
How to Approach Customers with Security Issues?

Cliff posted more than 8 years ago | from the break-it-to-them-gently dept.

Security 73

stuntshell asks: "We're a group of IT Professionals and we're starting our own consulting firm. We're most systems administrators, and not business admin, nor lawyers, and we're all have worked on big companies and most of the time the job to be performed was just passed on to us. The scope of the work we're about to perform will be security related, so how do you approach a customer in this kind of business? Do you wait for them to come and ask you to test their firewall? Or do you go scanning and discovering holes on other's network for you to offer them your solution? Do write a letter/email or do you propose a meeting? What works?"


73 comments

You hire a Sales Manager (5, Insightful)

QuantumG (50515) | more than 8 years ago | (#13610371)

and you give him a budget big enough to do his job. You know, sales? The basis of business? Oh, didn't think you'd need that? Note to investors: GET OUT NOW.

Re:You hire a Sales Manager (2, Informative)

Nasarius (593729) | more than 8 years ago | (#13610515)

Really? I thought you could just put up a website and everyone will come and give you money.

I can't believe this got posted. Look, anyone with good advice to offer is running their own security consulting firm and probably doesn't want more competition. For more general advice, I've seen SmallBizGeeks [smallbizgeeks.com] linked on Slashdot, and it seems like a worthwhile community.

Re:You hire a Sales Manager (1)

NitsujTPU (19263) | more than 8 years ago | (#13627388)

Hrmmm.

You might be on to something. Of course, we've got management who don't think that they need a product these days, so, it balances out.

Personally, I'd rather be at a company where the programmers are respected, but they lack sales expertise, than a shop where they have tons of managers underpaying programmers and talking about outsourcing what little development is done inside the company.

Re:You hire a Sales Manager (1)

QuantumG (50515) | more than 8 years ago | (#13627419)

Company 1 can't pay your paycheck. Company 2 probably pays you more than you're worth because they don't understand how easy it is to do huge-task-X with a perl script. I know which one I'd rather work at. Of course, it's much nicer working at a company that has both.

Re:You hire a Sales Manager (1)

NitsujTPU (19263) | more than 8 years ago | (#13630418)

It certainly is nicer working at a company that has both.

That said, 2 days ago I attended a talk and had the opportunity to speak to Werner Vogels, a VP at Amazon.com. He used to be a researcher here at Cornell. Everyone that I've spoken to who's worked there has had a nice experience.

Compare that to the familiar situation of someone who doesn't even understand what you do for a living slamming on you, getting paid more than you, getting better perks than you, and I'd rather go to Amazon any day. Wouldn't you? The median salary for my classmates is ~$75k, when they jump off to places like Google, and Amazon. I don't know much about Google's management structure from a personal perspective... but any company that gives you time to pursue independent research interests and work on journal publications, and recruits at conferences like AAAI can't be all bad, and can't have the typical managerial disdain for technical sorts.

Scanning? (5, Insightful)

Monte (48723) | more than 8 years ago | (#13610373)

Or do you go scanning and discovering holes on other's network for you to offer them your solution?

Boy, does that sound like an astonishingly bad idea. Sorta like a locksmith picking the lock on your front door, coming inside and offering to sell you a better lock. Sounds to me like a great way to get shot.

Figuratively speaking, of course.

Re:Scanning? (4, Insightful)

TheWanderingHermit (513872) | more than 8 years ago | (#13610578)

Yes, it is a bad idea. It is so incredibly bad an idea, you should *really* rethink how you're going to handle your business. This is a case of stereotypical geek behavior -- thinking more of how you can show off and what you want rather than what your customers or potential customers would want.

Reverse it, and use an analogy like the one in the parent post: how would you feel if someone came to see you, in your office, and said, "Hey, we looked at your locks, and found we could break into your office in less than 5 minutes. For a fee we can tell you how to protect yourself." Wouldn't you wonder if they're running a protection racket? What would you do if, somewhere in the next few months, your business was broken into? Who would the first suspect be? I know if someone came to me and told me how easily any of my systems could be broken into, I'd get all their info, ask them if they had a preliminary report, and tell them I had to talk to my partner. Once I had all their info, I'd turn it over to the cops, since I have NO idea if they are about to hit me up for money, or if they're just geeks that are too stupid to know how to deal with me as a human.

Seriously, if you actually think this could, in any way, be a good idea, then either forget starting your own business or, before you do anything else, hire a sales person who can be your front line and keep you away from your customers so you don't drive them off.

Ever since I started my own business, I've heard from a lot of people who tell me they think they have great ideas -- either for a business, a product, a service, or a way to market. In many years, the idea of scanning, then going up to people and saying they are vulnerable and you can fix it has to be the dumbest one I've heard yet.

And I'm speaking without malice or cruel intent -- just stating it as experience tells me it is.

