[Reposted] The Inherent Dilemma of Security Consulting
Source: lineman.net
You can learn a lot from the experience of providing security consulting. Unfortunately, most of the lessons have little to do with your job, save finding ways to keep it. It would seem there is a dilemma inherent to security consulting, a job in which there is no such thing as a happy customer.
With security, you constantly have an ethical choice placed before you. Do your job poorly, and it's your ass. Do your job well, and it's still your ass. Nothing like a no-win situation, is there?
On the one hand, you can do a good job and provide your clients with all the information they need to make a security-related decision. You can tell them the choices and implications from top to bottom. But then, you inevitably step on someone's toes. Not that they are qualified to dispute you on this topic, but they don't want you changing anything. And not for any good reason; just because it might cause a little discomfort. Now you have an enemy for the rest of your contract, and only because you tried to do your job.
On the other hand, you could just let them know about the big stuff. Minor details can be glossed over and sensitive toes spared a mashing. The odds are, it's things nobody would even notice, like changing default passwords or disabling guest accounts: the type of stuff that 99% of the clients out there would never think of as a problem. But if something does happen and you didn't at least let them know of the possibility, guess whose ass it will be.
Nobody can fully appreciate the truth of your situation. You may be a pain to some, but you are a valuable asset that clients should recognize. Want to talk about loyalty? Who's more loyal than the person who will risk losing his or her job just to do it right? These aren't the people to let go because they ticked off someone important; they are the ones who should be given incentives to stick around.
Many people do recognize that, believe it or not. Therein lies the problem.
Part of it is that you are working from the outside in. This may not always be the case, but in most cases you wouldn't be hired as a consultant in the first place if the client had someone on the inside handling security. This puts you in a position where you will appear as a threat to even more people than if you were an insider.
So if you do your job too well, you threaten the folks with fragile egos. Never mind that you don't want their lousy jobs in the first place; they are threatened anyway, and you end up adjusting your professional behavior to accommodate their weaknesses. In other words, you find yourself walking on eggshells, doing your job poorly just for the sake of keeping it.
security dilemma response
Good points in your article. However, I am a contractor at a government site and we recently asked for a network vulnerability and security test to be performed at our site--remember--at OUR request. We WANTED to see what sorts of vulnerabilities still exist at our very secure site. We let the security consultant know this, and still what we got for our money was some useless output from a Nessus scan that none of the non-technical folks who would be seeing these reports would comprehend. BTW, you cannot run a Nessus scan and then simply charge for the output of this application--open source doesn't mean free as in $$$. That came directly from the creator of the Nessus program, so ask him about his licensing if you don't agree with this.
These security consultants (very large in the contracting world) wrote the worst report I have ever seen. Rather, they handed us the output of their Nessus scan with an all too brief page barely mentioning any of the mitigating factors or explanations we provided them. We already know about Windows vulnerabilities and did not need to pay someone to tell us about NETBIOS issues or NULL session crap! What we wanted was a true assessment of our network so that we could close any holes we may have missed that would actually be a threat. Don't tell me about Windows vulnerabilities on desktops that have no direct access to the outside world and no external access to them. SO WHAT if null sessions create a vulnerability? Tell me if someone from outside our organization can hack in, OR how much damage an internal person could potentially do to the system. That's the stuff that matters.
Obviously, we got the entry-level "experts" who think using someone else's tool makes them security gurus. That fact aside, our problem was that they did not understand that these reports they so casually create and hand out not only have detailed info about our network, but these same reports are handed over to people who know nothing about how our network is configured. This site must meet certain guidelines in order to operate, and if some outside auditor reads these incomplete/inaccurate reports it could affect the business operations here as well as their ability to operate.
Keep in mind I am a contractor and when someone casually creates and sends unprofessional reports to government personnel that can affect their ability to operate as well as my job here. That may tell you why some people react negatively to an outsider coming in to do "security assessments" of a network.
If you don't understand why an IT person would feel protective and sometimes defensive about their network then you have never been in the trenches like the rest of us. You should also keep in mind that IT doesn't happen in a bubble. Things may be in place because of a business decision or because the CEO said to do it or some other ridiculous thing that came from what we call "toilet seat management".
That doesn't mean the IT personnel managing the system wanted it set up that way. Just some points to keep in mind when you say a security consultant has it rough. You aren't the only ones who have to deal with the politics, disrespect and sometimes contempt from management and end users.
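The complaint in the response above, that a null session on an isolated desktop and a remotely exploitable service on an internet-facing host should not land in the same undifferentiated scanner dump, can be turned into a triage step between the scan and the report. The Python below is an added example; it is not code from the original article, from lineman.net, or from Nessus. The findings, host addresses, exposure zones, keyword list and P1-P4 labels are all constructed for illustration, and the asset inventory stands in for whatever network documentation the client can provide.

```python
"""Re-rate raw scanner findings by how exposed the affected host is.

Everything here is constructed: the inventory, the findings and the
priority scheme are illustrative, not real scan output.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    host: str
    port: int
    title: str
    severity: str  # "low", "medium", "high" or "critical", as the scanner rates it


# Hypothetical asset inventory (constructed): who can reach each host.
#   "internet"  - accepts connections from outside the organisation
#   "internal"  - reachable from the office LAN only
#   "isolated"  - restricted VLAN, no inbound access from other segments
ASSET_EXPOSURE = {
    "10.0.1.5": "internet",
    "10.0.2.20": "internal",
    "10.0.3.41": "isolated",
}

SEVERITY_RANK = {"low": 1, "medium": 2, "high": 3, "critical": 4}

# Finding titles containing these words describe enumeration or information
# leaks, which mostly help someone who already has network access rather
# than offering a direct way in. The list is an assumption for this example.
ENUMERATION_KEYWORDS = ("null session", "netbios", "name disclosure")


def triage(finding, exposure=ASSET_EXPOSURE):
    """Return (priority, rationale) for one raw finding.

    P1 is most urgent, P4 is routine hygiene. A host missing from the
    inventory is never dismissed: it comes back as P2 with a request to
    establish its exposure first, because an inventory gap is itself a finding.
    """
    zone = exposure.get(finding.host)
    rank = SEVERITY_RANK[finding.severity]
    where = f"{finding.title} on {finding.host}:{finding.port}"
    enum_only = any(k in finding.title.lower() for k in ENUMERATION_KEYWORDS)

    if zone is None:
        return "P2", f"{where}: host is not in the asset inventory, so its exposure is unknown; confirm reachability before rating it."
    if zone == "internet":
        if enum_only:
            return "P2", f"{where}: internet-facing; leaks host details to anyone outside, which eases a targeted attack."
        return "P1", f"{where}: internet-facing; an outside attacker can exploit this directly."
    if zone == "internal":
        if enum_only:
            return "P3", f"{where}: LAN-only enumeration; helps an insider or a compromised workstation map the network, but gives no entry from outside."
        if rank >= SEVERITY_RANK["high"]:
            return "P2", f"{where}: not reachable from outside, but an insider or a phished workstation could take over this host."
        return "P4", f"{where}: LAN-only and low impact; fix during normal patching."
    # zone == "isolated"
    return "P4", f"{where}: no inbound path from other segments; record for hygiene, not a current threat."


def triage_report(findings, exposure=ASSET_EXPOSURE):
    """Return (priority, finding, rationale) rows sorted by contextual
    priority first and raw scanner severity second, so the report leads
    with what an outsider can actually reach."""
    rows = [(prio, f, why) for f in findings for prio, why in [triage(f, exposure)]]
    rows.sort(key=lambda r: (r[0], -SEVERITY_RANK[r[1].severity]))
    return rows


# Constructed sample findings, in the style of a scanner's plugin titles.
SAMPLE_FINDINGS = [
    Finding("10.0.1.5", 443, "Web server remote code execution", "critical"),
    Finding("10.0.3.41", 445, "SMB NULL session enumeration", "medium"),
    Finding("10.0.2.20", 445, "NetBIOS name disclosure", "low"),
    Finding("10.0.2.20", 445, "SMB remote code execution", "high"),
    Finding("10.0.9.9", 22, "SSH server accepts weak ciphers", "medium"),
]

if __name__ == "__main__":
    for prio, _, why in triage_report(SAMPLE_FINDINGS):
        print(prio, why)
```

With the constructed inventory, the null session on the isolated desktop drops to P4, the RCE on the public web server leads the report as P1, and the host nobody documented (10.0.9.9) is held at P2 until someone can say where it sits. The rationale strings are what a non-technical reader and an outside auditor need next to each line, which is exactly what the raw scanner output lacked.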