Malaysian Common Criteria Evaluation & Certification · PDF fileDescription Standard for gaining ... (MS ISO/IEC Malaysian Common Criteria Certification Body ... Malaysian Common Criteria

Malaysian Common Criteria Evaluation

& Certification (MyCC) Scheme

– Activities and Updates –

Copyright © 2010 CyberSecurity Malaysia

Agenda

1. Understand

– Why we need product evaluation and certification

– ICT Product Certification Benchmark

– Common Criteria Recognition Arrangement– Common Criteria Recognition Arrangement

2. What is the MyCC Scheme and its components?

3. What is the potential market for certified CC products?

4. Way forward

Copyright © 2010 CyberSecurity Malaysia 2

Security Objectives

Question is….

Are those ICT products are secure enough

from threats and vulnerabilities??????


Try to answer the requirement of CIA triad….

Security Techniques

Prevention access control

Detection auditing

Tolerance practicality


good prevention and detection both require good authentication as a foundation

• Which one is better?

• Who are we trusted most?

• What is the criteria needed to standing on

International VS Local ICT Products

• What is the criteria needed to standing on same level?


• Software and hardware may containhidden functions

•Danger exists when these secretcodes are not revealed

•Many incidents happened when

Unseen Danger

•Many incidents happened when attackers use these secret codes to gain access to the system

• Some ICT products claimed they have all the security functions, in fact they’re not.


Direct Impact

Loss of

money


Bad

reputation

Low of Performance

Current Pattern of Vulnerabilities


Figure 1: Number of Vulnerabilities in Network, OS and Applications

Source from: SANS – top

cyber security risks

Why IT Security Evaluation is Important?

IT Security

Evaluation

Meet

government

requirements

Reduce

vulnerabilities

Easier product

selection process

Increased

confidence in

claimed security


Evaluationvulnerabilities

Access

international

markets

claimed security

functionality

Continuous

improvement of

security technology

IT Security Evaluation is one method of gaining confidence in the security

functions implemented by a product or system

ICT Product Certification ICT Product Certification

BenchmarkBenchmark

Comparisons of the available ICT product certification

Common Criteria

(CC)

CESG Claims

Tested Mark

(CCTM)

TUVIT Trusted

Product

ICSA Labs

Product

Certification

Description Standard for gaining assurance in the security of IT products and systems through

Provides UKgovernment quality mark for the public and private sectors based on accredited

Demonstrates the trustworthiness of products and systems. This trustworthiness is

Intended to significantly improve commercial computer security


systems through independent evaluation. To prove the validity of security functionality claims made by developers.

based on accredited independent testing, designed to prove the validity of security functionality claims made by vendors. In more colloquial terms, the CCTM is designed to assure public bodies that a product or service does ‘what it says on the box’.

trustworthiness is established on the basis of standards, technical directives and guidelines, lists of criteria or individual rules which correspond to the TÜViT product qualification concept.

computer security and trust.

Recognition Globally UK Germany US

Comparisons of the available ICT product certification

Common Criteria

(CC)

CESG Claims Tested

Mark (CCTM)

TUVIT Trusted

Product

ICSA Labs

Product

Certification

List of products certified

Access control, detection, boundary protection, smart card, network devices and systems, data protection,

Connection protection, erasure and disposal, integrity protection, media & device authentication, media

Domain registration system, web kiosk , Tri-Party Collateral Management, Bank Management

Anti-virus, firewall, IPSec VPN, cryptography, SSL VPN, network IPS, anti-spyware and PC firewall


protection, databases, key mgmt systems, OS, digital signatures products

authentication, media & information protection, netwroklink protection

Management Console portal

PC firewall products

Link http://www.commoncriteriaportal.org/

http://www.cctmark.gov.uk/

http://www.tuvit.de/english/Overview.asp

http://www.icsalabs.com/

Logo

What is the Common Criteria?

• A common structure & language for expressing product/system IT security requirements

(CC Part 1)

• A catalogue of standardised IT security requirement components & packages (security functional and security assurance requirements)


• Supported by a common methodology for gaining assurance that IT security requirements have been satisfied (CEM)

functional and security assurance requirements)

(CC Part 2 & Part 3)

How did we get here?

