In God We Trust, but It’s Nice to Do a Physical Walk-Through on Security Vendors
Oh dear, the spoofed e-mail said. I’m in Europe and I can’t SSH into the rootkit.com server. Be a love and open the firewall, and while you’re at it, reset my password to changeme123, will you, please?
Yes, that’s how easily an astute security company got pwned. One of the most dismaying aspects of the HBGary Federal attack was how a sophisticated security company could be so easy to hack using a mixture of tactics that included the simplest of stumbles: a socially engineered theft that got Anonymous access to the e-mail password used by Greg Hoglund, HBGary co-founder and part-owner of HBGary Federal. With control of his account, the intruders sent an e-mail to the admin of rootkit.com asking for the firewall to be opened and Hoglund’s password reset to “changeme123”.
As Steve Ragan points out in his reporting for The Tech Herald, the move is a “classic” case of social engineering.
“A lot of what [HBGary Federal] did was pretty dumb,” agrees a security researcher who requests anonymity. The security researcher has been impersonated himself in unsuccessful attempts to break into his company, using the same passwords on different accounts. “[They were] basically fooled by e-mail that came through supposedly from the boss, that went to an IT guy who thought he was doing the right thing, who thought he was responding quickly by giving out the password to the server.”
Here’s the rub: How do you vet a security company to figure out if they’re liable to fall victim to something like that? How do you ensure a company won’t send out passwords or other sensitive information without verifying identity, won’t send passwords via e-mail, and won’t hand out passwords on the basis of a phone call it didn’t itself initiate?
If at all possible, Infosec professionals advise, you should visit the firm. Here are some things to watch for if you can pay them a call. Please also read the first article in this series, In God We Trust, but Security Vendors Need to Sign the Papers, if you’d like more input from Infosec professionals on how to vet a security vendor pre-visit.
A Good Sign: Questioning Authority
Take note of an atmosphere where bosses aren’t feared, but instead encourage employees to question them, the security researcher advises. HBGary Federal shouldn’t have acted on an e-mailed request without initiating a phone call or using another two-factor authentication technique to ensure the password request wasn’t spoofed.
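The control described above, a privileged request that arrives by e-mail is never executed on its own but is held until the admin confirms it over a channel the admin initiates, can be made mechanical rather than a matter of judgment. The following is an added example, not code from the article or from any company it names; the request format, the function names and the sample request are assumptions made for this illustration. It also refuses the caller-chosen password in the request, since a spoofed sender who picks the new password already knows it.

```python
"""Out-of-band approval gate for privileged change requests (added example).

An e-mailed request to open a firewall or reset a password is queued, a
one-time confirmation code is generated, and the change runs only after the
admin supplies that code. The code is meant to be read out on a call the admin
places to the requester's known phone number; it is never sent back over the
channel the request came in on.
"""
import hmac
import secrets
import time
from dataclasses import dataclass

# Actions that may never be executed on the strength of an e-mail alone.
PRIVILEGED_ACTIONS = {"open_firewall", "reset_password", "add_ssh_key"}

# Constructed sample of the kind of request the article describes.
SPOOFED_REQUEST = {
    "from": "ceo@example.com",
    "action": "reset_password",
    "account": "ceo",
    "requested_password": "changeme123",  # caller-chosen password: always refused
}


@dataclass
class PendingChange:
    request: dict
    code: str        # one-time code, delivered only out of band
    created: float
    attempts: int = 0


class ChangeGate:
    """Queues privileged requests; executes them only after out-of-band confirmation."""

    def __init__(self, ttl_seconds: int = 900, max_attempts: int = 3, clock=time.time):
        self.ttl = ttl_seconds
        self.max_attempts = max_attempts
        self.clock = clock          # injectable so expiry can be tested
        self.pending: dict[str, PendingChange] = {}
        self.executed: list[dict] = []

    def submit(self, request: dict) -> tuple[str, str]:
        """Accept a request from an untrusted channel. Returns (ticket, status).

        Nothing is executed here, and a password supplied by the requester is
        dropped: the new credential is generated by us, not chosen by them.
        """
        if request.get("action") not in PRIVILEGED_ACTIONS:
            return ("", "rejected: unknown action")
        request = {k: v for k, v in request.items() if k != "requested_password"}
        ticket = secrets.token_hex(8)
        code = f"{secrets.randbelow(10**6):06d}"   # six-digit code read out by phone
        self.pending[ticket] = PendingChange(request, code, self.clock())
        return (ticket, "pending: confirm out of band")

    def confirm(self, ticket: str, code: str) -> str:
        """Execute the queued change only if the admin presents the out-of-band code."""
        change = self.pending.get(ticket)
        if change is None:
            return "rejected: no such ticket"
        if self.clock() - change.created > self.ttl:
            del self.pending[ticket]
            return "rejected: expired"
        change.attempts += 1
        if not hmac.compare_digest(change.code, code):   # constant-time compare
            if change.attempts >= self.max_attempts:
                del self.pending[ticket]
                return "rejected: too many attempts"
            return "rejected: wrong code"
        del self.pending[ticket]                          # one-time use
        done = dict(change.request)
        if done["action"] == "reset_password":
            done["new_password"] = secrets.token_urlsafe(12)   # generated, not caller-chosen
        self.executed.append(done)
        return "executed"


def demo() -> list:
    """Run the sample request through the gate; returns the list of executed changes."""
    gate = ChangeGate()
    ticket, _status = gate.submit(SPOOFED_REQUEST)
    # Simulate the admin reading the code over a phone call they placed themselves.
    spoken_code = gate.pending[ticket].code
    gate.confirm(ticket, spoken_code)
    return gate.executed


if __name__ == "__main__":
    print(demo())
```

The important properties are that `submit` never has side effects beyond queuing, that the confirmation code only ever travels on the admin-initiated channel, and that a ticket is consumed after one successful confirmation, a bounded number of wrong guesses, or expiry.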
Similarly, when you’re on-site, take note of whether the encouragement of questioning filters down to every level of the company. If you try to get past their reception desk not wearing a badge, will somebody ask who you are?
Security firms employ lots of people, and not all of them are security professionals. They employ sales people, accountants, receptionists, and Human Resources people. Does the security company train them to follow good security practices? Walk around the office. Keep your eyes open.
Note the Hygienics
Years ago, the security researcher was visiting a rival company. Researchers at the company were analyzing malware on the same computer on which they were sending e-mails. It was before the days of virtual environments; they were testing on a simple Windows computer.
“That was utter anathema. Are you fricking crazy?” the researcher says. “If [there were] an e-mail-aware worm, it would spam itself out to everybody else. This was beaten into us at an early age: You use different computers. Here, we have different cables. Green equals good. Red equals ‛This isn’t our internal network; this is connected to the Internet, so it’s potentially bad.’ It avoids the natural human mistake of plugging the wrong cable to the wrong computer.”
Other things to look for: Are computers allowed into the virus lab? If so, they should never be allowed out. Does the security outfit have a shredder? An industrial shredder is a crusher for anything with a hard drive. The only way something should come out of a virus lab is in pieces.
Beware of Companies Putting on a Show
Richard Stiennon is the Chief Research Analyst at IT-Harvest, which tracks and reports on the cyber defense industry. He visits many security firms. Sometimes, when he walks in, is required to sign in, and is given an escort, he gets the feeling that “They’re putting on a show for the security analyst.”
He watches to see if the front office is actually left unstaffed, without a receptionist. He watches for delivery people coming in and out. He also notes when a facility is just an open room with offices around the perimeter for execs—which “invariably” turns out to be the case, he says.
It’s not a good sign. “Once you’re in, you’re in, and once you’re in, you can wander around and see and do stuff,” he says.
Make Sure They Have a CSO
Even RSA Security appointed its first chief security officer only in June after it was attacked, Stiennon notes. Even a security company needs somebody in charge of security, as attacks on RSA, Symantec, and other once-CSO-less security firms make clear.
Vet the Products
Most security appliances from a given vendor talk to each other using encryption such as SSL, which is great, Stiennon says. On the other hand, many still have backdoors, putting the onus on the customer to change default passwords. Vendors shouldn’t ship products like that, he says. They should lock their products down by default, making it impossible to abuse back doors.
This is a tip for both on-site and off-site security vendor evaluations: Validate how the product is managed remotely, he recommends, with an eye toward a hacker gaining access. Vet how secure the product’s connection is. Is it allowed to connect through a McDonald’s hotspot? Does the management console have strong authentication? Does it contain default passwords to get to the management console?
Presumably, the vendor will have all the answers to address these security aspects of its products.
If You Can’t Visit, Use Input from Those who Can
Besides Stiennon, there are plenty of people who vet the security vendors, with Gartner being the biggest. Stiennon trusts Gartner’s Magic Quadrants, and he should know, having once been vice president of research at the analyst firm. He notes that Gartner analyzes late adopters, however, and not the cutting edge.
Stiennon also has faith in the work of The 451 Group’s “good team of security guys.”
Conclusion in Either Case: Drill and Spend
Regardless of whether or not you make an on-site visit, organizations should be running drills for security crises.
Looking across the swaths of security compromises of both the security and other industries in the past 12-18 months, with perhaps less than two exceptions, Akamai Technologies Director of Security Intelligence Josh Corman surmises that none has been particularly sophisticated at the root cause. Most have been fairly simple compromises. Which isn’t to mock the victims, he says, but rather to simply point out that we’re seeing enough data points that we can surmise that our failures are fairly simple ones. None seem like they couldn’t happen to any of us. None of us would be immune, he says.
Watching the incident responses and the public relation successes and failures is forcing the industry to re-evaluate best practices for communicating breaches. There’s more transparency, less brushing of incidents under the rug.
We’re also seeing an evolution to new best practices in crisis management, Corman notes. He’s encouraging many CISOs to execute table-top crisis exercises, including PR drills, in response to possible incidents involving chaotic actors (e.g., hacktivist groups such as Anonymous or LulzSec) or state-sponsored actors (a.k.a. APTs, or advanced persistent threats: typically a group, such as a nation state, with the capability and the intent to persistently and effectively target a specific entity. Such was presumed to be the actor in the RSA breach).
“We’re not proficient at these scenarios as an industry,” Corman says. “It’s better to practice in a mock situation than to find yourself in the midst of one without a modern playbook.”
Also bear in mind that security spending is frozen. When he was with The 451 Group three years ago, Corman projected the total spend at a little under half a billion. The current total spend as tracked by The 451 Group hasn’t changed: It comes in around $441 million, Corman notes. “I’ve concluded that we’ve seen the push side, the demand side, have reached its limit,” he says. “People who independently care about making software more secure have already spent” their money.
And the rest?
One would assume that, given the state of major breaches, they should consider whether they might not care enough.