matthew.brough Posted May 1, 2013 Posted May 1, 2013 Jim, Two things I pick up from that: 1. "sensitive information on how the system operates" is under NDA. If that information was disclosed, would it have material impact on the security of the system? I've seen NDAs breached before, and you've always got to think about what happens if you piss off an employee. 2. "once these techniques are in place they may as well be deployed across all grades if system, it makes no sense not to" - this is a brilliant attitude to have. I really don't think product differentiation should be the reasoning behind a grade 2 product being worse than a grade 4. We have a NDA with Webway and to be fair, they are quite forthcoming with information when asked. www.securitywarehouse.co.uk/catalog/
jimcarter Posted May 1, 2013 Posted May 1, 2013 Agreed (cybergibbons) and this is the same for say any employee working within our own development department and Im sure we are not alone here. Yes you have to be very cautious with disclosing information but when getting involved in meaningful pen-testing you have to be working with companies that are both reputable and trust worthy. The financial institution we worked with on this particular project was insisting on a very demanding test and employed the company to carry out the tests. Part of their criteria was to attach the system from within and focused not only on our systems but their own. Jim Carter WebWayOne Ltd www.webwayone.co.uk
cybergibbons Posted May 1, 2013 Author Posted May 1, 2013 It all sounds like good stuff. Getting proper pen testing done is a really important step. SIA-HS would have been ripped apart in less than a day by an intern at most decent pen testing places. And yes, WebWayOne has a lot of useful and confidence inspiring stuff open to me without an NDA. I have a blog, some of which is about alarm security and reverse engineering:http://cybergibbons.com/
jimcarter Posted May 1, 2013 Posted May 1, 2013 Yes it's a useful from two points, it validates what the test houses such as BRE have done and helps us have great confidence in what we do. We can't use the test results on a commercial basis or openly publish the reports but at least we can talk about and outline what we have done. Jim Carter WebWayOne Ltd www.webwayone.co.uk
james.wilson Posted May 1, 2013 Posted May 1, 2013 Jim, its good to see openess from a manufacturer, thanks for doing that here. Id like to see cyberg have a proper look at your stuff to give an independant view on the kit? Jim, Two things I pick up from that: 1. "sensitive information on how the system operates" is under NDA. If that information was disclosed, would it have material impact on the security of the system? I've seen NDAs breached before, and you've always got to think about what happens if you piss off an employee. 2. "once these techniques are in place they may as well be deployed across all grades if system, it makes no sense not to" - this is a brilliant attitude to have. I really don't think product differentiation should be the reasoning behind a grade 2 product being worse than a grade 4. CG on point 2. I do. There is a cost saving demand in the marketplace. You cannot compete offering a g4 product for g2 money. The standards demand minimum requirements at set grades. You cannot enforce a buyer (customer) should pay for something they feel they dont need. That is the whole point of risk assesment and advising what is best for them at their risk. ie do you have a 50k cash rated safe to put your piggy bank in at night? You dont need to but are you saying you should? securitywarehouse Security Supplies from Security Warehouse Trade Members please contact us for your TSI vetted trade discount.
jimcarter Posted May 2, 2013 Posted May 2, 2013 James..I agree that you to need to differentiate the products in some way and this is generally in the reporting times and maybe other "tangible" features and benefits. But if we stick to the title of this topic here, encryption and substitution techniques are fundamental to how a communications system (or Alarm Transmission System in our case) is developed. You work out how your product is going to signal from a to b and once you have that you use that technique across all your products. Operationally, to differentiate on this level (encryption and substitution) would be a nightmare to "police and maintain". In this area we never compromise on the security of the communications whether it be a lowly "digi" type product or a full blown LPS1277 unit. Its a standard feature. Jim Carter WebWayOne Ltd www.webwayone.co.uk
jimcarter Posted May 2, 2013 Posted May 2, 2013 Sorry..forgot one point you raised. Ive no problem at all in anyone getting an SPT and trying to compromise it. The BRE and DNV Certification we have to LPS & EN50136 (and shortly EN50136 tested to System 5 via CertAlarm) should give confidence to anyone using our systems and save them the effort. Jim Carter WebWayOne Ltd www.webwayone.co.uk
ccbrennan Posted May 2, 2013 Posted May 2, 2013 Couple of points I've read ... Grade differentiation Some people say how do you differentiate between Grade 2, 3 and 4. With regard to encryption and substitution protection we don't see any point in not providing the feature whatever the Grade. For us the clue is in the name of our market sector "Security". Additionally it is hard enough to manage the annual/monthly billing processes with ARCs for products and Grades, adding encrypted or non encrypted would add another layer of difficulty (and consequently cost). The only decision you have to make with our products is what reporting times for dual path failure are you comfortable with (24 Grade 2, 11m Grade 3+ and 3.5m Grade 4). The encryption and substitution protection are all part of the standard service, independent of Grade - it's core to our software. Substitution protection Both the device and the messages require substitution protection under EN standards. We have employed this in our system from day 1. The protection has been tested by BRE/LPCB UK, DNV Norway and we will have our CERT Alarm Certificate during May/June. Obviously the receiver must decrypt the message and determine whether any substitution has taken place (in our case and most ATS providers the receiver is an integral part of the ATS).
matthew.brough Posted May 2, 2013 Posted May 2, 2013 Sorry..forgot one point you raised. Ive no problem at all in anyone getting an SPT and trying to compromise it. The BRE and DNV Certification we have to LPS & EN50136 (and shortly EN50136 tested to System 5 via CertAlarm) should give confidence to anyone using our systems and save them the effort. Interesting. If CG want's to try it into our receivers I'm happy to accommodate. Your competitors refused to allow such test. This says a lot. www.securitywarehouse.co.uk/catalog/
ccbrennan Posted May 2, 2013 Posted May 2, 2013 A test is not a problem. Prior to any test we would need to understand who wants to test and whether that test is an impartial one or funded by another party/competitor. For this reason a face to face meeting, NDA and written disclosure of 3rd party interest is required. Thanks, Chris.
Recommended Posts
Archived
This topic is now archived and is closed to further replies.