In this blog post I’m going to outline some of the failures that we often see. I’ll also give you some specific things that you can do to prepare for having consultants come on-site.
Why Bring in a Consultant?
To begin, let’s look at a couple of the reasons that security consultants are hired.
- Not Enough People/Time: Many organizations know what they need to do, but they don’t have the resources to really do the job well.
- 3rd Party Review: An outsider can openly assess a system without the inherent blindness that always creeps into a culture.
- Lack of Internal Skills: Some organizations just don’t have the specific skill-sets required to complete specific tasks.
- Compliance Requirements: PCI, HIPAA, etc. may require that certain tasks be performed by an outside team.
- Management Attention: Sometimes it just takes an outside consultant to ring the bell loudly enough to get light focused on certain issues.
All of these reasons are valid uses of consultants. Unfortunately, the reason for hiring consultants is often misunderstood, miscommunicated, or just poorly planned. This can cause a “circling of the wagons” approach where your internal team binds together to repel the “attackers.” So that leads us to the most important thing you can do…
The number one thing you can do in your organization before your consultants arrive is to COMMUNICATE! Bring in your whole team and make sure they understand what’s going on. Bring in representatives from adjacent teams that may be affected. Bring in management who may be called on to approve policy exceptions. Get everyone involved from the very beginning. Don’t wait for us to get on-site to tell everyone what’s going to happen.
The goal should be to avoid an “us versus them” mentality that will destroy your project. Explain that this is a collaborative, team effort, with the ultimate purpose of benefiting the organization. Nobody likes confrontations or being called out for mistakes. Let everyone know that a primary goal of the assessment is to find areas for improvement, not to place blame.
Get Approvals – Ask Early, Ask Often
Bringing in consultants almost always requires exceptions to standard policies. We may need access to information not commonly shared outside the organization. We may need network access that requires firewall or ACL changes. We may need to view system configurations or vulnerability scans. Start making a list as early as possible and get the appropriate sign-off from system owners and managers. When possible, specific written authorization can make the process go very smoothly later on.
Begin making a file of all the documentation that the consultants may need. If you can provide it on the first day we get on site then it will greatly increase our effectiveness. Of course this will vary greatly on the type of engagement, but here’s a list of some of the most common things we may ask for:
- Network map(s) & similar documentation
- IP ranges and domains to be tested or excluded
- User names to test as (At least 2 different users for each role type to be tested.)
- Policies, procedures, manuals, etc., that are to be reviewed
- Source code for any applications or sites in scope
- Firewall, IPS, and router configurations or rule-sets
- Department organizational chart
- Policy exception lists
- Contact list of involved employees (including email addresses and phone numbers)
- Anything you want us to know. If there are specific concerns, or known issues, spell that out ahead of time.
While on-site, we usually base our activities out of a conference room. It must be lockable and should be big enough to comfortably seat 4-5 people and 4-5 laptops. We’ll also need a landline telephone and at least one Internet connection, though additional connections can be helpful. Take the time to make sure that the room is reserved for the entire duration of the engagement. If we’ll be conducting interviews or meetings in other rooms, make sure those are reserved as well. Often for a kick-off or review meeting, there may be 5-10 people in the room.
If the engagement includes interviewing members of your team, do some preliminary scheduling ahead of time. It’s always frustrating to get on-site for a 5-day assessment and find out that someone isn’t available until Thursday. Of course you should also be flexible and understand that things may change as the assessment proceeds.
Every organization is unique and presents different challenges, but by planning ahead you can ward off most delays. So get your whole team involved and set the stage for a great engagement.
Nathan Sweaney is a Senior Security Consultant with Secure Ideas. If you are in need of a penetration test or other security consulting services you can contact him at firstname.lastname@example.org or visit the Secure Ideas – Professionally Evil site for services provided.