Security Ripcord


State of Texas Regulating Information Security Consultants

January 7th, 2009 cutaway Posted in Management, Security, Texas, consulting, forensics

** It was recommended that I add a disclaimer stating I am not a lawyer.  So, be advised, I am not a lawyer **

*** Update 2: shrdlu points out (see comments below) that I missed the very last line of the PSB opinion on security consulting.  Thank you, shrdlu.  So, until they change that opinion all is well. ***

The SANS Computer Forensics Blog post Digital Forensics Professionals: Texas PI Legislation Interpreted got me thinking about the Texas PI laws again, so I decided to take another look at the TEXAS OCCUPATIONS CODE CHAPTER 1702.  What I have found concerns me very much, and if you or your company does forensic or security consulting work in the State of Texas then you had better read it as well and pass it on to your lawyers BEFORE you do any more work in this state.

Basically, the State of Texas is now regulating all of the information security consultant industry within its boundaries.  This *DOES NOT* include the security departments of individual businesses.

Let’s start with a bit of clarification.  The State of Texas designates anybody doing investigative or security consultant work as a “company.”  If you do not understand this then reviewing the statute is going to confuse you at first.  With this in mind, here is the definition of “investigations” as put forth in Chapter 1702.

Sec. 1702.104.  INVESTIGATIONS COMPANY.

(a)  A person acts as an investigations company for the purposes of this chapter if the person:

(1)  engages in the business of obtaining or furnishing, or accepts employment to obtain or furnish, information related to:

(A)  crime or wrongs done or threatened against a state or the United States;

(B)  the identity, habits, business, occupation, knowledge, efficiency, loyalty, movement, location, affiliations, associations, transactions, acts, reputation, or character of a person;

(C)  the location, disposition, or recovery of lost or stolen property; or

(D)  the cause or responsibility for a fire, libel, loss, accident, damage, or injury to a person or to property;

(2)  engages in the business of securing, or accepts employment to secure, evidence for use before a court, board, officer, or investigating committee;

(3)  engages in the business of securing, or accepts employment to secure, the electronic tracking of the location of an individual or motor vehicle other than for criminal justice purposes by or on behalf of a governmental entity; or

(4)  engages in the business of protecting, or accepts employment to protect, an individual from bodily harm through the use of a personal protection officer.

(b)  For purposes of Subsection (a)(1), obtaining or furnishing information includes information obtained or furnished through the review and analysis of, and the investigation into the content of, computer-based data not available to the public.

After contacting the Private Security Bureau, which is a division of the Texas Department of Public Safety, I was told that the State of Texas regulates “investigations” so that the persons conducting them are qualified.  To ensure that investigators are qualified they are required to comply with Sec. 1702.113.  GENERAL QUALIFICATIONS FOR LICENSE, CERTIFICATE OF REGISTRATION, OR SECURITY OFFICER COMMISSION (which are basic employment requirements) and:

Sec. 1702.114.  ADDITIONAL QUALIFICATIONS FOR INVESTIGATIONS COMPANY LICENSE.

(a)  An applicant for a license to engage in the business of an investigations company or the applicant’s manager must have, before the date of the application, three consecutive years’ experience in the investigative field as an employee, manager, or owner of an investigations company or satisfy other requirements set by the commission.

Now I do understand the need to provide a governing hand to protect the public from “investigators.”  If the state feels it is necessary then so be it.  This is basically stating that you have to have three years’ experience before you can operate individually or be the primary investigator of a company (yours or somebody else’s).  More explanation about this can be found in the PSB Opinion Summaries in the section titled Computer Forensics.

The part of Chapter 1702 that is really going to concern people is the guidance it provides for people the state considers “security services contractors” or a “private security consulting company.”  Here are the guidelines for what constitutes a “private security consulting company.”

Sec. 1702.1045.  PRIVATE SECURITY CONSULTING COMPANY.

A person acts as a private security consulting company for purposes of this chapter if the person:

(1)  consults, advises, trains, or specifies or recommends products, services, methods, or procedures in the security or loss prevention industry;

(2)  provides a service described by Subdivision (1) on an independent basis and without being affiliated with a particular service or product;  and

(3)  meets the experience requirements established by the board.

