
NCSA announces Web Site Certification Program.


NEW YORK--(BUSINESS WIRE)--Aug. 1, 1996--The National Computer Security Association (NCSA) Thursday announced its Web Site Certification Program.

Under the program, web sites (whether managed internally by an organization or through an Internet Service Provider) can be tested for compliance with NCSA Labs' computer security guidelines for Web Sites.

The NCSA Web Site Certification program will lead to both improved security and improved trust for visitors to web sites on the Internet. NCSA Labs, with input from dozens of independent experts, has developed a suite of criteria which Web site managers can implement to significantly reduce risk. Sites which appropriately address all of these criteria can apply to NCSA Labs to be tested and certified. NCSA Labs remotely tests the site for compliance with many of the criteria, and for resistance against common hacking techniques. The program specifications were co-developed by NCSA and Georgia Tech Research Institute, with additional input from independent security experts.

In addition to remote testing, NCSA staff and its Certified Web Site Partners also perform on-site security assessments to ensure compliance with additional security criteria. Sites which pass testing and certification will display an NCSA Certified Web Site icon on the home page. If an end-user clicks on this icon, they are linked automatically to NCSA's Web site where lists of all certified sites and current certification criteria are maintained. As the certification criteria evolve periodically, NCSA Labs will perform random checks on certified web sites to ensure compliance. NCSA will partner with Ernst & Young LLP to complete the on-site portion of the certification program.

NCSA Web Site Certification will improve web site security by addressing a full range of computer security issues. "No single vendor or product can address the global problem of security on the Internet. But certification of Web Sites will lead to both a significant reduction in risk as well as an improved perception of security across the net," said Peter Tippett, president of NCSA.

NCSA is an independent organization which facilitates interchange among end users, industry experts and vendors on information security, ethics, and reliability. NCSA has more than 1600 corporate members who represent a wide range of commercial, government, and vendor organizations.

Quotes and References:

"NCSA's Web Certification Program is one of the most practical and effective ideas around for raising the general level of security on the Internet." --Benjamin Wright, Author, The Law of Electronic Commerce (214-526-5254)

"Especially in light of the Web's exponential rate of growth, NCSA's Web Security Certification program is a boon to the international Internet community. Although certification cannot guarantee that particular servers are completely secure, it does clearly indicate whether a site has met the criteria necessary for building and maintaining a secure Web infrastructure." --Larry J. Hughes Jr., an Internet Security Engineer, author, and lecturer (317-253-7378)

"By being certified, a Web Site will be perceived as a very low risk to the insurance industry thus enabling them to purchase broad coverage at a reduced rate." "There are many sites who won't realize what they are doing wrong until they see (NCSA's) requirements. Even if they don't get certified, it will at least make them think hard about what they are doing." --Steven H. Haase, Senior Vice President, Hamilton Dorsey Alston Company (770-850-6670)

"We are pleased to support the development and use of standards as a tool in improving the security of the Internet." --Dr. Myron L. Cramer, Principal Research Scientist, Georgia Tech Research Institute (404-894-7292)

"Just as the Web is becoming a major conduit for commerce, issues of privacy and threats of malicious code have become increasing concerns of everyone on the Internet. Users are looking for assurance that the sites they visit meet reasonable standards for security and trust. The NCSA, with its extensive experience testing information security products, is clearly the organization to take the lead on this much needed task." -- Winn Schwartau, President Interpact, Inc., Infowar.Com., author of Information Warfare and co-author, The Complete Internet Business Toolkit. (813-393-6600)

"As a WEB Site developer, it's important to let users know we're serious about the Internet and security. This program helps us do both." -- John G. Sancin, President, Market.al. Inc. (216-524-2227)

"No single vendor or product can address the global problem of security on the Internet. But certification of Web Sites will lead to both a significant reduction in risk as well as an improved perception of security across the net." --Peter Tippett, President, NCSA. (717-258-1816 x213)

"NCSA Certification is a great first step that companies can take to make their web sites secure." --Scott D. Ramsey, National Director Information Security Services, Ernst & Young LLP (216-737-1213)

"Security remains a major concern for many users of the Internet," said Michael S. Karlin, President and COO of Security First Network Bank, the World's first Internet bank (404-679-3201). "The NCSA web site certification program is an excellent first step in recognizing secure Internet sites, such as Security First Network Bank, and allowing consumers to easily identify those sites."