Re:Scanning? -- Forgot to add (1)

TheWanderingHermit (513872) | more than 8 years ago | (#13610598)

If you really are puzzled how to market, prepare a flyer, in humanized terms, of what you do, and offer a little up front. Perhaps you can, for example, offer a port scan as an opening, and show them, again, in humanized and non-geek terms, just what that means and what you can do. Basically, you're offering them a free evaluation. You don't want to give them so much info they can give someone the report and have them fix it, but that way they feel like they're getting a nice demo, something for free, and it creates a sense of good will that can help you sell your services.

Re:Scanning? -- Forgot to add (1)

DeckerDel (914516) | more than 8 years ago | (#13611338)

Thanks, I just read what you had to say and found it quite interesting, honest! That sounds like a good idea; really, it borders right about in the middle. Maybe I should have read what you had to say before I poked my own comments in, but cheers, really :)

Re:Offer to Scan - Forget it! (1)

skidv (656766) | more than 8 years ago | (#13612778)

As an IT manager, I receive these types of offers on a weekly basis. When I do, I request an e-mail so I can track who sent the request and then add them to my list of suspects.

Any request to scan or security test my network is immediately perceived to be hostile. It's called social engineering and it is one of the most effective security attacks. It's not a good opening line.

If you want my security business, first you need to win my trust with non security work.

Re:Scanning? -- Forgot to add (2, Informative)

mengel (13619) | more than 8 years ago | (#13613205)

Possibly -- but do not under any circumstances do anything to a customers system without permission in writing. This can be a "please give me an evaluation" on a pamphlet, or whatever, but get it in writing.

Otherwise you risk running afoul of computer trespass laws...

Re:Scanning? (1)

DeckerDel (914516) | more than 8 years ago | (#13611319)

Your comment is VERY valid, but where is the line drawn? If clients don't know holes exist then they do nothing. However, if you go pen testing and show them their holes, this could be considered (I don't know, half-hacking); it's a very thin line! I don't really know the answer, but I was hoping someone might enlighten me on the subject!

Re:Scanning? (1)

WebCrapper (667046) | more than 8 years ago | (#13617084)

I remember that there was a security firm that decided to basically test the government's security without actually being requested. In the long run, they were confused when the feds showed up and raided the place.

re: What Works (4, Funny)

xmas2003 (739875) | more than 8 years ago | (#13610388)

1) Get submittal about your company approved on Slashdot.
2) Every company reads about you and wants to hire you.
3) Profit ... oh s*it ... forgot to post our URL!

Aaaarrrgghh... (4, Informative)

tekiegreg (674773) | more than 8 years ago | (#13610396)

Sniffing me, then emailing me to plug the holes for a price is almost the equivalent of blackmail. This may earn you one of 2 things:

1) A very nasty letter from either management or legal telling you to cease and desist
2) From the more nasty management/legal, a call to the police..

The best way really, is the more conventional way, advertise, network and otherwise legitimately promote your business, this gray area finding holes and near-blackmail will get you more grief than it's worth.

By the way and offtopic: I woulda probably had first post if my new kitten didn't continuously stomp on my keyboard. Cans of air certainly are handy...

Re:Aaaarrrgghh... (1)

bergeron76 (176351) | more than 8 years ago | (#13610480)

Agreed. Even a polite snail mail letter would have potential lawsuit written all over it. Corporate figureheads would immediately go on the defensive (not security wise), and would not take kindly to being told that you were snooping around/outside their network.

It's similar to the old saying about going around seeing if front doors to homes are unlocked. If you reach in and lock the door for them, the vast majority of people wouldn't notice; but the 1 guy that caught you in the act would rearrange your face for trying to "help him".

I'd say to let people come to you on this one.

 

Re:Aaaarrrgghh... (1, Informative)

PunkOfLinux (870955) | more than 8 years ago | (#13610516)

Kitten! Yay!
I wish I had a cat... that walked all over MY keyboard... but NO! my parents won't get a cat!

Re:Aaaarrrgghh... (0)

Anonymous Coward | more than 8 years ago | (#13611813)

Son, if we get you a cat you'll just try to have sex with it. Look at what happened to Hannah the budgie. Poor thing.

OT: Sig (0)

Anonymous Coward | more than 8 years ago | (#13610577)

I have to say, I love your sig. :) That one and its variations (here we use "...between the sheets.") go well with anything. And the end of your post set it up perfectly.

Re:Aaaarrrgghh... (2, Funny)

BaudKarma (868193) | more than 8 years ago | (#13610624)

On the other hand, if you hack into their network and let them know they're vulnerable, *then* you make a polite sales call offering security services, but you don't link yourself in any way to the previous break-in... you might catch someone in panic mode.

Not terribly ethical, I suppose...

Not to mention (2, Funny)

(Score 5, Flamebait) (915262) | more than 8 years ago | (#13611530)

Sniffing me, then offering to plug the holes for a price is almost the equivalent of blackmail. This may earn you one of 2 things: ...and in a bar, this kind of behavior will almost *certainly* get you slapped, hard.

Re:Aaaarrrgghh... (4, Funny)

Frantactical Fruke (226841) | more than 8 years ago | (#13611590)

That's a very nice firewall you've got there. Would be a shame if something happened to it...

The impenetrable firewall (3, Interesting)

worf_mo (193770) | more than 8 years ago | (#13612284)

This reminds me of a little story that happened to a customer who I was working for in the late nineties.

