Baseline Security Evaluation - SEPR

Matt Tett

Matt Tett is the Managing Director of Enex TestLab, an independent testing laboratory with over 22 years history and a heritage stemming from RMIT University. Matt holds the following security certifications in good standing CISSP, CISM, CSEPS and CISA. He is a long standing committee member of the Australian Information Security Association (AISA), Melbourne branch, and is also a member of the Information Systems Audit and Control Association (ISACA). Enex TestLab can be found at http://www.testlab.com.au blog at http://enextestlab.blogspot.com and can be found on twitter as @enextestlab.

Enex TestLab has been providing independent testing services for 24 years now. We cover 90 industry sectors with 8 separate testing divisions.

One of those divisions is ICT hardware testing—covering everything from servers, desktops and notebooks through to routers, switches and printers. We even look at ‘emerging’ technologies such as interactive whiteboards, tablets and smartphones.

Primarily we conduct testing for government and large enterprise clients who are evaluating a short list of tenderers. Tenderers ship their product to our labs for rigorous and independent technical testing and evaluation. The reports we provde on these products are used to inform the procurement decision, they enable a decision to be based on objective facts rather than the more subjective comparison that paper based evaluations engender.

Our Australian and, more recently, our UK laboratory have conducted similar evaluations for a variety of programs over the years in the security vendor-product realm—everything from anti-malware software to paper shredders and unified threat management devices. We’ve even evaluated technologies like alarm transmission systems and a machine used for mechanically pulping hard disk drives.

We are not limited to evaluation of equipment or vendor’s claims, we also regularly perform independent assessments on vendor source code—everything from gaming machines (pokies) through to the internally developed systems.

At the moment there is a lot of noise and media about state security and state sponsored cyber-espionage. It exists, no doubt, as does the more traditional forms of spying. However, while this focuses on top level Government Departments and Agencies from a National Defence perspective, who is looking after the next tier down? What about large enterprise and Critical National Infrastructure (CNI) operations? These are organisations of significant interest that support our social fabric—power, water, telecommunications, financial services and much more.

For a long time Common Criteria (CC) and the associated Evaluated Assurance Levels (EAL) have delivered assurance that products and services have met minimum criteria for defence applications.

Unfortunately times have changed and the advance of technology means that legacy systems (particularly militarised systems) struggle to keep up. Despite the best of intentions, systems become fragmented and are ultimately diluted.

Please don't get me wrong. CC and indeed CC2 (its recently ratified replacement) are entirely valid to protect defence-level and top-level systems. Of concern, however, is this next level down. CNI and large enterprises are (while well-resourced from security perspectives) not generally experienced in regular, detailed testing and evaluation of vendors, products or services.

In most cases this tier has its resources focused on operational security requirements. They often don't have the desire to occupy their teams with security procurement or the evaluation of vendor security solutions. (Hence Enex TestLab picks up a significant amount of this work privately.)

I am not complaining about this work—however, it is focussed and tailored specifically on the individual client’s environment and stakeholder requirements.

Due to timeframes and budget constraints, it often leaves many potential vendor solutions by the wayside. It does not set a baseline characterisation of that vendor and their product/service under evaluation, nor is the outcome publicly released. Most clients treat the information as commercially sensitive and keep it to themselves. It’s their money and their report—they handle it how they wish.

So what is a solution that sits below CC or CC2, but is still independent, rigorous, transparent and open to any vendors’ product or service?

Enex TestLab launched the Security Evaluated Product Register (SEPR) in 2012, based on decades of experience. It came from work in both government and private/public procurement evaluations and security testing, and from understanding the security stance many organisations now take.

There is a clear need for a sustainable, scalable reference point that sits outside of government, yet also takes the burden of baseline evaluation off the prospective client.

SEPR does need acceptance and non-financial support from consumers (owners/operators) to provide confidence to vendors that it is worth participating in the register. The SEPR features low overheads and a timely schedule which ensures it will not be a burden on stakeholders. Nor do rapidly changing products need to be fixed for unnatural periods of time before being superseded.

At the end of the day we are independently testing and validating vendor claims to provide assurance that what they say their product or service delivers— it actually delivers. What’s on the box, should be in the box— nothing more, nothing less.

Watch this space!

Show Comments