security start-up suggestions please

Discussion in 'Computer Security' started by c3dy8911r, Mar 2, 2004.

  1. c3dy8911r

    c3dy8911r Guest

    Hello All,
    I am interested in starting a network services company in the
    midwestern United States, with a strong focus on security, and would
    like to hear your thoughts on this. Specifically: what kinds of
    products/services are most important to offer customers? If you've
    worked for a network company, what has management done well and what
    could it have done better?

    Any suggestions or comments are much appreciated.

    Thanks,
    c3dy8911r
     
    c3dy8911r, Mar 2, 2004
    #1

  2. (c3dy8911r) wrote in
    news::

    > Any suggestions or comments are much appreciated.


    Think like a mechanic.
    Offer hardening, tune-ups, diagnostics, estimates.
    Especially for co-locates and home servers.

    I would offer a really cheap charge for "I will poke my head in and give
    you an estimate". Don't be afraid to lay out a complete list of what you
    find is wrong but be generic in what you will do (say you will install a
    watchdog program but don't say which one so they can go to their own guy
    for it). Don't make every little thing sound like a major hole or the
    customer will wave you off like they would a mechanic that made every
    frayed belt and hose into an immediate emergency repair. Downplay what
    you find but be subtle in giving them things to panic over. "Oh, it's only
    1 chance in a thousand that anyone will come through that hole and you can
    probably catch him before he does too much damage".

    Also, offer "second opinion" checks. Most systems have only one person
    who looks at it in a security frame of mind. Don't try to belittle or
    replace the guy they have even if he is some poor schmuck with a home
    machine that knew 10% more than anyone else they had at the time. Offer a
    service to just "see if there's anything I would feel should be looked
    at". In most cases these won't lead to a further install so don't
    underprice it, but I do feel there is a need for that kind of peace of
    mind. And sometimes it may lead to a larger contracted arrangement with
    them even if it's just a yearly visit to double check things. They will be
    good word-of-mouth and eventually might even feel big enough to hire you
    in a full-time arrangement.

    Offer on-call middle-of-the-night response but do it on retainer.
    Be sure to make mileage costs there and back a separate charge.

    As part of a package deal with larger companies see if you can stick some
    old computer in their closet online NAMED as though it's part of their
    network but not on their network. Set it up as a honeypot called
    something like admin.thiscompany or accounting.thiscompany (and if they
    have machines named that PLEASE change them). Make the monitoring of it
    free.
    (A) It will be a hugely useful learning tool for you.
    (B) It will be a cheesy distraction for the little online rats.
    (C) It will help you avoid a common problem of continually having to
    justify your presence when you do your job well. If they see no security
    problems they may question what you are doing for the money. Saying that
    bad things are happening out on the net isn't nearly as good as saying
    "well, remember that honeypot named accounting.thiscompany.com? Over the
    last month it got xxxxx probes, xxxx were fairly sophisticated, xxx would
    have gotten into the system as it was when we started, and x were new
    things not previously seen which we developed watchdogs for and installed
    on your other machines".

    OK, that's just a few thoughts. Good luck in the endeavor.
    And remember, what security shall do, the desire for "easy
    administration" shall undo.

    Gandalf Parker
    --
    www.alt-hacker.org
    Why did the hacker cross the road? To get to the other side.
    Why did the cracker cross the road? To get what was on the other side.
    A minor difference but an important one.
     
    Gandalf Parker, Mar 2, 2004
    #2
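The monthly decoy-host summary Gandalf describes above (probes seen, how many were more than a bare sweep, how many would have worked against the customer's original setup, and what was new), as an added Python example that is not part of the original thread. The log line format, the signature tags, and the two sets BASELINE_EXPOSED and PREVIOUSLY_SEEN are constructed assumptions; a real deployment would feed it the honeypot's own connection log.

```python
"""Summarise decoy-host (honeypot) connection logs into the monthly figures
the post describes: probes, sophisticated ones, would-have-succeeded, new."""
from collections import defaultdict

# Constructed sample log, one line per inbound connection to the decoy:
# timestamp, source address, destination port, detector signature tag.
SAMPLE_LOG = """\
2004-03-01T02:13:44 src=192.0.2.10 dport=22 sig=ssh-bruteforce
2004-03-01T02:13:45 src=192.0.2.10 dport=23 sig=telnet-login
2004-03-02T11:02:03 src=198.51.100.7 dport=80 sig=generic-scan
2004-03-03T23:40:11 src=203.0.113.5 dport=445 sig=smb-null-session
2004-03-04T01:00:00 src=203.0.113.5 dport=139 sig=netbios-enum
2004-03-05T04:04:04 src=192.0.2.200 dport=80 sig=generic-scan
2004-03-06T09:00:00 src=198.51.100.9 dport=1434 sig=mssql-resolution-overflow
"""
# Hypothetical engagement state (assumed, not from the post): signatures that
# would have worked against the customer's hosts as found at the start, and
# signatures already catalogued in earlier monthly reports.
BASELINE_EXPOSED = {"smb-null-session", "netbios-enum", "telnet-login"}
PREVIOUSLY_SEEN = {"generic-scan", "ssh-bruteforce", "telnet-login",
                   "smb-null-session"}

def parse(lines):
    """Turn 'key=value' log lines into dicts, skipping malformed ones."""
    records = []
    for line in lines:
        parts = line.split()
        rec = {"ts": parts[0]} if parts else {}
        rec.update(p.split("=", 1) for p in parts[1:] if "=" in p)
        if {"src", "dport", "sig"} <= rec.keys():
            records.append(rec)
    return records

def summarise(log_text: str) -> dict:
    """Figures for the 'remember that honeypot?' conversation with the client."""
    recs = parse(log_text.splitlines())
    ports_by_src = defaultdict(set)
    for r in recs:
        ports_by_src[r["src"]].add(r["dport"])
    # 'Sophisticated' = more than a bare sweep: the source walked several
    # services, or the detector matched a specific attack pattern.
    sophisticated = [r for r in recs if len(ports_by_src[r["src"]]) > 1
                     or r["sig"] != "generic-scan"]
    return {
        "probes": len(recs),
        "sophisticated": len(sophisticated),
        "would_have_succeeded": sum(r["sig"] in BASELINE_EXPOSED for r in recs),
        "new_signatures": sorted({r["sig"] for r in recs} - PREVIOUSLY_SEEN),
    }
```

Anything in `new_signatures` is the list to write detections for and roll out to the production hosts, which is the last item in the report Gandalf sketches.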

  3. c3dy8911r

    kyra Guest

    You also might want to make anyone aware:
    just because you do not find vulnerabilities in the security does not
    make a network secure.
    No matter who you are, someone else will always find a vulnerability.
    If you state upfront that you can make a network more secure, but you'll
    never be 100% .. then the customer will understand upfront .. if it
    comes back later and the customer says 'well, you said I was secure.. BUT
    someone else was still able to...'
    then the customer learning the point after the fact .. would show you to
    be liable.

    just my 2 cents if it makes any sense
     
    kyra, Mar 2, 2004
    #3
  4. c3dy8911r

    c3dy8911r Guest

    Gandalf and Kyra,
    Thank you both for your comments. I appreciate your input.

    Daniel
     
    c3dy8911r, Mar 3, 2004
    #4
  5. c3dy8911r

    erewhon Guest

    I would assume a lot of SMEs would be looking to set up a small LAN of 2-50
    PCs with a single email server & ADSL/Cable modem internet connection via a
    secure proxy web server, with security (firewalls/NAT).

    Whilst this is not rocket science, I would suspect that the Father & Son
    outfits & the small local businesses would need this skills gap plugging
    using external resource. They don't want to employ IT on site permanently, and
    would look to contract the work in without fear of rip-off.

    I don't know how dense the market is in your area for this, but a lot of
    companies may not be able to afford companies with Cisco trained engineers,
    but equally don't want some 16 year old muppet with XP let loose on
    their corporation.

    I suspect you might fill this gap.

    Network architecture & security alone will not detect all the security
    vulnerabilities. You should also offer external (internet) and internal (corp
    LAN) network & PC vulnerability scanning. A wealth of tools is available,
    incl. Nessus, LANguard, Microsoft Baseline Security Analyser, port
    scanners, etc. etc., which can be used to scan large or small subnets at
    virtually no setup cost, but produce a good, authoritative looking report
    for review. As long as you can put the vulnerabilities into perspective, and
    offer realistic, cost effective solutions to the holes (i.e. don't just
    shout 'hole' and not be able to plug it), then you have a foot in the door
    and cash for consultancy.

    Enjoy.
     
    erewhon, Mar 5, 2004
    #5
  6. c3dy8911r

    GDIAngel Guest

    erewhon wrote:

    > I would assume a lot of SMEs would be looking to set up a small LAN of 2-50
    > PCs with a single email server & ADSL/Cable modem internet connection via a
    > secure proxy web server, with security (firewalls/NAT).
    >
    > Whilst this is not rocket science, I would suspect that the Father & Son
    > outfits & the small local businesses would need this skills gap plugging
    > using external resource. They don't want to employ IT on site permanently, and
    > would look to contract the work in without fear of rip-off.
    >
    > I don't know how dense the market is in your area for this, but a lot of
    > companies may not be able to afford companies with Cisco trained engineers,
    > but equally don't want some 16 year old muppet with XP let loose on
    > their corporation.
    >
    > I suspect you might fill this gap.
    >
    > Network architecture & security alone will not detect all the security
    > vulnerabilities. You should also offer external (internet) and internal (corp
    > LAN) network & PC vulnerability scanning. A wealth of tools is available,
    > incl. Nessus, LANguard, Microsoft Baseline Security Analyser, port
    > scanners, etc. etc., which can be used to scan large or small subnets at
    > virtually no setup cost, but produce a good, authoritative looking report
    > for review. As long as you can put the vulnerabilities into perspective, and
    > offer realistic, cost effective solutions to the holes (i.e. don't just
    > shout 'hole' and not be able to plug it), then you have a foot in the door
    > and cash for consultancy.
    >
    > Enjoy.
    >
    >


    *NICE* tip! Thanks...


    GDIAngel

    "Join G.D.I - We Save Lives"
    - Billboard in C&C II:TS

    "The problem in those days was the technical limitation of 16-color EGA
    graphics, and 320x200 resolution."
    - Scott Miller (Apogee Software)

    "In terms of multiplayer, Descent was the first game to work well over
    the Internet."
    - Matt Toschlog (Outrage)
     
    GDIAngel, Mar 6, 2004
    #6
  7. c3dy8911r

    c3dy8911r Guest

    Yes, thanks for the input. Please keep it coming, everyone...

    Daniel
     
    c3dy8911r, Mar 7, 2004
    #7