This is a type of con artist. The "security consultant" usually offers you a deal whereby you give him/her access to your network and an unspecified amount of money (usually a lot of money). In exchange, this individual says that they will perform a "secrity audit" or "penetration test" of your network. They often claim to have some kind of magic voodoo that will somehow make your network and production/desktop systems safe from outside attack. Typically, however, all that happens is that this person runs Internet Scanner from ISS or CyberCop Scanner from Network Associates, or even Retina from eEye, and hands you a slightly modified version of that program's output. The "security consultant" typically does not possess the skills or insight to analyze that output of these programs in any significant way, beyond putting his own logos on the document. Most do not even bother to perform any further testing or even a cursory analysis of your IT infrastructure.

Don't be fooled! The only partial solution to the problem of computer security is constant vigilance.

Yes, I do realize there are some genuinly talented people in the consulting business. Unfortunately, they are few and far between. Generally speaking, they just know enough to produce a long report, and tell you what you want to hear.

OK, so writeup does not mean reply, but as someone who works as a security consultant, I feel a little offended at being called a con artist.

I am writing from the perspective of someone who works on the 'high end' of security consulting. The group I work in is the elite one in my company; out of a thousand employees, there are 10 of us. Between us, we've probably presented at every major and most minor security conferences at least once, DEFCON, ToorCon, Blackhat, CanSecEast, Hivercon, Shmoocon, Usenix Security, you name it. We write interesting tools and do cool research on our own time, because we care about this stuff.

First, the basics of what a security consultant (or at least what this security consultant) does. Some company puts out a request for proposals, someone (thankfully not me) writes a proposal. If we win, a contract is signed. This could be for a variety of things, but is typically either an application security review (ASR), or a vulnerability assessment of a network. An ASR can be either functional testing, as in, poke at the app and see what breaks, or a source code review, or both. Typically the application is some boggy financial application with a web interface written in Java or C#, and is pretty boring; seen one web app, you've seen them all. Vulnerability assessments basically boil down to: 1) Run nmap, Nessus, and various application-specific scan tools, 2) take all the output and look for patterns, odd things, or outright holes, 3) verify findings, reject false positives, and 4) write a report. I admit, this doesn't sound that exciting, or that hard. It is much more time consuming than you might think; looking through a few megs of scan data takes quite a while, and requires you know what to look for. This is ignoring hand-holding the client, which, for little introverted me, takes a lot of effort. It's also vital; failing to communicate well with the client can land you in quite a shitstorm if they feel unhappy about something and decide to express this displeasure to, say, your boss.

But for the most part, we consider what I describe in the previous paragraph to be crap work. The interesting stuff comes when we're reviewing the design or implementation of some project which is intrinsically interesting (at least to geeks). Our usual fare, financial applications, are not interesting, because we're not even allowed to steal money when we find holes. But from time to time we do get stuff that's really cool. Unfortunately I'm not supposed to name clients, but if you read Slashdot regularly, you've seen an article on a commercial application I reviewed within the last 3 months (from the posting of this writeup). Next month I'm working an insanely neat project that will never make /., because the client is paranoid (they have massive amounts of data on pretty much everyone in the US, and they like to keep that on the down low).

Now, I've certainly heard many horror stories that make me glad I'm not working for the Big Five. A "pen test" consisting of port scanning 10 ports, and then calling it a day. Political games with clients that verge on the insane. Sheer, brazen incompetence, usually based on selling the services of recent college graduates who may or may not know a thing about security, and who certainly don't know a thing about consulting. There are reasons some people choose not to work at such places, despite the better pay.

Our services are expensive, and I'm going to explain why. Say we sign a contract with Client X for $150,000 to perform some services. Within my group, we have an effective bill rate of $200, which means, basically, that we will have 750 (150000/200) hours budgeted towards that project. But, we also have to maintain a margin of profit on top of that, usually 50%. So in the end we have 500 hours to work on the project, which is still pretty good. Two guys working full time for a month and a half, but that covers all of the testing (which for a pen test would include scanning, validation, running exploits, and probably reading a lot of documentation), more than likely flying around a few times, plus writing the report. I do not just take Nessus output and mail it to the client. I would probably be fired if I tried. Of course we use automated scanners, testing a large network is impossible without it. But we also validate by hand every single finding and look for anything unusual for followup testing. In the past I have been chewed out for being lazy and trusting the output of a scan tool too much.

On a 150K project, writing the report will probably take a week, and then it spends several days in peer review, as people rip it to shreds. Then you spend 3 more days fixing it, and then you ship it out. Oh, and if you're amazed at the $200 an hour bill rate; I see a bit over 10% of that, the rest goes to pay for sales critters, infrastructure, equipment, huge bonuses for the execs, all that good stuff. Trust me, I ain't making bank on this job.

Unlike the consultants that some people have apparently dealt with, we enjoy telling people what they don't like to hear. It is extremely frustrating to have just completed an application security review or a pentest, and have absolutely nothing to report. In the year that I've been doing this job, my favorite project has been a pentest on the network of a major company. I owned border routers, I owned desktop machines, I found so much shit that the report was 40 pages long, and three times we had to call them to let them know about some particularly huge problem that they should fix right the hell now. And here is the interesting thing about consulting. That client loves us. They just signed another contract for testing more of their stuff. First, their guys are geeks. We're geeks. We get along. And we gave them great value for their money; not only have we found and helped them fix a huge number of holes in their network, but that report is politically valuable. A lot of our reports are used by IT staff to justify more spending in security space; not just more stuff by us, but more staff, more training, and more equipment. An exec that blows off requests by internal staff is often more willing to pay attention to a report done by a third party.

Being a good security consultant is not just about being good at security. That is necessary, but you also have to be able to write well, communicate with clients, and handle politically charged situations.

Log in or registerto write something here or to contact authors.