Ethical Hacker Community Forums
|
|
December 02, 2008, 07:10:27 AM
|
Show Posts
|
|
1
|
Ethical Hacking Discussions and Related Certifications / Network Pen Testing / Re: Is ethical hacking a growth area?
|
on: December 18, 2006, 04:46:13 PM
|
|
I have to agree with the other replies to this post. You need a broad skill base.
One thing I have noticed, working in the public sector in the UK, is that when trying to choose an external company to carry out any testing they have to reach a specific level of approval - eg CHECK via CESG. This is all well and good but it limits the availability of companies as this is neither cheap nor easy to obtain. In order to get accredited you need to spend quite a bit of cash so unless you are either working for a big company or an ex-government crew then it is quite hard/expensive, not sure how this works in the US so correct me if I am wrong. The problem is then that you have a smaller list of companies to choose from and although some are good others are not so good and as someone mentioned in a post before just because you select a third party to do some work and a flash consultant turns up, who is to say that they will actually do the job for you. Personally I prefer to go with smaller companies as they, in my experience, work on a more personal basis rather than just doing a job. I have recently gone through the process to choose a company and was only offered to attend the pen test by one company, which in the end I suggested to go for. Not a big thing but it is nice to think that if I wanted I could go and watch what was done rather than just waiting for the report to arrive. With this in mind it makes it harder for small companies and consultants to get the bigger contracts because they need to spend the cash just to get through the front door. Sorry to move slightly off topic but this is something that does bug me and I think is limiting for people looking to break into the market.
|
|
|
|
|
2
|
Resources / News from the Outside World / Re: 'Logic Bomb' Backfires on Hacker
|
on: December 18, 2006, 04:31:02 PM
|
|
Interesting story.. one question though, it mentions that he planted a logic bomb in 1000 out of 1500 systems and that things did not go his way. Did his bomb not go off or did he target the wrong systems? If you are going to do something like that then you tend to think it through (especially if you are forking out $23k). Are there any other details about this? I suppose it shows that the systems were very resilient either that or his was not very good or unlucky. Is it me or do a lot of these stories blow the situation up a bit to make it newsworthy without giving any credible information?
|
|
|
|
|
4
|
Ethical Hacking Discussions and Related Certifications / Network Pen Testing / Outsourcing of Security
|
on: December 04, 2006, 03:28:15 PM
|
|
In light of recent conversations at work I have been wondering what other people think about outsourcing of security to parties outside the organisation.
The reason for this is that whilst looking after the security of the network there are some parts, namely our VPN link, that are not in control of us and we have limited access to view the concentrator logs. I am wondering what others think as I am of the opinion that if you are going to outsource it should be all or nothing, depending on the size of the organisation and resources available. The reason for this in my case, historically, was that there was not the skill base in-house to cope with this. I find it increasingly difficult to work on keeping a network secure when there is a grey area that I have no access to that connects to the internet. Having sneaked a look at the config of the firewall that the 3rd party controls, I have become increasingly alarmed as although our request for changes have been actioned there are several inconsistencies that give me concerns as to how it is managed. The main problem I see with outsourcing of security devices in pieces is that you have to assume that the other party are doing a good job. We have on many occasions asked for a config of the devices but trying to find someone willing to give it out is very hard. I just think that without knowledge of the internal network it is very difficult for a 3rd party to be able to work efficiently, plus the fact that any changes required take time to do and are chargeable even when testing so simple tests tend to turn into a headbanging exercise of paper configs and working it through step by step to see if it should in theory work. There is a movement to transfer these devices back to internal control, led by me due to the remote connection becoming more critical. Anyway after my rant I feel better but my main point is that I have to make sure the network meets accreditation standards that are high but how can anyone say the perimeter is secure when there is this grey area?
Even with external testing of the devices you have to assume that the config of devices is updated and kept locked down, but without access how does anyone know and if you have access to the config would it not be easier to do it yourself. I can understand smaller companies needing to outsource such services due to manpower and internal resource but is there any place for this in mid-larger organisations? Correct me if I am out of order on this.
|
|
|
|
|
5
|
Ethical Hacking Discussions and Related Certifications / Network Pen Testing / Re: citrix access gateway - security risk?
