Too much cyber, too little security!

The number of cyber attacks, the damage they cause and the professionalism of the perpetrators continue to increase. As a result, the security market is currently growing faster than any other. Nevertheless, or precisely because of this, many providers appear on the market who have no business being in security. How do you recognize a good security service provider?

There are numerous providers in the area of security consulting. They can do everything, have long lists of strong reference customers and have been on the market for decades. However, evaluating and distinguishing the quality of their work is very often a problem, especially for non-specialist staff. Even the administrators, network architects and / or IT managers currently employed usually do not have the in-depth security expertise to weigh up the various security service providers or even to conduct a technical interview with them.

What to do?

There are various criteria I would recommend for evaluating the competencies of a security service provider. Basically, there are four clues that give you the opportunity to assess the professional competence of a potential service provider:

1. Publication of vulnerabilities and / or security tools

If the potential service provider has specific competencies in the area of technical security, he usually has an interest in increasing his reputation in the security community or, more idealistically, in improving the information security of all systems. There are two widely used and recognized ways to do this: publishing vulnerabilities, or publishing tools that increase the security of a system.

Service providers can discover and publish previously unknown vulnerabilities (usually after informing the manufacturer) and apply for so-called CVEs. CVE stands for Common Vulnerabilities and Exposures, an industry standard for identifying vulnerabilities. The service provider receives one if he submits a valid vulnerability to the MITRE Corporation, an American research organization that works for various federal agencies, courts and federal ministries in the United States. If the application is valid, a unique CVE-ID is generated, which publicly and unambiguously catalogs and assesses the vulnerability.

Can your potential provider show CVEs / vulnerabilities, and do they affect widely used software?

While working on interesting projects, service providers are often faced with problems for which there is no automated or even partially automated solution. Therefore, service providers often develop small tools / scripts to make certain tasks easier. These are often then made available to the community (in a stripped-down form) via GitHub or GitLab. In addition to the goals mentioned above, this has another advantage: the open source projects can be developed further by the entire community (provided that additional value is actually generated).

2. Blogs of providers

Everything from technical articles on current security topics and hacking how-tos to the development or obfuscation of malware can be found here. Sometimes the blog posts allow you to draw conclusions about the activities of past projects. For example, if a blog post describes injecting malware into common software, it is conceivable that the service provider used exactly this technique during a penetration test at a customer.

Read a few posts from the potential service provider to get an idea of their technical skills. If the blog only describes current security topics, or addresses them only at a very strategic and management-oriented level, the service provider may be more suitable for conceptual engagements than for technical security analyses.

3. Social Media

The community concept has always been very important in the area of security. In the past, knowledge was exchanged mainly in IRC chat rooms; today Twitter is used for this.
Twitter is by far the best medium in the security world to stay up to date (malware, attack vectors, security tools, exploit code, 0-days, etc.).
Based on the number of followers, even non-security people can recognize relatively quickly whether the potential service provider or consultant provides added value for the community. However, you should also pay attention to the reactions to the tweets (likes, retweets) to rule out that followers have been bought. For example, if an account has 10,000 followers but only two to three likes per tweet, this is extremely suspicious.

Take a look at the social media accounts (especially Twitter) to assess whether, and to what extent, the potential service provider has standing in the community.

4. Contributions to security conferences

There are numerous top-class conferences at which security consultants participate as speakers. The following is an extract of the most recognized conferences in the technical security community:

If your potential service provider has been a speaker at the conferences listed above, you can assume that they work at a very high level.