USTCSEC CC 1.0

CanadianInitiatives

‘89-’93

CTCPEC3

‘93

CommonCriteriaProject

FederalCriteria

CC 2.XISO15408CC 3.1

‘83, ‘85

The Orange

Book

‘96

ITSEC1.2

‘91

EuropeanNational

& RegionalInitiatives

‘89-’93

Project‘93--

ISOInitiatives

‘92--

Criteria

‘92

‘99 ‘06

Common Criteria

Standard for gaining assurance in the security of IT products

through independent evaluation.

• A specifications language:

– Functionality. What is being evaluated?


– Functionality. What is being evaluated?

– Assurance. How much and what type of confidence is required in the TOE?

• A methodology

– Repeatable. Same results different time.

– Comparable. Same process different product.

– Allows mutual recognition among CCRA nations.

Mutual Recognition

•Participants that represent a compliant Certification Body

•Mutually recognizes certified products/systems produced by the Certificate Authorising

Participants based on ISO/IEC 15408

UK

USAAUSTRALIA

CANADA FRANCEGERMANY

SPAIN

NORWAYNEW ZEALAND NETHERLANDS

KOREA

JAPAN

Certificate Authorising Participants

ITALY

SWEDEN


DENMARK GREECEINDIA

FINLAND HUNGARY

ISRAELSINGAPORE

TURKEY

Certificate Consuming Participants

Acceptance

As of Oct 2009

AUSTRIA

MALAYSIA

PAKISTAN

•Participants that have a national interest in recognising CC certificates produced by

the Certificate Authorising Participants based on ISO/IEC 15408

CZECH

REPUBLIC

1. Understand



– Common Criteria Recognition Arrangement

Agenda




4. Way forward


MyCC Scheme

MyCC Scheme

STANDARDS MALAYSIA

(MS ISO/IEC

Malaysian Common Criteria

Certification Body (MyCB)

Common Criteria CCRA

Published

underJemaah Menteri, pada 8 Okt 08, menimbangkan Memorandum

daripada Menteri Sains, Teknologi dan Inovasi No.

592/2618/2008 dan bersetuju:


ICT Product or System

Evaluation Facility (EF)Evaluation Facility (EF)

Malaysian Security

Evaluation Facility

(MySEF)

STANDARDS MALAYSIA

(MS ISO/IEC 17025)

(MS ISO/IEC Guide 65)

Issued for

CC

Certificate

592/2618/2008 dan bersetuju:

i. Supaya CyberSecurity Malaysia, sebuah agensi di bawah

Kementerian Sains, Teknologi dan Inovasi dilantik sebagai

Badan Pensijilan Nasional tunggal bagi Skim Penilaian dan

Pensijilan Keselamatan ICT berdasarkan MS ISO/IEC

15408: 2005 Information Technology – Security Techniques

– Evaluation Criteria for IT Security; dan

ii. Supaya Badan Pensijilan Nasional ini dinamakan Badan

Pensijilan Common Criteria Malaysia (Malaysian Common

Criteria Certification Body)

MyCC Scheme Mission

“to increase Malaysia’s competitiveness in

quality assurance of information security

based on the Common Criteria (CC)


based on the Common Criteria (CC)

standard and to build consumers’

confidence towards Malaysian

information security products”

MyCC Scheme Background

• Project commenced in 2006 to establish the MyCC Scheme

– Driven from 9th Malaysian Plan (2006-2010)

– Supported by the National Cyber Security Policy

• Malaysia accepted as certificate consumer under the CCRA on 28 March 2007.CCRA on 28 March 2007.

• Malaysian Government accepted the Memorandum Jemaah Menteri No 592/2618/2008 from MOSTI and appointed CyberSecurity Malaysia as the sole certification body for MyCC Scheme.

• The MyCC commenced operations in August 2008.

• First evaluations commenced at EAL3/EAL4 to support application for certificate authorising status.


