Are you sleeping on NAPS?

ICSA certification would validate network appliances as safe to install
Tuesday, October 13, 2009

MECHANICSBURG, Pa.—Since 1992, ICSA Labs has been certifying products like anti-virus software and firewalls, providing third-party validation that those network security products basically do what they say they’re going to do: protect the network and reduce vulnerabilities.

This fall, however, the company, an independent division of Verizon Business, has unveiled the Network Attached Peripheral Security (NAPS) certification, which will identify and remediate existing and potential vulnerabilities in network devices that do not serve a network security purpose but may still affect a network’s security. Among these are IP cameras, IP access readers and basically anything else that has a network connection, along with things like printers and postage meters.

Pitney Bowes, for example, is one of the first vendors to get NAPS certification, said Al Potter, senior consulting analyst at ICSA Labs. “Their machines renew and update their postage over an Internet connection,” he said, “and there was a great deal of concern as to the security of those devices, especially among their customers in the financial sector. So we certified that they didn’t introduce a vulnerability or provide a platform from which to attack the network.”

While ICSA prefers to work in specific verticals, bringing, say, all of the manufacturers of firewalls together to form a consortium, set criteria, and then test against those best practices, NAPS casts a wider net and encompasses devices that wouldn’t normally be considered a part of the network security ecosystem.

The company is ISO 9001 certified and ISO 17025 certified, and takes its objectivity very seriously, said Potter.

“We’ve gone to some lengths to secure third-party certification of ourselves,” he said, “and we’ve got a 20-year track record of providing that third-party assurance. The physical security community is stepping into our lane, as we see it, and a lot of these vendors and product developers moving to IP cameras and IP access control are stepping into a brave new world, and we can help. That’s the core of the Network Attached Peripheral Security program, devices that don’t provide security, but which generate security concerns.”

Right now, he said, confidentiality agreements prevent him from identifying companies that are going through the certification process, and no physical security companies have yet received certification. But he said ICSA is very interested in working with camera and access manufacturers, and that its staff have been walking the floor at recent ISC shows to get the lay of the physical security land.

“What does the integrator have for assurance when he’s installing the device on the network?” he asked rhetorically. “He just plugs it in and it appears to work. Our aim is to raise that bar of confidence.”