FEATURE 
The risk of offshoring security
Outsourcing across all industries has become commonplace, but as the InfoSec Institute's Kim
Crawley points out, the economical and security issues of such a trend may cause irreparable
damage
By Kim Crawley
CSO | Mar 4, 2014 7:00 AM
Over the past twenty years or more, corporations in nearly all industries have been outsourcing and offshoring at hyperdrive.
Venture capitalist firms, public shareholders, various types of financial firms, and corporate executives are driven by the temptation of
reducing labor expenses, so they're delegating accountability and responsibility to foreign parties. Often the money saved by
offshoring simply goes back into the pocketbooks of executives. They also often get bonuses, sometimes in seven or eight figures, to
reduce as much domestic labor as possible.
But the costs of this trend are insurmountable.
First of all, with more and more Americans, Canadians, and other people in developed countries out of work, our economies are
being destroyed. That doesn't reflect in the stock market — not yet, anyway. But it will, probably within the next decade. Often the
millions of chronically unemployed or underemployed (such as working at McDonald's or Walmart) have BAs, MAs, or even PhDs.
Many more have significant licenses and certifications in various trades.
A large percentage of those people are in their thirties, forties and fifties. They have years of experience in their areas of expertise,
but they cannot find work in their fields, so they collect welfare, and work as Walmart cashiers.
Keep in mind that in the United States, a large percentage of workers at Walmart, McDonald's, and other low wage employers still
have to collect welfare and use food stamps in order to survive. When more and more people lack the spending money to buy
consumer goods and services, the whole economy suffers. That change started to become noticeable in 2008, and it's only getting
worse.
But, our economies and our ordinary citizens aren't the only areas being hurt by outsourcing, offshoring, and hiring "temporary
foreign workers".
In the 21st century, we're totally dependent on computer technology. Even your grandma, who may not use a PC, smartphone or
tablet, still goes to the bank, and goes to stores to shop. And her medical and governmental records are all managed with computer
technology, as are her bank and her favorite shops.
What's most alarming is that IT security is being offshored.
Those who encourage the practice claim that offshoring IT security frees their in-house IT departments from having to do mundane
work, so their labor can be allocated more efficiently. And look at all the money our company can save!
What somewhat comforts me is a Computer Security Institute study from several years ago, which surveyed 479 security executives
from various corporations and organizations in the United States. 61% of them said they've outsourced none of their security
functions. 22% said they've outsourced up to 20% of their security. 8% said they've outsourced 21% to 40%. 10% said they
outsourced 41% or more of their security.
Well, the 39% who said they've outsourced any percentage of their security still worries me a great deal.
But leaders in the IT security world who know what they're doing are too sensible to be tempted by offshoring and outsourcing. Jon
Gossels, president of SystemExperts, said to NetworkWorld, "my bias is against it."
Not having direct access to your security management and logging creates a massive vulnerability. There's now a new area of work in
my industry: information security auditors who have to dedicate their efforts to monitoring the security of third-party security firms.
What's the point? Information security auditors should be able to focus their work on monitoring in-house security only, because,
except for penetration testing and third-party compliance, all security work should be done in-house. And third-party pen testers and
compliance regulators should be domestic, not foreign.
The NSA scandal and recent news about Russia and China highlight how outsourcing security or any technical work to foreign
countries can be a national security threat. The Patriot Act, in my opinion, is bloody well useless for securing the United States.
Especially considering America's economic, security, and technological dependence on other countries. Some of them are possibly
hostile, namely China.
On February 11th, the Mandiant security firm released an earth-shattering report. They identified attacks on American corporations,
individuals, and computing infrastructure from China's People's Liberation Army, using "Unit 61398" as a handle.
Since 2006, Mandiant has recorded attacks on 141 different companies, in a number of industries. The United States, and other
predominantly English-speaking countries, like the UK and Canada, are the main targets. Of course, the Chinese government denies
everything.
My husband and I own and operate a few rackmount servers in the data center owned by Toronto Freenet, a Canadian ISP. We use
our servers for various work and recreational purposes. Their network administrator, Michael Kaulbach, is a good friend of ours.
Whenever my husband or I visit the downtown Toronto data center, Mike always tells us about attempted attacks he's had to stop,
coming from predominantly Russian IP addresses and domain names.