|
on: December 04, 2006, 02:34:18 PM
|
Thanks for info! I was thinking the same way just wanted to make sure I was on track. The other reason for this is that I may be able to propose it as an alternative to a client requiring IPSEC system we use that is clunky at best and also controlled by a 3rd party...something I am not very keen on.. My main concern was that I have to make sure it fulfils standards set by government and other parties that, dare I say it, take so long to ratify anything it is out of date by the time we are allowed to use it to keep our accreditation for the connection. So if I can make this secure then I may be able to propose it as an alternative if I can get the right people to say it is ok. Although not mentioned within work I can foresee a need for people to be able to access allowed applications and the like from anywhere at anytime in case of a policy change or emergency. I was looking to beef up the security of not only the connection but also that data passed through it using the Cisco Secure Desktop, something I have been playing around with in my 'spare time' at work. This would mean that any data used by the connections and downloaded data is removed on log out. I was then thinking about using radius/token based authentication for this and then take them straight to the citrix log on page. The main problem I have is the confidentiality/protective marking of the data...bane of my life..but this may overcome any problems with that aside from shoulder surfers. See how it goes anyway....during the pilot, knowing my luck, they might say that it is not worth it. This would be a shame as I can see so much potential for it just finding it hard to put it across without mentioning the access from anywhere, which I have been 'told' should be kept quiet unless asked for..... Something about not making more work for ourselves and some other not very good reasons. However I will keep trying to break them down from within..should be in place before they even know what is happening...
|
|
|
|
|
6
|
Ethical Hacking Discussions and Related Certifications / Network Pen Testing / citrix access gateway - security risk?
|
on: December 03, 2006, 11:00:38 AM
|
|
Guys, I am looking at piloting a citrix access solution but in order to do so I need to create a full ADS (Accreditation document Set) and risk assessment to be approved by our security board...something that is not enjoyable and will take some time. I am interested in any opinions as to the security of such a project. My understanding of this is that an https connection is made to the gateway and then using one of many forms of authentication a user is then able to access published applications via a connection that is proxied through the gateway. As the gateway is located within a DMZ and as long as the security between the gateway and backend servers is strong then the connections are secure. I have done some searching around the web and come up with some answers as to the security risks although a lot of these were a few years old. Does anyone have any opinions as to the security of such a project and what if anything can be done to mitigate the risks? IDS will be running behind the firewall. I would also like to test the security of this and was wondering whether https tunnelling would pose a major problem for this kind of connection. My main concern is that at present we have no incoming connections straight from the internet via this link and so all my documentation will need to be spot on to pass the board. Any thoughts welcome as got some ideas just could use some educated thought from other people in the field, also any sites that show how to make citrix access secure would be good. Thanks
|
|
|
|
|
7
|
Ethical Hacking Discussions and Related Certifications / CPTS - Certified Pen Testing Specialist / Re: CPTS Exam booked - finally!!! Any advice?
|
on: November 25, 2006, 02:19:20 PM
|
Don, Thanks for that. Feel better today as been working hard for this some weeks and think I just needed a day off. I will contact mile2 when I get into work on Monday and see how that pans out. If I can get the vids I will of course use the link...any support I can give the site am more than happy to as have got a lot out of it so far. Keep up the good work and will see how it goes. Nothing keeps me down for long, just needed a day of relaxation, if you can call going round the shop for xmas presents and food shopping that!!
|
|
|
|
|
8
|
Ethical Hacking Discussions and Related Certifications / CPTS - Certified Pen Testing Specialist / Re: CPTS Exam booked - finally!!! Any advice?
|
on: November 25, 2006, 07:45:49 AM
|
|
Not sure about the content of the CBT's. I know that one of the guys on them, Wayne, was the lecturer on the course I did with Mile2 last year and he was excellent. Might have to look at those CBT's..although they normally cost quite a bit so not sure if my meager wages will cover them. Was looking to retake in the next few weeks but not sure now...confidence has taken a bit of a knock and just need to get myself back up there. Let me know what you think of the disks as might have to get in touch with Mile2 and see how much they are.
|
|
|
|
|
10
|
Ethical Hacking Discussions and Related Certifications / CPTS - Certified Pen Testing Specialist / CPTS Exam booked - finally!!! Any advice?
