Companies that believe their networks can be completely protected by a phalanx of add-on security products may be in for a rude awakening. Underlying vulnerabilities, embedded and unseen many layers down in network infrastructures, may be unwitting invitations to even moderately skilled attackers.
Security auditing companies can give a company expert analysis of obscure but potentially devastating loopholes, along with estimates of cost vs. risk for each of many possible approaches to address them—and a basis for deciding whether spending a little more money upfront will save much more in the long run.
eWeek Labs analyses of the services that three auditing companies provided and the solutions they recommended proved to be a worthwhile look into how security auditors go through a network and what steps are necessary for companies to lock down their networks.
We worked with several eWeek Corporate Partners to create a blueprint of a real-world enterprise network configuration for this eValuation. (The case we developed was based on the real network architecture of a federal agency supervised by one of our Corporate Partners, who asked that the agency not be identified in the story.)
We presented the case to three leading security auditors: Guardent Inc., PricewaterhouseCoopers and SystemExperts Corp. The challenge we put to them was to analyze the case and present that analysis to the Corporate Partner and us.
The participating experts were unable to use two of their most potent techniques: They were barred from conducting penetration tests on the network, and they were not able to discuss network details in-depth with the client. Based solely on a network diagram and other limited information, the consultants were able to offer their insights only on where vulnerabilities were likely to arise—and to offer advice on prudent architectural changes.
Nevertheless, IT managers should note that even with these unusual limitations, all three auditors found significant vulnerabilities in the client network. This eVal highlights the auditors sharp eye for details—possibly the most valuable contribution they can make to locking down a system.
As expected, the auditors gave us three views on what should be done to secure the network. For the specifics of what each company recommended, see reviews of their proposals at right.
Guardent performed best in presenting its findings and identifying areas of the network that needed to be locked down. Its representatives focused on adding the right components for better security internally as well as architectural changes that would offer less risk of security breaches from external traffic.
PricewaterhouseCoopers took a different approach in pricing its services by breaking the price down to the cost per review of each hardware or firewall item. Its emphasis was more on management of business risk and improving security through stricter policies and standards.
SystemExperts consultants pinpointed network problem areas and recommended how the client company could change some network infrastructure and add security in key areas for the lowest cost. SystemExperts also focused on monitoring log information to get a better picture of internal and external traffic.
Organizations do need to bare all to the consultants, painful as that may be, to get the most out of their services. This was evident to us when we sat in on meetings between the auditor and the client, in which the consultancy specified what it needed to know before proposals were given to clients.
Smaller companies may want to consider performing self-assessments before calling in consultants (see story, Page 28) because the cost and time related to outside security audits could be out of reach for cash-strapped companies. The price for consulting and the security precautions the consultant recommends can amount to $100,000 or more, depending on the complexity of the network.