Tag Archives: standards

NSS Labs drops antitrust suit against AMTSO, Symantec and ESET

NSS Labs ended its legal battle against the Anti-Malware Testing Standards Organization, Symantec and ESET.

The independent testing firm on Tuesday dropped its antitrust lawsuit, which was filed in 2018 against AMTSO (a nonprofit organization) and several top endpoint security vendors, including Symantec, ESET and CrowdStrike. The suit accused the vendors and AMTSO of conspiring to prevent NSS Labs from testing their products by boycotting the company.

In addition, NSS Labs accused the vendors of instituting restrictive licensing agreements that prevented the testing firm from legally purchasing products for public testing. The suit also alleged AMTSO adopted a draft standard that required independent firms like NSS Labs to give AMTSO vendor members advance notice of how their products would be tested, which NSS Labs argued was akin to giving vendors answers to the test before they took it.

In May, NSS Labs and CrowdStrike agreed to a confidential settlement that resolved the antitrust suit as well as other lawsuits between the two companies stemming from NSS Labs’ 2017 endpoint protection report that included negative test results for CrowdStrike’s Falcon platform. Under the settlement, NSS Labs retracted the test results, which the firm admitted were incomplete, and issued an apology to CrowdStrike.

In August, a U.S. District Court judge for the Northern District of California dismissed NSS Labs’ antitrust claims, ruling in part that NSS Labs failed to show how the alleged conspiracy damaged the market, which is required for antitrust claims. The judge also said NSS Labs’ complaint failed to show ESET and AMTSO participated in the alleged conspiracy (Symantec did not challenge the conspiracy allegations in the motion to dismiss). The ruling allowed the company to amend the complaint; instead, NSS Labs dropped its lawsuit.

Still, the testing firm had some harsh words in its statement announcing the dismissal of the suit. NSS Labs said vendors “were using a Draft Standard from the non-profit group to demonstrate their dissatisfaction with tests that revealed their underperforming products and associated weaknesses, which did not support their marketing claims.”

“During the past year, AMTSO has made progress to be more fair and balanced in its structure, vendors have shown progress in working with testing organizations, and the market itself has had significant change and notable acquisition activity,” NSS Labs CEO Jason Brvenik said in the statement. “It is said that sunshine is the best disinfectant, and that has been our experience here. We look forward to continued improvement in the security vendor behaviors.”

AMTSO sent the following statement to SearchSecurity:

“While AMTSO welcomes NSS Labs’ decision to dismiss, its actions were disruptive, expensive, and without merit,” said Ian McShane, an AMTSO Board member and senior director of security products at Elastic. “However, we agree with its statement that ‘sunshine is the best disinfectant,’ and we’re looking forward to NSS Labs re-joining AMTSO, and to its voluntary participation in standard-based testing. We believe this will give customers a greater assurance that the tests were conducted fairly.”

AMTSO did not comment on whether the organization has made any specific changes to its structure or policies in the wake of the antitrust suit.

NSS Labs changed its approach to testing results earlier this year with its 2019 Advanced Endpoint Protection Group Test, which redacted the names of vendors that received low scores and “caution” ratings. At RSA Conference 2019, Brvenik told SearchSecurity that NSS Labs decided to take a “promote, not demote” approach that focuses on the vendors that are doing well.

IoT Cybersecurity Improvement Act calls for deployment standards

Proponents of a proposed federal bill are seeking the development of security standards for all government-purchased Internet-connected devices — a move that could spur improved security for IoT deployments across non-government entities as well.     

The IoT Cybersecurity Improvement Act of 2019, co-sponsored by Reps. Robin Kelly (D-Ill.) and Will Hurd (R-Texas), would require the National Institute of Standards and Technology (NIST) to issue guidelines for the secure development, configuration and management of IoT devices. It would also require the federal government to comply with these NIST standards. 

Perhaps more significantly, the bill would likely reach beyond the federal government if passed and made into law. Security experts predict that NIST standards would help elevate IoT security throughout private industry and during development of consumer products.

