1 Terrie Diaz/ James Arnold 27 September 2007 Threats, Policies, and Assumptions in the Common Criteria What is the target of evaluation anyhow?

Slides:



Advertisements
Similar presentations
Security Requirements
Advertisements

Operating System Security
Cryptography and Network Security 2 nd Edition by William Stallings Note: Lecture slides by Lawrie Brown and Henric Johnson, Modified by Andrew Yang.
PKE PP Mike Henry Jean Petty Entrust CygnaCom Santosh Chokhani.
Software Quality Assurance Plan
Common Criteria Richard Newman. What is the Common Criteria Cooperative effort among Canada, France, Germany, the Netherlands, UK, USA (NSA, NIST) Defines.
Effective Design of Trusted Information Systems Luděk Novák,
Policies vs Threats by Albert Dorofeev, Sony Corporation 10 th International Common Criteria Conference, 2009.
IT Security Evaluation By Sandeep Joshi
1 norshahnizakamalbashah CEM v3.1: Chapter 10 Security Target Evaluation.
The Common Criteria Cs5493(7493). CC: Background The need for independently evaluated IT security products and systems led to the TCSEC Rainbow series.
The Security Analysis Process University of Sunderland CIT304 Harry R. Erwin, PhD.
1 James Arnold/ Terrie Diaz 25 September 2007 Common Criteria: Optional Security Requirements and Functions?
1 No Silver Bullet : Inherent Limitations of Computer Security Technologies Jeffrey W. Humphries Texas A&M University.
Lecture Outline 10 INFORMATION SYSTEMS SECURITY. Two types of auditors External auditor: The primary mission of the external auditors is to provide an.
DoD Information Technology Security Certification and Accreditation Process (DITSCAP) Phase III – Validation Thomas Howard Chris Pierce.
Network Isolation Using Group Policy and IPSec Paula Kiernan Senior Consultant Ward Solutions.
1 Evaluating Systems CSSE 490 Computer Security Mark Ardis, Rose-Hulman Institute May 6, 2004.
Security Controls – What Works
Information Security Policies and Standards
Cryptography and Network Security Chapter 1. Chapter 1 – Introduction The art of war teaches us to rely not on the likelihood of the enemy's not coming,
DITSCAP Phase 2 - Verification Pramod Jampala Christopher Swenson.
Stephen S. Yau CSE , Fall Security Strategies.
Purpose of the Standards
Network security policy: best practices
Developing a Security Policy Chapter 2. Learning Objectives Understand why a security policy is an important part of a firewall implementation Determine.
Fraud Prevention and Risk Management
Presented by Manager, MIS.  GRIDCo’s intentions for publishing an Acceptable Use Policy are not to impose restrictions that are contrary to GRIDCo’s.
SECURITY REQUIREMENT FROM PROBLEM FRAMES PERPECTIVE Fabricio Braz 01/25/08.
SEC835 Database and Web application security Information Security Architecture.
Lesson 8-Information Security Process. Overview Introducing information security process. Conducting an assessment. Developing a policy. Implementing.
Storage Security and Management: Security Framework
1 Autumn 2008 TM8104 IT Security Evaluation Guide on the production of Protection Profiles Karin Sallhammar Q2S/NTNU 29/11/2003 Reference: ISO/IEC TR
Practical IS security design in accordance with Common Criteria Security and Protection of Information 2005 František VOSEJPKA S.ICZ a.s. June 5, 2005.
Introduction to ISO New and modified requirements.
Network Security Policy Anna Nash MBA 737. Agenda Overview Goals Components Success Factors Common Barriers Importance Questions.
Information Systems Security Computer System Life Cycle Security.
Cryptography and Network Security
The Security Analysis Process University of Sunderland CSEM02 Harry R. Erwin, PhD.
General Key Management Guidance. Key Management Policy  Governs the lifecycle for the keying material  Hope to minimize additional required documentation.
Important acronyms AO = authorizing official ISO = information system owner CA = certification agent.
Certification and Accreditation CS Phase-1: Definition Atif Sultanuddin Raja Chawat Raja Chawat.
Background. History TCSEC Issues non-standard inflexible not scalable.
1 Common Criteria Ravi Sandhu Edited by Duminda Wijesekera.
Information Systems Security
The Value of Common Criteria Evaluations Stuart Katzke, Ph.D. Senior Research Scientist National Institute of Standards & Technology 100 Bureau Drive;
Lesson 7-Managing Risk. Overview Defining risk. Identifying the risk to an organization. Measuring risk.
Slides copyright 2010 by Paladin Group, LLC used with permission by UMBC Training Centers, LLC.
Topic 1 – Introduction Huiqun Yu Information Security Principles & Applications.
1 Using Common Criteria Protection Profiles. 2 o A statement of user need –What the user wants to accomplish –A primary audience: mission/business owner.
Information Security IBK3IBV01 College 2 Paul J. Cornelisse.
Security Environment Assessment. Outline  Overview  Key Sources and Participants  General Findings  Policy / Procedures  Host Systems  Network Components.
HIPAA Security Final Rule Overview
Design Principles and Common Security Related Programming Problems
Risk Identification and Risk Assessment
INTRODUCTION TO COMPUTER & NETWORK SECURITY INSTRUCTOR: DANIA ALOMAR.
High Assurance Products in IT Security Rayford B. Vaughn, Mississippi State University Presented by: Nithin Premachandran.
HardSSH Cryptographic Hardware Key Team May07-20: Steven Schulteis (Cpr E) Joseph Sloan (EE, Cpr E, Com S) Michael Ekstrand (Cpr E) Taylor Schreck (Cpr.
Prepared By: Razif Razali 1 TMK 264: COMPUTER SECURITY CHAPTER SIX : ADMINISTERING SECURITY.
Cryptography and Network Security Chapter 1. Background  Information Security requirements have changed in recent times  traditionally provided by physical.
Privacy Compliance in Schools Darrebin A/P’s Network 7 May 2009.
Chapter 3-Auditing Computer-based Information Systems.
Important acronyms AO = authorizing official ISO = information system owner CA = certification agent.
Chapter 29: Program Security Dr. Wayne Summers Department of Computer Science Columbus State University
By: Mark Reed.  Protecting information and information systems from unauthorized access, use, disclosure, disruption, modification, or destruction.
Introduction to the Federal Defense Acquisition Regulation
Security in Networking
James Arnold/ Jean Petty 27 September 2007
Cyber security Policy development and implementation
Chapter 1 Key Security Terms.
Presentation transcript:

1 Terrie Diaz/ James Arnold 27 September 2007 Threats, Policies, and Assumptions in the Common Criteria What is the target of evaluation anyhow?

2 Topics  Introduction  Approaches and philosophies in describing the security problems  Reuse of and sources of security problem statements;  Proper construction of security problem statements, –specification of threat agents, assets, methods, etc.;  When to use threats vs. organizational security policies;  Emphasis on the security problems directly addressed by the product (described in the ST); and  Handling of security problems only partially addressed by the product  Recommendations and Conclusions Note that the presentation was developed in accordance with Common Criteria version 3.1, but it applies equally to version 2.X as well.

3 Introduction  Security Problem Definition (a.k.a) Security Environment in CCv2.X –Top level statement of the problems to be solved Threats Organizational security policies Assumptions  Security Objectives –Top level statement of how the security problems will be addressed TOE Environment –IT Environment distinguished only in CCv2.X

4 Introduction  Different approaches and philosophies in describing the security problems. –Problems addressed by the TOE, introduced by the TOE, related to evaluation of the TOE, and to be addressed outside the TOE –Abstract and general to very detailed and specific –Minimal set of brief statements to a very extensive collection of statements  This presentation will examine security problem presentations and offer recommendations that could help to make security problem statements more consistent in the future.

5 Approaches and philosophies in describing the security problems  Identification of Security Problem –CC intends the security problem to precede the TOE –However, Security Targets are often created from the bottom up We know what the TOE does and hence the requirements it can satisfy Those requirements are abstracted into objectives and then security problem statements –The result is often that the security problem tends to lose focus as it strays away from what the TOE was created to solve and into problems related to the TOE itself or its environment, for example “An administrator’s intentions may become malicious resulting in user or TSF data being compromised” (Medium Robustness Traffic Filter Firewall PP)

6 Approaches and philosophies in describing the security problems  Subjects of Security Problems –The target of the TOE – the TOE was created to solve some security problem and those problems Primary purpose of the TOE Must always be represented in the security problem definition  Example –“An unauthorized person may send impermissible information through the TOE which results in the exploitation of resources on the internal network” (Medium Robustness Application Firewall PP) –“A private or secret key is improperly disclosed” (Certificate Issuing and Management Components PP)

7 Approaches and philosophies in describing the security problems  Subjects of Security Problems –The TOE – the TOE brings its own security problems that either it or its environment must solve (e.g., protect itself from tampering) Secondary purpose of the TOE Should not be included in the security problem definition –Can be introduced in the form of objectives for the TOE that map to the primary purpose of the TOE –Example An administrator may incorrectly install or configure the TOE resulting in ineffective security mechanisms

8 Approaches and philosophies in describing the security problems  Subjects of Security Problems –The evaluation of the TOE – while the TOE solves some security problems (as indicated above) there is the issue of the level of assurance it has in so doing Note that the CC does not require the tracing of assurance requirements to objectives or security problems Should not be included in the security problem definition –The assurance requirement rationale should address the selection of assurance requirements –Hypothetically the problems addressed by the CC-defined assurance requirements should be fixed and should not be left to be recreated within each Security Target –Example “Lack of or insufficient tests to demonstrate that all TOE security functions operate correctly (including in a fielded TOE) may result in incorrect TOE behavior being undiscovered thereby causing potential security vulnerabilities” (Consistency Instruction Manual)