|
on: November 22, 2006, 02:56:12 AM
|
Finally booked my CPTS exam for this Friday..... still not sure if ready but what the hey, got a free exam voucher so will see if I am. What I am really asking is if anyone has any advice for this...not asking for the questions just whether you need the full time limit and stuff. I have been hitting the books all week as off work on holiday but not really sure if they are the right ones. My main revision has come from the Mile2 notes, Grey Hat Hacking and just reading around. The lack of information about what is actually in the exam is making me a bit nervous as not sure if I have covered everything. Really want to do well (not that anything above 80%, a pass mark my friends cannot get to grips with as their Accountancy qualifications only need 50%, is bad.) Any thoughts or advice welcome as running out of fingernails. Cheers
|
|
|
|
|
11
|
EH-Net / Calendar Of Events / Re: Techno Forensics Conf 2006
|
on: November 08, 2006, 01:52:15 PM
|
Don, Not a bad idea...might have to give it some thought!! Not sure where to start though so any ideas would be welcome. Would be good to get something going in the UK aside from the Infosec conference. There are a few things run by the British Computer Society but they can be a bit on the dry side... I think I might just send a few emails out and see if I can get some feedback...there is the new iisp - Institute of Info Sec professionals that has recently started up so might have a chat with them as they are looking for ideas to promote Info Security. See how it goes...
|
|
|
|
|
12
|
EH-Net / Calendar Of Events / Re: Techno Forensics Conf 2006
|
on: November 08, 2006, 02:39:02 AM
|
|
This sounds great but being located in the UK is a real bummer. Does anyone know if conferences like this actually make it over the water to old blighty? I keep seeing all these really interesting expos and the like advertised but there is no way I could get the cash to go. Really feel like we are missing out in Europe. Correct me if I am wrong but there does seem to be a major lack of such events outside of attending manufacturer hosted lectures which in my experience often turn into heavy sales pitches rather than knowledge gathering. I know that there are some events held around Europe but they seem to be hosted by companies at different times rather than something like this which brings them all together. Correct me if I am wrong but finding info about them is still quite difficult. My 2 cents anyway
|
|
|
|
|
13
|
Ethical Hacking Discussions and Related Certifications / Certification / Re: CSTA from 7Safe
|
on: October 13, 2006, 01:21:35 AM
|
Thanks for the comments. Something to think about. I see what you mean about the pass mark for the exam, I misread it as for the assignments. Glamorgan Uni is in Wales so as you say not much use to anyone outside the UK. I think that Don is right about keeping the certs and training separate it makes it easier to become a more recognised thing if you can do the course/exam anywhere as opposed to being tied to one place. They are also less likely to go under as well. I agree the 3 days is a bit short and would be very intense but then that is not always a bad thing, especially if you already have some knowledge...but then why pay the full 1300 for it. ... I think that I might still consider it, as you say Don, for the knowledge and as a pathway to a Masters/ post Grad cert rather than for a technical cert. I have been looking to do a Masters for some time and this could prove an interesting way to do it. I will see what other options are available as most courses I have seen tend to go off into the management systems and higher end of computing. See how it goes but thanks again for the comments.
|
|
|
|
|
14
|
Ethical Hacking Discussions and Related Certifications / Certification / CSTA from 7Safe
|
on: October 12, 2006, 09:17:14 AM
|
Guys, I was looking through Computing today and noticed an advert for a course and cert path I was not aware of. 7safe appear to be running a cert path with practical courses that can be put towards a post grad cert as well as part of a masters. I have been thinking of pursuing an IT related post grad but found that they were very academic with not much practical/useful courses whereas this would be more security based at least for most of the course. The course seems ok and the price is not too bad, compared to some. Although a lot of these courses are starting to look similar once you read into it. Looking further into it the next level includes an exam that is a practical assessment of skills, something I had not seen before. I am really wondering if people have any comments or experience of this as it seems good but must say I am worried there is a catch. The main oddity as far as I can see is that you must do the course to take the exam (from what I can read into it) so wonder how globally accepted it is as it would be run by a single company. Details of the cert can be found here : http://www.7safe.com/CSTA-Certified_Security_Testing_Associate.html
Comments?
|
|
|
|
|
15
|
Ethical Hacking Discussions and Related Certifications / Certification / Re: Checkpoint Certification
|
on: September 19, 2006, 04:59:49 PM
|
|
Skel,
I took the exam about 2 years ago and got the same as Negrita, Smartdefense and StormCenter...confused me as it was not really covered that much. In terms of a test environment I did find that installing the software from the CD that came with the courseware came in handy, do not want to mess around with the live system at work anymore than normal. You can install it on any system without causing any problems as it is only a demo of what can be done. If in doubt vmware is the way forward...
One big question: did you take the second course as well as the CCSA one? It is just that I found that on the first course they told you how to configure it and the second course told you how to install and set it up. A bit strange but if you have done both you should be in a stronger position as in hindsight I found personally that the courses flowed into both exams. Saying all this it was a while ago I took all this so it may well have changed plus as always no exam is the same as they take it from such a large batch of questions.
|
|
|
|
|