Security Criteria, Certifications, and Training Lesson 25
The “Rainbow Series”
NSA documents with varied color covers:
Orange: Trusted Computer System Evaluation Criteria
Green: Password Management
Yellow: Guidance for Applying the Orange Book
Tan: Guide to Understanding Audit in Trusted Systems
Red: Trusted Network Interpretation
Purple: Formal Verification
Aqua: Understanding Security Modeling
Pink: Ratings Maintenance Phase Program
Forest Green: Magnetic Remanence
The “Orange Book”
The NCSC (NSA) developed the Trusted Computer System Evaluation Criteria (TCSEC).
Designed to meet three objectives:
- to provide guidance to manufacturers as to what security features to build into their products
- to provide DoD customers with a metric to evaluate the degree of trust they could place in a computer system
- to provide a basis for specifying security requirements in acquisition specifications
The Orange Book
Particular emphasis is on preventing unauthorized disclosure of information.
Based on the Bell-La Padula security model:
- Simple Security Condition: allows a subject read access to an object only if the security level of the subject dominates the security level of the object.
- *-Property: allows a subject write access to an object only if the security level of the subject is dominated by the security level of the object. Also known as the Confinement Property.
“No Read Up / No Write Down”
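The two Bell-La Padula rules above as a runnable reference monitor, added here as an example that is not part of the lecture: a label is a classification plus a set of need-to-know categories, "dominates" is the lattice order on labels, and the read and write checks are the Simple Security Condition and the *-Property. The classification names and the sample labels in demo() are constructed for illustration.

```python
from dataclasses import dataclass
from typing import FrozenSet

# Constructed hierarchical classifications, lowest to highest.
LEVELS = {"UNCLASSIFIED": 0, "CONFIDENTIAL": 1, "SECRET": 2, "TOP SECRET": 3}


@dataclass(frozen=True)
class Label:
    """A security level: classification plus a set of compartments (categories)."""
    classification: str
    categories: FrozenSet[str] = frozenset()

    def dominates(self, other: "Label") -> bool:
        # Lattice order: classification at least as high AND categories a superset.
        return (LEVELS[self.classification] >= LEVELS[other.classification]
                and self.categories >= other.categories)


def can_read(subject: Label, obj: Label) -> bool:
    """Simple Security Condition ("no read up"): the subject must dominate the object."""
    return subject.dominates(obj)


def can_write(subject: Label, obj: Label) -> bool:
    """*-Property / Confinement Property ("no write down"): the object must dominate the subject."""
    return obj.dominates(subject)


def check_access(subject: Label, obj: Label, mode: str) -> bool:
    """Mediate one access request; read-write requires both rules, so the labels must be equal."""
    if mode == "read":
        return can_read(subject, obj)
    if mode == "write":
        return can_write(subject, obj)
    if mode == "read-write":
        return can_read(subject, obj) and can_write(subject, obj)
    raise ValueError(f"unknown access mode: {mode}")


def demo() -> dict:
    # Constructed sample labels: a SECRET/NUCLEAR analyst touching four objects.
    analyst = Label("SECRET", frozenset({"NUCLEAR"}))
    public_doc = Label("UNCLASSIFIED")
    ts_plan = Label("TOP SECRET", frozenset({"NUCLEAR"}))
    secret_crypto = Label("SECRET", frozenset({"CRYPTO"}))
    return {
        "read public": check_access(analyst, public_doc, "read"),            # allowed: read down
        "write public": check_access(analyst, public_doc, "write"),          # denied: write down
        "read TS plan": check_access(analyst, ts_plan, "read"),              # denied: read up
        "write TS plan": check_access(analyst, ts_plan, "write"),            # allowed: write up
        "read SECRET/CRYPTO": check_access(analyst, secret_crypto, "read"),  # denied: missing category
    }
```

The last case shows why "dominates" is a lattice order and not just a level comparison: equal classification is not enough when the subject lacks the object's category.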
The Orange Book
“Trusted Computing Base” concept
7 levels:
D: Minimal Protection
C1: Discretionary Security Protection
C2: Controlled Access Protection
B1: Labeled Security Protection
B2: Structured Protection
B3: Security Domains
A1: Verified Protection
Division C Class C1
Division C Class C2
Division B Class B1
The “Red Book”
Trusted Network Interpretation (TNI)
Two parts:
- Interprets the Orange Book for networks (interpretation and rationale)
- Describes additional security services that arise with networks
Division C Class C1
The Network Security Services
Issues with Any Certification
- Certifications take time, thus they generally have a hefty price associated with them.
- By the time the product is evaluated, it's obsolete.
- Who gets to do the evaluation? Lots of folks don't want the government poking around their product, but can you trust some other company?
- Certifications are for a single release; if you release a new version it will need to be evaluated too.
The ITSEC and Common Criteria
After the TCSEC was published, several European countries issued their own criteria: the Information Technology Security Evaluation Criteria (ITSEC).
It had a number of improvements:
- Permitted new feature definitions and functionalities
- Accommodated commercial evaluation facilities
Soon the U.S. was preparing to update the TCSEC. Instead of multiple standards, how about a joint one? Thus, the birth of the Common Criteria.
Common Criteria
Has 7 Evaluation Assurance Levels (EAL):
EAL1: Functionally tested
EAL2: Structurally tested
EAL3: Methodologically tested and checked
EAL4: Methodologically designed, tested, and reviewed
EAL5: Semiformally designed and tested
EAL6: Semiformally verified design and tested
EAL7: Formally verified design and tested
Any collection of components can be combined with an EAL to form a Protection Profile, which defines an implementation-independent set of security requirements and objectives.
ICSA Certification
ICSA Inc. initiated a program for certifying IT products against a set of industry-accepted, de facto standards.
- Standards are developed with input from security experts, vendors, developers, and users.
- Targets threats that actually occur frequently, not postulated ones (think covert channels).
- Goal is criteria appropriate for 80% of customers.
- Has a mechanism for certification of future versions.
ICSA
Security Awareness and Training
We keep saying that people are the biggest problem, so... why not train them so we can get rid of (or reduce) the problem?
What types of things would be useful?
- General security training: passwords, social engineering, viruses
- Administrator training: specialized training for specific OS and security devices (e.g. firewalls, IDS...), vulnerability/risk assessments
Types of training
- Formal courses
- Online courses
- CD-based instruction (Security Awareness Programs)
Check Point Firewall Training
The first class yields the Check Point Certified Security Administrator (CCSA) certification. It provides a complete overview of FireWall-1 and focuses the hands-on training on stand-alone systems. This class is for end users and resellers who need a good technical understanding of FireWall-1 and need to install and set up simple configurations.
The second, more advanced class yields the Check Point Certified Security Engineer (CCSE) certification and goes into more depth on setting up multiple firewall systems, using different encryption schemes, alternative key management schemes, certificate authorities, etc., and includes hands-on practice of many of these advanced security techniques. The CCSA certification is a prerequisite for this class. This advanced class is for end users who have sophisticated security requirements for their enterprise networks and for resellers who seek Certified Check Point Partner status.
Foundstone
Training Courses
SecureInfo
MIS Training Institute
- Auditing Your Web Server
- Internet and Web Security
- Introduction to Network Security
- Network Intrusion Detection
- Protecting Your Networks with Firewalls
- Remote Access Services and Virtual Private Network Security
- Securing TCP/IP Networks
- Security and Audit of TCP/IP Networks
- SWITS Network Security Advanced Class
- Audit and Security of Windows NT Server V.4
- Control Analysis of Enterprise-wide Telecommunications
- Controlling and Securing Unix-Based Operating Systems
- Controlling and Securing Windows 2000
- Controlling Client/Server Environments
- Unix Workshop
Training as a Business
There is a bunch of money to be made in training:
- Consulting: assume 50-hour work weeks, 48 work weeks a year for a consultant, at $200/hour, 75% utilization = $360,000/year
- Training: 2 weeks/month teaching, 2 weeks preparing, for a trainer; 20 students/course, $1500/student = $720,000/year
Obviously there are other considerations: marketing and sales overhead, competition and demand.
(ISC)²
(ISC)² - International Information Systems Security Certifications Consortium
(ISC)² offers two certification examinations:
- the Certified Information Systems Security Professional (CISSP)
- the Systems Security Certified Practitioner (SSCP)
The CISSP program certifies IT professionals who are responsible for developing the information security policies, standards, and procedures and managing their implementation across an organization.
The SSCP program certifies network and systems administrators who implement those policies, standards, and procedures on the various hardware and software programs for which they are responsible.
CISSP
The (ISC)², working with a professional testing service, has developed a certification examination based on the information systems security Common Body of Knowledge (CBK). Candidates have up to 6 hours to complete the examination, which consists of 250 multiple-choice questions that address the ten topical test domains of the CBK.
The information systems security test domains are:
- Access Control Systems & Methodology
- (Computer) Operations Security
- Application & Systems Development
- Business Continuity & Disaster Recovery Planning
- Telecommunications & Network Security
- Security Architecture & Models
- Physical Security
- Cryptography
- Security Management Practices
- Law, Investigations & Ethics
SSCP
The (ISC)², working with a professional testing service, has developed a certification examination based on the SSCP Common Body of Knowledge (CBK). Candidates have up to 3 hours to complete the examination, which consists of multiple-choice questions that address the seven topical test domains of the CBK.
The information systems security test domains are:
- Access Control
- Administration
- Audit and Monitoring
- Risk, Response, and Recovery
- Cryptography
- Data Communications
- Malicious Code
SANS Institute
Conferences – Ontario, May 13-18
GIAC Training and Certification Program
SANS' GIAC Training and Certification Program is designed to serve the people who are or will be responsible for managing and protecting important information systems and networks. GIAC course specifications were developed through a consensus process that involved more than a hundred members of SANS' faculty and other experienced security practitioners. They combine the opinions, knowledge, and expertise of many of the world's most experienced front-line security and system administrators, intrusion detection analysts, consultants, auditors, and managers.
The GIAC certification program consists of:
- Information Security KickStart
- LevelOne Security Essentials
- LevelTwo subject area modules
GIAC Training: Information Security KickStart
Are you looking for a way to "break in" to the information security field? Did your manager just walk up to you and say, "Congratulations, you are the new security officer"? Then Information Security KickStart is for you!
KickStart was designed for the professional who needs to get up to speed fast on the terminology, concepts, issues, tools, and technology of the field. A student who completes the Information Security KickStart and GIAC Security Essentials Certification possesses the foundational skills that no information security professional should be without. KickStart and Security Essentials also prepare you for the more advanced, in-depth LevelTwo training.
GIAC Training: SANS Security Essentials
SANS Security Essentials offers a strong technical foundation for all areas of system and network security. Similar to KickStart, Security Essentials provides broad coverage of information security topics, but begins to go more in depth. Each of the eighteen course units offers practical, from-the-trenches, "how-to" information, not just theory.
Security Essentials includes the following units:
1: Information Assurance Foundations
2: IP Concepts
3: IP Behavior
4: Internet Threat
5: Basic Security Policy
6: Malicious Software and Anti-Virus Tools
7: Host Based Perimeter Protection
8: Windows NT Password Management
9: Unix Password Management
10: Introduction To Pretty Good Privacy (PGP)
11: Introduction To Cryptography 1
12: Introduction To Cryptography 2
13: Securing Windows NT Step-by-Step
14: Securing Linux Step-by-Step
15: Backups For Windows NT
16: Backups For Linux
17: Basic Windows NT Auditing
18: Basic Linux Auditing
SANS Security Essentials is available through a three-day class.
GIAC Training: Intrusion Detection in Depth
Intrusion Detection in Depth On-Line Training is one of SANS' signature courses, and offers an immersion in the world of intrusion detection. Like all GIAC programs, Intrusion Detection in Depth is continually revised to include the latest attack patterns. We strongly recommend that students spend some time getting familiar with tcpdump, Windump, or other network analyzer output before taking this course.
Intrusion Detection in Depth covers:
- Essential TCP/IP concepts for intrusion detection and network traffic analysis
- Configuration and use of tcpdump, the most widely used freeware traffic analysis tool
- Log file interpretation and analysis
- Configuration and use of Snort, the freeware intrusion detection system for both UNIX and Windows
- Intrusion detection signatures and analysis, including samples and explanation of numerous real-world traces
Security+ Certification