04.17.07
Ethical Hacking (Finding The Right People)
By Dan Morrill
The concept is not an oxymoron: it is better that you find your issues than that someone else does and takes your site.
Most of us are familiar with zone-h, the defacement website; many of the companies that appear in its lists simply did not do what they needed to do, or, even worse, their hosting companies did not do what was needed to keep their subscribers up and running.
Many companies do penetration work, but really, what are you getting for the 160 dollars an hour you will spend on a hack and pen crew? Not all ethical hacking is the same: some companies are better than others, some cannot live up to their marketing hype, and others quietly take the entire site out.
The ones that really are truly ethical hackers are the ones you want to hire for your annual compliance statement.
These are companies that have a small, select list of people they work with, and will sometimes take on additional projects depending on whether they believe they will be listened to, or the challenge is simply too enticing.
Like all outsourcing that a company does, getting a good quality hack and pen is just as important as getting any other service.
Ask about their attention to quality, and ask for a sample report so you know what you are going to get. Always ask for the raw attack data and for the tools that were used (and see whether you can get them for your own security folks if they are not proprietary to the company), and talk to their other clients to get an impression of how well they did.
Have your security folks meet with their security folks over a long lunch and just shoot the technology. See if they can answer your security folks' questions to their satisfaction.
Do not rely on the salesperson, ever; try to meet the outsourcing company's hacking crew, the people who will actually do the work. If necessary, the salesperson can come to lunch.
There are some exceptional small companies out there for which this is all they do; don't rely on size or "they wrote a book" answers to your questions. Great, they wrote a book. I write on multiple blogs a day, and that does not make me an expert in anything. It means I can write long enough to get a semi-coherent idea down. And even then that is iffy some days.
Do your homework, rely on word of mouth, talk to your friends at other companies, find the right ethical hacking group or company that suits what you need, and the pricing scheme you are willing to pay.
About the Author:
Dan Morrill has been in the information security field for 18 years, both civilian and military, and is currently working on his Doctor of Management. Dan shares his insights on the important security issues of today through his blog, Managing Intellectual Property & IT Security, and is an active participant in the ITtoolbox blogging community.