How to outsource your mission critical services in a secure way

Today more than 30 000 sites are hacked every day*. That means they are broken into and altered, typically by someone planting hidden malware on the site, which is then served to the computer or device of anyone who visits it. The numbers are breathtaking, and the trend suggests they will rise to 40,000 per day by year's end. With this in mind, let us simply conclude: most companies today are like Swiss cheese, full of holes. It is therefore a good idea to outsource your mission critical services to a hosting provider that has the best defenses in place.

As Dante wrote in the early 14th century, there are circles of hell. That is why the first question we ask those who want to outsource their mission critical services is: “What are your security needs, really?” Are you a hot dog stand or Fort Knox? Security officers often want to turn a hot dog stand into a fortress if given the chance, while developers can turn Fort Knox into an open hot dog stand without knowing it. So, how do you outsource your mission critical services in a secure way?

We recommend describing the requirements at the component level and getting help to see how the components interact without compromise, both technically and socially. The latter is just as important, because an organization’s own employees are often its biggest threat. Policies and procedures must be implemented internally, and you have to create a culture of security thinking that understands how important this is. Our customers have a good security mindset because they operate in sensitive industries with mission critical services, but all companies, organizations and authorities should consider and incorporate security in their operations. To help you get started, our VP Global Sales, Stefan Månsby, has created a small checklist with 8 tips for secure IT outsourcing for IT managers to consider:

8 tips for secure IT outsourcing

  1. Define and delimit the scope: which systems and so on should be included? For instance, is your payment platform’s process flow really separated from your internal systems, such as e-mail?
  2. Calculate the cost of doing this yourself: X per user per month. Do this to get a clear picture for yourself; do your homework and do not lie to yourself. It also makes the quotes you receive from potential partners easier to compare.
  3. Investigate possible legal challenges: are we allowed to outsource the environment, and are there legal restrictions, such as geographical limitation requirements, that need to be taken into consideration?
  4. What “evidence” of security experience can the hosting supplier provide? You want a supplier who is just as beautiful the day after the party, someone who can keep up your high standard on day one as well as on day 900. Look for evidence such as track record, and check whether the hosting provider can hold its certifications not only today but year after year.
  5. What are my compliance requirements (today and tomorrow)? Day one of your outsourcing strategy may not include security or compliance requirements, but assume that one day you will have to include compliance, and avoid having to pay the cost of changing outsourcing partner as your security requirements advance.
  6. How does the hosting provider handle multi-tenancy? How does the hosting partner isolate its different clients’ environments?
  7. Does the provider have its own 24/7 security organization, staffed around the clock to handle all kinds of attacks?
  8. References are king. Look for references and compare hosting providers!

*Source: Trustwave


December 8 – Check your security on a regular basis

A new day with a new security tip! This time our tip #8 for a secure Christmas is: don’t forget to check your security on a regular basis. Checking and reviewing the current state of security in your environment matters because new attack vectors appear all the time, and you need to verify that you are not affected by them. You can do this with vulnerability scanners such as Nessus from Tenable or OpenVAS. It is also important to check your network traffic on a recurring basis and look for strange, out-of-place peaks, which can mean that someone has been transferring files out of your network.
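A concrete way to do the recurring traffic check described above, as an added example that is not part of the original post or of any Basefarm tooling: the script below sums outbound bytes per internal host per day from flow records, learns a per-host baseline from the first week, and flags later days whose egress is far above it. The one-flow-per-line record format, the 10.0.0.0/8 internal range, the thresholds and the sample flows are all assumptions constructed for the example.

```python
"""Flag out-of-place egress peaks in flow records (added example, not the
post's own tooling).

Assumes one flow per line as "timestamp src dst bytes", as a firewall or
NetFlow export might produce. The internal range, thresholds and sample data
are constructed for this example.
"""
from collections import defaultdict
from datetime import datetime
from ipaddress import ip_address, ip_network
from statistics import mean, pstdev

INTERNAL = ip_network("10.0.0.0/8")  # assumption: our internal address space


def sample_flows():
    """Constructed sample: eight ordinary days for two hosts, then on day 9
    host 10.0.1.20 pushes 900 MB to an unfamiliar external address at night."""
    rows = []
    for day in range(1, 9):
        rows.append(f"2013-11-{day:02d}T09:15:00 10.0.1.10 203.0.113.8 {4_000_000 + day * 50_000}")
        rows.append(f"2013-11-{day:02d}T14:40:00 10.0.1.10 203.0.113.8 3500000")
        rows.append(f"2013-11-{day:02d}T10:05:00 10.0.1.20 203.0.113.8 1200000")
        # Internal backup traffic: large, but not egress, so it must not count.
        rows.append(f"2013-11-{day:02d}T23:00:00 10.0.1.20 10.0.2.5 80000000")
    rows.append("2013-11-09T02:30:00 10.0.1.20 198.51.100.7 900000000")
    rows.append("2013-11-09T09:00:00 10.0.1.10 203.0.113.8 4100000")
    return rows


def parse_flow(line):
    ts, src, dst, nbytes = line.split()
    return datetime.fromisoformat(ts), ip_address(src), ip_address(dst), int(nbytes)


def daily_egress(lines):
    """Sum bytes per (internal source host, day) for flows that leave INTERNAL."""
    totals = defaultdict(lambda: defaultdict(int))
    for line in lines:
        ts, src, dst, nbytes = parse_flow(line)
        if src in INTERNAL and dst not in INTERNAL:
            totals[str(src)][ts.date().isoformat()] += nbytes
    return totals


def find_egress_peaks(lines, baseline_days=7, z=3.0, min_bytes=50_000_000):
    """Return [(host, day, bytes, baseline_mean)] for days that stand out.

    The first `baseline_days` days per host form the baseline. A later day is
    flagged when its egress exceeds mean + z * stdev AND an absolute floor, so a
    host with a flat baseline (stdev 0) does not alert on a few extra kilobytes.
    """
    alerts = []
    for host, per_day in daily_egress(lines).items():
        days = sorted(per_day)  # ISO dates sort chronologically
        base = [per_day[d] for d in days[:baseline_days]]
        if len(base) < 3:
            continue  # too little history to define "normal" for this host
        mu, sigma = mean(base), pstdev(base)
        for d in days[baseline_days:]:
            v = per_day[d]
            if v > mu + z * sigma and v > max(min_bytes, 2 * mu):
                alerts.append((host, d, v, mu))
    return alerts


if __name__ == "__main__":
    for host, day, v, mu in find_egress_peaks(sample_flows()):
        print(f"{day} {host}: {v / 1e6:.0f} MB out, baseline {mu / 1e6:.1f} MB/day")
```

In the sample, 10.0.1.10 drifts upward a little each day and stays quiet, while 10.0.1.20's large internal backups are ignored and only its 900 MB night-time transfer to an external address is reported. A fixed first-week baseline is a simplification; in production you would feed this from your flow collector and use a rolling window so that the baseline follows legitimate growth.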




BF-SIRT Newsletter 2013-45

This week brought some very interesting stories, some of which could well fit in a spy novel. Read how a fake femme fatale duped IT guys at a US government agency, and meet “badBIOS,” the mysterious Mac and PC malware that jumps airgaps.
In other news, there are some articles going through how iris ID systems work. Krebs has also written some updates about CryptoLocker, the malware that encrypts your files once it infects a system and then demands a ransom to decrypt them.

Top 5 Security links
Fake femme fatale dupes IT guys at US government agency
Meet “badBIOS,” the mysterious Mac and PC malware that jumps airgaps
Cyber dragnet: Five new HACKERS join FBI’s ‘most wanted’ list
CryptoLocker Crew Ratchets Up the Ransom
Hackers Take Limo Service Firm for a Ride

Top 5 Business Intelligence links
Iris ID Systems Go Mainstream
Most organizations unafraid of phishing
Most visits to a login page are made by malicious tools
The Danger of Cybersecurity ‘Ghettos’
Biggest Risks in IPv6 Security Today