The "No Network is 100% Secure" series
- Temp Placement Agencies -
- Consulting Companies -
- Agency Recruiters -
A White Paper
All rights reserved - may not be copied without permission
Easyrider LAN Pro, NOC Design Consultants
What do recruiting agencies have to do with network security?: Fair question!
Let's say that you are an IT manager. After reading this series of white papers
you very well may figure it's about time to reduce your risk and have someone take a
good, hard look at your network for security vulnerabilities. So where do you turn?
The self-medicating option:
The most obvious choice is your own IT Staff. And if you're a large organization
you very well may have several really good security engineers on staff to do this
work. But, if they're that good, they've already completely tightened up your
network so no worries, right? Well... maybe. As you've seen in these white
papers, there are some really large, well funded, professionally administered
data centers that have been shown to have major security holes and vulnerabilities.
The reasons for this are many, as we've pointed out. And in most cases, being
managed by an incompetent IT staff is not one of them. Sometimes there is significant
value in having an audit done by an independent organization that will look at
everything through a fresh pair of binoculars. It's common for the people who
run the day-to-day operations in a data center to be too close to the
problem.
In other cases, the company computing enterprise may be too small to afford the
luxury of an on-staff security expert. This is especially common in these days
of staff/budget cuts where everyone is running "mean and lean" without sufficient
resources to run the day-to-day in many cases, much less focus on something proactive
like network security.
So for the sake of discussion, let's say that you are an IT manager who, for whatever
reason, feels the need to bring in a third party to give your network a good looking
over. So where do you find a competent, reasonably priced security engineer to
do this work?
Google or some other search engine is a popular choice. That's probably how you found
our security white papers. But we're not talking about collecting free information
now. We're talking about hiring someone to do important work. So let's look at the
options that your keyword search provided. If you did a search on "computer network
security consultant Portland Oregon", Easyrider LAN Pro is likely listed on the first
page. And there are plenty of others listed along with us.
Companies that are in the network security business: We're not talking about
VARs who sell firewalls or various types of security related software and who
will be happy to put a pre-sales support guy on your site to rack up billable
hours. We're talking about companies and professional consultants who have made
a business out of doing network security assessments and enterprise hardening.
We aren't here to disparage other people or companies but suffice it to say that not
all consulting firms are equal. The smart IT manager would want to select a
consultant using the same criteria that would be used when investigating any vendor:
length of time in business, level of expertise in the security field, the type(s)
of services being offered and so on. A local company would probably be preferable.
You'd also want a company that offered a professional security audit service versus
having a technician come in to just "look around", which is what many outfits in this
space do.
In the case of Easyrider LAN Pro, our Network Security Audit and PC Tune-up
Service is a well documented proprietary process that uses state of the art
tools and a systematic, repeatable approach. Yes, we also "look around"
to follow up on anything we see that looks suspicious. But the core of our audit
process is to follow a documented checklist that runs a comprehensive series of
tests that look for specific symptoms, problems and issues. We're not sure that
all of our competitors
are quite so organized. Another consideration might be whether the company you are
thinking about has also published a series of comprehensive white papers on the topic of
network security and how well versed and current they are on that subject.
If their business is selling security appliances or "security software",
they may not be the best choice to do a comprehensive vulnerability and threat
audit on your network.
No doubt the experienced IT manager knows how to evaluate service vendors. It's
certainly possible that we have competitors who may be less expensive
than we are in the area of network security engineering. It's just
as likely as not that Easyrider LAN Pro, which has been doing this type of work
in the Portland area for 20 years, may be better at it than most.
Since the audit is free if we don't find anything, it's not like
you are taking a huge risk to have us come in and look over your environment.
Offshore Consulting companies:
There are an alarming number of offshore companies in India and other third world
countries proliferating at a dizzying rate. They are presenting themselves as
consulting companies, placement firms, service providers, "Microsoft Partners",
etc. The company's USA-based postal mailbox address and USA VoIP phone number
notwithstanding, almost all of these companies have very professional looking
web sites and seek to give the impression that they are multi-national businesses with
a strong presence in America. In almost all cases, nothing could be further from the
truth and this blatant deception ought to be reason enough to steer way clear of these
guys.
