[The comments made below are criticism of NCSA/ICSA and their propoganda, NOT of Al Berg or GCN]

Is your web site secure?

NCSA certification seeks to assure customers that personal data is safe

Government Computer News

You've downloaded all the patches, and you're using the most current firewalls and encryption technology. You know your site is safe. But how do you convince customers? The National Computer Security Association hopes that its new World Wide Web certification program will jump-start Internet commerce by providing users with the confidence that the confidential data they send to vendor Web sites is secure, and by providing Webmasters with a consistent set of security standards.

Participating sites will be required to meet a number of "best practices" criteria outlined in a field guide provided by the NCSA. Participating Webmasters will receive a copy of the guide, which contains standards for physical and system security, including anti-virus, firewall, access control, backup, redundancy, and password access control.

In addition to the technical security requirements, the guide sets standards for the safe storage of confidential data as well as disclosure of how that data will be used and disseminated. The Webmaster will receive a briefing on the certification criteria from NCSA personnel, complete a set of worksheets in the field guide, and return them to the NCSA for assessment.

Then things get interesting. The security gurus at NCSA headquarters will perform a "remote security assessment" - they'll try to break in to the site using known hacker techniques and examine the site's disclosure of how confidential data will be used.

Finally, an NCSA representative or a representative from an NCSA partner organization will make an onsite visit to evaluate the physical security of the site. So far, NCSA has signed up eight partner organizations, including network consultants and security consultants, and is negotiating with a Big Six accounting firm as well to provide certification services, according to Sam Glesner, senior product manager for the program, based in Carlisle, Penn.

After the successful completion of these checks, the site will be allowed to display the "NCSA Certified" seal to inform potential customers that their data is secure.

That their data is secure according to ICSA standards.

Once a site is certified, the Webmaster will receive periodic security updates and new standards with which to comply as new threats are found.

On a bi-monthly basis.. giving hackers up to a 13 day window to break in without you knowing about the new hole.

The NCSA certification team will perform at least two random spot checks of each site yearly.

Web sites will need to ante up for this certification. The NCSA charges annual fees starting at $8,500 to certify a single server hosting up to five Web sites. Quantity discounts are available.

Cost considerations

Is the cost worth it? The NCSA claims its studies show that typical Web users are 3.5 times more likely to provide sensitive data such as credit-card numbers, and 1.8 times as likely to provide the demographic data sought after by marketers, to a site whose security is certified. However, the NCSA has yet to convince the vast Internet community that its certification is comphrehensive and valuable.

The NCSA plans to promote the benefits of site security certification to end users through advertising and direct mail programs. Glesner says the NCSA believes that "as more sites become certified, users will find out more about the program and its benefits."

A comprehensive certification program could have some benefits to Webmasters and corporate IS departments beyond increased end-user confidence. If the NCSA delivers on its promise to keep security standards up-to-date, content providers could spend less time and money worrying about discovering new threats and dealing with intrusions, and more time on content development and directed security tasks.

With more stringent attention being given to protecting the confidentiality of personal data, participating in such a program may also serve to demonstrate to customers that your organization takes due care and diligence to protect sensitive information. Acquiring such a reputation could be a potentially valuable asset in case legal actions result from a security breach.

NCSA's criteria for certifying Web sites

To qualify for an NCSA logo, Web sites must demonstrate several layers of security to the security organization. Sites must:

* Be resistant to net-based attacks
* Be reachable using an IP address or DNS name

Wow. "Resistant to net-based attacks" isn't vague at all.

* Have correct and up-to-date contact information on file at the InterNIC
* Log all activity in a secure, retrievable format
* Use standard encryption to protect connections

So a company using strong but proprietary encryption doesn't qualify?

* Use carefully checked CGI scripts and client-side executables
* Protect sensitive data by using non-cached pages
* Be physically secured
* Be logically secured through password policies, separate development systems, and so on.
* Be operationally secured with documentation and backup procedures.


main page ATTRITION feedback