9 Approaches and philosophies in describing the security problems  Subjects of Security Problems –The TOE environment – there are security problems that are not addressed by the TOE and are left to be addressed elsewhere With the exclusion of IT environment objectives in CCv3.1, these should no longer occur Some historical cases where an overall problem was defined only to show that the TOE fits into the solution by addressing part of the problem while leaving the rest to something else –Example “A hacker physically interacts with the system to exploit vulnerabilities in the physical environment, resulting in arbitrary security compromises” (Certificate Issuing and Management Components PP)

10 Approaches and philosophies in describing the security problems  The statement of the environment should be a concise statement of the problem being solved by the TOE  Threats –The threats should be based on product type Certain products imply certain threats –The threats should be limited to the purpose of the TOE Should not include any threats that would not exists in the absence of the TOE –Self-serving assertions distract the reader

11 Approaches and philosophies in describing the security problems (continued)  Organizational Security policies –Rules, procedures, practices, or guidelines imposed by an organization upon its operations Example of how the TOE is intended to work –The TOE shall display an initial banner describing restrictions of use, legal agreements, or any other appropriate information to which users consent by accessing the system. Reference: DODI Example of out of scope –Must be FIPS certified or CC evaluated  Assumptions –Constrain the evaluation –Articulate elements the TOE requires to fulfill its claims Connectivity - e.g. interactions with other products Personnel – e.g. the users that are managing the functions of the TOE as well as the users that using the functions of the TOE Physical – e.g. a requirement for a backup power supply

12 Reuse of and sources of security problem statements  Validated Protection Profiles –Claim conformance –Borrow content for related technology  NSA PP Development Consistency Guides  Validated Security Targets –Borrow content for related technology –Composite TOE  PPs and Consistency Guides suffer from including problems about the TOE, its evaluation, and its environment.  STs suffer from general inconsistency.

13 Security Problem Definition  Threats to assets which specific protection within the TOE or its environment is required –Threats of Disclosure –Threats to Integrity –Threats to Service  Organizational Security Policies are imposed by the organization controlling the operational environment of the TOE –Rules, process, procedures, standard  Assumptions about the operating environment in which the TOE will be used –Placed on the operational environment –Derived from knowledge of the product and how it is intended to be used

14 Threats  Threat elements –Agent is the entity that can adversely act on assets Human entity –Employee –Non-employee Computer Processes –Method of attack Network Abuse of privileges Physical –Asset TSF Data User Data –In storage –On the network Resources –Files

15 Organizational Security Policy  Rules, procedures, or guidelines that are currently imposed or will be by an actual organization or a hypothetical organization. –CCEVS disallowed OSPs when the organization could not be identified with the policy –CCv3.1 allows hypothetical policies  Imposed by the controlling organization or by legislative or regulatory bodies  OSPs can be levied against the TOE or the operational environment, for example –Access Control –Management –Password generation –Encryption

16 When to use threats vs. organizational security policies  In many cases OSP and threat can be interchanged, but there are exceptions where a policy cannot readily become a threat –All products used by the Government must conform to the National Standard for password generation and encryption  In reality OSP and threat are two different abstractions since there can be no threats without first having some policies (at least implied) –OSP - Only users with system administrator privilege and clearance of Department Secret shall be allowed to manage the Department fileserver. –Threat – An unprivileged or uncleared user could take control of the fileserver

17 Assumptions  Identify the things outside the TOE control that the TOE depends on –Physical Assumptions Restricted access area Minimize electromagnetic emanations –Personnel Assumptions Users will be sufficiently trained Users are approved to have access to the level of information –Connectivity Assumptions Will not be connected to an untrusted network Requirement of disk space Application host requirement Location

18 Emphasis on the security problems directly addressed by the product (described in the ST)  Security Objectives are a concise and abstract statement of the intended solution to the defined problem –Delving into a complete solution that addresses the problem(s) as well as protecting the solution –Solutions should be focused and minimal Primary Function –Reason product was developed –Most important function Protect Primary Function –If primary function not protected, it could fail Manage Primary Function  Can all be traced to the real purpose of the TOE

19 Handling of security problems only partially addressed by the product  The operational environment implements measures to assist the TOE in providing its security functionality –Protect Functions –Manage Functions –Supports the TOE security functions e.g. cryptographic operations

20 Recommendations and Conclusions  Consistent security problem statements –Abstract as possible while still representing the problem  Focus on the problem to be solved; minimum set necessary to represent the problem  Expand the solution into security objectives to represent a complete solution

21 Contact Terrie Diaz SAIC Accredited Testing & Evaluation Labs Quality Assurance Director James Arnold SAIC Accredited Testing & Evaluation Labs AVP/Technical Director