The National Cyber Security Centre guidance aims to help organisations assess the security of vendors when selecting products and network equipment.

The UK’s National Cyber Security Centre (NCSC) has published a new four-tier guide for objectively assessing the security of vendors and the cyber risks posed to organisations by network equipment. It has been written to support telecommunications operators and other providers of critical services or critical infrastructure that rely on network equipment to deliver their services, and it should be used when making product selection decisions. The guidance is referenced in the UK government’s draft Telecommunications Security Code of Practice. Experts are mixed on whether it provides businesses with enough practical guidelines for carrying out effective security assessments of vendors and their products.

Product security critical for organisations, assessment currently challenging

The security of network equipment is critical to the security of any network. When selecting equipment that will support a critical service or critical infrastructure, customers should assess the security of that equipment as part of their procurement and risk management processes, the NCSC stated in its report, Vendor Security Assessment.

However, one of the biggest challenges when assessing the security of network equipment is the industry practice of producing regional or operator-specific versions of products, it added. “Where vendors follow this practice, international customers cannot share the burden of gaining evidence or assurance about product quality or security, whether through working with each other or through international testing schemes.” What’s more, vendor audits or evaluations that rely on vendor documentation are unlikely to provide useful evidence unless it is possible to verify that the audit relates to the security of the network equipment as actually shipped.
“For the same reason, audits or evaluations where the evidence behind the audit is not widely available and testable should also not be considered.”

4 steps to assessing a vendor’s security approach

Objective assessment should be carried out by gathering repeatable evidence on the security of the vendor’s processes and network equipment, focusing on three core sources of evidence: evidence from the vendor themselves, testing to validate the vendor’s claims, and third-party evidence, the NCSC said. In doing so, organisations should take a four-tier structure to vendor security assessment.

Tier 1 – Assess: Assess the vendor’s security declaration. This should state the vendor’s approach to security and the security promises that the vendor makes to its customers. In the interests of developing the security ecosystem, the NCSC recommends that the vendor openly publishes its security declaration. This gives customers confidence that the vendor’s approach is consistent across all customers and product lines, and allows the wider security community to participate in the security discussion.

Tier 2 – Check: Perform spot checks on the vendor’s implemented security processes for specific, independently chosen product releases. As all details should be readily available to the vendor within its own systems, providing advance notice of the chosen releases should not be necessary.

Tier 3 – Analyse: Perform lab tests against equipment. The tests should either cover all equipment, or the equipment should be randomly selected from the equipment provided by the vendor. Lab tests should be automated wherever possible so they can be easily repeated at low cost. Lab tests performed independently of the customer should be run against the same product version track, hardware, software, firmware, and configuration as used by the customer.

Tier 4 – Sustain: Hold vendors to the standard in the security declaration throughout the entire period of the customer’s relationship with the vendor. Customers should analyse the root causes of issues and record the vendor’s security performance to ensure future assessments are made with a rigorous evidence base.

With regard to applying the four tiers, organisations should focus on a vendor’s security performance in terms of culture and behaviour, as evidenced by factors including transparency, openness and collaboration with the security research community, customer support around security vulnerabilities and incidents, and compliance with security obligations and requirements, the NCSC added.

Security assessment guidance will benefit businesses

Mike Parkin, technical engineer at Vulcan Cyber, tells CSO that the UK NCSC’s guidance is extensive and should prove useful to organisations in practice. “The assessment criteria in this framework give enough detail that following it as a guideline should deliver the desired result within the framework’s scope.”

A lot of players deal with networking, and it can be very challenging to effectively assess whether a specific one is the right fit for an organisation’s needs, Parkin adds. “While it is often easiest to simply go with the biggest name, they may not be the best match to the specific use case or may be cost prohibitive. Companies are playing a constant balancing game between managing risks and containing costs while meeting business needs, but often lack the insight into just how effective their options are relative to those costs. The NCSC’s guide makes it easier to compare alternatives and select the best option to meet the organisation’s needs.”

However, Joseph Carson, chief security scientist and advisory CISO at Delinea, questions whether the guidance is detailed enough, likening it to a basic checklist of things companies should be doing as standard when selecting new products.
“For me, it is a five out of ten, because while these are great starting points, and the checklist is pretty good, it does not mean organisations are going to put them into practice or, even if they do, become secure. The guidance will likely be used more by the vendors so they will have responses to possible questions during an RFI or RFP. When we get down to the reality, we need to go further and show examples of real-world scenarios along with how the guidance should be implemented.”

The guidance also lacks a focus on risk, which can vary between organisations and the services they provide, Carson adds. “Yes, the guidance is good, but it really comes down to how you practice it.”