Expanding into Network and Systems Security

  1. #1
    Senior Member
    Join Date
    Jul 2001
    Posts
    143

    Expanding into Network and Systems Security

    Hello everyone!

    Currently I work for a computer consulting firm that does a lot of network and systems maintenance and consulting (basically we act as their sys and network admins), as well as doing app. development stuff. I've approached my boss about adding network and systems security services to our marketing, but the problem is, how exactly does this fit in with existing and new clients? Basically I'm hoping to add the initial security evaluation and lockdown as a service within itself, and then simply keep the security "upkeep", so to speak, with the existing portion of the consulting firm.

    More likely than not they are going to ask why this isn't already part of our service, which is a legit question if we are talking about a brand new install, but it is impossible to fit general upkeep AND a baseline security analysis and lockdown into a client's monthly retainer (or number of hours "allotted" to the client on a per month basis). Plus I'm looking to branch this off into its own division with unique consulting services that I could possibly head once I graduate from school (just a little bit of self-interest).

    Anyway, I was wondering if any of you had any advice on expanding to offer these services, or if you are already in security consulting, what kinds of services do you offer your clients?

    Regards,
    Wizeman
    "It's only arrogance if you can't back it up, otherwise it is confidence." - Me

  2. #2
    Senior Member
    Join Date
    Apr 2002
    Posts
    889
    I can answer one of your questions. The reason why security is usually not part of the services already is billable time and the personnel question. Is one person always assigned to the same client, or is it whoever is free? Do you have standard procedures for each problem encountered, or is it up to each consultant to think he is doing the right thing or this might work? If you are sent to solve an email problem you solve the email problem and usually will not have time, nor the client in the mood to pay, for further study of the problem beyond "oh, it's been six months since our last visit and you're one service pack and 3 security patches behind." When looking at security issues that should be the focus. All too often consultants are called to solve a specific problem; in the client's eyes, keep it all going, our business depends on the network being up. Being good consultants, they are kept up and running and sent off to the next client with your mind thinking that nagging question: I know something is wrong but I've got no time but to make it to the next client, billable time. New installs are, as you say, a piece of cake; unravel what maybe 6 to 12 other consultants have done and why on a network you have just been sent to, and well, you see that scope. Oops, need I say I am most likely to be the one to ask why also, 'cause I've had to unravel a network put together by about 2 dozen consultants and each did their job, solved a problem, and in doing so made a real big hole, needless to say long ago corrected by me :-)
    I believe that one of the characteristics of the human race - possibly the one that is primarily responsible for its course of evolution - is that it has grown by creatively responding to failure.- Glen Seaborg

  3. #3
    Senior Member
    Join Date
    Jan 2002
    Posts
    883
    About the same as above. I already include it in my services as billable time. If it takes an extra hour to add, delete or change a user's permissions, or to put a hardware firewall on the network, I bill them. Even if I walk in and blow my nose and leave, that's a minimum of a service call: one hour labor and $.16 per mile charge. Period. So just include it in your flat rate charges.

    As far as getting them to understand, just put on a little demo for them. Plug your laptop in and set up a dummy file to tamper with. Or let them come to your shop and scan their network from there and show them what a malicious user would see and be able to do remotely.
    The COOKIE TUX lives!!!!
    Windows NT crashed, I am the Blue Screen of Death.
    No one hears your screams.


  4. #4
    Senior Member
    Join Date
    Jul 2001
    Posts
    143
    I certainly understand where you guys are coming from. On certain clients they are definitely in the "break-fix" mindset: "We only need you in if we can't do business, otherwise we don't want to see you." But we like to keep clients on a retainer so we have a minimum amount of hours to work with to ensure updates and such, but sometimes you can't just put that into a monthly retainer, not to mention that I don't believe all our consultants are capable of thorough security evaluations, hence the idea of eventually breaking it off into a separate division (which I believe it most certainly should be).

    It is certainly hard trying to balance billable time, but the point is that when I go to an existing client and say, "We are now offering a selection of security analysis plans," I guess I'm trying to come up with a reason for clients to start thinking of it as separate invoice items from the network and sys administration stuff, because in reality it is a job all its own, if it is to be done properly.

    What kinds of services have you guys seen offered by security consulting firms? My first thoughts are basic security analysis and consulting, and auditing. The analysis and consulting would probably be more sparse, but I figure we can get return clients from periodic auditing agreements, as this is something that no one does but everyone needs.

    Oh well, if you have any ideas on how to slowly break this off into its own entity please let me know.

    Thanks again!