Guidance on how this applies can also be found in the PSB Opinion Summaries in the section titled Computer Network Vulnerability Testing Firms.  Here is the part that stands out to me:

However, while the Bureau regulates consultants in the “security industry or loss prevention industry,” this latter phrase is not explicitly defined in the statute. It is therefore necessary to look to the rest of the statute in order to understand to which services the private security consultant’s licensure requirement applies.

It is reasonable to consider those industries otherwise regulated by the Private Security Act as reflecting the scope of the phrase “security industry or loss prevention industry.” In other words, the definitions are implied by those services that are regulated by the statute, viz., security guards, locksmiths, alarm system installers and monitors, and private investigators, and not software designers, installers or suppliers.

Thus, the industries that are directly regulated are the same industries about which one cannot consult without a license. Because the Private Security Bureau does not regulate software designers, installers, or suppliers, it also does not regulate those who provide consulting services related to computer network security.

What this tells me is, basically, that if you are a security consultant in the State of Texas you must be registered.  This requires that you apply for a license and pass the Qualified Manager’s Exam.  This is the same exam that is required to become a licensed Private Investigator, only whereas Private Investigators pay $350 to take the exam, security consultants have to pay $400 to take the exam, as outlined in Chapter 1702.  This exam simply shows that the person passing the exam has an understanding of the regulations we are covering and nothing specific to investigations or consulting.  The additional requirements to become a licensed security services contractor include:

Sec. 1702.115.  ADDITIONAL QUALIFICATIONS FOR SECURITY SERVICES CONTRACTOR LICENSE.

(a)  An applicant for a license to engage in the business of a security services contractor or the applicant’s manager must have, before the date of the application, two consecutive years’ experience in each security services field for which the person applies as an employee, manager, or owner of a security services contractor or satisfy other requirements set by the commission.

(b)  The applicant’s experience must have been obtained legally and must be:

(1)  reviewed by the commission or the director; and

(2)  determined to be adequate to qualify the applicant to engage in the business of a security services contractor.

As a security professional in the State of Texas I am concerned that I cannot consult, advise, train, or specify or recommend products, services, methods, or procedures in the security or loss prevention industry without being a licensed security services contractor.  This basically tells me that I cannot talk to anybody (family, friends, public gatherings like the PTA or a church, in addition to business relationships) about these issues until I am licensed.  Consulting businesses doing business within Texas should have the very same concerns.

Security professionals coming to Texas should also be concerned.  If you come to Texas to work or even to teach a class (SANS training) or give a presentation (TRISC) that consults, advises, trains, or specifies or recommends products, services, methods, or procedures in the security or loss prevention industry and you are not licensed you could be held accountable.  Specifically:

Sec. 1702.386.  UNAUTHORIZED EMPLOYMENT; OFFENSE.

(a)  A person commits an offense if the person contracts with or employs a person who is required to hold a license, registration, certificate, or commission under this chapter knowing that the person does not hold the required license, registration, certificate, or commission or who otherwise, at the time of contract or employment, is in violation of this chapter.

(b)  An offense under Subsection (a) is a Class A misdemeanor.

Although a Class A misdemeanor does not seem like much, individuals who have been found in violation of this statute may not be able to obtain a license in the future, as outlined in Sec. 1702.113.  GENERAL QUALIFICATIONS FOR LICENSE, CERTIFICATE OF REGISTRATION, OR SECURITY OFFICER COMMISSION.

If you have additional information, updates, or clarification on this please leave a comment or shoot me an email so that I can update this post.

I’m starting to wonder if this blog is a violation of this statute.

Go forth and do good things,

Don C. Weber


Moving On To IBM’s ERS Team

August 15th, 2008 cutaway Posted in Incident Response, Security, consulting

I have only mentioned this to a few people thus far (the number grew at DefCon) because I was waiting for it to actually happen.  When I graduated college I decided that I wanted to move into security because I figured it was a field that would always be necessary.  I knew that people would always be trying to break in and that companies would need people to find out what has happened and need advice on how to respond.  Since starting security with Raytheon I have endeavored to increase my knowledge of technology while mainly focusing on certification, accreditation, and compliance at work.  Now all of my hard work and extra time has paid off.

