---[  Phrack Magazine   Volume 8, Issue 52 January 26, 1998, article 14 of 20
-------------------------[  The International Crime Syndicate Association
--------[  Dorathea Demming
  =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
  =                                                                         =
  =                                ICSA                                     =
  =                                                                         =
  =               International Computer Security Association                =
  =                                                                         =
  =                                 or                                      =
  =                                                                         =
  =               International Crime Syndicate Association?                =
  =                                                                         =
  =                                                                         =
  =                                 by                                      =
  =                                                                         =
  =                          Dorathea Demming                               =
  =                                                                         =
  =                                                                         =
  =                                                                         =
  =                  (c) Dorathea Demming,  October, 1997                   =
  =                                                                         =
  =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
This is an article about computer criminals. I'm not talking about the fun
loving kids of the Farmers of Doom [FOD], the cool pranksters of the Legion of 
Doom [LOD], or even the black-tie techno terrorists of The New Order [TNO].
I'm talking about professional computer criminals.  I'm talking about the
types of folks that go to work every day and make a living by ripping off
guileless corporations.  I'm talking about the International Computer Security
Association [ICSA].  The ICSA has made more money off of computer fraud than
the other three organizations mentioned above combined.
ICSA was previously known as National Computer Security Association [NCSA].
It seems that they finally discovered that there are networks and gullible
corporations in countries other than the United States.
In this article I will inform you of the cluelessness and greed of ICSA.
Instead of telling you, I will let them tell you in their own words.
  =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
Lets look at what the NSCA has to say about it's history:
        "the company was founded in 1989 to provide independent and
        objective services to a rapidly growing and often confusing
        digital security marketplace through a market-driven, for-profit
        consortium model."
This is where the ICSA differs from real industry organizations like the IEEE.
Non-profit organizations like the IEEE can provide independent and objective
services, for-profit organizations like ICSA cannot be trusted to do so.
The goal of the NSCA is profit, nothing more and nothing less.
Profit is a desirable goal in a business.  However, the ICSA pretends to be
an industry association.  This is a complete and total fabrication.  ICSA is
not an industry association -- it is a for-profit enterprise that competes for 
business directly with the companies it pretends to help.
  =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
Let's look at the ICSA's knowledge of computer security:
"Early computer security issues focused on virus protection. "
This is where the ICSA accidentally informs us if their true history.  No one
with half of a clue would claim that "Early computer security issues focused
on virus protection."  In reality, early computer security issues focused on
the protection of mainframe systems.  Virus protection did not become a
concern until the 1980's.  We can only conclude that no one at the ICSA has a
background in computer security outside of personal computer security.  These
folks seem to be Unix illiterate -- not to speak of VM, MVS, OS/400, AOS/VS,
VMS or a host of other systems where corporations store vast amounts of data.
Focusing primarily on PC security will not benefit the overall security
posture of your organization.
  =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
Let's look at another baseless claim of the ISCA:
        "ICSA consortia facilitate an open exchange of information among
        security industry product developers and security service
        providers within narrow, but well defined segments of the
        computer security industry."
According to the "security industry product developers and security service
providers" that I have spoken with, this is complete hogwash.  The word on the 
street is that the ICSA folks collect information and then give nothing useful 
in return.  My response is "How could they?"  No one at ICSA has any
information to offer.  You would do as well to ask your 12 year old daughter
for information about computer security -- and you might even do better, if
your daughter reads Phrack.
  =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
Let's look at what the ICSA has to say about their Web Certification program:
        "The ICSA Web Certification materially reduces web site risks
       and liability for both operator and visitor by providing,
       verifying and improving the use of logical, physical and
       operational baseline security standards and practices."
       "Comprised of a detailed certification field guide, on-site
       evaluation, remote test, random spot checks, and an evolving set
       of endorsed best practices, ICSA certification uniquely
       demonstrates management's efforts to assure site availability,
       information protection, and data integrity as well as enhanced
       user confidence and trust."
What really happens is that ICSA sends out a reseller to your site.  The
reseller then asks you if you have set up your site correctly.  You tell the
reseller that you have, and then the reseller tells ICSA that you have set up
your site correctly. Very few items are actually verified by the reseller.
ICSA then runs ISS (Internet Security Scanner) against your web server.  If ISS
cannot detect any security vulnerabilities remotely, you receive ICSA Web
Certification.
