a security business case for the common criteria marty ferris ferris & associates, inc....
TRANSCRIPT
![Page 1: A Security Business Case for the Common Criteria Marty Ferris Ferris & Associates, Inc. 202-234-9683 jmferris@erols.com](https://reader031.vdocuments.us/reader031/viewer/2022032106/56649e2f5503460f94b1f23b/html5/thumbnails/1.jpg)
A Security Business Case for the
Common Criteria
Marty Ferris Ferris & Associates, Inc.
![Page 2: A Security Business Case for the Common Criteria Marty Ferris Ferris & Associates, Inc. 202-234-9683 jmferris@erols.com](https://reader031.vdocuments.us/reader031/viewer/2022032106/56649e2f5503460f94b1f23b/html5/thumbnails/2.jpg)
Outline
• Security Problem Overview – Bounding a Moving Target
• Role of Standards • Common Criteria
![Page 3: A Security Business Case for the Common Criteria Marty Ferris Ferris & Associates, Inc. 202-234-9683 jmferris@erols.com](https://reader031.vdocuments.us/reader031/viewer/2022032106/56649e2f5503460f94b1f23b/html5/thumbnails/3.jpg)
Owners
ConfidenceAssets
Threats
Exposures
SecurityFunctions
Assurance
Evaluation
create
to
value require
thatreduce
giving
leads to
Security Concepts and Relationships
![Page 4: A Security Business Case for the Common Criteria Marty Ferris Ferris & Associates, Inc. 202-234-9683 jmferris@erols.com](https://reader031.vdocuments.us/reader031/viewer/2022032106/56649e2f5503460f94b1f23b/html5/thumbnails/4.jpg)
Bound the Exposure Problem – Organizational Security
Management
• Develop Policies and Standards• Develop Operational Security
Practices• On-Going Assessment of Security
Program
![Page 5: A Security Business Case for the Common Criteria Marty Ferris Ferris & Associates, Inc. 202-234-9683 jmferris@erols.com](https://reader031.vdocuments.us/reader031/viewer/2022032106/56649e2f5503460f94b1f23b/html5/thumbnails/5.jpg)
Operational Security Practices Defining “Good Enough”
• Risk/Acceptability Model– Security Program as Starting Place – Ongoing assessment and refinement
• Marketplace dependence for IT Security Solutions
• Security Infrastructures Evolve
![Page 6: A Security Business Case for the Common Criteria Marty Ferris Ferris & Associates, Inc. 202-234-9683 jmferris@erols.com](https://reader031.vdocuments.us/reader031/viewer/2022032106/56649e2f5503460f94b1f23b/html5/thumbnails/6.jpg)
Security Infrastructures
• Physical Security• “People” Security
– Internal Personnel Security– Customer’s Security Role
• IT Product, Systems and Services Security
• Anomaly Processing– Identification of Security Events
![Page 7: A Security Business Case for the Common Criteria Marty Ferris Ferris & Associates, Inc. 202-234-9683 jmferris@erols.com](https://reader031.vdocuments.us/reader031/viewer/2022032106/56649e2f5503460f94b1f23b/html5/thumbnails/7.jpg)
Physical/People
Communications Security
Computer Security
Application Security
Old Security Infrastructures
![Page 8: A Security Business Case for the Common Criteria Marty Ferris Ferris & Associates, Inc. 202-234-9683 jmferris@erols.com](https://reader031.vdocuments.us/reader031/viewer/2022032106/56649e2f5503460f94b1f23b/html5/thumbnails/8.jpg)
Computer Security-Central Technical Security
Infrastructure• Application Security
– Smart Cards– Browsers
• Virtual Private Networks– Firewalls– IPSec– TLS/SSL
• Public Key Infrastructure
![Page 9: A Security Business Case for the Common Criteria Marty Ferris Ferris & Associates, Inc. 202-234-9683 jmferris@erols.com](https://reader031.vdocuments.us/reader031/viewer/2022032106/56649e2f5503460f94b1f23b/html5/thumbnails/9.jpg)
Physical/People
Computer Security
Communications Security
Application Security
New Security Infrastructures
![Page 10: A Security Business Case for the Common Criteria Marty Ferris Ferris & Associates, Inc. 202-234-9683 jmferris@erols.com](https://reader031.vdocuments.us/reader031/viewer/2022032106/56649e2f5503460f94b1f23b/html5/thumbnails/10.jpg)
Bad Security
??
![Page 11: A Security Business Case for the Common Criteria Marty Ferris Ferris & Associates, Inc. 202-234-9683 jmferris@erols.com](https://reader031.vdocuments.us/reader031/viewer/2022032106/56649e2f5503460f94b1f23b/html5/thumbnails/11.jpg)
Good Security
??
