Yesterday’s entertainment

Slides:

Advertisements

Similar presentations

© Crown Copyright (2000) Module 2.6 Vulnerability Analysis.

Advertisements

Security Requirements

Module 1 Evaluation Overview © Crown Copyright (2000)

National Information Assurance Partnership Paul Mansfield January 2013

IEEE- P2600 PP Validation Suggested Process and Update Members: Ron Nevo, Brian Smithson, Alan Sukert, Lee Farrell, Nancy Chen, Carmen Aubry, Peter Cybuck.

PKE PP Mike Henry Jean Petty Entrust CygnaCom Santosh Chokhani.

April 2011S B Chetwynd – Research ethics, Information and Consent 1 Research Ethics, Information and Consent Dr Sue Chetwynd Associate Fellow Warwick University.

IT Security Evaluation By Sandeep Joshi

1 norshahnizakamalbashah CEM v3.1: Chapter 10 Security Target Evaluation.

The Common Criteria Cs5493(7493). CC: Background The need for independently evaluated IT security products and systems led to the TCSEC Rainbow series.

October 3, Partnerships for VoIP Security VoIP Protection Profiles David Smith Co-Chair, DoD VoIP Information Assurance Working Group NSA Information.

19.1 Silberschatz, Galvin and Gagne ©2003 Operating System Concepts with Java Chapter 19: Security The Security Problem Authentication Program Threats.

Security strategy. What is security strategy? How an organisation plans to protect and respond to security attacks on their information technology assets.

1 Terrie Diaz/ James Arnold 27 September 2007 Threats, Policies, and Assumptions in the Common Criteria What is the target of evaluation anyhow?

National Information Assurance Partnership NIAP 2000 Building More Secure Systems for the New Millenium sm.

Comparison between Family of PPs and PP with Packages Brian Smithson and Ron Nevo.

Assurance Continuity: What and How? Nithya Rachamadugu September 25, 2007.

Practical IS security design in accordance with Common Criteria Security and Protection of Information 2005 František VOSEJPKA S.ICZ a.s. June 5, 2005.

To Protect What Matters!! Protection Against Computer Virus Unit portfolio presentation by Saira Imtiaz.

Project Risk Management. The Importance of Project Risk Management Project risk management is the art and science of identifying, analyzing, and responding.

Lightweight Mobile Applications Certification: Prepared By: Rahul Biswas.

Tutorial 11 Installing, Updating, and Configuring Software

Lecture 15 Page 1 CS 236 Online Evaluating System Security CS 236 On-Line MS Program Networks and Systems Security Peter Reiher.

Background. History TCSEC Issues non-standard inflexible not scalable.

Computer Security By Rachel Gaines. Computers are used for work, play, and everything in between. So here’s how to keep it fun and protected.

Security Standards and Threat Evaluation. Main Topic of Discussion  Methodologies  Standards  Frameworks  Measuring threats –Threat evaluation –Certification.

1 September, 2002 doc:.: /386r0 Daniel V. Bailey, William Whyte, Ari Singer, NTRU 1 Project: IEEE P Working Group for Wireless Personal.

The Value of Common Criteria Evaluations Stuart Katzke, Ph.D. Senior Research Scientist National Institute of Standards & Technology 100 Bureau Drive;

Chapter 1 Overview The NIST Computer Security Handbook defines the term Computer Security as:

Common Criteria V3 Overview Presented to P2600 October Brian Smithson.

CMSC : Common Criteria for Computer/IT Systems

Enterprise Network Security Accessing the WAN – Chapter 4.

1 Using Common Criteria Protection Profiles. 2 o A statement of user need –What the user wants to accomplish –A primary audience: mission/business owner.

INFORMATION TECHNOLOGY. RIGHT METHODS TO DEAL WITH THE COMPUTER  Screen’s brightness and position should be comfortable for your eyes.  Keyboard should.

IEEE P2600 Working Group CygnaCom Solutions Introduction Kris Rogers 25 April 2007.

Chapter 19: Building Systems with Assurance Dr. Wayne Summers Department of Computer Science Columbus State University

Access The L Line The Express Line to Learning 2007 L Line L © Wiley Publishing All Rights Reserved.

The Digital Battery From: Budd, T.A. "Protecting and Managing Electronic Content with a Digital Battery". IEEE Computer (2001) 2-8. Steve Lord.

UnionPay Card Manufacturer Certification Introduction.

