Information Security News mailing list archives

A UL-type seal for security? Don't bet on it


From: William Knowles <wk () C4I ORG>
Date: Tue, 17 Oct 2000 01:40:21 -0500

http://www.zdnet.com/eweek/stories/general/0,11011,2640597,00.html

By Scott Berinato, eWEEK
October 16, 2000 12:00 AM ET

Everyone knows, when they buy electronics, to look for the "UL" symbol
on the back. It's the mark of Underwriters Laboratories Inc., and its
seal of approval essentially means the product probably won't
electrocute you or catch fire.

Given the number of IT shops burned by poor security this year, many
think it's time for a UL-like underwriting organization in the world
of Internet security. But don't build your security infrastructure
expecting any such labels in the near future.

One security administrator at a large Midwestern bank recently
purchased an intrusion detection system and says, in retrospect, he
wishes it had some kind of underwriter's seal of approval on it.

"The product just hasn't met our security requirements," said the
administrator, who requested anonymity. "If there were some stamp
with the weight and respect of a UL when we were evaluating, that
would have meant a lot. It would change our approach to buying
security products."

Underwriters in other industries test products and give them a "grade"
so buyers can make certain assumptions about them. UL, for example,
has three classifications, each meaning a product or its components
have been tested for certain types of risk. There are also legal
implications to having a product tested and approved.

Creating a baseline set of specifications that all security products
must meet would not only help enterprises grappling with a glut of
security products and services but also would protect managed
security providers should they be sued by clients if security is
compromised.

But many of the same security experts who see the need for a UL-like
organization say it's not likely to come about any time soon. Some
doubt it's even possible to create such a thing.

"The sheer complexity and the cost of creating that, and having it be
credible, seems to indicate you could never get ahead of the problem,"
said Bruce Schneier, founder of managed security company Counterpane
Internet Security Inc., in San Jose, Calif. "Plus, to stick to the
analogy, Underwriters Laboratories deals with randoms: what happens if
lightning hits your appliance? With computer security, you have
intelligent adversaries. Lightning doesn't target your radio. Hackers
target your computers."

Another user at a life insurance company also supports a security
underwriter, but he, too, doubts its feasibility, asking rhetorically,
"Have you ever tried to put a basement under a house?"

That's not to say there haven't been efforts to create underwriters in
the security world.

The most notable example is ICSA.net, a Carlisle, Pa., group that most
security managers know for its work certifying firewalls, VPN (virtual
private network) hardware and other security products.

In fact, founder Peter Tippett invites the analogy to UL and wants to
extend certification into the services realm with a "best
practices"-type stamp for Internet sites under the TruSecure brand.

But vendors and users alike are resisting buying into ICSA.net as the
potential nonpartisan underwriter for Internet security.

"First off, they're for-profit," said Dave Williams, CIO of Retail
Solutions Inc., in Lincoln, R.I., who does not look for the ICSA stamp
of approval on security products. "That's a bias right there. And more
than anything, any sort of 'eUL' will have to have credibility. But I
definitely want to see some sort of underwriter. I've been burned like
everyone in security."

Others weren't as kind to ICSA.net.

"We've worked with ICSA, and they are a nightmare," said Steve Peters,
president of VPN hardware vendor Red Creek Communications Inc., in
Newark, Calif. Peters said the number of customers demanding ICSA
certification has been dropping. "There was no service. They were in
it for the money," he said. "But some sort of underwriter, without the
ICSA politics, that would help."

Several other users and experts echoed Peters' and Williams'
sentiments, including the administrator at the life insurance company,
who said, "We haven't been real happy with them. I don't see them as
the answer."

But ICSA isn't the only group trying to underwrite security.

Visa International Inc. last week launched a Web site, Global Data
Security, which aims to set privacy and security standards for
merchants and consumers in its network. Visa hopes this becomes akin
to the "Good Housekeeping Seal of Approval" for online security.

None of these efforts, however, meets the real needs of underwriting
security. Most experts said the organization that would oversee
security would have to be not-for-profit, widely respected,
independent and capable of keeping up with technology that changes
quickly.

But the effort to create and support an underwriter is slow. Vendors
say they support such an initiative and would put their products
through the wringer if a stamp of approval were available, but few
seem to want to do anything about it.

Counterpane's Schneier doubts it can happen. "I don't think anyone can
afford to do it or can keep up with the pace of change, which means it
won't happen," he said. "We'd be better to recognize there won't ever
be such an underwriter's stamp and go from there."

Retail Solutions' Williams holds out more hope.

"I can see how that first step is a real big one," he said. "But if
there were an organization already out there willing to take it on,
the rest would readily fall into place. An underwriter would really
help, and that's what this is all about, right? Helping users?"


---------------------------------------------------------------------

Underwriting Security

While some agree with ICSA.net's certification categories and
criteria, many say it hasn't proved credible enough to be a standards
underwriter

Categories

* Anti-virus software
* Firewalls
* IP Security products
* Cryptographic products

Criteria for passing

* Product resists specified threats
* Product passes battery of tests
  - Performance-based
  - Underlying technology not assessed

Methodology

* Initial test and contract for certification
* Random tests throughout product life
* Yearly recertification of products



*==============================================================*
"Communications without intelligence is noise;  Intelligence
without communications is irrelevant." Gen Alfred. M. Gray, USMC
================================================================
C4I.org - Computer Security, & Intelligence - http://www.c4i.org
*==============================================================*

ISN is hosted by SecurityFocus.com
---
To unsubscribe email LISTSERV () SecurityFocus com with a message body of
"SIGNOFF ISN".

