The risk of offshoring security

Kim Crawley, security researcher for InfoSec Institute

Well, the 39% who said they've outsourced any percentage of their security still worries me a great deal.

But leaders in the IT security world who know what they're doing are too sensible to be tempted by offshoring and outsourcing. Jon Gossels, president of SystemExperts, said to NetworkWorld, "my bias is against it."

Not having direct access to your security management and logging creates a massive vulnerability. There's now a new area of work in my industry: information security auditors who have to dedicate their efforts to monitoring the security of third-party security firms. What's the point? Information security auditors should be able to focus their work on monitoring in-house security only, because, except for penetration testing and third-party compliance, all security work should be done in-house. And third-party pen testers and compliance regulators should be domestic, not foreign.

The NSA scandal and recent news about Russia and China highlight how outsourcing security or any technical work to foreign countries can be a national security threat. The Patriot Act, in my opinion, is bloody well useless for securing the United States, especially considering America's economic, security, and technological dependence on other countries. Some of them are possibly hostile, namely China.

On February 11th, the Mandiant security firm released an earth-shattering report. They identified attacks on American corporations, individuals, and computing infrastructure from China's People's Liberation Army, using "Unit 61398" as a handle.

Since 2006, Mandiant has recorded attacks on 141 different companies, in a number of industries. The United States, and other predominantly English-speaking countries, like the UK and Canada, are the main targets. Of course, the Chinese government denies everything.

My husband and I own and operate a few rackmount servers in the data center owned by Toronto Freenet, a Canadian ISP. We use our servers for various work and recreational purposes. Their network administrator, Michael Kaulbach, is a good friend of ours. Whenever my husband or I visit the downtown Toronto data center, Mike always tells us about attempted attacks he's had to stop, coming from predominantly Russian IP addresses and domain names.

Sometimes, outsourcing firms are simply poorly qualified and incompetent. Foreign workers with no IT experience are writing IT security policies and procedures for domestic corporations. Aric Bandy, the CEO of IT outsourcing firm Agosto Inc., said to the Chicago Tribune, "a lot of these security rules were written by non-IT people, and they aren't specific enough to give IT professionals a clear idea of how to set up security, and there are a lot of other ways to do it. One client wanted us to ensure we had control of who was physically able to access a computer server in our data center. We already had card access to the data center, personal identification numbers for data access, and a guard. But that wasn't enough. They wanted a camera focused on that server, and we had to do that."