---[  Phrack Magazine   Volume 8, Issue 52   January 26, 1998, article 14 of 20

-------------------------[  The International Crime Syndicate Association

--------[  Dorathea Demming


=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
=                                                                         =
=                                  ICSA                                   =
=                                                                         =
=               International Computer Security Association               =
=                                                                         =
=                                   or                                    =
=                                                                         =
=               International Crime Syndicate Association?                =
=                                                                         =
=                                   by                                    =
=                                                                         =
=                            Dorathea Demming                             =
=                                                                         =
=                   (c) Dorathea Demming, October, 1997                   =
=                                                                         =
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=


This is an article about computer criminals. I'm not talking about the fun-loving kids of the Farmers of Doom [FOD], the cool pranksters of the Legion of Doom [LOD], or even the black-tie techno terrorists of The New Order [TNO]. I'm talking about professional computer criminals. I'm talking about the types of folks that go to work every day and make a living by ripping off guileless corporations. I'm talking about the International Computer Security Association [ICSA].

The ICSA has made more money off of computer fraud than the other three organizations mentioned above combined.

ICSA was previously known as the National Computer Security Association [NCSA]. It seems that they finally discovered that there are networks and gullible corporations in countries other than the United States.

In this article I will inform you of the cluelessness and greed of ICSA. Instead of telling you, I will let them tell you in their own words.

=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=

Let's look at what the ICSA has to say about its history:

    "the company was founded in 1989 to provide independent and objective services to a rapidly growing and often confusing digital security marketplace through a market-driven, for-profit consortium model."

This is where the ICSA differs from real industry organizations like the IEEE.
Non-profit organizations like the IEEE can provide independent and objective services; for-profit organizations like ICSA cannot be trusted to do so. The goal of the ICSA is profit, nothing more and nothing less. Profit is a desirable goal in a business. However, the ICSA pretends to be an industry association. This is a complete and total fabrication. ICSA is not an industry association -- it is a for-profit enterprise that competes for business directly with the companies it pretends to help.

=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=

Let's look at the ICSA's knowledge of computer security:

    "Early computer security issues focused on virus protection."

This is where the ICSA accidentally informs us of their true history. No one with half a clue would claim that "Early computer security issues focused on virus protection." In reality, early computer security issues focused on the protection of mainframe systems. Virus protection did not become a concern until the 1980's. We can only conclude that no one at the ICSA has a background in computer security outside of personal computer security. These folks seem to be Unix illiterate -- not to speak of VM, MVS, OS/400, AOS/VS, VMS or a host of other systems where corporations store vast amounts of data. Focusing primarily on PC security will not benefit the overall security posture of your organization.

=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=

Let's look at another baseless claim of the ICSA:

    "ICSA consortia facilitate an open exchange of information among security industry product developers and security service providers within narrow, but well defined segments of the computer security industry."

According to the "security industry product developers and security service providers" that I have spoken with, this is complete hogwash. The word on the street is that the ICSA folks collect information and then give nothing useful in return.
My response is "How could they?" No one at ICSA has any information to offer. You would do as well to ask your 12-year-old daughter for information about computer security -- and you might even do better, if your daughter reads Phrack.

=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=

Let's look at what the ICSA has to say about their Web Certification program:

    "The ICSA Web Certification materially reduces web site risks and liability for both operator and visitor by providing, verifying and improving the use of logical, physical and operational baseline security standards and practices."

    "Comprised of a detailed certification field guide, on-site evaluation, remote test, random spot checks, and an evolving set of endorsed best practices, ICSA certification uniquely demonstrates management's efforts to assure site availability, information protection, and data integrity as well as enhanced user confidence and trust."

What really happens is that ICSA sends a reseller out to your site. The reseller then asks you if you have set up your site correctly. You tell the reseller that you have, and then the reseller tells ICSA that you have set up your site correctly. Very few items are actually verified by the reseller. ICSA then runs ISS (Internet Security Scanner) against your web server. If ISS cannot detect any security vulnerabilities remotely, you receive ICSA Web Certification. Keep in mind what a remote scan can and cannot see: it probes the services reachable from the network, and nothing else. It does not read your CGI source, it does not check file permissions or accounts on the server, and it has no way to tell whether the answers your staff gave the reseller were true.

