Apr 02 2014

ICSA Labs Spreads the Gospel About Security at Interop

The leading independent provider of security product certification explains how it goes about doing its work.

If you’ve used security hardware and software products over the past 25 years, chances are they’ve been tested and certified by ICSA Labs to make sure they meet the highest security standards.

Founded in 1989 and now a part of Verizon — but run as an independent entity with an “intellectual firewall” between itself and the mother ship — ICSA puts security devices through their paces by measuring product compliance, reliability and performance.

According to ICSA Labs Senior Account Manager Harry Brittain, who was on hand at Interop to talk with IT pros at the conference, the company tests various products across different industries. This includes anti-virus programs, network firewalls and more.

“We make sure the product does what it says it does from a security point of view,” Brittain says. “Does it generate logs that tell you what is happening? Is the default security stance of the product adequate?”

ICSA Labs provides services in four areas:

  • Consortium operations and ISO-accredited testing and certification programs
  • Custom testing services for enterprises and developers
  • Health IT testing and certification
  • Accredited government testing services

ICSA’s Role in Security Testing and Standards

As part of its security obligations, the company manages technology groups focusing on emerging and well-defined technologies that include anti-malware programs, firewalls, web application firewalls, virtual private networks, network intrusion prevention, network attached peripherals and mobility.

ICSA Labs provides product designers with a forum for exchanging information for developing product testing standards. However, Brittain explains that it is in one-on-one meetings at shows like Interop where many of its customers truly let their guard down and talk honestly and openly about issues.

“Transparency is an important component of what we do,” Brittain adds.

Information about ICSA Labs testing is on its website, and a comprehensive list of what they test for is publicly available as well. The company makes the final decision on what is tested and how those tests are developed, “but we do consult vendors and security experts,” Brittain says.

ICSA Labs takes a trust-but-verify approach to certification, according to Brittain. Once a product is certified, that certification may carry over to subsequent versions of the product within a year of its certification. However, in order to remain certified, the product must be retested annually — and if a notable piece of malware arrives on the scene, ICSA Labs reserves the right to do spot security checks.

In fact, ICSA Labs has decertified products over the years because a vendor didn't, wouldn't or couldn't address a security problem. The level of certification oversight also depends on what type of security issue the company discovers. A logging problem, for instance, doesn't “warrant as much rigor from a resource development point of view as a rooting issue,” Brittain says.

The Biggest IT Security Threats

The top factor threatening IT security today is not technical, but psychological, according to Brittain.

“The No. 1 issue that security products are never going to be able to fully address is social engineering,” he says.

Brittain views advanced persistent threats as the hardest modern IT security threat to defend against. Organizations should never underestimate the lengths to which hackers will go to compromise a system for nefarious purposes.

One thing Brittain emphasizes is that security product testing and certification is an ongoing process that must be done with due diligence and consistency.

“A properly configured and certified product can mitigate against the threats that we test for, but that doesn't mean the product will still be secure two months from now,” he says.

While IT security is serious business, Brittain does take a light-hearted approach to explaining the meaning behind the company name. It was originally the International Computer Security Association, but when people ask what the acronym stands for today, he simply tells them, “ICSA is the Klingon word for security. “