“Our bill establishes baseline cybersecurity standards for government purchased and operated IoT devices,” Rep. Kelly said in an emailed response to questions about the proposed legislation. “Right now, we are focused on securing government IoT devices. I think the most relevant piece to executives would be the ability to use NIST’s Considerations for Managing Internet of Things (IoT) Cybersecurity and Privacy Risks as a model for internal standards.”

She added, “Our goal remains securing government IoT devices. If these standards are helpful to the private sector then that’s an additional benefit.”

IoT: Speed to market offsets cybersecurity

Security leaders said there’s a need for improved IoT security: Vendors work fast to bring IoT products to market, while enterprise leaders have moved just as quickly to capitalize on IoT deployments. In both cases, the desire for speed typically trumps security concerns, they said.

Now these security concerns are gaining new attention.

“People have been saying for at least three years that there’s a problem and we need to fix it,” says David Alexander, digital trust expert at PA Consulting.

Others agreed, adding that they think NIST is the right entity to take the lead on establishing security standards.

“We need government intervention,” said Balakrishnan Dasarathy, collegiate professor and program chair for Information Assurance at the Graduate School at the University of Maryland University College.

Dasarathy said the ripple effect from federal action on IoT legislation would improve product security for consumers and private industry alike. It would also give appropriate IoT security guidance to chief information security officers (CISOs) and other organizational executives.

“Right now many CISOs struggle to determine adequate security,” Dasarathy said.

Weak IoT security has had significant consequences. The Mirai botnets, for example, exploited vulnerabilities in networked devices and led to a massive distributed denial of service attack in 2016.

The skyrocketing number of connected devices also increases the amount of infrastructure to protect. Gartner, the technology research and advisory firm, predicted that 14.2 billion connected things will be used this year, a figure that will hit 25 billion by 2021. That growth means CISOs will be responsible for more than three times as many endpoints in 2023 as they were in 2018.

The emergence of IoT security standards

Despite often treating security as an afterthought, the IoT community — including vendors, executives engaged in IoT initiatives and regulatory bodies — has already started to address security and data privacy issues. This recognition helped create an emerging collection of standards, best practices and regulations such as California’s IoT device law known as SB-327. It is the first such state law in the United States, and the European Telecommunications Standards Institute has developed similar rules.

However, the IoT Cybersecurity Improvement Act could push IoT safety to the forefront for IoT device makers and end users. This is because of the clout that NIST has in setting standards and that the federal government has in purchase power. The federal bill was advanced out of the House Oversight and Reform Committee in June.

“It will set a direction that will make it easy for others to follow,” said Gus Hunt, managing director and cyber strategist for Accenture Federal Services.

If the bill passes, IoT device makers that want to sell to the federal government would have to design and manufacture products according to NIST standards. To avoid designing a second-tier product for the nongovernment market, those makers would bring those same government devices to the broader market, Hunt explained.

Even if the IoT Cybersecurity Improvement Act doesn’t pass, Hunt said vendors now recognize that buyers want better security features in their products.

“Many manufacturers realize that they have to find a way [to make sure] that whatever they sell is safe, secure and doesn’t place people at higher risk simply by buying the device,” he added.

Security becoming an IoT priority

Meanwhile, private sector CISOs and CIOs could benefit if the bill is passed and NIST develops security standards that give them guidelines to adopt for their own IoT deployments.

“NIST standards could give them leverage in their discussions about budget, controls and selection of products,” Alexander said, as NIST protocols in other areas have often become the basis for best practices in private sector organizations seeking to strengthen their own programs.

However, the bill’s future is uncertain. A similar measure was introduced in 2017 and failed to move forward. On the other hand, the IoT Cybersecurity Improvement Act of 2019 does have bipartisan sponsors — which security experts said gives them some hope that Congress will take favorable action on this issue.

