Forwarded From: Aleph One <aleph1@dfw.net>
http://www.wired.com/news/news/technology/story/11528.html
Network Security Seal a Sticky Wicket
by James Glave
5:04am 8.Apr.98.PDT
Just as the Good Housekeeping Seal of Approval assured consumers that
a given blender could cut the mustard, a new auditing and
certification scheme called TruSecure hopes to instill the same
battle-tested confidence in computer networks and Web sites.
But some security experts are saying that TruSecure should never have
left the lab.
The program, announced Tuesday by the for-profit International
Computer Security Association (ICSA) -- formerly the NCSA -- is based
on an audit that uses various commercial and custom tools to plumb the
vulnerabilities of firewalls, Web servers, email servers, and Internet
utilities such as File Transfer Protocol. Once a company has fixed the
problems uncovered by the audit -- and paid the $39,900 annual fee --
it is eligible for the vaunted ICSA TruSecure Certification.
"We can't guarantee that a TruSecure certified network is 100
percent secure, but it means it is as secure as it can be," said ICSA
product manager Pam Zemaitis.
But some computer security experts said that the TruSecure label can
become moot within hours.
"It's like saying this seatbelt is certified to handle 40,000 pounds
of pressure per square inch, but you don't know if the customer has
tied it around their neck," said Marcus Ranum, CEO of Network
Flight Recorder, which makes network and security tools.
Ranum said that computer security products such as firewalls are so
customizable that even minor, routine modifications by a system
administrator can open new vulnerabilities and render a seal of
approval obsolete.
The other problem with certifying a network as bulletproof is that new
bugs and holes are uncovered and widely circulated all the time, said
Alan Paller, research director with the SANS Institute, a
cooperative security research and education organization.
"That's just silly for the customer who buys it," said Paller when
informed of the TruSecure program. "BugTraq didn't stop last
night," he said, referring to the popular security mailing list that
publicizes vulnerabilities. More than 18,000 people subscribe to
BugTraq.
But the ICSA's Pam Zemaitis said that the TruSecure certification
comes with a twice-monthly "security alert" email that recommends
other upgrades and patches as they are discovered. Further, ICSA will
conduct spot checks to make sure certified clients remain up to snuff,
she said.
However, the onus is on certified companies to notify ICSA when they
have installed a new firewall or other software. "If they install a
new product, it is to their benefit to make sure it is configured
correctly," said Zemaitis. Companies in the financial industries,
healthcare, government, and e-commerce are all candidates for the
TruSecure program, she added.
Elias Levy, moderator of BugTraq, confirmed that new, significant
holes surface almost daily, and should be patched as soon as possible.
"Services such as ICSA's do take a long time in implementing these
fixes," Levy said. The ICSA audit and certification is likely to
appeal to organizations too small to have a dedicated network
administrator who watches for problems and fixes them in real time, he
said.
"Security is something you always want to do in-house, for many
different reasons, including the risk of someone leaving with all your
secrets; it's not something you want to leave to outside parties,"
Levy said. Ranum agreed: "The single most valuable security tool you
can get is a network manager," he said.
But Paller said that any action that could improve security will raise
the hurdles that intruders need to jump over -- and that
realistically, vigilant, skilled system administrators are hard to
come by.
"It comes down to another religious argument between the people who
want to do good, but have to find a common denominator to do it, and
the people who want to do it exactly right but are faced with a dearth
of talent," Paller said.
Both Ranum and Paller said that the network certification program was
a political or public relations tool that at once appeals to senior
management and justifies the need for in-house security staff.
"The real value of TruSecure audit and certification is that it will
give system administrators some extra weight to go get more bodies,"
said Paller. "It gives an economic justification to the security
people who want more people."
"Certification appeals very strongly to the clueless senior manager
who feels comfortable with the stuff that is certified," Ranum said.
Zemaitis said that while it would be possible to revoke a site's
TruSecure certification if it became riddled with holes, such a
penalty is "not our intention."
"Our intention is to assist them; it's not for an additional lump sum,
we are guiding them and helping them," she said.
But Ranum was skeptical, citing ICSA's business model, which he said
capitalized on the association's reputation as a vendor-neutral,
independent body. The ICSA is, in fact, a for-profit concern that
makes money from certifications, a position that Ranum said left
little room for accountability.
"Once you have your certification, what does it mean?" Ranum asked.
"Right now, it means about 40,000 bucks."
Received on Wed Apr 8 13:36:34 1998