Frank,
Saying that the service you provide, or the fashion of service you
provide, is better than another is Ok, but let's be realistic as well.
First of all, you say that you cost a mere $1-2k more than the Remote
Security Testing (RST) packages. So if I have 5 offices, that's $5-10k
more expensive, etc... starts to add up, doesn't it?
Next, let's say that I want this done every month, because I want to
make sure that a new system or new configuration hasn't been implemented
incorrectly. That's now $60-120k per year that you're costing me more
than the RST, right?
Then there is the cost of my people who have to be around while you're
doing your thing, their salaries. That's another $1-2k per month, or
$12-24k per year. So now we're up to $72-144k per year you're costing
me.
Now to the risks that RST doesn't address, or so you say. You keep
referring to the ISP being taken out. If, as a previous poster pointed
out, I'm running from different netblocks around the world, the only ISP
that could be taken out and prove viable to the hacker would be the
customer's ISP. That means they (the hackers) have to take out the
customer ISP for every customer you have. Don't you think you're
over-emphasizing this risk? Let's be realistic here, Mom and Pop ISPs
might not be in a position to protect themselves from such exploits, but
the vast majority of business is not getting supplied by M&P, they're
getting it from a bigger entity with the resources to protect themselves
(hey, don't get me wrong here, it's not like big ISPs never get hit, but
not as casually as you suggest hackers can in order to track your activities).
So while the risk of such an exploit, as you suggest, is not nil it is
also not a major factor in my risk assessment of doing RST. Wide-spread
compromise of my testing service is virtually impossible (since the
hacker would need monitoring code in hundreds of ISPs or on major
network backbone routers - which further minimizes the risk to those
customers of that backbone provider). Localized compromise of my efforts
is more likely (i.e. one particular ISP or network), but it's highly
unlikely that this will exist for a protracted period of time without me
becoming aware of it (either through one of my customers getting hacked
following an RST, or information gained from the network providers
themselves). So where's the beef??
Then there are the RST services run by ISPs themselves. These services
are provided completely within networks controlled by the ISP itself,
between itself and its customer. No external networks involved, and they
have the ability to verify the integrity of their systems between
themselves and the client. This is a valid RST service in the model
you're condemning, but it's extremely unlikely that it's susceptible to
the risk you state.
COPS services can be extremely valuable to customers to keep them
informed of patches and known vulnerabilities. While the order from on
high may come down to have a particular daemon patched, it's difficult to
ensure that it has been done everywhere without such services. They can
be run internally, and in every good network there should be systems
dedicated to the tasks of performing COPS analysis regularly with
appropriate escalation procedures when the errors are not corrected, but
that's not viable for everyone. Paying a consultant to do this work is,
in many cases, a viable option and makes sense, but not in all cases or
all networks.
So it's fine for you to say that your service is better, but let's not
claim that every implementation of RST is a Bad Thing(tm) just to make
your marketing point. Some of them can be a Good Thing(tm), and are.
A company may not wish to spend $72-144k per year on you doing what a
system can do automatically. Instead they may spend $12-24k on the
automatic service and have $60-120k money left in their budget to hire
you to come in and do the *Good Stuff(tm)*, meaty security
policy/analysis work with much more value to them, and you.
Of course the profit margin is much higher on Tiger Testing than
anything else in the security industry, so I can appreciate you not
wanting to lose that revenue stream, but it's happening and going to
continue...
BTW, I do not perform RST myself and do not sell RST services from any
company/organization. I also do not perform Tiger Testing in-house. So I
have no personal stake in this argument other than to avoid fear
mongering to sell a service type.
Cheers,
Russ
R.C. Consulting, Inc. - NT/Internet Security