The "No Network is 100% Secure" series
- Temp Placement Agencies -
- Consulting Companies -
- Agency Recruiters -
A White Paper
All rights reserved - may not be copied without permission
Easyrider LAN Pro, NOC Design Consultants
What do recruiting agencies have to do with network security?: Fair question! Let's say that you are an IT manager. After reading this series of white papers you very well may figure it's about time to reduce your risk and have someone take a good, hard look at your network for security vulnerabilities. So where do you turn?
The self-medicating option: The most obvious choice is your own IT Staff. And if you're a large organization you very well may have several really good security engineers on staff to do this work. But, if they're that good, they've already completely tightened up your network so no worries, right? Well... maybe. As you've seen in these white papers, there are some really large, well funded, professionally administered data centers that have been shown to have major security holes and vulnerabilities. The reasons for this are many, as we've pointed out. And in most cases, being managed by an incompetent IT staff is not one of them. Sometimes there is significant value in having an audit done by an independent organization that will look at everything through a fresh pair of binoculars. It's a common situation that sometimes the people who run the day-to-day operations in a data center can be too close to the problem.
In other cases, the company computing enterprise may be too small to afford the luxury of an on-staff security expert. This is especially common in these days of staff/budget cuts where everyone is running "mean and lean" without sufficient resources to run the day-to-day in many cases, much less focus on something proactive like network security.
So for the sake of discussion, let's say that you are an IT manager who, for whatever reason, feels the need to bring in a third party to give your network a good looking over. So where do you find a competent, reasonably priced security engineer to do this work?
Google or some other search engine is a popular choice. That's probably how you found our security white papers. But we're not talking about collecting free information now. We're talking about hiring someone to do important work. So let's look at the options that your keyword search provided. If you did a search on "computer network security consultant Portland Oregon", Easyrider LAN Pro is likely listed on the first page. And there are plenty of others listed along with us.
Companies that are in the network security business: We're not talking about VARs who sell firewalls or various types of security related software and who will be happy to put a pre-sales support guy on your site to rack up billable hours. We're talking about companies and professional consultants who have made a business out of doing network security assessments and enterprise hardening.
We aren't here to disparage other people or companies but suffice it to say that not all consulting firms are equal. The smart IT manager would want to select a consultant using the same criteria that would be used when investigating any vendor: length of time in business, level of expertise in the security field, the type(s) of services being offered and so on. A local company would probably be preferable. You'd also want a company that offered a professional security audit service versus having a Technician come in to just "look around", which is what many outfits in this space do.
In the case of Easyrider LAN Pro, our Network Security Audit and PC Tune-up Service is a well documented proprietary process that uses state of the art tools and a systematic, repeatable approach. Yes, we also "look around" to follow up on anything we see that looks suspicious. But the core of our audit process is to follow a documented checklist that runs a comprehensive series of tests that looks for specific symptoms, problems and issues. We're not sure that all of our competitors are quite so organized. Another consideration might be whether the company you are thinking about has also published a series of comprehensive white papers on the topic of network security and how well versed and current they are on that subject. If their business is selling security appliances or "security software", they may not be the best choice to do a comprehensive vulnerability and threat audit on your network.
No doubt the experienced IT manager knows how to evaluate service vendors. It's certainly possible that we have competitors who may be less expensive than we are in the area of network security engineering. It's just as likely as not that Easyrider LAN Pro, which has been doing this type of work in the Portland area for 20 years, may be better at it than most. Since the audit is free if we don't find anything, it's not like you are taking a huge risk to have us come in and look over your environment.
Offshore Consulting companies: There are an alarming number of offshore companies in India and other third world countries proliferating at a dizzying rate. They are presenting themselves as consulting companies, placement firms, service providers, "Microsoft Partners", etc. The company's USA-based postal mailbox address and USA VoIP phone number notwithstanding, almost all of these companies have very professional looking web sites and seek to give the impression that they are multi-national businesses with a strong presence in America. In almost all cases, nothing could be further from the truth and this blatant deception ought to be reason enough to steer way clear of these guys.
In almost all cases, these types of "Consulting Companies" will be a one-man or a family (Mom and Pop) operation. The principal will receive your sales inquiry and will then do the same Google search previously mentioned to try to find someone capable of doing the actual work. Almost none of these companies have competent engineers on the payroll and those that do will likely not have anyone here in the USA, much less living in the city where you are. We get literally dozens of hits on our website daily from "Consulting firms" from India looking for examples and templates. The fact is that anyone who is looking for a NOC SOP has obviously never built a NOC before. With cost saving measures at the top of everyone's priority list, consider whether paying someone to google each step of the project is cost effective, or whether the real value is in hiring a company that can actually do the work and be available for follow-up.