9 th International Common Criteria Conference Report to IEEE P2600 WG Brian Smithson Ricoh Americas Corporation 10/24/2008.

CONREPNET Performance based rehabilitation of reinforced concrete structures Members workshop – London – 24 & 25 April 2006 CE marking of concrete repair.

PROJECT DOMAIN : NETWORK SECURITY Project Members : M.Ananda Vadivelan & E.Kalaivanan Department of Computer Science.

Embedded Linux Conference6 April 2009Jake Edge - LWN.net Security Issues for Embedded Devices Jake Edge LWN.net Slides:

CS457 Introduction to Information Security Systems

The Common Criteria for Information Technology Security Evaluation

Security SIG in MTS 05th November 2013 DEG/MTS RISK-BASED SECURITY TESTING Fraunhofer FOKUS.

복합기의 보안 기술 디지털 프린팅 사업부 삼성전자

P802.11aq Waiver request regarding IEEE RAC comments

P802.11aq Waiver request regarding IEEE RAC comments

Making a Holiday Special For All The Right Reasons

IEEE 2600 Protection Profile Group

WHAT IS A VIRUS? A Computer Virus is a computer program that can copy itself and infect a computer A Computer Virus is a computer program that can copy.

How to Install Vipre Antivirus on Windows 10 PC?

8ICCC Update for IEEE P2600 Brian Smithson Ricoh Americas Corporation

Chapter 19: Building Systems with Assurance

Chapter 10: Supporting and Maintaining Desktop Applications

doc.: IEEE <doc#>

9th International Common Criteria Conference Report to IEEE P2600 WG

VeriCon Quality Certification Scheme

IEEE- P2600 PP Validation Suggested Process and Update

Security week 1 Introductions Class website Syllabus review

Don Wright Director of Standards Lexmark International

Final Conference 18 Set 2018.

P802.11aq Waiver request regarding IEEE RAC comments

P802.11aq Waiver request regarding IEEE RAC comments

Security in SDR & cognitive radio

IEEE- P2600 PP Guidelines Suggested Format and Content

New versus old asset/threat models

Mcafee.com/activate

Presentation transcript:

Yesterday’s entertainment Decided to remove Denial of Service threats, and related assets, objectives, etc., from the PPs DoS will remain in the P2600 best practices and mitigation techniques Decided to not consider the external network environment as a TOE asset, and to remove threats against that asset Instead, use OSPs as the basis for security objectives related to the TOE doing no harm to external devices Decided to use the proposed Family of PPs approach instead of the proposed Packages approach Decided to use the organization/content of PPs that makes it possible to apply the FPP to any combination of Print, Scan, Copy, and Fax, with or without network, etc.

Ideas for roundtable discussion How to get assurances from schemes (US, JP, others?) that our FPP approach is acceptable Would they certify this kind of FPP and conforming STs? If the FPP was certified by another scheme, would they be comfortable certify conforming STs? How to approach the problem of getting the FPPs evaluated by a CC lab and the P2600.* draft standards approved by the IEEE standards process? Some comments/corrections will be made by different reviewing bodies and will need to be merged into a new draft How to avoid (or negotiate away) conflicting comments? How to minimize the number of iterations

Ideas for roundtable discussion(2) How to reward/acknowledge organizations that fund certification of the FPPs? Funding is voluntary We can have some acknowledgment of organizations in the front matter of IEEE standards that contain each of the four FPPs We could also have some acknowledgment in the front matter of FPPs as they are published for the CC community (with CC front matter instead of IEEE front matter) Strategies for dealing with NIAP CCEVS, IPA, or other schemes

Ideas for roundtable discussion(3) Which SFRs might be used to fulfill the objective that some data on hard disks must be protected from being salvaged from hard disks that are removed from the TOE We already know about FDP_RIP for dereferenced data We assume that encryption would be used, but FCS_ class does not specify what will be encrypted, it only specifies how crypto is handled Even if we assume crypto is used in practice, can we do so without requiring cryptography? Or at least without using FCS_ class?

Ideas for roundtable discussion(4) Which SFRs might be used to fulfill the objective of preventing data from passing through the TOE (in one interface and out another) that hasn’t been mediated by the TSF? We have a special case of fax modems, using ADV_ARC? Others might use FDP_IFC/FDP_IFF How should we handle threats related to installing software? Re-installation or upgrade of the main HCD software Downloading and executing applets