Network Security Seal a Sticky Wicket

by James Glave

5:04am 8.Apr.98.PDT

http://www.wired.com/news/news/technology/story/11528.html

Just as the Good Housekeeping Seal of Approval assured consumers that a given blender could cut the mustard, a new auditing and certification scheme called TruSecure hopes to instill the same battle-tested confidence in computer networks and Web sites.

But some security experts are saying that TruSecure should never have left the lab.

The program, announced Tuesday by the for-profit International Computer Security Association (ICSA) -- formerly the NCSA -- is based on an audit that uses various commercial and custom tools to plumb the vulnerabilities of firewalls, Web servers, email servers, and Internet utilities such as File Transfer Protocol. Once a company has fixed the problems uncovered by the audit -- and paid the $39,900 annual fee -- they are eligible for the vaunted ICSA TruSecure Certification.

The key. Pay the 39,900 annual fee. Paying for certification is obviously not a method to guarantee security.

"We can't guarantee that a TruSecure certified network is 100 percent secure, but it means it is as secure as it can be," said ICSA product manager Pam Zemaitis.

They want you to pay 40,000 dollars to become secure, and then tell you that they can't guarantee you are secure. What?!

But some computer security experts said that the TruSecure label can become moot within hours.

"It's like saying this seatbelt is certified to handle 40,000 pounds of pressure per square inch, but you don't know if the customer has tied it around their neck," said Marcus Ranum, CEO of Network Flight Recorder, which makes network and security tools.

Ranum said that computer security products such as firewalls are so customizable that even minor, routine modifications by a system administrator can open new vulnerabilities and render a seal of approval obsolete.

The other problem with certifying a network as bulletproof is that new bugs and holes are uncovered and widely circulated all the time, said Alan Paller, research director with the SANS Institute, a cooperative security research and education organization.

"That's just silly for the customer who buys it," said Paller when informed of the TruSecure program. "BugTraq didn't stop last night," he said, referring to the popular security mailing list that publicizes vulnerabilities. More than 18,000 people subscribe to BugTraq.

But the ICSA's Pam Zemaitis said that the TruSecure certification comes with a twice-monthly "security alert" email that recommends other upgrades and patches as they are discovered. Further, ICSA will conduct spot checks to make sure certified clients remain up to snuff, she said.

Twice monthly? If a new vulnerability comes out, you could receive the warning about it 13 days later. That is not helpful.

However, the onus is on certified companies to notify ICSA when they have installed a new firewall or other software. "If they install a new product, it is to their benefit to make sure it is configured correctly," said Zemaitis. Companies in the financial industries, healthcare, government, and e-commerce are all candidates for the TruSecure program, she added.

To their benefit? And the ICSA's benefit. More consulting, more money.

Elias Levy, moderator of BugTraq, confirmed that new, significant holes surface almost daily, and should be patched as soon as possible. "Services such as ICSA's do take a long time in implementing these fixes," Levy said. The ICSA audit and certification is likely to appeal to organizations too small to have a dedicated network administrator who watches for problems and fixes them in real time, he said.

"Security is something you always want to do in-house, for many different reasons, including the risk of someone leaving with all your secrets; it's not something you want to leave to outside parties," Levy said. Ranum agreed: "The single most valuable security tool you can get is a network manager," he said.

But Paller said that any action that could improve security will raise the hurdles that intruders need to jump over -- and that realistically, vigilant, skilled system administrators are hard to come by.

"It comes down to another religious argument between the people who want to do good, but have to find a common denominator to do it, and the people who want to do it exactly right but are faced with a dearth of talent," Paller said.

Both Ranum and Paller said that the network certification program was a political or public relations tool that at once appeals to senior management and justifies the need for in-house security staff.

"The real value of TruSecure audit and certification is that it will give system administrators some extra weight to go get more bodies," said Paller. "It gives an economic justification to the security people who want more people."

"Certification appeals very strongly to the clueless senior manager who feels comfortable with the stuff that is certified," Ranum said.

Zemaitis said that while it would be possible to revoke a site's TruSecure certification if it became riddled with holes, such a penalty is "not our intention."

"Our intention is to assist them; it's not for an additional lump sum, we are guiding them and helping them," she said.

But Ranum was skeptical, citing ICSA's business model, which he said capitalized on the association's reputation as a vendor-neutral, independent association. The ICSA is, in fact, a for-profit concern that makes money from certifications, a position that Ranum said left little room for accountability.

"Once you have your certification, what does it mean?" Ranum asked. "Right now, it means about 40,000 bucks."