling over the Internet, the company's network staff did not have the relevant knowledge to assess Internet security products.

Using consultants allowed them to exploit someone else's knowledge, and minimise the risk of costly mistakes.

'The consultant helped us through the whole process, from handling tender responses to assessing products and deploying them,' says Rod Fife, general manager of networks and services at Eurostar UK. 'We could use their greater knowledge of the industry and technology to evaluate each supplier.'

Even organisations with a chief security officer can benefit from the advice of an external specialist. 'Knowledgeable staff are expensive and rare,' says Colin Milton-Haynes, senior consultant with Network Associates.

This is particularly true in the area of ecommerce, which requires a whole new skill set. 'Consultancy is like a tap you can turn on and off as needed,' he adds. 'You get access to the most up-to-date information, and it costs less.'

But should companies turn to reformed hackers to find out about the most up-to-date threats? These 'experts' may help find all the hidden entry points to your system, but will they abuse your trust?

'Hackers are the last people you want to do business with,' says Penfold. 'You can't trust their integrity and you can't be sure that your business will not be compromised.'

Trade body membership and references are unlikely to play a big part in the hacker's portfolio.

For this reason, most commercial consulting houses steer clear of using hackers, although most do carry out penetration testing. This is essentially legal hacking, where a team of consultants attempts to breach a network to highlight weak spots.

This is a particularly sensitive area for companies, says KPMG's Penfold. The customer is effectively setting themselves up for an attack. KPMG has a strict policy of not employing hackers, relying instead on ex-systems administrators and network managers.

Some hackers, however, argue that they are in a better position than consultants when it comes to penetration testing.

FlawLight is a member of NetBastards, a hacking group based in the US. 'We have a definite moral code,' he insists.

'The difference between a hacker and a cracker is huge; the hacker operates not for destruction but for knowledge.' FlawLight began consulting because he wanted to work with people who cared about security. 'I'm doing my thing, and learning something new. It's a dream,' he says.

Amar became a consultant when his part-time interest in hacking came to the attention of his employers. 'The company noticed I was getting through a lot more tech support calls than anyone else,' he says. 'They found out that I had most of the company passwords and was using them to do my job better, and after that I became the resident security expert.'

Amar now works for companies, carrying out penetration testing, systems testing and general security evaluations. 'The money is nice, but it's definitely a learning experience,' he says.

The hackers' knowledge of security systems makes them a valuable addition to a consulting team, argues FlawLight. 'We make better consultants because hackers are happy to accept that modern security lacks real security. In other words, there is no security,' he says.

Simon Gardner, of Secure Computing, actively recruits hackers to join his company's penetration testing teams. 'Using hackers allows us to go straight to the source,' he says.

He does not believe that 'ethical' hackers pose a great risk to organisations, though the company refuses to hire anyone with a criminal record.

Gardner argues that the widespread mistrust of hackers is naive, believing most companies have hackers on the payroll whether they know it or not.

'Half the systems admin professionals out there have played with hacker tools,' he says. 'They aren't much of an administrator if they haven't.'

This is borne out by FlawLight's experiences in consulting. 'I have met a lot of ex-members of our group consulting,' he says. 'We have a kind of brotherhood.'

For the vast majority of companies the risks of employing hackers, at least knowingly, are too great. 'The scofflaw attitude of these people makes them highly unsuitable,' says Wil Allsopp, managing director of Tiger Team, an Internet security consultancy. 'I'm not saying it doesn't happen, but I would definitely caution against it.'

Allsopp concedes that he probably has employed hackers inadvertently, however. 'Many of our consultants were probably "amateur security enthusiasts" before becoming legitimate specialists.'

Apart from the issue of trust, some analysts argue that hacking skills are too narrow to meet the security needs of many businesses. 'My gut feeling is that reformed hackers will focus on closing holes that present an external threat,' says Martin Canning, services research manager for analyst IDC. 'By far the largest threat comes from within the organisation, and this is where a company such as KPMG or IBM excels.'

Even where companies choose an established consulting firm, there are still pitfalls. 'The general problem is a "zero culpability" relationship,' says Giga's Rosch. 'The risk is that the consultant drops the turd and leaves you stuck with the result.' Rosch recommends that companies set measures for the consulting process in advance, including deadlines and skill transfers.

'Companies that have done the staff work get good results from consulting; those who don't whine and complain,' he says.

Customers are not the only ones who can get burned by a consulting relationship. 'We need a client to commit the time to making the project a success,' says Penfold. 'If this doesn't happen, the danger is that the consultant will take over and replicate his last job, which may not be the best fit for this company.'

Before the consultant starts the meter, ensure you know exactly what you want him to achieve. 'Set clear goals and milestones with criteria for testing,' advises Penfold.

A crucial part of consulting should be the 'cut-out'. This is a trusted employee who is joined at the hip to the consultant, allowing skills to be transferred and the company to be kept informed.

Keeping close to your consultant can also save embarrassment. Last year, a penetration testing team working from a hotel in San Jose was accosted by the FBI.

The customer's diligent IT department had responded to the 'attack' by calling the police, a confusion that took several phone calls and a trip to the FBI's San Francisco office to sort out.

TOP 10 TIPS FROM THE 'DARK SIDE'

- Non-official information is important. Monitor bug tracking lists and hacking news groups. You'll hear it there first. In the security game, if it's over six months old, it's cracked

- Configure, configure, configure. More than 60% of firms, having spent thousands on firewalls, leave default settings in place

- Develop a policy for Usenet groups. Hackers scan listings to look for technical problems posted by network staff

- Change your modem ring count to higher than three

- Take a hard look at generic network accounts. Do you need SYSTEM enabled?

- Monitor logs for usage of generic accounts

- Make it a company-wide policy that 'no one, from any department, will ever need your password'

- The receptionist can be a hacker's best friend - who is the head of IS, who is in the computer room? What time does the office close? The receptionist can answer all of these

- Use a line scanner to check for unauthorised modems. Hackers will randomly ring numbers until they come across an illicit modem - completely bypassing the firewall

- Have prompt access reviews when an employee leaves the firm

Source: Dr Mudge, FlawLight, Kaos and Amar

TEN QUESTIONS TO ASK A CONSULTANT

Expertise in penetration testing varies greatly, so ask questions before letting the animals loose.

- How many different types of attack can you detect? If the answer's a number, the product is a burglar alarm

- Do you employ hackers?

- How do you keep up to date with the latest threats?

- Does the testing team request a 'cut-out'? If not, look elsewhere

- What information do you need before starting the test? Good testers will need only IP addresses of target systems, as that's all the hacker has

- What system is 'fair game' for the test? Increased test validity may come at the cost of your data warehouse

- What tools will the team use? Custom-built tools may be more effective, and suggest that the consultant has a good understanding of security

- Do they have professional certification? Look for a consultant who has as much to lose as you do

- What do you do other than try to break in? A good team should also offer design and analysis

- What kind of attacker will you emulate? Be cautious if they claim to emulate all types of hacker; this is very unlikely

Source: Computer Security Institute.