Yet that hope comes with a caveat: They said lawmakers — in Congress and elsewhere — must pay attention to each other’s IoT legislation to ensure they’re all moving in the same direction.

Also, they said NIST should work with industry to craft standards. This cooperative approach is one that NIST typically takes, and it would help ensure that all the various laws share common elements so that vendors understand what they must deliver to the market.

“These things cannot be contradictory. All these versions of [IoT] legislation need to be aligned because vendors want to make one version of their product. All the legislation has to be pointing in the same direction, otherwise it’s not going to work,” Alexander said.

Verizon 5G rollout could change broadband competition

Verizon has chosen to temporarily forgo standards and launch a proprietary 5G internet service to homes in four U.S. cities. The rush to market could start generating a return from the billions of dollars spent on developing the fifth-generation wireless technology.

Verizon introduced its 5G Home service this week and said it would be available Oct. 1 in select neighborhoods in Houston, Indianapolis, Los Angeles and Sacramento, Calif. The service provider promised a baseline speed of about 300 Mbps, which is significantly higher than Verizon’s current fiber optic service, Fios.

Customers covered in the Verizon 5G rollout could experience speeds close to 1 Gbps if they are in a favorable location relative to Verizon’s 5G small cell site that broadcasts the wireless signal to the home.

Verizon plans to charge wireless subscribers $50 a month for the 5G service and nonwireless subscribers $70 a month. Verizon won’t charge for the first three months of service or for the 5G router and its installation in the home.

The promotional deal makes the 5G offering similar in pricing to the internet service Verizon currently provides through its Fios product, which delivers speeds of only about 100 Mbps or less, said Tom Nolle, principal analyst at technology consulting firm CIMI Corp., based in Township, N.J., in a research note.

“I think Verizon will be moving to normalize their pricing across FiOS and 5G, which could give Verizon users the best internet bargain out there today,” Nolle wrote.

Verizon 5G rollout using nonstandard gear

The home and cell site gear used in the Verizon 5G rollout are temporary. The company plans to replace the proprietary 5G equipment with devices built around universal standards set by the 3rd Generation Partnership Project (3GPP). Verizon will replace the equipment as suppliers deliver standard gear.

Verizon is willing to forgo standards initially to be quick to market with 5G internet services and to start generating revenue as soon as possible, said Rajesh Ghai, an analyst at IDC.

“This is a brand-new service for Verizon — incremental revenue,” he said. “They’re not going to eat into anything they’re already selling. They don’t have to get their existing customer base to adopt it.”

Because 5G is a fixed-wireless technology, Verizon can compete against cable companies and rival AT&T without having to bring a cable connection to homes or apartment buildings.

“If you have broadband deliverable to homes over the air, then it becomes a lot faster for a customer to provision the service,” Ghai said. “You get the box from Verizon, and it’s ready to go.”

Indeed, Verizon has made ordering the service easy by launching a website for would-be subscribers.

Verizon 5G rollout includes TV over IP

Verizon’s handling of TV over IP (TVoIP) through the 5G service is also significant. Subscribers get Google’s YouTube TV at no charge for the first three months and then have the option of continuing the service for $40 a month.

The offer shows Verizon is experimenting with TVoIP without having to buy a content provider. “If they like what happens, they could shift FiOS to TVoIP too, and drop a lot of cost along the way,” Nolle said. Also, Verizon could collect user data and website activity on the 5G service and use the information in other applications, such as ad selection.

Microsoft joins the Coalition For Better Ads – Bing Ads

At Microsoft, we believe in supporting and collaborating with the online advertising industry to develop standards that make the digital ecosystem function better for consumers, marketers and publishers.

In this spirit, we are excited to announce that Microsoft has joined the Coalition for Better Ads (CBA). Through our advertising platforms, and our multitude of consumer services, we believe we can make an important contribution to improving and safeguarding advertising standards on the web. 

Microsoft is committed to working with our industry partners and the Coalition for Better Ads to continue the development and implementation of standards that will have a positive impact on consumers and the entire online advertising community.