"NCSA's active role in making the Internet a more secure medium for electronic commerce is commendable. A third party, unbiased, certification of secure products, including Web Sites, establishes a level of credibility which is essentially non-existent today in the commercial markets. Any manufacturer can claim their product is secure and, unfortunately, that claim's first challenge comes after it is in market use. What NCSA is doing, is giving the market a level of comfort with respect to manufacturer claims. If the product is stamped 'NCSA Certified' you can trust it has passed a certain level of test and evaluation. We all know that no product is 100% secure, but it can be tested against known vulnerabilities, and that is what the Web Site Certification is all about. There are many electronic commerce packages out there claiming to secure your Web Site and related transactions. Many of these products are based on the same underlying encryption technologies. What NCSA is testing goes beyond the encryption mechanisms and investigates potential vulnerabilities like Denial of Service attacks, probability of Down-Time, potential for Virus migration, Data Integrity, etc. This process is definitely a step in the right direction." --Mark Mercer, President, TECHMATICS (813-887-3488)

"The NCSA Certified Web Site program is a great first step to improving security on the Internet. This program will establish the foundation for self regulation of the industry while deterring government regulation." --Kevin O'Connor

Other People who are informed and may comment about NCSA's Web Certification Program:

-- Patrick Taylor, Internet Security Systems, Atlanta GA (404-252-7270) plus Justin Potts, On Technology (617-692-3226)

-- Rick Hulett, Sprint - Western Operations, (541-387-9030) plus Emma Rosen, Pilot Network Services, (510-433-7851)

-- Brian Cohen, Technologic, (404-843-9111)

-- John Kirkwood, Merck & Company, (201-703-7667)

Technical Specifications for Web Site Certification Program:

The National Computer Security Association establishes and manages information security-related certification programs. Many Information Technology managers believe security concerns and privacy issues are major factors inhibiting full business use of the Internet. The NCSA Certified Web Site program provides assurance to web users, and also to the organizations represented on web sites, that these sites meet minimal standards for a range of logical and physical security issues. By implementing the methods, procedures, policies and other criteria required to achieve NCSA Certification, a site and its users can expect significantly reduced risk of down-time, intrusion, tampering, data loss, hacking, data theft, and other security risks compared with sites which are not NCSA certified.

Criteria Required to Achieve an NCSA Certified Web Site:

-- The web site must withstand network based attacks. This can be accomplished by utilizing a NCSA Certified Firewall, a filtering router whose policy prohibits all protocols which are not necessary to business operations, or other appropriate security measures.

-- The Domain Naming Service entries for all Universal Resource Locator (URL) referenced systems comprising the site must be resolvable, both as a Fully Qualified Domain Name, and as an Internet Protocol (IP) address, and the InterNIC contact information for the site's domain name must be accurate.

-- Logging of the connecting IP addresses, date & time, page(s) being accessed, date & time of each secure connect and disconnect, and denials of access/unauthorized access attempts must be maintained for users accessing the Certified web server.

-- A generally accepted encryption mechanism (i.e., SSL or SHTTP) must be used for sensitive data transmission.

-- A person designated as the site's "Common Gateway Interface (CGI) evaluator" must examine and evaluate all CGI scripts and programs which are accessible on the systems comprising the site.

-- A person designated as the site's "Client Executable (CxE) evaluator" must examine and evaluate all CxE's which are accessible on the systems comprising the site.

-- Pages containing or accepting sensitive data must be non-cacheable.

-- Persistent Client State mechanisms (e.g. Cookies) must not be used to store sensitive data.

-- The web site server must meet various physical and logical security checks (i.e., physical locks, access controls, back-up procedures, etc.).

-- Any "back-end" transaction process must be documented, and available for review.

For further Web Site Certification information contact: Larry Bridwell, NCSA Sales Associate, 10 S. Courthouse Ave., Carlisle, PA, 17013, (717) 258-1816 Ext. 262, FAX (717) 243-8642, e-mail: certification@ncsa.com, www: http://www.ncsa.com. -0-

NOTE TO EDITORS: NCSA is a registered trademark of the National Computer Security Association. Other brand and product references herein are registered trademarks or trademarks of their respective holders.

CONTACT: NCSA, Carlisle

Kevin J. Stevens, 717/258-1816 ext. 224

Fax: 717/243-8642

e-mail: kstevens@ncsa.com

or

Network Associates, Provo, Utah

Amy Neuberger, 801/373-7888

e-mail: amyn@netassoc.com

or

Cheryl Snapp, 801/373-7888

e-mail: cheryls@netassoc.com
COPYRIGHT 1996 Business Wire
No portion of this article can be reproduced without the express written permission from the copyright holder.
Copyright 1996, Gale Group. All rights reserved. Gale Group is a Thomson Corporation Company.

Publication:Business Wire
Date:Aug 1, 1996
Words:1589