Types of Security Consulting

Security is big business: the global security services market likely crests 100 billion USD.1

Both professional and managed services are components of this market. We will put aside the marketplace for managed services, which has unique complexities and contracting models. This guide will focus on professional services, which include a variety of common security consulting engagements.

More specifically, we’ll discuss the process of buying a security assessment - a consulting engagement focused on evaluating security design, architecture, and/or implemented controls to identify whether they are operating as intended and helping the organization to meet its security requirements (NIST). To start, let’s break down the types of assessments on offer.

Generic Assessments

Vulnerability assessments and penetration testing are the most common and broad modes of assessment.

Vulnerability assessment

A vulnerability assessment is a systematic approach to comprehensively identifying vulnerabilities or information security deficiencies. These assessments tend to be highly automated; human input is primarily used to confirm and prioritize tool-reported vulnerabilities. Vulnerability assessments are an efficient, and therefore cheap, way to identify common and known risks. Identified vulnerabilities are generally not exploited during a vulnerability assessment. It is the least expensive and least comprehensive service that is generally available.

Penetration testing

A penetration test is a security exercise that attempts to safely identify vulnerabilities and weak spots in a system or network’s controls. Identified vulnerabilities are exploited to determine impact and to identify further vulnerabilities accessible post-exploitation.

There are a few specific subtypes of penetration test, characterized by how much knowledge of, and access to, the target the vendor is given:

  • White-box (“full knowledge”): The vendor will be provided full access to the system, as well as documentation on its internals, source code, and partnership from subject-matter experts throughout the assessment.

  • Grey-box (“partial knowledge”): The vendor will be granted standard access for the varying personas of users of the system. They may be provided some documentation on architecture or implementation.

  • Black-box (“no knowledge”): The vendor will be in the same position as a black-hat hacker, with no special access granted or information provided.

Check out Daniel Miessler’s blog post for more on the difference between a vulnerability assessment and a penetration test.

Targeted Assessments

Other services are denoted specifically by the methodology, deliverable, or goals of the engagement. The most common examples follow.

Code review

A code review aims at as comprehensive a review of the source code for vulnerabilities as possible. These assessments leverage static analysis tooling as a matter of course. For any finding, every other instance of the same pattern in the codebase should be identified, not just the one that was noticed first. Sophisticated vendors will develop custom rules or analysis tooling; these can be specific to a client, or more generally applicable to a particular language or framework.
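As an added illustration of what "a custom rule that finds every instance of a pattern" looks like in practice (this is example code written for this guide, not tooling from any vendor named or implied above), the following Python AST visitor flags every call to `subprocess.run`/`call`/`check_call`/`check_output`/`Popen` made with `shell=True`, including calls made through module aliases and `from subprocess import ...` renames that a plain text grep would miss. The rule name `PY-SUBPROCESS-SHELL`, the `Finding` type and the embedded sample source are all constructed for the example.

```python
"""Constructed example of a custom static-analysis rule for a code review.

Given one finding of the form subprocess.run(cmd, shell=True), the reviewer
wants every other occurrence of that pattern, including aliased imports.
Parsing the AST rather than grepping handles `import subprocess as sp` and
`from subprocess import Popen as P`, which text search would miss.
"""
import ast
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    rule_id: str
    line: int
    col: int
    message: str


class ShellTrueRule(ast.NodeVisitor):
    """Flags subprocess.<func>(..., shell=True) for the common spawning functions."""

    RULE_ID = "PY-SUBPROCESS-SHELL"  # hypothetical rule identifier
    FUNCS = {"run", "call", "check_call", "check_output", "Popen"}

    def __init__(self):
        self.findings = []
        self._module_aliases = set()   # names bound to the subprocess module
        self._function_aliases = set()  # names bound directly to a spawning function

    def visit_Import(self, node):
        for alias in node.names:
            if alias.name == "subprocess":
                self._module_aliases.add(alias.asname or "subprocess")
        self.generic_visit(node)

    def visit_ImportFrom(self, node):
        if node.module == "subprocess":
            for alias in node.names:
                if alias.name in self.FUNCS:
                    self._function_aliases.add(alias.asname or alias.name)
        self.generic_visit(node)

    def _is_spawn_call(self, func):
        # subprocess.run(...) / sp.Popen(...)
        if isinstance(func, ast.Attribute) and isinstance(func.value, ast.Name):
            return func.value.id in self._module_aliases and func.attr in self.FUNCS
        # run(...) / P(...) after `from subprocess import ...`
        if isinstance(func, ast.Name):
            return func.id in self._function_aliases
        return False

    def visit_Call(self, node):
        if self._is_spawn_call(node.func):
            for kw in node.keywords:
                # Only a literal True is reported; shell=flag needs manual triage.
                if kw.arg == "shell" and isinstance(kw.value, ast.Constant) and kw.value.value is True:
                    self.findings.append(Finding(
                        self.RULE_ID, node.lineno, node.col_offset,
                        f"{ast.unparse(node.func)}(..., shell=True): command string is "
                        "parsed by /bin/sh; pass an argv list and drop shell=True",
                    ))
        self.generic_visit(node)


def scan_source(source, filename="<input>"):
    """Return all findings in `source`, ordered by position."""
    rule = ShellTrueRule()
    rule.visit(ast.parse(source, filename))
    return sorted(rule.findings, key=lambda f: (f.line, f.col))


# Constructed sample: three true instances, two calls that must not be flagged.
SAMPLE_SOURCE = '''
import subprocess
import subprocess as sp
from subprocess import check_output as co

def build(tag):
    subprocess.run("git archive " + tag, shell=True)      # instance 1
    sp.Popen(f"tar czf {tag}.tgz build/", shell=True)     # instance 2 (module alias)
    co("ls -l " + tag, shell=True)                         # instance 3 (function alias)
    subprocess.run(["git", "archive", tag])                # safe: argv list, no shell
    subprocess.run("echo ok", shell=False)                 # safe: shell explicitly off
'''

if __name__ == "__main__":
    for f in scan_source(SAMPLE_SOURCE, "sample.py"):
        print(f"sample.py:{f.line}:{f.col}: {f.rule_id}: {f.message}")
```

The rule deliberately reports every literal `shell=True`, whether or not the command string contains attacker-controlled data; deciding which instances are exploitable is the reviewer's job, and the point of the rule is that none of them are missed. A `shell=some_variable` call is not matched and still has to be triaged by hand.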

Threat model

A threat modeling engagement takes a step back from vulnerability discovery. Instead, it focuses on enumerating likely threats to a system. These assessments may follow a popular methodology, like STRIDE, or leverage a vendor’s custom approach.

Red team (adversary simulation)

A red team assessment is in many ways an extension of a penetration test. It is characterized by an attempt to model the behavior of a specific adversary and/or to compromise an organization by any means available, while avoiding detection. In cybersecurity, the term “red team” traces to late-90s DoD exercises2, where “red” emulated the opposing force (a Cold War convention). Red teaming requires a mature defensive posture, with monitoring and response that can actually be tested, to provide meaningful value beyond a penetration test.

Social engineering (phishing, vishing, smishing)

A social engineering assessment is narrowly targeted at that class of threat. The goal is to evaluate an organization’s resistance to social engineering. These assessments can target an entire company, or more narrowly focus on specific employees or assets. Social engineering can also be performed as a component of a larger assessment.

Technical Specialty (hardware, cryptography, cryptocurrency)

Many technologies have unique risks that require specific expertise to identify. In these cases, you may need a specialty assessment, from a consultant or consultancy that has deep experience in your problem space.

On newer models

When researching vendors, you will stumble across a few emergent offerings - bug bounties and “automated” pentests or red teaming. Without too much digression, suffice it to say that vendor marketing often makes false comparisons between these services and traditional consulting engagements. While these new offerings can provide value, they are not a drop-in replacement for a services engagement. As one survey respondent put it: “Getting tough to find something that’s not just a dressed up Nessus scan.”