MyCC Scheme Services

• Security evaluation and certification of ICT products, systems and protection profiles

– Certify results of evaluations conducted against v3.1 of the Common Criteria (ISO/IEC 15408)

– Results published on MyCC Scheme Certified Products Register (MyCPR)

• Maintenance of assurance for security certified ICT products and systems

– In accordance with CCRA requirements for assurance continuity

– Maintenance addenda published on MyCC Scheme Certified Products Register (MyCPR)

• Recognition of certificates for special purpose

– In accordance with MyCC Scheme Policy


MyCC Scheme Roles

• CyberSecurity Malaysia– Owner of the MyCC Scheme

– CEO CyberSecurity Malaysia is the MyCC Scheme Head

• MyCC Scheme Management Board– At least five members, chair of the Board will rotate annually

– Provide strategic advice, guidance and recommendations to the – Provide strategic advice, guidance and recommendations to the MyCC Scheme Head

• Malaysian Common Criteria Certification Body (MyCB)– A department within CyberSecurity Malaysia

– Manages the MyCC Scheme

– Certifies results of evaluations performed by licensed MySEFs

– Manages CCRA requirementsCopyright © 2010 CyberSecurity Malaysia 22

MyCC Scheme Roles

• Malaysian Security Evaluation Facilities (MySEFs)– Organisations licensed by the MyCB to conduct evaluations of

products and systems using the Common Criteria

• Sponsor– The person or organisation that engages a MySEF to perform an – The person or organisation that engages a MySEF to perform an

evaluation

• Developer– The person or organisation that has developed the product,

system or protection profile

• Consumer– The person or organisation that procures or uses the product or

system


MyCC Scheme Benefits

• Improve the competitiveness of Malaysian ICT products in a global ICT

market

• Enhance Malaysia’s reputation as a provider of ICT security assurance


• Enhance Malaysia’s reputation as a provider of ICT security assurance

services globally

• Gain access to international markets for Malaysian ICT products

• Enhance the security of Malaysian information infrastructure

• Enhance the security of Malaysian ICT products

MyCC Scheme Process

Overview

Malaysian Common Criteria Certification Body (MyCB)

Accept/ Reject

Application

Accept

Malaysian Common Criteria Evaluation and Certification (MyCC) Scheme

Consumer

Certified Target of Evaluation

(TOE)Oversight Certify

Publish Evaluation Details

Conduct Technical Review

Attend Testing & Site Visit

Review Technical Report

Develop Certification

Report


Accept

Sponsor/ Developer

Target of Evaluation

(TOE)

Protection Profile (PP)

(TOE)

Certified Protection Profile (PP)

Oversight Certify

Plan Execute Close

Malaysian Security Evaluation Facility (MySEF)

Review Inputs

Submit Application

Evaluate Evidence

Submit to Technical Review

Submit Technical Report

Closedown

MyCC Scheme Publications

Policy

Strategy

MyCC Scheme Policy

(MyCC_P1)

MyCC Scheme

Certified Products

Register

MyCC Scheme

Evaluation Facility

MyCC Scheme

Customer Manual


Manual

Procedures

Register

(MyCC_P2)

Evaluation Facility

Manual (MyCC_P3)

Customer Manual

(MyCC_P4)

MyCC Scheme Certification Manual

(MyCC_P5)

Publicly available documents at www.cybersecurity.my/mycc

1. Understand




Agenda




4. Way forward


International Market

As of 21 July 2010, there are 1,265 CC certified products and systems in the world. These products are certified from 14 CCRA Authorising countries and recognised globally especially by 26 CCRA countries. Type of products being certified are:

• Access control devices and system

• Boundary protection devices and systems

• Database

• ICs, smart cards and smart card related devices and systems

• Network and network related devices and systems

• Biometric systems and devices

• Data protection

• Detection devices and systems

• Key Management systems

• Operating systems

• Products for Digital Signatures

• Other devices and systems

• Trusted Computing Reference: www.commoncriteriaportal.org


International Market

Finding from the schemes benchmarking:

� the US Government mandated the use of CC certified products for

government agencies. Policies and instructions that are related with

the use of CC certified products that can be found from their web

site (http://www.niap-ccevs.org/)


� the Australia and New Zealand Government also established ACSI

33 and NZSIT 400: Australia and New Zealand ICT Security Policies

which provides policies and guidance to government agencies on

how to protect their ICT systems and guidance on ICT product

selection. CC Certified ICT products are the preferred choice for

securing government information because of the added assurance

that security evaluation provides.

