Security operations are a common area to outsource. The scope is often difficult to define and a dedicated team is often not warranted. A third party is contracted to process security events from devices such as firewalls, IDS appliances, generic network equipment and infrastructure. The third party is relied on to process (de-duplicate, reconcile and interpret) the events and call attention to any issues. Few however check to see that the provider is providing as promised. Typically, the outsourcer in this case has a central operations room with lots of monitors displaying plenty of monitoring output. Oversubscribed staff attempt to process the barrage of alerts, but focus primarily on the top three to five customers listed on a whiteboard in the corner. If you aren't on the whiteboard, nobody is looking after your gear. Buying a solution is a way in which security is often inadvertently outsourced.
As already mentioned security is a part of all other domains and thus it follows that there is a security component to all solutions. As with security operations, a lack of demand from customers has meant that most integrators do not well cater for security in their solutions. A company trying to outsource it's WAN is likely to purchase private circuits off a telecommunications company. There is little incentive to go to the expense of dedicated circuits and the WAN may be bundled as part of a package. Typically this means that all inter-branch network security (which often includes telephony) has been outsourced to the telecommunications provider. Assuming that the provider experiences no human error of technical complications, the WAN by design is likely to be insecure.
Telcos rarely employ anything more than the inherent nature of multiplexing technologies (for example MPLS, ATM, Ethernet trunking) to divide customers traffic. They, like any other large entity, are susceptible to social engineering that could lead to the unauthorised connection of two customers' networks.
Telecommunications providers also have the difficult task of physically protecting their network from attack. I recently observed a cellular provider's roadside cabinet was labelled with their name and the name of the vendor who supplied the equipment within it. The cabinet was likely monitored, but its physical defence consisted of a padlock holding fast a cheap latch that a small hammer could likely circumvent.
Penetration testing is a specialist service that is quite rightly outsourced in a lot of cases. It is a complex service and there is significant value in it being done independently. It also produces a deliverable in the form of a report making justifying it easier. We must remember however that it isn't the whole picture. Penetration testing can't consider operational practices that may introduce new vulnerabilities as quickly as the old ones are removed. There often isn't evidence that the individual completing testing is adequately skilled to do so, nor is their proof that the majority of vulnerabilities present were discovered. Unfortunately, the reality is most people who commission penetration testing would be satisfied with the doctored report from a freeware scanning tool.
Sign up for CIO Asia eNewsletters.