From: Russ (Russ.Cooper[at]RC.ON.CA)
Date: Thu, 27 May 1999 19:23:19 -0400
Subject: Re: ICSA - Certified Sites and Criteria Issues

If ICSA is

"constrained by NDAs from discussing the specific issues of any
particular ICSA customer's security issues or policy"


"Nearly all of the criteria elements are driven by the customer's
security and operational policy-- which is derived from their business
objectives and risk management approach."

and you say

"Do we need to add an "appropriate crypto strength" element to the
TruSecure criteria?  Yes I guess we do."

then what, pray tell, should a consumer visiting

glean from the fact that the page linked on their site from your ICSA
icon contains the following:

"ConsumerInfo.Com employs sophisticated encryption"

and further states:

"In addition to employing these high-security measures, ConsumerInfo.Com
has undergone the rigorous certification process for the International
Computer Security Association's (ICSA) Web Certification program. This
process examined every aspect of our security precautions, encompassing
an on-site inspection of our facility for physical security and policy
plus a remote assessment of our potential vulnerabilities to web-based
attacks. In addition, the ICSA's certification is a continuous process,
repeated several times during the year and renewed annually, so you know
ConsumerInfo.Com's security measures are state-of-the-art."

However, the bottom line is that:

- They are *NOT* employing "sophisticated encryption", they're employing
the least sophisticated deployable.

- They also say ICSA "examined every aspect of our security
precautions", but in fact, you only examined those aspects defined in
their policies.

- They also claim that because of your certification, their customers
"know ConsumerInfo.Com's security measures are state-of-the-art" when in
fact they're *NOT*.

I will not, at this time, question the integrity of ICSA. Nor will I
suggest that ConsumerInfo.Com is out and out lying.

I will, however, suggest that ICSA is tacitly allowing ConsumerInfo.Com
to mislead their customers via the ICSA Web Certification approval. By
ICSA not being permitted, by NDA, to discuss certification they have
performed, it renders, IMNSHO, the certification itself *worthless*. It
would appear that ConsumerInfo.Com has been allowed to say anything they
want about their work with ICSA and, by NDA, ICSA cannot rebuke it.

ICSA Web Certification reports should be public, or, not trusted.

Russ - NTBugtraq Editor