    Regards,
    Wizeman
    "It's only arrogance if you can't back it up, otherwise it is confidence." - Me

  5. #5
    Senior Member
    Join Date
    Apr 2002
    Posts
    889
    Well I usually buy people's time because of the size of the network I have and how many people I have for a given project. Take my W2K server upgrade going on this week: now the email server was left to a consultant to install on a new box while I exported. I happened to stand there on the install upgrade, and it became clear to me security was not on the mind because I had to correct the default install path. Yes, rather a simple step, but as long as Win knows where it installs itself it can usually find itself while other things may not. Anyway most systems handled by consultants' initial install were done when things were more free-wheelin' and respectful... an entire 7, 8 years ago. I'd say get the marketing people on part of it, they are good at fluff (LOL); ours are great people. Give them stats on intrusions etc. Let them offer, say, a free 2 hour on site security evaluation visit. Simply then produce the number of holes in their system, how they can cost them the bottom line or their professional standing, and an estimate of how to fix it. In short, unless Owners and Partners understand the effect on their bottom line they will baulk at it. Me, I want to upgrade or make things more secure, I say well if you don't do this here are your risk factors and cost; business men hate taking a big gamble. Say for example their email server is open to relay; say this only means you may be liable for the false headers when it is traced to your server, and in our state that's like 50 bucks a pop. Learn a bit about your clients' operations, needs etc. Study them as much as the set up and code, relate to them on business terms and it will work every time; relate on geek terms and they will baulk at the cost.
    I believe that one of the characteristics of the human race - possibly the one that is primarily responsible for its course of evolution - is that it has grown by creatively responding to failure.- Glen Seaborg

  6. #6
    Senior Member
    Join Date
    Jul 2001
    Posts
    143
    Palemoon:

    Ok, well here is a question for you then, what do you do if you already have servers deployed at client sites that aren't secured (and I KNOW they aren't), just like the relay example, default install with only service packs and patches installed. How do you go about auditing these servers for security without getting hit for a loss? In other words what do I say to a client if a server my company installed has security flaws that I just audited?


    I guess I'm trying to find some way to make the creation of a baseline security policy for new installs billable time, rather than non-bill.

    Either way, I appreciate your insight. I now know what the onsite admins think when they see me coming.

    Regards,
    Wizeman
    "It's only arrogance if you can't back it up, otherwise it is confidence." - Me

  7. #7
    Senior Member
    Join Date
    May 2002
    Posts
    390
    hi.

    i suppose if it was me, i would try to impress the client by "caring" for his welfare.

    a letter. something like, "we were doing routine re-evaluations of the network installed by [said company]."

    heck, networks should really be evaluated every few years as the technology progresses.

    "and it has come to my attention that, due to the latest advances in malicious on-line attacks, such as viruses, trojans, etc., that your present system could stand an upgrade."

    on second thought, that could sound like blackmail?

    well, you get the idea.
    just like water off a duck's back... I AM HERE.

    for CMOS help, check out my CMOS tut?

  8. #8
    Senior Member
    Join Date
    Apr 2002
    Posts
    889
    I'd say qwerty_smith has it about right, and really as a consultant you must care about your clients' systems. As for fault, place it, if it's a Win sys, where it lays: M$, like due to the 167 patches issued in 2001 and the recent patches relating directly to security issues; we would like to assure your network, what, XP has one just to comply with Antitrust. Liability as a consultant is you do fixes as you are called; question is, you know the answer, your client does not spend 2 hours each day learning on what patches M$ Wins needs now, do they? Blackmail is when M$ wants me to pay for a privilege to upgrade even though at best company contracts spell out Office 2000 and PDF at best. Do your clients a favor and let them baulk at M$'s new privilege-paid-in-advance terms... tell them how short M$ leaves them and their total cost. M$ has to now live up to being the standard, and well, we all need time, more like 6 years between upgrades. I am not, my company is not, assured of their marketing fluff of "Software Assurance Agreement"... pay to get secure, not upgrade, this is better, is why I was hired. I put it in reality terms: my company's clients drive my upgrade, not M$.
    I believe that one of the characteristics of the human race - possibly the one that is primarily responsible for its course of evolution - is that it has grown by creatively responding to failure.- Glen Seaborg

  9. #9
    AntiOnline Newbie
    Join Date
    Apr 2002
    Posts
    178
    Another thing to be mindful of is to document the hell out of everything you do.

    I have many clients who are very happy with the job I do for them, but they have problems with their own employees not following policy.

    I have actually been asked to be the enforcer in some situations and eventually ended up telling those clients that they needed to find their help elsewhere. Document what you find and let them enforce their own policies. Don't get caught in the trap of being talked into dropping the axe on somebody for violating policy if you're not a company employee in a position to do so. BIG lawsuit in many states. But a lot of companies have execs and managers who have little or no understanding of IT policies and will push it off on you if you let them.

    The other purpose behind the documentation is CYA. Cover Your A$$. Regardless of how many hours you put in and how much you care for your clients, invariably there will be an incident somewhere, somehow when someone will try to pin it up to your negligence and/or lack of competency. Places you AND your company in a bad position.

    Make sure you have covered your "6" before entering into that relationship w/a client.

    Just a little food for thought...

  10. #10
    Computer Forensics
    Join Date
    Jul 2001
    Posts
    672
    services offered by security consulting firms:

    Penetration testing

    Security analysis ( down to physical security)

    vulnerability assessment

    Firewall installation

    training

    forensics ( data recovery)

    emergency response

    intrusion detection

    offsite management

    disaster recovery

    system maintenance and integration

    as you can tell, this list could go on and on, as security consultants are still consultants and do run-of-the-mill consulting. Hope some of those helped you, Wize.
    Antionline in a nutshell
    "You're putting the fate of the world in the hands of a bunch of idiots I wouldn't trust with a potato gun"

    Trust your Technolust
