Can using a packaged software solution really offer the protection that's available from a dedicated and specialized security provider, or does this kind of software literally lure us into a false sense of security?
I was chatting with a customer the other day when the topic of testing their firewall solution came up. During the conversation I asked who he was going to use to do the testing. When he pointed toward the systems administrator, a capable individual, but one who has had nothing to do with firewalls, I was a little taken aback. Much as I had faith in this individual to create a user account or even install an operating system, the thought of him testing the corporate firewall was as scary as my next date with the dentist.
What, I asked in the steadiest voice I could muster, made the client think that their junior administrator was capable of testing the firewall? Instead of a justification of the administrator's technical skills, the client simply reached into a cardboard box and produced a shrink-wrapped package from within it. The package contained firewall testing software, and the sticker on the box proclaimed among other things, that it was 'usable by those with only a basic understanding of firewalls'. It would seem the claim was about to be put to the test. The client informed me the software was the same as that used by an outside security consultant during his last visit. In effect, the client resented paying the fees charged by the security consultant for using the same software that he could buy and operate himself.
As the threats from outside sources have increased in their complexity, the ease with which our security systems, such as firewalls, can be tested has increased also. Packaged software now enables us to test security solutions and determine their effectiveness with ease. But can using a packaged software solution really offer the protection that's available from a dedicated and specialized security provider? To put it another way, does this kind of software literally lure us into a false sense of security?
Competence Cannot Always Be Shrink-Wrapped
In a sense, there is no reason why testing a security solution should not be as simple as point and click. Most of the other things we do on a daily basis are done the same way. Perhaps the bigger issue is that while the software to test our security solutions may be simple and easy to use, are those doing the pointing and clicking able to effectively test, and (just as important) interpret the information produced from such a test? In addition, are they able to act on the information produced from the test to correct the problem? Given that in many cases the person conducting the test is the network or server administrator, you have to wonder whether the task is not more suited to someone who does it for a living.