Sometimes, outsourcing firms are simply poorly qualified and incompetent. Foreign workers with no IT experience are writing IT
security policies and procedures for domestic corporations. Aric Bandy, the CEO of IT outsourcing firm Agosto Inc., said to the
Chicago Tribune, "a lot of these security rules were written by non-IT people, and they aren't specific enough to give IT professionals
a clear idea of how to set up security, and there are a lot of other ways to do it. One client wanted us to ensure we had control of
who was physically able to access a computer server in our data center. We already had card access to the data center, personal
identification numbers for data access, and a guard. But that wasn't enough. They wanted a camera focused on that server, and we
had to do that."
The language problems and having more middlemen than necessary in data center and IT security services are also causing
operational problems, many of which I've observed here in Canada.
There's an ongoing class action lawsuit against PC Financial, and the Canadian Imperial Bank of Commerce, which provides all of PC
Financial's infrastructure, and handles all of their services. Thousands of PC Financial customers have found their checking and
savings accounts to be completely non-operational, with no fix in sight. We're almost completely certain that the CIBC outsources
their security and other electronic banking functions to India. With no access to their money, of course those thousands of customers
are pissed off.
I have a checking account with the Royal Bank of Canada. There have been a few times over the past couple of months that I've
found the ATMs in my downtown Toronto neighbourhood to be non-operational. So, I couldn't withdraw my money. Fortunately,
those incidents have been temporary, lasting 36 hours at a time, at most.
But the same problems that caused their ATMs and Interac (a Canadian debit system that all Canadian banks and most Canadian
credit unions use) systems to go down also affected their whole electronic banking system. So, customers couldn't even withdraw or
deposit via a human teller. My local branch has been swarmed with angry customers on those days. RBC offshores their electronic
banking management to India.
There's also been a scandal in the last year about RBC replacing their domestic workers in various areas with "temporary foreign
workers." The Canadian media has dubbed it the "Temporary Foreign Worker Scandal." Prime Minister Stephen Harper's Conservative
government has made it easy for Canadian companies to replace Canadian workers with foreigners who are sent to Canada to work.
According to legislation, they can be paid less than Canadians, and aren't protected by the same labor laws. That hurts both the
Canadians who lose their jobs, and the foreign workers who are sent here to Canada.
RBC has been taking full advantage of the Harper government's program.
Dave Moreau, an IT systems support worker who was employed by RBC, talked to the CBC about how the bank's practice of replacing
their Canadian workers with temporary foreign workers affected him and his colleagues.
"They are being brought in from India, and I am wondering how they got work visas," he said. "The new people are in our offices,
and we are training them to do our jobs. That adds insult to injury."
In the next couple of months, I'm closing my RBC checking account, and I'll be transferring my funds and all of my banking services
to a credit union. In my opinion, credit unions tend to be less greedy than major banks. When I'm charged extra because I have to
use other banks' ATMs, I'll consider it to be a good return on investment. If I accumulate a couple of hundred dollars a year for
having to use other banks' ATMs, I figure I'll be saving more than that in the lower fees credit unions charge for services, and I'll get
better service. All while supporting Canadian workers and smaller businesses.
Speaking of business ethics, the most effective blackhats are people who used to do IT and computing work for the companies they
were laid off from. They have intimate, insider information about how their networks and computing systems work, and their
security policies. When a technical worker has been laid off, and then finds it difficult to put food on the table and pay their bills, it's
incredibly tempting to attack their former employers. And so far, there have been numerous incidents of that happening.
There are other costs related to offshoring technical services and work in other industries, as well.
According to Australia's Passion Computing, outsourcing to India isn't actually cheaper at all. Companies and firms often get
incredibly buggy code from Indian programmers, and additional money has to be spent on debugging. Because Indian programmers
are paid poorly, even by Indian standards, there's no extra incentive for them to spend more time producing quality code.
Even though, in India, English is the language of choice when an Urdu speaker has to communicate with a Hindi speaker, those
Indian technical workers and their supervisors often don't have a firm enough grasp of English to talk about technical matters in
proper detail to their English speaking clientele.
Outsourced projects can be illegally copied, causing licensing and copyright issues. India's not the worst contender for that sort of
thing, but China is.
Until the developed world starts to replace foreign workers with domestic workers, on a significant scale, we're collectively screwed:
economically, technically, and security-wise.
Kim Crawley is a security researcher for the InfoSec Institute, an IT security training company specializing in CCNA certification
training.
Copyright © 1994 - 2014 CXO Media, Inc. a subsidiary of IDG Enterprise. All rights reserved.