Today is my last day as a Navy contractor and Monday will be my first day as an incident responder for IBM Internet Security Systems’ Emergency Response Team.  I will be joining the likes of Harlan Carvey, Cory Altheide, and other well known and highly respected individuals, some of whom have already written books on Windows and *nix Forensic Analysis, so I figure I am in for a world of learning and progression.  I am getting very excited and cannot wait to start and prove myself to my new team.

All of that said, I have to give a shout-out to my current team.  I have had the pleasure of leading thirteen other Navy contracting security professionals.  It has been very challenging to bring an organization without a security group into the world of security.  Fortunately we usually had executive buy-in, which helped ease most of the transition.  But my team of raw (from the security standpoint) recruits really shone through and proved that they could come together as a team and work openly with their administrative and developer counterparts.  They have had an amazing impact on the organization we work for, and I am certain that as they continue forward without my guidance they will prove that they have both the knowledge and the drive to learn that will help them get the job done.  I want to tell all of these people that it has been my pleasure and privilege to lead them during the past ten months.  It is the only downside to moving on and I will miss them all.

So, here is to new beginnings and old friends.  May we all prosper in our collective and individual futures.

Go forth and do good things,

Don C. Weber


Information Security Consultancy – Market Analysis Summary

September 10th, 2007 cutaway Posted in Management, Security, consulting

In an attempt to understand the business process better I have recently been working on a business plan for an information security consultancy.  I have based the plan I am working on around a sample business plan I found through Bplans.com titled Computer Consulting Business Plan.  This is a business plan for an actual IT business, and modifying most of the sections has not been very difficult.  That is, until I came to the Market Analysis Summary section.  It was quickly apparent that I would not be able to cut, paste, and modify the information provided, as it did not represent what comes to my mind when I think about the information security market.

After a little looking around, however, I determined that there is not much information available concerning information security consultancies.  The closest thing that I could find were articles written about Managed Security Service Providers.  Although the customers and services are close, there are still several differences between the MSSPs and a consultancy that need to be taken into consideration.

According to the business plan that I am following, a Market Analysis Summary is performed by analyzing Market Segmentation, Target Market Segment Strategy, and Service Business Analysis.  If I am reading into this correctly the basic gist of a Market Analysis Summary is to help determine who the business will target, what services they will provide to these targets, and identify who are the competitors that will be offering similar services to the targets.  In an effort to determine if I am correct, and to provide more information online, the following is what I have written to satisfy the Market Segmentation and Target Market Segment Strategy.  I am hoping that people will comment and let me know if I have forgotten something, misinterpreted something, wandered off the path, or completely misunderstood the goal.


Market Analysis Summary

I.  Market Segmentation

  • Individuals – Many people are concerned about how they are affected by hackers and identity thieves. But outside of training and user awareness this is probably not the most lucrative group. Although some individuals may be worth taking on as clients, usually these will fall into the Home Office group. Barring allowing people to come to group training sessions, this group should be avoided unless absolutely necessary.
  • Home Office Businesses – The largest and fastest growing segment, this segment is obviously defined as small businesses that are based primarily out of the owner’s home. This is not the same as simple home computer users. Small quick resources should be developed to facilitate plug-in-go solutions such as Linux Linksys Wireless Routers, pfSense firewalls, secure desktop builds, etc. This group would benefit from weekly and monthly email alerts. Baselining and external assessment is a possibility but not likely.
  • Small Businesses – Defined by the government as businesses with 1 to 99 employees. This group could also benefit from the plug-in-go setups mentioned for the Home Office group. Larger organizations may require more advanced solutions such as central logging, IDS, email servers, SPAM filters, more advanced network design, etc. Larger organizations may also require policy development. This group could also benefit from training and customized email alerts. Baselining and external assessment may be feasible on a monthly or yearly basis.
  • Medium Businesses – 100 to 499 employees. Same as Small Businesses, only more likely to be dealing with administrative personnel. These will most likely lean toward baselining and assessments after review and mitigation. Possibility for pentesting. Possibility for more advanced and frequent training.
  • Large Businesses – 500 or more employees. Same as Medium Businesses.