For grilling your staff with a series of almost meaningless questions, the
reseller receives $2,975 US dollars.  For running ISS against your web server,
ICSA receives $5,525.  For $19. 95, you can buy a copy of Computer Security
Basics by Deborah Russell and G.T. Gangemi Sr. (ISBN:0-937175-71-4) and save
your company almost $8,500.
  =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
Let's look at the ICSA's Reseller Training:
ICSA states that every reseller that delivers their product is trained in
computer security.  In practice, however, this training is actually _sales_
training.  The ICSA training course lasts for less than one day and is
supposed to be conducted by two trainers, one sales person and one technical
person.  One recipient of this training told me that the technical person did
not bother to show up for his training, while another recipient of this
training told me that ICSA instead sent _two_ sales people and _no_ technical
people to his training.
  =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
Let's look at what ICSA says about change in the "digital world" of
firewalls:
        "The digital world moves far too quickly to certify only a
        particular version of a product or a particular incarnation of a
        system.  Therefore, ICSA certification criteria and processes are
        designed so that once a product or system is certified, all
        future versions of the product (or updates of the system) are
        inherently certified."
What does this mean to you?  It means that ICSA is certifying firewalls
running code that they have never seen.  It means that if you purchase a
firewall that has been ICSA certified -- you have no way of knowing if the
version of the firewall product that is protecting your organization has ever
been certified.
  =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
Let's look at how ICSA defends itself from such allegations?  ISCA has
three ready made defenses:
        "First, the ICSA gains a contractual commitment from the
        product vendor or the organization that owns or runs the
        certified system that the product or system will be maintained
        at the current, published ICSA certification standards. "
So that's how ICSA certification works, the firewall vendors promise to write
good code and ICSA gives them a sticker.  This works fine with little children
in Sunday school, but I wouldn't trust the security of my business to such a
plan.
        "Secondly, ICSA or it's authorized partners normally perform
        random spot checking of the current product (or system) against
        current ICSA criteria for that certification category. "
Except, of course, that an unnamed source within ICSA itself admitted that
these spot checks are not actually being done.  That's right, these spot
checks exist only in the minds of the marketing staff of the ICSA.  ICSA
cannot manage to cover the costs of spot checking in their exorbitant fee
structure.  They must be spending the money instead on all of those free
televisions they are giving away to their resellers.
        "Thirdly, ICSA certification is renewed annually. At renewal
        time, the full certification process is repeated for the current
        production system or shipping products against the current
        criteria. "
Well here we have the final promise -- our systems will never out of
certification for more than 364 days.  If our firewall vendor ships three new
releases a year -- at least one of them will go through the actual ICSA
certification process. Of course, all of them will have the ICSA certification
sticker.
  =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
Let's looks at what ICSA has to say about their procedures:
        "The certification criteria is not primarily based on
        fundamental design or engineering principles or on an assessment
        of underlying technology. In most cases, we strive to use a
        black-box approach. "
Listen to what they are really saying here.  They are admitting that their
certification process does not deal with "fundamental design or engineering
principles" or on an "assessment of underlying technology".  What else is left
to base a certification upon?  Do they certify firewalls based upon the
firewall vendors marketing brochures?  Upon the color of their product boxes?
Upon the friendliness of their sales staff?  Or maybe they just certify anyone
who gives them money.
When you are clueless, every computer system must look like a "black-
box" to you.
  =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
Let's look at how the ICSA web certification process deals with CGI
vulnerabilities:
        "The Site Operator attest that CGIs have been reviewed by
        qualified reviewers against design criteria that affect
        security. "  (sic)
Let's take a close look at this.  The #1 method of breaking into web servers
is to attack a vulnerable CGI program.  And the full extent that the ICSA
certification deals with secure CGI programming is to have your staff attest
that they have done a good job.  What sort of employee would respond "Oh no,
we haven't even looked at the security of those CGI bins?"  The ICSA counts on 
employees trying to save their jobs to speed the certification process along
to it's conclusion.
  =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
Let's look at what ICSA has to say about it's own thoroughness:
        "Because it is neither practical nor cost effective, ICSA does
        not test and certify every possible combination of web sites on
        a web server at various locations unless requested to, and
        compensated for, by Customer. "
We all know that security is breached at it's weakest link, not it's
strongest.  If we choose to certify only some of our systems, we can only
assume that attackers will them simply move on and attack our unprotected
systems.  Perhaps if ICSA did not attempt to extort $8,500 for a single web
server certification, more customers could have all of their web sites
certified.