Said customer wanted to have their (large) network audited for security issues and hired an "established security firm" to do the job. As a first step it was decided that these experts had to try to break into the network from the outside, and they promised to report within a certain time frame.

When the time had come, the customer called them up and asked about the report. The experts said they were still working hard, but from what they had seen the network seemed completely impenetrable. The customer's network admins had not noticed any strange activity or alarming attempts, and asked about the methods used, and the experts gladly explained:

They had gathered a list of public host names via DNS and found an entry firewall.customersdomain.com. From then on they had tried to gain access to or through firewall.customersdomain.com in all possible means and using every tool at hand, but they had not succeeded.

This explanation caused a fair amount of laughter amongst the admins. The DNS entry firewall.customersdomain.com had been created a while ago to perform some tests, but the machine corresponding to the IP address had been disconnected from the net months ago.

Re:war stories (1)

anticypher (48312) | more than 8 years ago | (#13623303)

I'll go you one better.

I had a client (now ex-client, thankfully) who managed to get a very bad name in the web-hosting industry. Unpaid bills, cheated partners, traded stolen equipment, etc. Decided to start all over again, so he changed the name of his company, and pointed the old DNS entries to an ex-partner's company (or the ex-partner kept them).

A year or so later, in comes some snotty young Dutch hac^Wwanna-be security team, to pay him a visit. They point out all the holes in his security, have copies of logs from network management machines, figured out the passwords on the routers, etc. Only problem was that the network wasn't his, but another company's. The other company was not thrilled, and had been cleaning up after all the break-ins and the damage done. So the police were called, but they declined to prosecute after throwing a big scare into the pre-pubescent idiots. I hear a few civil cases are still proceeding against them.

the AC

Do nothing (0)

Anonymous Coward | more than 8 years ago | (#13610417)

Unless you want to end up in jail. No matter how good your intentions are, someone is going to think you're trying to extort money from them, and they're going to call the police. Then the only holes you'll have to worry about protecting will be your own.

No, no, no! (3, Informative)

Otter (3800) | more than 8 years ago | (#13610435)

Or do you go scanning and discovering holes on other's network for you to offer them your solution?

Absofreakinglutely do **NOT** any such thing. **NEVER** intrude on a network unless you have **EXPLICIT** **WRITTEN** authorization to do so. You're going to be very, very sorry if you make a practice of doing such things.

I realize that it's impossible to make this point here without a stream of common-sense-impaired nerds lining up to insist that some stupid analogy makes unauthorized intrusion a great idea. You can listen to them or listen to me...

Re:No, no, no! (1)

fred fleenblat (463628) | more than 8 years ago | (#13610542)

I would actually recommend not even scanning a network *with* written authorization. The customer can scan it and send you a report if they want.

I personally know someone who was sent to prison for 6 months for scanning, finding a vulnerability, and informing the site admin. The guy didn't ask for money to fix it or anything.

Prosecutors and juries are simply not in tune with "hacker ethics". The guy in the expensive suit will just ask if you did scan or didn't, the 12 people in casual clothing will note your answer and be done by 2:30 and you'll be more screwed than you ever realized could be possible.

Re:No, no, no! (1)

Sigma 7 (266129) | more than 8 years ago | (#13614306)

Prosecutors and juries are simply not in tune with "hacker ethics". The guy in the expensive suit will just ask if you did scan or didn't, the 12 people in casual clothing will note your answer and be done by 2:30 and you'll be more screwed than you ever realized could be possible.


Any real "security consultant" would ensure that the penetration test is authorized by the person running on the equipment. (e.g. the CIO, only by doing an initial port scan if they chose not to in-source it as most corporations should do.) Such a security consultant should know enough about the company anyway to avoid going into hot water.

Likewise, any real lawyer representing such a consultant would try to bring down the person that gave the so-called permission as well. You'll have to ask a lawyer on the exact procedure (and the reasoning, which can vary from case to case) - however, it is a standard motion to add a person to the list of defendants.

Re:No, no, no! (2, Funny)

QuantumG (50515) | more than 8 years ago | (#13610690)

  • Hack MegaCorpWithBadIT.
  • Vandalise their website or whatever.
  • Wait for Head IT Nerd to search Google for security solutions.
  • Make sure your company is in the top 10 hits by modifying the Google response in transit (and replace all the links to the other sites with a link to yours just in case).
  • obligatory ????
  • Profit!

Re:No, no, no! (1)

superpulpsicle (533373) | more than 8 years ago | (#13611042)

That's why there are so many worms invading all these corporations and spreading across the Internet like wildfire.

The time it takes to determine the size of the hole and the severity of the problem is so slow and bureaucratic. By the time you know what to do, the worm has multiplied 100x.

Re:No, no, no! (1)

sdedeo (683762) | more than 8 years ago | (#13611156)

Oh yeah? Well, think of it like... instead of scanning someone's network, it's like flying a plane... over a city... and looking at people's swimming pools... seeing if they're safe. I mean... how can you object to that? To me it seems identical.