For grilling your staff with a series of almost meaningless questions, the reseller receives $2,975. For running ISS against your web server, ICSA receives $5,525. For $19.95, you can buy a copy of Computer Security Basics by Deborah Russell and G.T. Gangemi Sr. (ISBN 0-937175-71-4) and save your company almost $8,500.

=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=

Let's look at the ICSA's Reseller Training:

ICSA states that every reseller that delivers their product is trained in computer security.
In practice, however, this training is actually _sales_ training. The ICSA training course lasts less than one day and is supposed to be conducted by two trainers, one sales person and one technical person. One recipient of this training told me that the technical person did not bother to show up for his training, while another recipient of this training told me that ICSA instead sent _two_ sales people and _no_ technical people to his training.

=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=

Let's look at what ICSA says about change in the "digital world" of firewalls:

    "The digital world moves far too quickly to certify only a particular version of a product or a particular incarnation of a system. Therefore, ICSA certification criteria and processes are designed so that once a product or system is certified, all future versions of the product (or updates of the system) are inherently certified."

What does this mean to you? It means that ICSA is certifying firewalls running code that they have never seen. It means that if you purchase a firewall that has been ICSA certified, you have no way of knowing whether the version of the firewall product that is protecting your organization has ever been certified. A certification that attaches to a product name rather than to a specific version and build says nothing about the code you are actually running. At a minimum, ask the vendor which exact version was tested, when, and against which criteria, and compare that against what is installed on your perimeter.

=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=

Let's look at how ICSA defends itself from such allegations. ICSA has three ready-made defenses:

    "First, the ICSA gains a contractual commitment from the product vendor or the organization that owns or runs the certified system that the product or system will be maintained at the current, published ICSA certification standards."

So that's how ICSA certification works: the firewall vendors promise to write good code and ICSA gives them a sticker. This works fine with little children in Sunday school, but I wouldn't trust the security of my business to such a plan.
    "Secondly, ICSA or its authorized partners normally perform random spot checking of the current product (or system) against current ICSA criteria for that certification category."

Except, of course, that an unnamed source within ICSA itself admitted that these spot checks are not actually being done. That's right, these spot checks exist only in the minds of the marketing staff of the ICSA. ICSA cannot manage to cover the costs of spot checking in their exorbitant fee structure. They must be spending the money instead on all of those free televisions they are giving away to their resellers.

    "Thirdly, ICSA certification is renewed annually. At renewal time, the full certification process is repeated for the current production system or shipping products against the current criteria."

Well, here we have the final promise -- our systems will never be out of certification for more than 364 days. If our firewall vendor ships three new releases a year, at least one of them will go through the actual ICSA certification process. Of course, all of them will have the ICSA certification sticker.

=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=

Let's look at what ICSA has to say about their procedures:

    "The certification criteria are not primarily based on fundamental design or engineering principles or on an assessment of underlying technology. In most cases, we strive to use a black-box approach."

Listen to what they are really saying here. They are admitting that their certification process is not based on "fundamental design or engineering principles" or on an "assessment of underlying technology". What else is left to base a certification upon? Do they certify firewalls based upon the firewall vendor's marketing brochures? Upon the color of their product boxes? Upon the friendliness of their sales staff? Or maybe they just certify anyone who gives them money. Black-box testing has its place, but it only finds the failures the tester already knows how to probe for; a certifier that never looks at the design has no way of knowing what its tests missed. When you are clueless, every computer system must look like a "black box" to you.
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=

Let's look at how the ICSA web certification process deals with CGI vulnerabilities:

    "The Site Operator attest that CGIs have been reviewed by qualified reviewers against design criteria that affect security." (sic)

Let's take a close look at this. The #1 method of breaking into web servers is to attack a vulnerable CGI program. And the full extent to which the ICSA certification deals with secure CGI programming is to have your staff attest that they have done a good job. What sort of employee would respond "Oh no, we haven't even looked at the security of those CGI bins"? The ICSA counts on employees trying to save their jobs to speed the certification process along to its conclusion.

=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=

Let's look at what ICSA has to say about its own thoroughness:

    "Because it is neither practical nor cost effective, ICSA does not test and certify every possible combination of web sites on a web server at various locations unless requested to, and compensated for, by Customer."