Another consideration is that virtually all of these Third World Country "Service Providers" pay their temporary help on a 1099 or a corp-to-corp basis. This is done primarily to avoid paying income taxes, FICA, unemployment insurance, business insurance, workers comp and so on. Here in Oregon it is illegal to pay consultants this way just to avoid paying taxes, although it happens all the time. The risks to the customer and to the person who will be doing the actual work on your site are huge and neither of you has much recourse if things go bad. Want to try taking an Indian company to court? Good luck with that!
Local recruiters and placement agencies: Of course there are agencies right here in town that are also paying temporary workers on a 1099 basis to avoid paying taxes too. And in our opinion, these guys should be avoided like the plague. The recruitment model for local placement firms is similar to what's already been discussed. They get your job order. They do a Google search. They find some hapless, out of work, marginally qualified Tech who's willing to work for peanuts. The agency keeps the lion's share of the money you are paying to have your project worked on. Maybe the temp they put on your site knows what he's doing and maybe he doesn't. Who would sign up for a deal like that? Surprisingly, this is exactly how many Portland-area companies staff their projects today. In my opinion, if you want to launch a security audit project that's guaranteed to fail, this would certainly be a great way to make sure that happens.
It should also be noted that just like the offshore companies, many employment agency headhunters now market themselves as "Consulting Companies". You be the judge of that. Personally, if I am paying big bucks to have someone work on a high risk, high visibility project, I'll sleep a lot better knowing that the person doing the work has more than a few successful projects already under his belt.
Think globally, buy locally: You also might want to think about how you'd feel about having your own job outsourced to Bangalore one day. A few years ago, a member of the Oregon House of Representatives outsourced his speech writing to some place in India. Apparently he felt that no citizen of Oregon was up to the task of doing this work. Predictably, the media got ahold of this story and that was the end of this fellow's political career. As it should have been!
Portland has several excellent colleges, universities and technical schools that graduate hundreds of well educated, hard working local citizens who should be hired by local employers. America has been bleeding jobs to Third World Countries for years. Your job or your wife's/husband's job could be next. Portland has a superior job pool of talented candidates for high tech work. We strongly believe in buying locally. And we also strongly support local businesses that purchase locally. We believe that you should too.
Are Third World Country "Consulting companies" competent?: You decide. I recently received this "inquiry" from Vaibhav Malhotra who wrote using a free, stealth Google e-mail address. This is far from the first time I have been asked for "free advice" by someone who knew absolutely nothing about building Network Operations Centers and/or about enterprise monitoring generally. The e-mail text has not been modified.
I am looking for a designs to build a NOC\SOC for a large company in india which has a capability of almost 125 engineers...
Please send me few NOC/SOC pictures or any related diagrams and budget and whatever you feel can help me............
Is this a "consulting company" that you'd feel confident about building your high visibility, high value NOC? If failure is not an option, you may want to consider someone who's actually built a few NOCs. If there is an "up" side to engaging Third World "consulting companies", we're sorry but we just don't see it.
Next in the security white paper series:
How Cyber Criminals will mature over the next ten years
Are you vulnerable to drive-by exploits?
High value sites recent hacks
IT employment challenges of the 21st century
Employment reference checking white paper
Competency Certifications White Paper
Firewall White Paper
Virus White Paper
GhostNet White Paper
Password White Paper
Digital Identification Certificates White Paper
Cryptography White Paper
OpenID White Paper
Intrusion Detection Systems IDS White Paper
Rootkit White Paper
Unnecessary Windows XP Services White Paper
Scareware White Paper
Exaflood Internet Brownout White Paper
Cloud Computing White Paper
Proxy Server White Paper
Personal Computer PC Security White Paper
Phishing White Paper
DNS Poisoning White Paper
Conficker White Paper
SPAM White Paper
Best Practices White Paper
Denial of Service DoS White Paper
Trojan Virus Attacks White Paper
Port Scanning White Paper
Monitoring Basics 101 White Paper
Monitoring Basics 102 White Paper
Monitoring Basics 103 White Paper
Virtual Machine Security White Paper
Aurora vulnerability White Paper
Shelfware White Paper
Outsourced IT White Paper
Easyrider LAN Pro Consulting services:
- Network Security Audit and PC Tune-up service
- Proxy server installation and configuration
- Enterprise security consultations
- Disaster recovery planning
- Disaster recovery services
- Capacity, migration and upgrade planning
- Build and deploy central syslog server
- Build trouble ticket systems
- Design and build monitoring environments
- Design and build Network Operations Centers (NOC)
- HP Openview, BMC Patrol consulting
Last modified May 18, 2009
Copyright 1990-2009 Easyrider LAN Pro