Re:No, no, no! (1)

TheWanderingHermit (513872) | more than 8 years ago | (#13611249)

There's an expectation of privacy of data in your own network. There is a reasonable expectation of privacy in your back yard, but not from above.

I'm sure, though, if you were the one swimming nude in your pool, or were someplace you felt was private (whether nude or not) and someone showed you pictures they had taken of you when you had every reason to expect to be alone, you'd have a different opinion.

It's also good to remember that just because one can does not mean one should. It's always best to show others as much consideration as possible. I'm sure you at least understand that.

forgot the (1)

sdedeo (683762) | more than 8 years ago | (#13611415)

tag, my apologies. I tried to come up with the lamest analogy possible.

Re:forgot the (1)

TheWanderingHermit (513872) | more than 8 years ago | (#13611504)

Interesting. I can't really think of an analogy that would make it seem acceptable, since the root of the situation is that a network scan is an examination of your assets without your permission. Almost any situation you can compare it to amounts to the same thing: someone is, in some way, observing you (generic you -- I'm not trying to attack you personally) when you don't want them to or don't expect them to. While they may be able to do it legally (one example is that I think guys with upskirt cameras have gotten away with it because the judges have ruled there's no reasonable expectation of privacy -- but that doesn't mean a woman won't still be very angry at him), it is still VERY unlikely anyone would NOT feel violated at such a move.

Maybe that could explain either the difference in the net scanning and the analogy or explain why both would piss people off. I used to work as a videographer and had to tape weddings and even then, when it was a public gathering, and people KNOW there's a camera there (and have talked to me), sometimes people still get upset if there's a frame or two of them where they were caught off guard.

(The most notable I ever had to edit out was one where the camera, with the spotlight, was on the bride's Mother and her boyfriend during a slow dance. There is NO way you can miss the spots the owner made us use, and there was a point, early in the shot, where the boyfriend even looked straight at the camera, but he still, at one point, closed his eyes, and was holding her from behind, and groped her boob -- just a quick feel, but enough to be seen (yet not enough to be sure of what was happening) and the two of them were quite upset when they saw it in the video. They KNEW the camera was there, and still felt violated that they were caught on tape.)

Re:forgot the (1)

AvitarX (172628) | more than 8 years ago | (#13616015)

I one time looked at a fence around a factory. I saw a huge hole in it. I then notified them (I don't want kids getting chemicals and then putting them on my car). I then notified the city when nothing was done. After a few complaints the city made them fix it.

So I:
1) Looked at a public-facing security measure as an attacker (vandal, thief, etc.) may.

2) Disclosed how such security was dilapidated and no good to the owner.

3) Did the same to a third party.

I got:

1) No punishment.

2) Accolades from my more civic-minded neighbors.

This is just an attempt at a decent analogy that works.

Of course I don't expect to get a job with them. And I agree, saying "I found this, hire me" sounds like racketeering.

Re:forgot the (1)

TheWanderingHermit (513872) | more than 8 years ago | (#13616141)

After reading your post, I stopped and thought about the difference between what you did and scanning a firewall or trying to break in to test a system's integrity. I came to the conclusion there is a VERY fine line involved. In your case, the fence was at the edge of the property, in public view, and was more or less intended to be in public view and was part of the planned interface with the public. It's also worth noting an important part of that interface is the intent of the fence to keep people out.

Compare that to a firewall. It is also intended to keep people out, but the difference is you can SEE a hole in the fence without penetrating it. You were able to see the hole and notify the company about it without going on their property or any type of invasive procedure. To test a firewall, you actually have to penetrate it in one way or another. While you could see the fence hole without going in, to find a hole (not just an open port) in a firewall that is vulnerable, you HAVE to penetrate the firewall. That would be like you not knowing it was a hole until you stepped through onto their property.

It's an interesting point because it shows a fine line.

Re:forgot the (1)

AvitarX (172628) | more than 8 years ago | (#13616355)

Fairly true, but for example you may find in just a simple audit that the port for SMB is open.

Your recommendation could be to close it and set up a VPN.

Also, I would think that probing ports 80 and 21 to see what web/ftp server was running and checking against known vulnerabilities is in the realm of not penetrating the firewall (both are presumably for the public).

Probing other ports for version would be more of a grey area (for example SMB) because they are not implicitly public. Still, doing a fingerprint on the port may not quite be the same as finding a hole in the fence; it is no different than seeing through a part of a stone wall that has a window in it.

I guess my point is that you can find big security holes without exploiting them.

I still don't think it is ethical marketing, and was really just trying to find an analogy that put it in the same light I felt it should be viewed in for people who really are doing things unselfishly, or for fear of what will happen when a malicious person compromises the system.

Re:forgot the (1)

TheWanderingHermit (513872) | more than 8 years ago | (#13616462)

Do you think there's a difference that, in your case, the fence hole was found by accident, and in the course of daily activities and to find a hole in a firewall, one has to deliberately scan that firewall with an intent to find, at the very least, open ports?

Re:forgot the (1)

AvitarX (172628) | more than 8 years ago | (#13616610)

I think the biggest difference is one of technology.