II.  Target Market Segment Strategy

The following image (the original image has been split for display purposes) is an attempt to break down the different types of businesses and the security services they might require. Each color is significant in that it brings the two lists together. The color of each business, or actually regulatory requirement, is linked via color to the services that the business subsection is most likely to purchase. This is definitely different from the services that regulations say they are required to do in order to be compliant.

Market Needs

The list of security related services can be broken down into a specific list of business needs.

  • Training for technical and nontechnical staff.
  • Implementation of business and security related technologies.
  • Assessments for determining state.
  • Auditing to determine/ensure compliance with policies and regulations.
  • Development of policies.
  • Development and implementation of incident response.
  • Research into the security of current and future technologies.

Market Trends

Drivers of the Security Market Place in order of importance to a small security consultant company.

  1. Increase in consequences for technological and non-technological breaches.
    • Identity Theft
      • This issue will drive the development of new or the modification of current regulations.
      • Changes will increase individual responsibility in the form of monetary and criminal penalties.
    • Theft of Intellectual Property
      • Affected by the dynamic technological growth in third world countries.
        • Increased the flow of money in and out of these countries.
        • Allowed for cost effective education to reach remote locations.
        • Expanded the level of connectivity to remote locations.
        • Raised the need for rapid technological advancement to keep pace with more advanced companies.
      • Affected by differences in societal belief systems.
        • Military espionage is usually only illegal when it is occurring against the victim. Politics always provide plausible deniability.
        • Some countries believe that business espionage is a part of the game and therefore acceptable.
    • Service Availability
      • Customers want a product or service “right now.”
      • Customers will most often go some place else if the product or service is unavailable even for a short period of time.
      • It is fairly easy to adversely and unanimously affect online availability.
  2. Security evolving into a part of job descriptions and duties.
    • Security related projects are funded infrequently or not at all in small and medium businesses.
    • Administrators and managers are increasingly expected to be responsible for security considerations, thereby negating the necessity for extra personnel.
    • Outside help in the form of consultants, MSSPs, or Value Added Resellers (VARs) is brought in for development and deployment or when necessary for very specific projects such as regulatory auditing.
  3. Rapid Growth of Technology
    • Number of non-security and security related products.
      • Difficult to send people to training on each and every product.
      • Understanding a product does not necessarily mean the person understands how it fits into the overall deployment.
      • Often lack sufficient security evaluations.
    • Need for advanced web applications
      • These are great for online businesses.
      • Are often complex.
      • Often have been rushed to market and lack sufficient security evaluations.
    • Diversity has increased attack vectors.
      • Each product has individual and often unique considerations.
      • This has caused the rapid increase in software and hardware analysis tools that are used by good and bad guys.
  4. Growth of Managed Security Service Providers.
    • Provide businesses with the option to outsource all or part of their security solutions.
    • A medium or large MSSP can pull from a pool of experienced professionals and then tailor to the specific needs of a business.
    • Medium and large MSSPs are willing to pay for security research as a service to customers and for marketing purposes.
  5. Government security driven by the security of commercial solutions. I marked this low because of my lack of experience in security research, or this might have been placed as high as #2.
    • This will have to be addressed at some point.
    • May mean network separation from the Internet, but this will have a bigger effect for telecom consulting firms.
    • Will mean an increase in code and product review and analysis.
    • Will generate business for large firms and MSSPs.
      • These companies will have to augment by purchasing or hiring smaller consultant firms.
    • Vulnerabilities in products may start to affect payments and bonuses to vendors and resellers.
      • This will drive vendors to increase code and product review and analysis.

Market Growth

Although there is not much to find referencing growth in information security consulting, there are several references to the increase in businesses turning to MSSPs for solutions.

Helpful Links


Go forth and do good things,
Cutaway
