Omissions and errors in the CC: Who got it right? (8ICCC, Denise Cater)
1 Omissions and errors in the CC Who got it right? 8ICCC Denise Cater

2 Security Standards
ISO alone have issued:
– ISO15408 – Common Criteria
– ISO19092 – Financial Services – Security
– ISO19790 – Security Requirements for Cryptographic Modules (FIPS 140)
– ISO27001 – Information Security Management
– ISO27002 (formerly ISO17799) – ISMS best practice

3

4 Many standards: One CC
Catalogue of security components:
– Functional
– Assurance
Focus on repeatability:
– Voluminous guidance for consistent application
– Scheme rules and interpretations
= "Heavy" process

5 Payment Industry Security Standards
Payment Card Industry (PCI) Data Security Standard
EMV (Europay, Mastercard, Visa) Specifications
APACS PIN Entry Device PP (APACS)

6 APACS application of CC
Own Certification Body:
– Appointment of labs
– Issuing of certificates
Focus on CC:
– Less emphasis on CEM
Concentration of efforts:
– Design and testing seen as paramount
– Procedural requirements seen as supporting

7 Smartcard Industry
Developed PPs
Generated own interpretations:
– Adopted as CC Supporting Documents
– Included own Attack Potential Table
Examples of Smartcard Specific Attacks

8 Smartcard Industry
Took the CC and gave specific guidance for their industry
A lot of focus placed on penetration testing
Identified additional stages in lifecycle/delivery

9 Adapt to Adopt
Both industries have made changes to use CC:
– Interpretations
– Greater emphasis in some areas, less in others

10 Who got it right?
The CC of course!
– Providing a catalogue that Industry and other schemes can draw upon
But, also Industry/other schemes:
– Focus on areas of specific interest
– Light-touch on other areas

11 Who got it wrong?
Those who requested EALs to be included in CC (for backwards compatibility):
– Led to "incorrect" use of CC
– Initially fewer PPs developed, as effort just concentrated on the assurance level

12 Who got it wrong?
Authors of the CEM or CC Schemes?
– Too prescriptive
– Forcing evaluators to complete work units at a level of detail that is not always necessary
– Time spent on "meeting the CEM" that would be better spent on testing and vulnerability analysis

13 In summary
CC got it right
CC got it wrong
But, Industry can adapt the CC to adopt it

14 Thank you
Denise Cater