If I were dishonest and found the fence hole it would be trivial to patch it up and prevent me from ever getting back in (check for foiled locks/cut bolts/open windows). In a computer, if I found a real vulnerability you would need to reformat/install to be sure you were clean on the firewall. If it was something systemic to the OS version used you would need to do so to every computer in the company. This means that even if my actions are the same and my intentions are good I can still cause a huge stir by doing nothing wrong. The tumult that would be caused would be akin to someone accidentally walking into a federal building with a hand grenade, the cost immense even if the outcome is more security. I personally think in the case of a bank, the IRS, a University and others with key info it is ethical to cause this reaction, but when the risk to others is quite low and you are only protecting the company it is pointless and wasteful. Unethical should not be a crime though.

As for looking/stumbling upon I see no difference. There is an abandoned house down the street from me (owned by Lutherans even). My neighbor is quite fearful that drug dealers will hang out there, she inspects the fence regularly (fallen limbs often take parts down) and she is not being unethical because the cost of a discovery is very low and in her mind people are protected. If on the other hand it was something that would instantly cost $1000's to fix (and could not be ignored) but only protected the property owner and not the community the ethics are at the very least grey (still should not be a crime, just really bad marketing strategy).

English as a second language courses (0, Redundant)

Professor_UNIX (867045) | more than 8 years ago | (#13610436)

I would suggest brushing up on your English if you plan on conducting business in English speaking countries. I would also highly recommend against attacking a company's network pre-emptively without their express written approval and a solidly established rules of engagement. Anything less is likely to land your ass in jail very quickly. An attacker coming to me offering "consulting services" is akin to a mobster offering his protection to local businesses for a weekly fee. You may very seriously want to consider partnering with someone with some experience establishing, managing, and growing a small business, even if it's not previously computer related experience. The business experience will probably prove invaluable to you and save you a lot of headaches down the road.

Might want to think about keeping your day jobs (4, Informative)

hrbrmstr (324215) | more than 8 years ago | (#13610466)

We're most systems administrators, and not business admin, nor lawyers, and we're all have worked on big companies and most of the time the job to be performed was just passed on to us.
Perhaps you "IT Professionals" might want to consider a few tech writing courses to help you beef up on grammar and, I suspect, spelling. If you approached my company with a cover letter that contained sentences like the one I just quoted, your firm would be placed near the bottom of the pile.
The scope of the work we're about to perform will be security related, so how do you approach a customer in this kind of business? Do you wait for them to come and ask you to test their firewall? Or do you go scanning and discovering holes on other's network for you to offer them your solution? Do write a letter/email or do you propose a meeting? What works?
Do you have a security background or did you just manage to apt-get or rpm Nessus and nmap successfully? Are you certified (SANS, CISSP, MSIA, etc)? If you just plan on handing someone a default Nessus report, please - don't!

As far as "getting the sale", what worked for salespeople that sold goods/services - security or otherwise - to your previous company/companies? That might be a good place to start. If you were never brought into sales-discussions, you might want to ask yourselves "why not?".

What you *definitely* want to do is perform unauthorized scans and/or penetration attempts on a potential customer's external firewalls and/or servers. That will most assuredly endear you to them. Why, they might even ask to have a police escort for you!

One of the last things you should do is approach a new career in security consulting without really knowing that part of the IT world like the back of your hand (and not just the tech bits).

(Have you considered starting up a Starbucks franchise instead?)

Re:Might want to think about keeping your day jobs (0)

Anonymous Coward | more than 8 years ago | (#13610571)

Parent post wins the thread. Congratulations!

Re:Might want to think about keeping your day jobs (0)

Anonymous Coward | more than 8 years ago | (#13610881)

/QFT

ps nerf shamans

Re:Might want to think about keeping your day jobs (1)

austad (22163) | more than 8 years ago | (#13611011)

Starbucks doesn't franchise, they are all company owned stores. :)

Re:Might want to think about keeping your day jobs (0)

Anonymous Coward | more than 8 years ago | (#13611174)

You're not invited to many parties, are you?

Re:Might want to think about keeping your day jobs (1)

hrbrmstr (324215) | more than 8 years ago | (#13612225)

Point well taken.

Great sig. NetScreen firewalls are rock solid. We've got a plan slated to replace a good number of the cisco pix-ie dust boxes with them next year. Stupid, crappy connection table limits.

Re:Might want to think about keeping your day jobs (1)

Nasarius (593729) | more than 8 years ago | (#13611497)

(Have you considered starting up a Starbucks franchise instead?)

You really have a point here. The security consulting market is pretty saturated; you have to offer something unique (and have good connections) to get any attention.

If you want your own company, there are much more interesting and profitable markets to break into, IMO, even if they don't exploit your full expertise. And if you don't know how to run a business, it doesn't matter how good you are at the technical stuff -- you're fucked. At the very least, you should have read a few books about entrepreneurship.

Re:Might want to think about keeping your day jobs (1)

hrbrmstr (324215) | more than 8 years ago | (#13612221)

You aren't kidding about it being saturated. The "big" vendors hit me up at least 1x/wk and I'm *constantly* getting pinged by small outfits (who at least seem more capable than these folks).