Local Market

• Malaysian Government is encouraging local ICT products to be evaluated and certified:

• Development of policy of buy Malaysian ICT security products or solution for the CNII. This policy encourage the use of certified ICT security products.encourage the use of certified ICT security products.

• Security evaluation and certification financial assistance for local ICT developers.


1. Understand




Agenda




4. Way forward


MyCC Scheme Implementation Plan

• Implementation will occur in three phases spanning five years and beyond

• Development – ends with CCRA certificate authorising acceptance

• Growth – ends with establishment of at least one MySEF external to CyberSecurity Malaysia

• Maturity – sufficient range of certified products and


• Maturity – sufficient range of certified products and several licensed MySEFs operating such that policy mandate is possible Jan - Dec 2008Aug - Dec 07

1: Development

Jan - Dec 2009 Jan - Dec 2010 Jan - Dec 2011 Jan - Dec 2012 Jan - Dec 2013 Jan - Dec 2014 Jan - Dec 2014

2 Growth

3 Maturity

Overlap because of possible

early increase in number of labs

10thMalaysian Plan9

thMalaysian Plan

MyCC Scheme Objective

MyCC SCHEME

Certifying ICT products against CC Standard and using CC

MyCBMyCB

(MALAYSIAN COMMON CRITERIA (MALAYSIAN COMMON CRITERIA

CERTIFICATION BODY)CERTIFICATION BODY)

MySEFsMySEFs

(MALAYSIAN SECURITY (MALAYSIAN SECURITY

EVALUATION FACILITIES)EVALUATION FACILITIES)

ICT products security evaluation against CC Standard and using CC Standard and using CC

Evaluation Methodology (CEM)against CC Standard and using CC Evaluation Methodology

(CEM)

CCRA CERTIFICATE AUTHORISING PARTICIPANT

Security Evaluation and Certification Project (1)

• To become the CCRA Authorising member, we need to

evaluate and certify 2 ICT products for at least 1 EAL3

and 1 EAL4. This is called Trial Evaluation and

Certification.

• There are 3 ICT products in evaluation:

– Firewall (EAL3)– Firewall (EAL3)

– Single sign-on application (EAL4)

– Smartcard OS (EAL4+)


• To stimulate the Malaysian economy, Malaysian

Government has accepted CyberSecurity Malaysia

proposal on ICT product security evaluation and

certification.

• The implementation of the Malaysia 2nd Economic • The implementation of the Malaysia 2 Economic

Stimulus Package is 2 years (2009 – 2010).

• Under this project, MyCC Scheme has to evaluates and

certifies local ICT products for EAL1 and EAL2.


As of July 2010 No of Product

Registered financial assistance application 103

Selected for pitching 44

Successful financial assistance application 27

• Status of 2nd Economic Stimulus Package projects:

Products in acceptance phase (evaluation application review by MyCB)

13

Products accepted by MyCC Scheme and kickoff evaluation

5

CCRA Certificate Authorising Participant

• Malaysia has submitted the application for CCRA

Certificate Authorising membership in Dec 2009.

• The application has been accepted by CCRA in March

2010.2010.

• Shadow Certification assessment by CCRA members

for MyCC Scheme is planned to be conducted in Oct

2010.

1. Understand




Agenda




4. Way forward


Corporate Office:

CyberSecurity Malaysia,

Level 8, Block A,Mines Waterfront Business Park,No 3 Jalan Tasik, The Mines Resort City,43300 Seri Kembangan,43300 Seri Kembangan,Selangor Darul Ehsan, Malaysia.

T +603 8946 0999F +603 8946 0888

www.cybersecurity.my


Documents

Malaysian Common Criteria Evaluation & Certification · PDF fileDescription Standard for gaining ... (MS ISO/IEC Malaysian Common Criteria Certification Body ... Malaysian Common Criteria