A Security Business Case for Common Criteria

  • 8/11/2019 A Security Business Case for Common Criteria

    A Security Business Case for the Common Criteria

    Marty Ferris

    Ferris & Associates, [email protected]

    Outline

      • Security Problem Overview
      • Bounding a Moving Target
      • Role of Standards Common Criteria

    Security Concepts and Relationships

    [Figure: Security Concepts and Relationships. Nodes: Owners, Confidence, Assets, Threats, Exposures, Security Functions, Assurance, Evaluation. Relationship labels: create, to, value, require, that reduce, giving, leads to.]

    Bound the Exposure Problem

      • Organizational Security Management
      • Develop Policies and Standards
      • Develop Operational Security Practices
      • On-Going Assessment of Security Program

    Operational Security Practices

      • Defining Good Enough
      • Risk/Acceptability Model
      • Security Program as Starting Place
      • Ongoing assessment and refinement
      • Marketplace dependence for IT Security Solutions
      • Security Infrastructures Evolve

    Security Infrastructures

      • Physical Security
      • People Security
      • Internal Personnel Security
      • Customer's Security Role
      • IT Product, Systems and Services Security
      • Anomaly Processing
      • Identification of Security Events

    Old Security Infrastructures

      • Physical/People
      • Communications Security
      • Computer Security
      • Application Security

    Computer Security - Central Technical Security Infrastructure

      • Application Security
      • Smart Cards
      • Browsers
      • Virtual Private Networks
      • Firewalls
      • IPSec
      • TLS/SSL
      • Public Key Infrastructure

    New Security Infrastructures

      • Physical/People
      • Computer Security
      • Communications Security
      • Application Security

    Bad Security?

    Good Security?

    Security Reality?

    [Figure. Labels: Protected Assets; Assets; Security Gap; Actual Asset Exposure (Reality); Asset Protection Policy (Perceived).]

    The Security Management Challenge: Bounding a Moving Target

      • Building and Maintaining Security Infrastructures
      • Managing Security Gaps
      • Security Planning
      • Support both IT Vision and Security Policies
      • Marketplace dependence
      • Best Value Solutions

    Role of Security Standards

      • Support Management Process for New IT Services (?)
      • Business case for IT Investment
      • Cost Containment Strategies
      • Requirements and specifications
      • Equivalence and Interoperability
      • Voluntary consensus vs de facto
      • Limited operational practices context
      • Compliance assurances

    Standards Development Process

      • Business need driven
      • Scope within a business context
      • Balanced participation
        • open to buyers and sellers of technology as well as technology experts
      • Document requirements/specifications
      • Voting process for consensus and resolving disagreements
      • Public comment

    What is the Common Criteria

      • International Standard Meta-language for describing IT security requirements
      • Features and assurances
      • Supports both buyer "I need" and Seller "I provide"
      • How one applies the Meta language is:
        • Constituent (Seller or Buyer) dependent
      • Security Management Tool

    Infrastructure Support for Common Criteria

      • International Registry of Buyer and Seller requirements
      • Assurances Laboratories for both Buyer and Seller
      • International Mutual Acceptance of Features and Assurances

    Common Criteria Potential Benefits

      • Better Tool to Bound problem(s)
      • More accurate definition of requirements
      • Threat and policy
      • IT and Non-IT assumptions
      • Interoperability and equivalence
      • Features and Assurances

    Common Criteria Potential Benefits (cont.)

      • Market friendlier
      • Friendlier to integrating both established and emerging security technologies and practices
      • Supports buyer's IT business case development
      • Supports Seller's business case to bring IT services to market

    A Brief History of Common Criteria

    [Figure: timeline. Axis: 1985, 1990, 1997, 1998. Labels: US TCSEC; Federal Criteria; ITSEC 1.2; European National & Regional Initiatives; Canadian Initiatives; CTCPEC 3; ISO Initiatives; Common Criteria Project; NIST's MSFR; ISO Standard.]