We all know that security is breached at its weakest link, not its strongest. If we choose to certify only some of our systems, we can only assume that attackers will then simply move on and attack our unprotected systems. Perhaps if ICSA did not attempt to extort $8,500 for a single web server certification, more customers could have all of their web sites certified.
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=

Let's look at how much faith ICSA puts in their own certifications:

    "Customer shall defend, indemnify, and hold ICSA harmless from and against any and all claims or lawsuits of any third party and resulting costs (including reasonable attorneys' fees), damages, losses, awards, and judgements based on any claim that a ICSA-certified server/site/system was insecure, failed to meet any security specifications, or was otherwise unable to withstand an actual or simulated penetration."

In plain English, they are saying that if you get sued, you are on your own. But wait, their faithlessness does not stop there:

=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=

Let's look at how the ICSA sees its legal relationship with its customers:

    "Customer may, upon written notice and approval of ICSA, assume the defense of any claim or legal proceeding using counsel of its choice. ICSA shall be entitled to participate in, but not control, the defense of any such action, with its own counsel and at its own expense; provided, that if ICSA, in its sole discretion, determines that there exists a conflict of interest between Customer and ICSA, ICSA shall have the right to engage separate counsel, the reasonable costs of which shall be paid by the customer."

What you, the customer, agree to when you sign up for ICSA certification is that you cannot even legally defend yourself in court until you have "written notice and approval of ICSA." But it's even worse than that: ICSA then reserves the right to hire lawyers and bill YOU for the expense if it feels that you are not sufficiently protecting its interests. Whose corporate legal department is going to okay a provision like this?
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=

Let's look at how much the ICSA attempts to charge for this garbage:

===========================================================
|  Web Certification                                      |
|                                                         |
|    1 Server                                   $8,500    |
|    2-4 Servers                                $7,650    |
|    5 or more Servers                          $6,800    |
|                                                         |
|    6-10 DNS                                   $  495    |
|    11 or more DNS                             $  395    |
|                                                         |
|  Perimeter Check                                        |
|                                                         |
|    up to 15 Devices                           $3,995    |
|    additional groups of 10 Devices            $1,500    |
|    bi-monthly reports                         $1,000    |
|    monthly reports                            $3,500    |
|                                                         |
|  War Dial                                               |
|                                                         |
|    first 250 phone lines                      $1,000    |
|    additional lines                           $3/line   |
|                                                         |
|  Per Diem                                               |
|                                                         |
|    Domestic                                   $  995    |
|    International                              $1,995    |
|                                                         |
===========================================================

Certifying one web server will cost you $8,500. I have seen small web servers purchased, installed, and designed for less than that amount.

If you tell the ICSA that you have 15 network devices visible on the Internet and they discover 16 devices, they will bill you an additional $1,500. This is what you agree to when you sign an ICSA Perimeter Check contract. In effect, when you sign up for an ICSA Perimeter Check, you are agreeing to pay unspecified fees.

To dial an entire prefix (10,000 lines: $1,000 for the first 250 plus $3 for each of the remaining 9,750) the ICSA will charge you $30,250. I wonder if these folks are using ToneLoc. I wonder if these fools are even using modems...

I will leave judgement on the per diem rates to the reader. How much would you pay for a clown to entertain at your daughter's birthday party? Would you give the clown a daily per diem of $995? Why would you feel the ICSA clowns might deserve better? How do you spend $995 a day and still manage to put in some work hours?

=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=

These are just a few excerpts from some ICSA documentation I managed to get my hands on. I do not feel my assessment has been any more harsh than these people deserve.
I am certain that if I had more of their literature, there would be even more flagrant examples of ignorance and greed.

ICSA feeds on business people who are so ignorant as to fall for the ICSA propaganda. By masquerading as a legitimate trade organization, they make everyone in the data security industry look bad. By overcharging the clientele, they drain money from computer security budgets that could better be spent on securing systems and educating users. By selling certifications with no actual technical validity behind them, they fool Internet users into a false sense of security when using e-commerce sites.

ICSA is good for no one and it is good for nothing.


Dorathea Demming
Mechanicsburg, PA
10 Oct, 1997

----[ EOF