internal/external security relationships

Posted on 2011-03-14
Medium Priority
Last Modified: 2012-05-11
As either a security auditor or pen tester, or on the other hand an internal security admin – how does the pen tester / auditor / security pro who is essentially brought in with a remit of auditing/testing your configurations and setup win you over or form a decent relationship with you? The way I see it, independent 3rd party auditors / pen testers are essentially brought in to find faults/weaknesses in the operations and configuration of apps and infrastructure set up and managed by internal security teams. So there's already going to be tension between the internal guy and the external tester, as the internal guy is going to get all defensive that the external guy is here just to pick faults with his network security and operations – in that case, how does the external 3rd party employee win him over, set his mind at ease and demonstrate his worth in conducting this test?

And also, why do internal senior management/directors insist on the independent 3rd party check/pen test? And when they book this 3rd party, how can they book it without offending/demoralising their internal security guys? At some point they have to say "internal guy A, we have booked company Z to do a thorough IT audit of our network". To me, an internal guy could take offence, as it's essentially getting these 3rd parties in to criticise my configurations and processes? Especially if they have audit tools like Qualys / Nessus. How can management not offend the internal guy by bringing in the external tester? How can they portray the benefits of the independent check in a way that isn't going to offend the internal guy, or make it seem like a witch hunt to find faults? You really don't want this conflict or risk demoralising the internal guy, but at the same time an independent 3rd party check can possibly identify major risks that have been overlooked. It's a tricky balancing act. I've seen comments from internal folk saying "we already run tools x, y and z ourselves, why do we need a 3rd party to come in and do the same".

Question by: pma111
LVL 33

Expert Comment

by: Dave Howe
ID: 35127655
Ok, three points really.

One, if the external entity *is* only running automated tools, then don't pay them. You can do the same as easily and much more cheaply. With an external audit, you are paying for skill above and beyond just running off-the-shelf software (note however that it can be hard to tell sometimes. I have seen leading-edge pentesters come in and run Nessus; however, that is both just the first step (why re-invent the wheel if there is an acceptable tool already) *and*, as it is a framework, the modules in *his* Nessus look nothing like the ones you would download for free).

Second, a fresh pair of eyes is always a good idea - you are familiar and comfortable with your system, and may not see things that a third party scan would pick up. You can of course address this in-house (have someone not usually on a team audit that team) if your staff is big enough, but in many cases it's not practical, and getting a third party in for a pinch-hit is.

Third, often compliance requires a third party audit and paperwork to prove you pass the tests - in such cases, you should be testing heavily yourself, as the audit isn't cheap and you want to pass first time. You can either approach this in a hostile fashion (we want the cert, we don't want more work) or a constructive one (you want to not only get the cert, but use the process to find any holes in your defenses, given it's money committed that we won't get back anyhow).

But any competent internal security team should see the audit as an additional tool they can run - the required staff resource is, if anything, minimal, and the results can be used to either fix problems or justify more budget. Sadly, often such reports go directly to board level, who then use the report to nit-pick and second-guess the security posture - I have had some insane results reported from management-selected 3rd parties ("vulnerability! - dmz hosted webserver HAS PORT 80 OPEN FROM WEB!!!" in large red print), but usually you just have to go through the generated report and mark why a "vulnerability" is actually behaviour as designed, and let the board member go back to the scanner and ask why they couldn't have figured that out themselves...

Author Comment

ID: 35127747
Great points Dave, much appreciated.

Author Comment

ID: 35137426
Just wondered, in the case you were senior management/director, and had to go and inform the security team there's a 3rd party coming in in 2 weeks to test/pen test the security controls and operations of the IT environment - how (tactically) would you go about breaking the news to them and answering any "why are we paying 3rd parties to do the same stuff we do on a daily basis" type questions from the security team? I just worry about morale when it comes to security teams, in that it could appear to them that their manager/director doesn't trust their security configs and operations, so they've asked in a 3rd party who does know - it's quite a delicate matter.
LVL 33

Accepted Solution

Dave Howe earned 1000 total points
ID: 35137745
Well, here is an idea.

You could break it to them that "we are looking to get certified in $FOO". Doesn't matter if you are in fact looking to get certified in $FOO, or even $BAR, it just matters that $FOO has an audit requirement of your security posture. If they ask why $FOO, tell them that Sales say they are losing opportunities due to the lack. If you can be vague and just say "a security certification", that works too.

Then, ask them what they would need to be ready for a relatively hostile audit for $FOO, and if they think we would pass it - tell them you have faith in them, but they need to be honest about this as you can't go back to senior management and say you are ready, if you are not. Tell them to think on that for a couple of days, and get back to you.

Finally, tell them you have decided the best bet is to get a non-hostile audit done by a firm of your own choosing, so that you can be prepared for the hostile audit and have a counter-argument to senior management if anything comes up that you weren't expecting in the audit. At this point, the auditors you WANT are on "their team" and are there to help them prepare for the "other auditors". Once you have the audit, you can cite budgetary constraints - or go to management and suggest that, as you are apparently ready for $FOO, it's worth looking into how much it would cost to get certified so you can put that on future tenders and stuff... Suggest a cost/benefit analysis on it: any benefit to sales of having the cert as opposed to the ongoing cost of obtaining and maintaining it.
