Common Criteria Evaluation and Validation Scheme Syed Naqvi XtreemOS Training Day.



Formal Security Evaluations
– Independent (third-party) attestation of a developer's security claims against defined security evaluation criteria.
– Evaluations result in an independent measure of assurance and therefore build confidence in security.
– Secures the development process and yields a better product.
– Comprehensive security solutions cannot be evaluated by simple examination!

Evolution of Evaluation Criteria
[Timeline figure; entries shown: TCSEC (1985), UK CLs (1989), German Criteria, French Criteria, Dutch Criteria, ITSEC (1991), Federal Criteria Draft (1993), Canadian Criteria (1993), ISO/IEC 15408]

Common Criteria Purpose
From the User perspective:
– A way to define Information Technology (IT) security requirements for some IT products:
    Hardware
    Software
    Combinations of the above
From the Developer/Vendor perspective:
– A way to describe the security capabilities of their specific product
From the Evaluator/Scheme perspective:
– A tool to measure the belief we may attain about the security characteristics of a product.

Common Criteria Terminology
– PP : Protection Profile. Contains a set of Functional and Assurance requirements for a product or system, written to be implementation independent.
– ST : Security Target. Contains the requirements that the specific product or system under evaluation conforms to, written to be implementation dependent.
– TOE : Target of Evaluation. The product or system that is to be evaluated against the criteria detailed in the Security Target.
– EAL : Evaluation Assurance Level. Each level contains specific assurance requirements that build on one another. CC defines EAL 1 through 7, with EAL7 being the highest.
– SOF : Strength of Function. A qualification of a TOE Security Function expressing the minimal efforts assumed to defeat its security mechanisms.

Common Criteria Model
Source: Helmut Kurth, How Useful are Product Security Certifications for Users of the Product, June 2005

Evaluation Assurance Levels
1. Functionally tested
2. Structurally tested
3. Methodically tested and checked
4. Methodically designed, tested, and reviewed
5. Semi-formally designed and tested
6. Semi-formally verified design and tested
7. Formally verified design and tested

CC Evaluation Example

Target of Evaluation (TOE)

Evaluated Configuration

Security Environment

Security Objectives

Security Requirements

Security Functional Requirements
– Class FAU: Security Audit
– Class FPR: Privacy
– Class FCO: Communication
– Class FPT: Protection of the TSF
– Class FCS: Cryptographic Support
– Class FRU: Resource Utilization
– Class FDP: User Data Protection
– Class FTA: TOE Access
– Class FMT: Security Management
– Class FTP: Trusted Path/Channels
– Class FIA: Identification & Authentication

Security Assurance Requirements
– Class ACM: Configuration & Management
– Class AVA: Vulnerability Assessment
– Class ADO: Delivery & Operation
– Class ADV: Development
– Class ALC: Life Cycle Support
– Class ATE: Tests
– Class AGD: Guidance Documents

Functional Requirements


Functional Requirements

Assurance Requirements

Security Rationale

Security Objectives Rationale

Security Requirements Rationale

Dependencies

Thank you
Syed Naqvi
CoreGRID Research Fellow
E-Science Systems Research Department
CCLRC Rutherford Appleton Laboratory, UK