  =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
Let's look at how much faith ICSA puts in their own certifications:
        "Customer shall defend, indemnify, and hold ICSA harmless from
        and against any and all claims or lawsuits of any third party
        and resulting costs (including reasonable attorneys' fees),
        damages, losses, awards, and judgements based on any claim that
        a ICSA-certified server/site/system was insecure, failed to meet
        any security specifications, or was otherwise unable to
        withstand an actual or simulated penetration.
In plain English, they are saying that if you get sued, you are on your own.
But wait, their faithlessness does not stop there:
  =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
Let's look at how the ICSA sees it's legal relationship with it's
customers:
        "Customer, may, upon written notice and approval of ICSA, assume
        the defense of any claim or legal proceeding using counsel of
        it's choice. ICSA shall be entitled to participate in, but not
        control, the defense of any such action, with it's own counsel
        and at it's own expense: provided, that if ICSA, it its sole
        discretion, determines that there exists a conflict of interest
        between Customer and ICSA, ICSA shall have the right to engage
        separate counsel, the reasonable costs of which shall be paid by
        the customer. "
What you, the customer, agree to when you sign up for ICSA certification is
that you cannot even legally defend yourself in court until you have "written
notice and approval of ICSA. "  But it's even worse that that, ICSA then
reserves the right to hire lawyers and bill YOU for the expense if it feels
that you are not sufficiently protecting it's interests.  Whose corporate
legal department is going to okay a provision like this?
  =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
Let's look at how much the ICSA attempts to charge for this garbage:
        ===========================================================
        | Web Certification                                       |
        |                                                         |
        |         1 Server                                $8,500  |
        |         2-4 Servers                             $7,650  |
        |         5 or more Servers                       $6,800  |
        |                                                         |
        |         6-10 DNS                                $  495  |
        |         11 or more DNS                          $  395  |
        |                                                         |
        | Perimeter Check                                         |
        |                                                         |
        |         up to 15 Devices                        $3,995  |
        |         additional groups of 10 Devices         $1,500  |
        |         bi-monthly reports                      $1,000  |
        |         monthly reports                         $3,500  |
        |                                                         |
        | War Dial                                                |
        |                                                         |
        |         first 250 phone lines                   $1,000  |
        |         additional lines                        $3/line |
        |                                                         |
        | Per Diem                                                |
        |                                                         |
        |         Domestic                                $  995  |
        |         International                           $1,995  |
        |                                                         |
        ===========================================================
Certifying one web server will cost you $8,500.  I have seen small web servers
purchased, installed, and designed for less than that amount.
If you tell the ICSA that you have 15 network devices visible on the Internet
and they discover 16 devices, they will bill you an additional $1,500.  This
is what you agree to when you sign a ICSA Perimeter Check contract.  In
effect, when you sign up for an ICSA Perimeter Check, you are agreeing to pay
unspecified fees.
To dial an entire prefix the ICSA will charge you $30,250.  I wonder if these
folks are using ToneLoc.  I wonder if these fools are even using modems...
I will leave judgement on the per diem rates to the reader.  How much would
you pay for a clown to entertain at your daughters birthday party?  Would you
give the clown a daily per diem of $995?  Why would you feel the ICSA clowns
might deserve better?  How do you spend $995 a day and still manage to put in
some work hours?
  =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
These are just a few excerpts from some ICSA documentation I managed to get my 
hands on.  I do not feel my assessment has been any more harsh than these
people deserve.  I am certain that if I had more of their literature, there
would be even more flagrant examples of ignorance and greed.
ICSA feeds on business people who are so ignorant as to fall for the ICSA
propaganda.  By masquerading as a legitimate trade organization, they make
everyone in the data security industry look bad.  By overcharging the
clientele, they drain money from computer security budgets that could better
be spent on securing systems and educating users.  By selling certifications
with no actual technical validity behind them they fool Internet users into a
false sense of security when using e-commerce sites.
ISCA is good for no one and it is good for nothing.
Dorathea Demming
Mechanicsburg, PA
10 Oct, 1997
----[  EOF