From: Frank Willoughby[SMTP:frankw @
Sent: Wednesday, June 19, 1996 11:34 PM
To: firewalls @
Subject: Re: Pilot Network Services
>It has been stated on this list many times that you should not
>outsource your security.
Many of the comments were made by me. Also, security is not the only
thing that should NOT be outsourced. Others include IS/IT operations
(including System & Network Management/Administration), or any other
function which would disrupt business operations if it was not running
at peak performance. Typical areas include time-critical or business-
o Outsourcing security puts your company (literally) in the hands of
a 3rd party. This is an incredible amount of control to give to
an outside entity. In the event of a disagreement, it is possible
that the 3rd party could cripple your systems and/or networks until
the dispute was settled - because you have given them access (and
control) over your own systems and networks.
[lots of stuff snipped]
o Who are their personnel? What background do they have? What kind of
  checks has the company made of its employees (background checks,
  drug testing, polygraph, etc.)? Are they asked on the poly if they
  are a hacker?
At the CSI conference last week, a question in the Birds of a Feather
session to several hackers in New York: "What do you do for a living?".
3 were sysadmins, 2 were *security consultants*, & I believe the other
was a programmer. While I am not saying that any of Pilot's personnel
have any problems in this regard, it is an issue that should be examined.
The first point made was followed up by several points that were basically elaborations on the first one. I agree with those, and these are things that must be addressed by both parties (IOW, a "security consulting firm" must be well aware of these issues and address them with the client whether the client brings them up or not. Professional responsibility...).
The second point, however....
1) As long as it does not interfere with their work, is drug testing really necessary? Furthermore, should a company make its decision on whether to outsource or not (or make a final decision between two firms) based on whether the consulting firm employs drug testing (screening, invasion of privacy, etc.)? Let's say that John Doe at Fred's Security Consulting really knows his stuff well, has a good reputation, etc., and has also smoked pot. Is this *REALLY* going to make a difference, as long as he does not smoke on the job? Are you going to ask people if they drink alcohol on a recreational basis as well? If someone wants to make this into an example of a "law-abiding citizen" vs. a "delinquent," saying that the "delinquent" has no regard for the law and should not be trusted, I ask you this... Are you going to request the consultant's driving records as well? Driving above the speed limit shows an EQUAL contempt, disrespect, what have you, for the law as smoking pot. Is this *REALLY* a smart criterion to base the security of your company on? Would you really go with an inferior proposal just because the architect of the better proposal has smoked pot?
2) Polygraph? Do you really believe that these things are accurate? I personally have beaten one as a "proof of concept" with no problem at all. Yes, it was administered by a qualified professional. Do you want to base the decision upon which your corporate secrets may rely on something as flimsy as a polygraph?
3) Uh, oh! A hacker! Really. Many of the hackers that are out there are simply university computer science students who eventually end up graduating and getting jobs in the security field. There are many hackers out there who know a great deal more than many of the security professionals that are trying to protect companies from them. A security consultant should be judged on his KNOWLEDGE, SKILLS, & qualifications, and NOT on whether s/he is/was a hacker. This type of attitude spreads the thought that all hackers are these evil, malicious people who could never do anything responsible in their lives. I would expect this of the media, and from some of the books that are out there as well (let us not forget the ulterior motives involved in some of these books, as well as pure lack of correct info, twisting of facts, etc.), but not from a security professional. I would hope that professionals in the security industry would be able to see past these erroneous visions of fantasy and not generalize. I realize that yes, there *are* *some* out there who may fit the malicious, delinquent, anarchistic stereotype, but they are *NOT* in the majority. IMO propagating stereotypes (especially 90% erroneous ones, as most are) is generally not good practice.
I am not advocating nor supporting doing drugs, lying on a polygraph, or hiring hackers. What I am advocating is an open mind and focusing on what is *really* important... what kind of a relationship are you going to have with your consultant, etc., etc., etc.
Other than these issues I agree wholeheartedly with your post and think that the issues that you mentioned are all too often not addressed or thought out to the extent that they should be. If I misinterpreted anything, I apologize.
Thanks for "listening,"
net Internet Security Systems, Inc.
Come visit the growing Vulnerability Database