Guess it's all those CISSP "cram sessions" that made all these _fine_ security engineers.

I hear there's good money in long haul trucking!

Re:Might want to think about keeping your day jobs (1, Funny)

Anonymous Coward | more than 8 years ago | (#13612355)

"there are much more interesting and profitable markets to break into"

Haha! "break into". I get it!

Re:Might want to think about keeping your day jobs (1)

anticypher (48312) | more than 8 years ago | (#13623598)

If you just plan on handing someone a default Nessus report

The security industry is filled with people doing this. It's not just a few here and there, it seems like every university computer student is out flogging Nessus reports. Every internet company I know gets at least a few contacts per week from guys flogging their security scanning service. The more socially apt geeks actually call in advance and set up a meeting with someone in the IT or networking group, the hopeless cases just run a Nessus scan, print it out, and then try to meet someone by hanging around IRC channels and selling them the report.

If you were never brought into sales-discussions, you might want to ask yourselves "why not?"

Excellent advice. Geeks aren't sales critters, and sales people should never pretend to be geeks. And neither type is management. The only successful companies have a real business person at the head, hire an accountant to keep the books, a lawyer to review the contracts and answer any judicial questions, and then sales and techies for the grunt work. If the OP is just starting out, the best thing they can do is find a business-savvy type to head their company. Just as there are geeks who think they can start their own company with just a couple of years' work experience, there are also management trainees who would jump at a chance to play "boss", but they need someone with ideas and skills to do the grunt work.

the AC

"scope of the work" (1)

crimoid (27373) | more than 8 years ago | (#13610474)

You perform what is in the "scope of the work". Nothing more, nothing less.

You can OFFER to widen the scope once you are onsite if you suspect that there are other things wrong, but you should never go poking around.

eRICO (1)

spoonyfork (23307) | more than 8 years ago | (#13610550)

Or do you go scanning and discovering holes on other's network for you to offer them your solution?

I believe that's called extortion [wikipedia.org] . Watch your step.

Reputation first... (4, Insightful)

phamlen (304054) | more than 8 years ago | (#13610586)

Well, speaking from my experience at a fairly successful consultancy business, I think there are a couple of strategies. First, there are some key skills you all need:

1) Distinguish yourself as a group that provides "practical, effective" security. Never leave any of your first customers wondering why they paid you.

2) Solve the problems they want solved rather than the problems you think should be solved. Don't go tell the customer what they need you to do; instead, listen to what they say are the problems and solve them.

3) Brutally assess all the communication skills of your team. Know who your great communicators are, and who are the people you need to hide from the customer. Face it, as a consulting firm, it matters most how you interact with the customer.

As far as strategies go:
1) I bet your primary battle will be convincing people that it's worth investing in security. Start gathering factual stories of security failures so that you can talk about specific incidents and what happened. Be prepared to explain to a non-technical user why they should spend money - and make sure it's completely relevant to them.
For instance, I worked at a web-firm that doesn't really care about security... but they also have about 12,000 social security numbers in one of their databases. When we tried to push "network security" in general, there was no traction. When we asked "what if we have to announce to all our customers that their SSNs were stolen from our database?", that allowed us to push for greater security controls.

2) Consider focusing on the "virus-protection" market. I know a lot of small businesses completely struggle with Windows viruses that can bring down the network. Since good network security can help stop the spread of viruses, it might be a reasonable fit. "Stop the havoc that viruses cause" is a strong selling point.

3) Maybe offer a "security review and emergency assistance when needed" package. Basically, you do a review of their network for a nominal fee and then you're available for emergency issues if they have a security issue. Sell it as "now you'll know who to call if you really have a problem."
Once you get in to do the review, you can even make some suggestions to improve logging/auditing so that you can respond better in an emergency.

4) Get some street cred. Publish some articles on security issues, find a security weakness in Mozilla (we just heard that it's buggier than IE, right?) and get your name out there as a "security firm".
As an alternative, answer questions on newsgroups or forums. If you're good, you can get a rep as knowing your shit by answering people's questions. Sometimes, the sysadmin who asks for help could really use a consulting group instead.

Finally, one last piece of advice:

1) Always treat your clients' problems more seriously than they treat them. If your clients are a little concerned, you need to be very concerned. If they're satisfied, you need to be slightly concerned. And don't just sound like you're taking them more seriously - take them more seriously! If the client thinks it's a little problem, treat it like a big problem and get it fixed right away. If it's a big problem, treat it like it's the end of the world.
I know it sounds silly, but it means that every time your customers contact you, they will always get the impression that you're more on top of the problem and solution than they are. And that, in the consulting world, is gold!

Good luck.

-Peter

Re:Reputation first... (1)

nelsonal (549144) | more than 8 years ago | (#13610786)

Another topical area of importance right now is access control and data control, which are tangentially related to security. This is exceedingly important to most public companies with all their efforts to be Sarbanes-Oxley compliant. Once you come up with a good plan, don't advertise to CIOs; try to find auditors in your area who can recommend you, and advertise in accounting type rags. Make darn sure you are ready to handle the flow of business (and willing to turn down business you cannot handle, because there are many firms that are not close to Sarb-Ox compliance).