    Common Criteria as International Standard

      • 1990 - Working Group 3, Subcommittee 3, Joint Technical Committee 1 begins addressing IT security
      • 1993 - Member Nations pool resources and assist WG3
      • Common Criteria (CC) Version 2 provided, May 1998
      • CC, Version 2, as International Standard ISO/IEC 15408 being reviewed and voted upon

    Overview of Common Criteria Structure

      • Part 1 Introduction & Model
        • Introduction to Approach
        • Terms & Model
        • Requirements for Protection Profiles & Security Targets
      • Part 2 Security Functional Requirements
        • Functional Classes
        • Functional Families
        • Functional Components
        • Detailed Reqts
      • Part 3 Security Assurance Requirements
        • Assurance Classes
        • Assurance Families
        • Assurance Components
        • Detailed Reqts
        • Eval. Assur. Levels
      • Part 4 Registry of Protection Profiles

    Common Criteria Look and Feel

      • Official title - Common Criteria for Information Technology Security Evaluations
      • Part 1, Introduction
      • Part 2, Functional Requirements
        • Desired information technology security behavior

    Common Criteria Look and Feel (cont.)

      • Part 3, Assurance Requirements
        • Measures providing confidence that the Security Functionality is effective and correctly implemented
      • CC intro at

    Functional Requirements Classes

      • FAU -- Security Audit (35)
      • FCO -- Communication (Non-Repudiation) (4)
      • FCS -- Cryptographic Support (40)
      • FDP -- User Data Protection (46)
      • FIA -- Identification & Authentication (27)
      • FPR -- Privacy (Anonymity, etc.) (8)
      • FPT -- Protection of Trusted Security Functions (43)
      • FRU -- Resource Utilization (8)
      • FTA -- TOE Access (11)
      • FTP -- Trusted Path (2)

    Evaluation Assurance Levels

      • Levels - EAL 1 through 7
        • increasing rigor and formalism from 1 up to 7
      • Seven classes addressed for each level
        • Configuration Management
        • Delivery and operation
        • Development
        • Guidance documents
        • Life-cycle support
        • Testing
        • Vulnerability Assessment

    Vendor/Customer Requirements

      • Protection Profiles (PP)
        • User requirements (I need)
        • Multiple implementations may satisfy
      • Security Targets (ST)
        • Vendor claims (I will provide)
        • Implementation specific
      • Methodology
        • First, threats and policy stated
        • then Features and Assurances selected

    CC Product Validation and Evaluation Scheme

      • Targeted to begin in 1999
      • Using security specifications from Common Criteria (CC)
      • Procedures based upon Common Evaluation Methodology (CEM)
      • Testing and evaluations performed by NVLAP accredited commercial labs
      • International recognition of evaluations (Mutual Recognition)
      • Results posted on NIAP's WWW page

    Laboratories

      • NSA's TTAP laboratories are the Interim CC labs
        • ARCA Systems, BAH, COACT, CSC, Cygnacom Solutions, NSTL and SAIC
        • Will have to reapply for CCEVS accreditation
      • Mutual Recognition between Canada, France, Germany and UK and US for CC-based evaluations
      • Netherlands are developing their scheme
      • Australia and New Zealand applying

    Product evaluations

      • As of 19 Oct. 98
      • CC-based Evaluation Completed:
        • ITT Dragonfly Guard EAL 2
        • Milkyway Black Hole V3.01 EAL3 Firewall in Canada
      • CC-based Evaluations Underway
        • 3 EAL2 Firewalls
        • Checkpoint
        • CISCO Pix
        • Lucent Managed Firewall

    Product evaluations (cont.)

      • OS evaluations underway:
        • IBM RS6000 - C2 OS
        • IBM NT 4.0 - C2 OS
        • IBM SQL Server - C2 DB
        • Sybase Anywhere Adaptive Server - C2 DB

    Assistance

      • Classes
        • schedule on webpage (niap.nist.gov)
        • CC familiarization, 1 day
        • PP development, 4 days
      • CC Toolbox
        • CCDA version 1, (ST), Oct. 98
        • PDA version 2, (PP), Dec. 98
        • PDA version 1, July 99
        • CCDA version 2, Jan. 00

    Right Time for Common Criteria?