Q&A: Providing security certification in a world of cyber threats

We sat down with George Japak who heads up ICSA Labs, an independent division of Verizon, to discuss current developments in the security and vulnerability landscape.

1. George, can you tell us what ICSA Labs does?

ICSA Labs provides a comprehensive set of ISO accredited testing and certification services for information security products, Internet of Things (IoT), health information technology (HIT), mobile devices, and mobile apps, as well as custom services that can support the enterprise. ICSA Labs has provided these services globally for 25 years.

2. What are the common myths surrounding certification?

Very often certification gets incorrectly lumped in with testing in general. There are numerous types of testing programs that serve many purposes.

Certification verifies certain functions of a product against a specified set of criteria to validate that the product is performing in accordance with the requirements. ICSA Labs makes these criteria publicly available for vendors – including Anti-Virus (AV), Advanced Threat Defense (ATD), Anti-Spyware, etc. (View all 14 testing services here).

ICSA Labs regularly reviews and updates test criteria; however, its testing methodologies continually undergo change in response to market conditions. For example, for its AV program, the test sets are created monthly to capture the latest malware threats. This provides end users with the assurance that ICSA Labs-certified security products are well protected against the evolving threat landscape.

Another myth is that once a vendor achieves certification, nothing more needs to be done. That is not true. One of the most important aspects of certification is that it has a requirement to not just satisfy the criteria the first time, but to continue to meet the requirements through periodic retesting. Failing to do so will result in the vendor losing the certification.

3. There are several labs focusing on security products. How do they differ from what you do?

ICSA Labs has been performing information security testing and certification for 25 years. No other testing/certification lab has been doing this for as long. Along with ICSA Labs’ history and deep domain expertise, the criteria and requirements used in its testing and certification programs are openly vetted with stakeholders and publicly available on our website.

ICSA Labs is ISO 9001 certified for quality and ISO/IEC 17025 accredited for technical competence. To the best of our knowledge, no other commercial testing/certification lab holds similar credentials.

4. What is ICSA Labs' disclosure process when vulnerabilities are identified?

ICSA Labs certification testing results are pass/fail. Products “pass” when they satisfy the criteria requirements in their entirety. Only those products that have successfully met all the criteria requirements and maintain compliance are posted publicly on the ICSA Labs website.

If vulnerabilities are found during the testing cycle, ICSA Labs discloses the vulnerability directly to the customer, and they are given the opportunity to resolve the issues. After the vendor resubmits the product, ICSA Labs analysts may perform regression testing to verify that nothing other than the deficiencies initially found during earlier testing was affected by product patches, changes, or enhancements.

All certified product test reports include testing details and are publicly posted to the ICSA Labs website.

5. How do you determine the severity of the vulnerability?

With more than 20 years of security testing, ICSA Labs has accumulated a great deal of experience and knowledge about common weaknesses in security products. We’ve seen first-hand how problems occur, what types of shortcomings arise most often, and why. We’ve also seen how vendors respond to these issues and how their actions can affect consumers for better or worse.

To determine the severity of vulnerabilities we find, in many cases we look to publicly available information on the vulnerability. If we find something through our testing process, we make a determination on a case-by-case basis, which is heavily influenced by the impact on the underlying system.

6. Given how security solutions have changed over the past two decades, how do you see your job evolving in the long run?

Our programs continue to evolve by observing the results of our testing, the evolution of the technology, and the complexity of vulnerabilities and exploits.

ICSA Labs pays close attention to research such as the Verizon Data Breach Investigations Report (DBIR), which keeps a pulse on how enterprises are impacted by cyberthreats. Our staff stays up to date on new tools and techniques that increase the effectiveness of our testing. ICSA Labs continually interfaces with the stakeholders (vendors and enterprises) to solicit their input, which is appropriately integrated into our programs. ICSA Labs is committed to growing our certification programs to include testing technologies in mobile, advanced threats, HIT and IoT.

7. What are ICSA Labs’ views on new technology like IoT, smart devices, drones or driverless cars?

ICSA Labs sees that these new technologies all share a common theme: features and functionality are the primary focus while security is not built in by design, but rather as an afterthought.

A developer or vendor should subscribe to a secure software development lifecycle process, and apply this discipline across all the appropriate areas within their organisation. For an enterprise dealing with vendors and suppliers that provide these new technologies, security should be a part of their supply chain risk management process.

8. What is the most important advice you'd give to enterprises to protect themselves better?

It is most important to have a supply chain risk management program that provides a comprehensive evaluation of vendors within the enterprise supply chain. This can include the use of an independent third party such as ICSA Labs for evidence to support relevant requirements which can be used in the RFP process, for example.

A comprehensive risk and security management program should take a holistic look at security and data protection. An integral part of such a program is for technology solutions to provide a layered security approach. Verifying that the technology solutions are properly vetted is an important aspect, and determining if the products provide the functionality needed is where the ICSA Labs testing and certification services come into play.

9. Lastly, encryption: benevolent or malevolent? (referring to FBI/Apple, e-commerce or ransomware)

Encryption has been around for a very long time and plays a valuable role in information security. Today, the cost of encryption has come down significantly and part of the old argument around cost and impact on performance as an impediment is no longer warranted.

As with any technology, encryption can be used for malevolent purposes too, but that does not outweigh the benefits of employing it. From a data protection perspective, in today’s environment, you need a strong argument as to why you aren’t encrypting your data.

Given the nature of ransomware, and in particular the impact it has had on enterprises or innocent end users who fall victim, a fallback position to completely eliminating the problem is to keep a current backup of all files.

As a user, being diligent and educating yourself will further help to prevent such cyberattacks.