First hand experience with security business (2, Interesting)

gothzilla (676407) | more than 8 years ago | (#13610613)

I worked for a network security business in Denver. We did good work but found something very interesting.
Most businesses were not concerned with actual security but more interested in what name they could put on their website that says "Secured by _______"
Because of this the business died since we hadn't made a name for ourselves. Sure some people were genuinely interested in security, but not enough to support a business.
If you're going to deal with security, keep it on the down low and offer it as a secondary service. As expensive as security audits are, name means more than anything. If your company isn't widely known for security, you'll find doing security jobs hard to get as a primary offering.

Lifecycle Management Approach (4, Insightful)

Midnight Warrior (32619) | more than 8 years ago | (#13610623)

Treat it just like any other project that uses a cyclic lifecycle management. I'm supposing you already have your foot in the door, you are just unsure as to how to conduct yourself. At the end of each round, the customer can decide if they like the kind of progress being made and has the option to cancel the contract after each round if they disagree with methods or results. Start small and simple and develop their trust. If they really have security problems, you are best off finding a way to make them want to change rather than just telling them off.

Round 1: Spend one week writing a paper on the intellectual or physical property deemed essential to the company, and then document what measures the company believes they are practicing to protect them. At this point, you should also define your known enemies, be it a competitor or vast amounts of time wasted during virus outbreaks. Don't dwell on anything but the obvious as we all learned in the Six Dumbest Ideas In Computer Security [ranum.com] document.

Round 2: Propose a paper exercise approach to physical security, both in the server room and in the cubicle farms. Spend a week and not too much money. This will confirm or deny what was declared in Round 1.

Round 3: Address disaster recovery options because arson and other DOS techniques are just as bad for protecting IP as is an electronic attack. This is a check to see if the current protection methods covered this usually underfunded area. Don't forget offsites.

Round 4: Propose, via contractual methods, solutions for closing gaping holes in the protection measures. That is, cover the areas for which no protection is provided, be it physical, procedural, or electronic. Implement if approved and have alternate, albeit less-effective approaches for those rejected due to cost or time.

Round 5: Propose a development area be established to test current and future configurations of electronic equipment for known attack vectors (e.g. new patches on a firewall don't open new ports). [At this stage, your customer has confidence that you know what you're doing, but it took you this long before you really started touching the inside of their network.] You never subject the production network to most scans, except maybe for proper patch deployment. All the exploit attempts happen in the lab.

Round 6: Like every good reader of Bruce Schneier's Secrets and Lies [schneier.com] , you now propose methods and procedures for monitoring and reacting to attacks against the core intellectual or physical property documented in Round 1. Depending on your company goals, you can hope to win this one, or you can let them run the service while you move on to another customer.

Tips: If you get lots of resistance at Round 1 telling you that you aren't moving fast enough, beware because you will be the victim of the blame game in Round 6. Don't forget that sometimes the attack vector is physical theft - encrypt core files anywhere they are found, most especially on laptops. Round 1 may have identified Internet access as a risk, so in Round 4, consider using a private, internal network and force all users to use thin-client tools for Internet access - no removable media, highly-enforced group policies, and the ability to quarantine viruses at the door. For that matter, proxy all Internet access and monitor it in Round 6.

Start making sales calls (0)

TykeClone (668449) | more than 8 years ago | (#13610771)

Solicit business from places that are highly regulated (banking, medicine) as far as privacy is concerned. Mention things like Gramm-Leach-Bliley (GLB) and HIPAA and how vulnerable those businesses are.

bah (3, Insightful)

mrsbrisby (60242) | more than 8 years ago | (#13610840)

This question should've been titled:

"How do I perform a security audit?"

It's clear from the phrasing that you have no idea what system security actually is, so instead of asking how do you market it, and how do you talk to people about it, it'd probably be a good idea to understand it yourself.

Here are some hints:

* Real security professionals don't "test anyone's firewall."
* Real security professionals don't "discover" holes. They prove them.

It sounds like what you really want to know is "how do I go about charging people for my script collection?" which is a shameful thing indeed.

You are the reason business is booming for me, so while I despise everything you are, I will also offer you advice:

Learn how to build a secure system. Sell that. Sell the solution for customers that is a secure system. Don't offer to tell them what's wrong, but tell them what's right.

phenomenally bad idea (1, Interesting)

Anonymous Coward | more than 8 years ago | (#13610877)

These days, infiltrating a company's network is considered cyber-terrorism, and instead of a contract you'll get charged with a few felonies. I think someone suggested a sales manager. Much better idea. I would suggest a sales manager who writes well.

Here's my advice (3, Informative)

psiber (722466) | more than 8 years ago | (#13610960)

DO NOT scan/test a company's network without their permission! This is the fast track to a jail cell. Like QuantumG said (albeit a little sarcastically), get a sales manager and expect to pay out a lot of money in advertising.

