Computer Security - security start-up suggestions please |
#1 |
|
Hello All,
I am interested in starting a network services company in the midwestern United States, with a strong focus on security, and would like to hear your thoughts on this. Specifically: what kinds of products/services are most important to offer customers? If you've worked for a network company, what has management done well and what could it have done better? Any suggestions or comments are much appreciated.

Thanks,
c3dy8911r
|
|
|
|
#2 |
|
Posts: n/a
|
(c3dy8911r) wrote in news: om:

> Any suggestions or comments are much appreciated.

Think like a mechanic. Offer hardening, tune-ups, diagnostics, estimates. Especially for co-locates and home servers. I would offer a really cheap charge for "I will poke my head in and give you an estimate". Don't be afraid to lay out a complete list of what you find is wrong but be generic in what you will do (say you will install a watchdog program but don't say which one so they can go to their own guy for it). Don't make every little thing sound like a major hole or the customer will wave you off like they would a mechanic that made every frayed belt and hose into an immediate emergency repair. Downplay what you find but be subtle in giving them things to panic over. "Oh it's only 1 chance in a thousand that anyone will come thru that hole and you can probably catch him before he does too much damage".

Also, offer "second opinion" checks. Most systems have only one person who looks at it in a security frame of mind. Don't try to belittle or replace the guy they have even if he is some poor shmuck with a home machine that knew 10% more than anyone else they had at the time. Offer a service to just "see if there's anything I would feel should be looked at". In most cases these won't lead to a further install so don't underprice it but I do feel there is a need for that kind of peace of mind. And sometimes it may lead to a larger contracted arrangement with them even if it's just a yearly visit to double check things. They will be good word-of-mouth and eventually might even feel big enough to hire you in a full-time arrangement.

Offer on-call middle-of-the-night response but do it on retainer. Be sure to make mileage costs there and back a separate charge.

As part of a package deal with larger companies see if you can stick some old computer in their closet online NAMED as though it's part of their network but not on their network. Set it up as a honeypot called something like admin.thiscompany or accounting.thiscompany (and if they have machines named that PLEASE change them). Make the monitoring of it free. (A) it will be a hugely useful learning tool for you. (B) it will be a cheesy distraction for the little online rats. (C) it will help you avoid a common problem of continually having to justify your presence when you do your job well. If they see no security problems they may question what you are doing for the money. Saying that bad things are happening out on the net isn't nearly as good as saying "well remember that honeypot named accounting.thiscompany.com? Over the last month it got xxxxx probes, xxxx were fairly sophisticated, xxx would have gotten into the system as it was when we started, and x were new things not previously seen which we developed watchdogs for and installed on your other machines".

OK that's just a few thoughts. Good luck in the endeavor. And remember, what security shall do, the desire for "easy administration" shall undo.

Gandalf Parker
--
www.alt-hacker.org
Why did the hacker cross the road? To get to the other side.
Why did the cracker cross the road? To get what was on the other side.
A minor difference but an important one.
|
|
|
#3 |
|
Posts: n/a
|
You also might want to make aware to anyone

Just because you do not find vulnerabilities in the security does not make a network secure. No matter who you are, someone else will always find a vulnerability. If you state upfront that you can make a network more secure, but you'll never be 100% .. then the customer will understand upfront .. if it comes back later and the customer says 'well you said I was secure.. BUT someone else was still able to...' then the customer learning the point after the fact .. would show you to be liable.

Just my 2 cents, if it makes any sense.

kyra
|
|
|
#4 |
|
Posts: n/a
|
Gandalf and Kyra,
Thank you both for your comments. I appreciate your input.

Daniel
c3dy8911r
|
|
|
#5 |
|
Posts: n/a
|
I would assume a lot of SMEs would be looking to set up a small LAN of 2-50 PCs with a single email server & ADSL/Cable modem internet connection via a secure proxy web server, with security (firewalls/NAT).

Whilst this is not rocket science, I would suspect that the Father & Son outfits & the small local businesses would need this skills gap plugging using external resource. They don't want to employ IT on site permanent, and would look to contract the work in without fear of rip-off.

I don't know how dense the market is in your area for this, but a lot of companies may not be able to afford Companies with Cisco trained engineers, but equally don't want some 16 year old muppet with XP letting loose on their corporation.

I suspect you might fill this gap.

Network architecture & security alone will not detect all the security vulnerabilities. You should also offer external (internet) and internal (corp lan) network & PC vulnerability scanning. A wealth of tools is available, incl Nessus, Languard, Microsoft Baseline Security Analyzer, Port Scanners, etc etc, which can be used to scan large or small subnets at virtually no setup cost, but produce a good, authoritative looking report for review. As long as you can put the vulnerabilities into perspective, and offer realistic, cost effective solutions to the holes (i.e. don't just shout 'hole' and not be able to plug it), then you have a foot in the door and cash for consultancy.

Enjoy.

erewhon
|
|
|
#6 |
|
Posts: n/a
|
erewhon wrote:
> I would assume a lot of SMEs would be looking to set up a small LAN of 2-50 PCs with a single email server & ADSL/Cable modem internet connection via a secure proxy web server, with security (firewalls/NAT).
>
> Whilst this is not rocket science, I would suspect that the Father & Son outfits & the small local businesses would need this skills gap plugging using external resource. They don't want to employ IT on site permanent, and would look to contract the work in without fear of rip-off.
>
> I don't know how dense the market is in your area for this, but a lot of companies may not be able to afford Companies with Cisco trained engineers, but equally don't want some 16 year old muppet with XP letting loose on their corporation.
>
> I suspect you might fill this gap.
>
> Network architecture & security alone will not detect all the security vulnerabilities. You should also offer external (internet) and internal (corp lan) network & PC vulnerability scanning. A wealth of tools is available, incl Nessus, Languard, Microsoft Baseline Security Analyzer, Port Scanners, etc etc, which can be used to scan large or small subnets at virtually no setup cost, but produce a good, authoritative looking report for review. As long as you can put the vulnerabilities into perspective, and offer realistic, cost effective solutions to the holes (i.e. don't just shout 'hole' and not be able to plug it), then you have a foot in the door and cash for consultancy.
>
> Enjoy.

*NICE* tip! Thanks...

GDIAngel
"Join G.D.I - We Save Lives" - Billboard in C&C II:TS
"The problem in those days was the technical limitation of 16-color EGA graphics, and 320x200 resolution." - Scott Miller (Apogee Software)
"In terms of multiplayer, Descent was the first game to work well over the Internet." - Matt Toschlog (Outrage)
|
|
|
#7 |
|
Posts: n/a
|
Yes, thanks for the input. Please keep it coming, everyone...

Daniel
c3dy8911r
|