Engaging a Team for a Security Analysis

Wednesday, June 29, 2011

Bozidar Spirovski


Being involved in a security project requires a lot of resources: a good measure of knowledge, a huge measure of experience, and some amount of software and personnel.

Usually time is in short supply, so this is compensated for by more computers or more people.

The first option is to use a computer and a piece of software. While there are a lot of automated tools that a security consultant can use, these are not really smart.

  • For penetration tests - most vulnerability scanning systems are 'loud' as hell and will be immediately detected by any IPS/IDS system. Also, such systems are very rarely successful at any penetration unless properly tweaked and configured by a human operator.
  • For procedural assessments, that software is just a set of questions forming a checklist. The problem is that every organization has its own specifics in its security organization, and the actual procedural security posture needs to be understood by an expert operator in order to properly answer the questions in a checklist.

The second option is to hire a freelancer team. Presently, there are a very large number of people looking for a freelance gig as security analysts.

Some of them publish their expertise through social networking sites, others just use job search sites to look for an engagement.

But this is a nightmare in itself for at least two reasons:

  • Unknown amount of expertise - when hiring someone for a security job, unless you know his/her previous work it is very difficult to know whether he/she will deliver the expertise. Please note that a person's CV can say anything without much means of confirmation - references for previous security engagements are very rarely given by clients.
  • Unknown agenda - even if he/she is a great expert, you will be opening the doors of a corporation to that person. Unless you are 100% certain of his/her professional agenda, you may find yourself in a lot of legal trouble if there is a breach of confidentiality or even a malicious attack from someone in your freelancer team.

As Alan Weiss points out, you should only get into partnerships if you can multiply the profit by a hundred, not double it.

And in the case of a security analysis, you can easily deplete your profit by choosing the wrong team, let alone be stuck with legal issues.

Cross-posted from Short Infosec

Don Eijndhoven: You've excellently described the problem. Now... do you have a solution?