If you think your post was well composed, I would recommend some English/technical writing classes. If you recognize your post has some grammar problems and you know your writing skills are good, I would not worry about it.

Check out Bruce Schneier [schneier.com] , Counterpane Internet Security [counterpane.com] , or SecurityFocus [securityfocus.com] . Gibson Research Corporation [grc.com] is another site to check out. This is just a start to getting some background on the basics and depth of IT "security".

I would say from the post you are not coming from a security background. Assuming you have an IT Bachelor's degree, the minimum I would recommend is for you to study for some basic security certifications (such as the CompTIA Security+ and the MCSE/MCSA: Security on Windows Server 2003 specialization) and take them if you have not already. On top of this, I would recommend doing research into security conferences and possibly even local university classes on IT security (although I recommend these with a grain of salt as there is a lot of variance between the quality and type of information offered currently). There are whole books written on this subject, so visit your local bookstores and research what they have available. My rule of thumb in evaluating books is to see how in depth they get with their subjects. If they just talk in general about their subjects with no specific examples, I typically look for something else (unless it is an introductory book, of course).

Finally, just remember security is different to everyone (even in the business/corporate world). One company might just need you to identify their weak spots, patch them, and set up a plan to make sure they stay patched. Another company might need you to analyze everything from weak spots/patches to physical security of IT assets. Your job as a consultant would be to identify what they need (Business 101).

Hope this helps.

Me no speak English (3, Insightful)

miTcixelsyD (754878) | more than 8 years ago | (#13610964)

I would definitely get someone to proofread anything you would send to a potential customer so you don't sound like a complete ass or, even worse, a scam artist. I'm serious about that. If you can't take the time to read over what you've just typed and think to yourself "does this make sense?" why would I want to hire you to perform security audits for my company? If you have that little attention to detail, what would you miss when working for me on my network?

Easy: (1)

adamjaskie (310474) | more than 8 years ago | (#13611066)

1) Scan wide swaths of the internet for problems. 2) Find a vulnerable server, and break in. 3) Hack any existing security on said server to bits, leaving it completely open. 4) Offer to fix their security. 5) If they refuse the offer, make them regret their decision by repeating steps 1 through 3 until they call you back.

Connotation (1)

DavidLeeRoth (865433) | more than 8 years ago | (#13611088)

This had a different connotation for me "Sniffing me, then emailing me to plug the holes for a price". Think: Traci Lords, Jenna Jameson.

Best way is to meet your customer on the street (1)

WetCat (558132) | more than 8 years ago | (#13611674)

- Sir! Sir! You'd have a security hole! You'd owned
[kicks, screams]
- Please, where are you going? Don't leave me!

This is the way to do it (1)

tsa (15680) | more than 8 years ago | (#13611687)

At work we have an ftp server, the purpose of which is to share files between people in various locations and from various organizations working on the same project. Our IT manager insists that everyone who wants to use this ftp-server first gives his/her IP-address to him, so he can open the server for that specific address. This server has never been hacked. Needless to say it's never been used either.

Hire a Sales Manager (1)

CohibaVancouver (864662) | more than 8 years ago | (#13615450)

Basically, you need to hire a good sales manager who will explain to you how to land customers. Make sure your business plan budgets for this. In a nutshell he'll need to drum up business from higher-ups in companies who might be willing to hire your service. It doesn't really do any good to call on the juniors in a company because it creates conversations like this:

IT Dude: We need to hire these guys to do an audit
Boss: Why? Aren't you doing your job? What am I paying you IT guys for?

I've seen variations on this numerous times at various companies.

A good sales team/person (1)

srikrishnak (893435) | more than 8 years ago | (#13626806)

A good sales person with good contacts in the industry can do the magic. I am not quite convinced that doing a scan and mailing them to offer the service works. In fact it may bounce back as well ;) Target SMEs/SMBs and keep your price attractive. There are tons of internet-based firms which offer remote scans. You shall be able to differentiate yourselves from them. Based on your experience and skills, if you can provide a better customized service with a competitive price tag then you can make your mark on the industry. It's not quite easy, but to reach the peak you should work hard. My best wishes to you.

Your network is insecure! Click here to fix it !!! (1)

hadaso (798794) | more than 8 years ago | (#13633372)

Approach them using a browser pop-up window telling the user that her system is insecure and that she needs to click the pop-up to fix it. Then take the user to a website where she has to fill in some data (such as Credit Card number + security code + billing address), name etc. Then, just to convince her that her system really is insecure, you might choose to make some random purchases with that info. You might use it to purchase some mailing lists that you can then use to send business offers to select customers (selected by whoever composed that mailing list). If she entered her ISP username and password, which is required so you can fix her network problem, then you can use it to mail your offers. You should check first if this business model is not patented. I've seen it used in the past (though I have not clicked on the pop-up so my network is still insecure...).

make them come to you (0)

Anonymous Coward | more than 8 years ago | (#13641660)

Your best choice is to make them come to you instead of telling them you just happened to break their box.

And please don't pay attention to the racist retards here on Slashdot; no matter what you speak, it was worth asking!