In almost all cases, these types of "Consulting Companies" will be a one-man or a
family (Mom and Pop) operation. The principal will receive your sales inquiry and
will then do the same Google search previously mentioned to try to find someone capable
of doing the actual work. Almost none of these companies have competent engineers on the
payroll and those that do will likely not have anyone here in the USA, much less
living in the city where you are. We get literally dozens of hits on our website
daily from "Consulting firms" from India looking for examples and templates. The
fact is that anyone who is looking for a NOC SOP has obviously never built a NOC
before. With cost saving measures at the top of everyone's priority list, consider
whether paying someone to google each step of the project is cost effective,
or whether the real value is in hiring a company that can actually do the work and
be available for follow up.
Another consideration is that virtually all of these Third World Country "Service
Providers" pay their temporary help on a 1099 or a corp-to-corp basis. This is done
primarily to avoid paying income taxes, FICA, unemployment insurance, business
insurance, workers comp and so on. Here in Oregon it is illegal to pay consultants
this way just to avoid paying taxes although it happens all the time. The risks
to the customer and to the person who will be doing the actual work on your site
are huge and neither of you has much recourse if things go bad. Want to try
taking an Indian company to court? Good luck with that!
Local recruiters and placement agencies:
Of course there are agencies right here in town that are also paying temporary
workers on a 1099 basis to avoid paying taxes too. And in our opinion, these
guys should be avoided like the plague. The recruitment model for local placement
firms is similar to what's already been discussed. They get your job order.
They do a Google search. They find some hapless, out of work, marginally qualified
tech who's willing to work for peanuts. The agency keeps the lion's share of the
money you are paying
to have your project worked on. Maybe the temp they put on your site knows what
he's doing and maybe he doesn't. Who would sign up for a deal like that?
Surprisingly, this is exactly how many Portland-area companies staff their
projects today. In my opinion, if you want to launch a security audit project that's
guaranteed to fail, this would certainly be a great way to make sure that happens.
It should also be noted that just like the offshore companies, many employment agency
headhunters now market themselves as "Consulting Companies". You be the judge
of that. Personally, if I am paying big bucks to have someone work on a high risk,
high visibility project, I'll sleep a lot better knowing that the person doing the
work has more than a few successful projects already under his belt.
Think globally, buy locally:
You also might want to think about how you'd feel about having your own job
outsourced to Bangalore one day. A few years ago, a member of the Oregon House of
Representatives outsourced his speech writing to some place in India. Apparently
he felt that no citizen of Oregon was up to the task of doing this work.
Predictably, the media got ahold of this story and that was the end of this fellow's
political career. As it should have been!
Portland has several excellent colleges, universities and technical schools that
graduate hundreds of well educated, hard working local citizens who should be hired
by local employers. America has been bleeding jobs to Third World Countries for years.
Your job or your wife's/husband's job could be next. Portland has a superior job pool
of talented candidates for high tech work. We strongly believe in buying locally. And
we also strongly support local businesses that purchase locally. We believe that you
should too.
Are Third World Country "Consulting companies" competent?: You decide. I
recently received this "inquiry" from Vaibhav Malhotra who wrote using a free, stealth
Google e-mail address. This is far from the first time I have been asked for
"free advice" by someone who knew absolutely nothing about building Network
Operations Centers and/or about enterprise monitoring generally. The e-mail text
has not been modified.
Hi,
I am looking for a designs to build a NOC\SOC for a large company in india which has
a capability of almost 125 engineers...
Please send me few NOC/SOC pictures or any related diagrams and budget and whatever
you feel can help me............
Thanx
Is this a "consulting company" that you'd feel confident about building your
high visibility, high value NOC? If failure is not an option, you may want to
consider someone who's actually built a few NOCs. If there is an "up" side to
engaging Third World "consulting companies", we're sorry but we just don't see
it.
Easyrider LAN Pro Consulting services:
- Network Security Audit and PC Tune-up service
- Proxy server installation and configuration
- Enterprise security consultations
- Disaster recovery planning
- Disaster recovery services
- Capacity, migration and upgrade planning
- Build and deploy central syslog server
- Build trouble ticket systems
- Design and build monitoring environments
- Design and build Network Operations Centers (NOC)
- HP Openview, BMC Patrol consulting
Last modified May 18, 2009
Copyright 1990-2009 Easyrider LAN Pro