The number of cyberattacks, the damage they cause, and the professionalism of the perpetrators continue to grow. As a result, the security market is currently growing faster than any other. Nevertheless, or precisely because of this, many providers appear on the market who have no business in security. How do you recognize a good security service provider?
There are numerous providers in the field of security consulting. They can do everything, have long lists of strong reference customers and have been present on the market for decades. Nevertheless, evaluating and distinguishing the quality of their work is very often a problem, especially for non-specialist personnel. Even the administrators, network architects and/or IT managers currently in place usually do not have the in-depth security expertise to weigh up the various security service providers or even conduct a technical interview.
What to do?
There are several criteria I would recommend for evaluating the competence of a security service provider. Basically, there are four clues that allow you to assess the expertise of a potential service provider:
1. publication of vulnerabilities and/or security tools
If the potential service provider has specific competencies in the area of technical security, it usually has an interest in increasing its reputation in the security community or, more idealistically, in increasing the information security of all systems in general. There are two widely used and recognized ways to do this: the publication of security vulnerabilities, or of tools that increase the security of a system.
Service providers can detect and publish previously unknown vulnerabilities (usually after informing the manufacturer) and apply for so-called CVEs for this purpose. CVE stands for Common Vulnerabilities and Exposures, an industry standard for vulnerabilities. The service provider receives one when it submits a valid vulnerability to the MITRE Corporation, a U.S. research firm that serves various federal agencies, courts, and federal departments in the United States. Provided the request is valid, a unique CVE ID is generated that uniquely catalogs and scores the vulnerability publicly.
Can your potential vendor demonstrate CVEs/vulnerabilities and are they even in widespread software use?
While working on exciting projects, service providers are often faced with problems for which there is not yet an automated or at least partially automated solution. Therefore, service providers often develop small tools/scripts to facilitate certain tasks. Often these are then made available to the community (in a watered-down form) via GitHub or GitLab. In addition to the above-mentioned goals, this has another advantage: the open source projects can be further developed by the entire community (provided that actual added value is generated).
Does the potential service provider develop tools to optimize security for the community and are they even well rated?
2. blogs of the providers
Everything from technical articles on current security topics and instructions for hacking to the development or concealment of malware can be found here. Sometimes you can draw conclusions about the activities in past projects based on the blog posts.
For example, if a blog post describes injecting malware into common software, it is conceivable that the service provider used exactly this technique in a penetration test at a customer's site.
Read some of the potential service provider’s posts to get an idea of their technical capabilities. If the blog exclusively describes current security topics or is dedicated to them on a very strategic and management-heavy level, the service provider may be more suitable for conceptual assignments than for technical security analyses.
3. social media
The community concept has always been of great importance in the field of security. In the past, IRC chat rooms were used to exchange knowledge, but today Twitter is the primary tool.
Twitter is by far the best medium in the security world to stay up to date (malware, attack vectors, security tools, exploit code, 0Days, etc.).
Based on the number of followers, even non-security people can see relatively quickly whether the potential service provider or consultant adds value to the community. However, you should also pay attention to the reactions of the tweets (likes, retweets) to rule out the possibility that followers have been bought. For example, if an account has 10,000 followers but only two to three likes per tweet, this is highly suspect.
Look at social media accounts (especially Twitter) to gauge whether the potential service provider ranks in the community, and if so, how highly.
4. contributions at security conferences
There are numerous high-profile conferences where security consultants participate as speakers. The following is an excerpt of the most recognized conferences in the technical security community:
- Offensive Con (Berlin): https://www.offensivecon.org/
- Troopers (Heidelberg): https://www.troopers.de/
- CCC Conference (Leipzig): https://www.ccc.de/
- BlackHat (worldwide): https://www.blackhat.com/
- ruhrsec (Bochum): https://www.ruhrsec.de/
If your potential service provider has been a speaker at the above conferences, you can assume that they are working at a very high level.