![Page 12: A Security Business Case for the Common Criteria Marty Ferris Ferris & Associates, Inc. 202-234-9683 jmferris@erols.com](https://reader031.vdocuments.us/reader031/viewer/2022032106/56649e2f5503460f94b1f23b/html5/thumbnails/12.jpg)
Security “Reality”
??
![Page 13: A Security Business Case for the Common Criteria Marty Ferris Ferris & Associates, Inc. 202-234-9683 jmferris@erols.com](https://reader031.vdocuments.us/reader031/viewer/2022032106/56649e2f5503460f94b1f23b/html5/thumbnails/13.jpg)
Protected Assets
Assets
Security Gap
}} Actual
Asset Exposur
e(Reality)
Asset Protection
Policy (Perceived)
![Page 14: A Security Business Case for the Common Criteria Marty Ferris Ferris & Associates, Inc. 202-234-9683 jmferris@erols.com](https://reader031.vdocuments.us/reader031/viewer/2022032106/56649e2f5503460f94b1f23b/html5/thumbnails/14.jpg)
The Security ManagementChallenge:
Bounding a Moving Target
• Building and Maintaining Security Infrastructures
• Managing “Security Gaps”• Security Planning
– Support both IT Vision and Security Policies
– Marketplace dependence– Best Value Solutions
![Page 15: A Security Business Case for the Common Criteria Marty Ferris Ferris & Associates, Inc. 202-234-9683 jmferris@erols.com](https://reader031.vdocuments.us/reader031/viewer/2022032106/56649e2f5503460f94b1f23b/html5/thumbnails/15.jpg)
Role of Security Standards
• Support Management Process for New IT Services(?)– Business case for IT Investment– Cost Containment Strategies
• Requirements and specifications• Equivalence and Interoperability • Voluntary consensus vs “de facto”• Limited operational practices context• Compliance assurances
![Page 16: A Security Business Case for the Common Criteria Marty Ferris Ferris & Associates, Inc. 202-234-9683 jmferris@erols.com](https://reader031.vdocuments.us/reader031/viewer/2022032106/56649e2f5503460f94b1f23b/html5/thumbnails/16.jpg)
Standards Development Process
• Business need driven• Scope – within a business context• Balanced participation
– open to buyers and sellers of technology as well as technology experts
• Document requirements/specifications• Voting process for consensus and
resolving disagreements• Public comment
![Page 17: A Security Business Case for the Common Criteria Marty Ferris Ferris & Associates, Inc. 202-234-9683 jmferris@erols.com](https://reader031.vdocuments.us/reader031/viewer/2022032106/56649e2f5503460f94b1f23b/html5/thumbnails/17.jpg)
What is the Common Criteria
• International Standard Meta-language for describing IT security requirements– Features and assurances– Supports both buyer “I need” and Seller
“I provide”
• How “one applies” the Meta language is:– Constituent (Seller or Buyer) dependent
• Security Management Tool
![Page 18: A Security Business Case for the Common Criteria Marty Ferris Ferris & Associates, Inc. 202-234-9683 jmferris@erols.com](https://reader031.vdocuments.us/reader031/viewer/2022032106/56649e2f5503460f94b1f23b/html5/thumbnails/18.jpg)
Infrastructure Support for Common Criteria
• International Registry of Buyer and Seller requirements
• Assurances Laboratories for both Buyer and Seller
• International Mutual Acceptance of Features and Assurances
![Page 19: A Security Business Case for the Common Criteria Marty Ferris Ferris & Associates, Inc. 202-234-9683 jmferris@erols.com](https://reader031.vdocuments.us/reader031/viewer/2022032106/56649e2f5503460f94b1f23b/html5/thumbnails/19.jpg)
Common Criteria Potential Benefits
• Better Tool to Bound problem(s) – More accurate definition of
requirements– Threat and policy – IT and Non-IT assumptions– Interoperability and equivalence– Features and Assurances
![Page 20: A Security Business Case for the Common Criteria Marty Ferris Ferris & Associates, Inc. 202-234-9683 jmferris@erols.com](https://reader031.vdocuments.us/reader031/viewer/2022032106/56649e2f5503460f94b1f23b/html5/thumbnails/20.jpg)
Common Criteria Potential Benefits (cont.)
• Market friendlier• Friendlier to integrating both
established and emerging security technologies and practices
• Supports buyers IT business case development
• Supports Seller’s business case to bring IT services to market
![Page 21: A Security Business Case for the Common Criteria Marty Ferris Ferris & Associates, Inc. 202-234-9683 jmferris@erols.com](https://reader031.vdocuments.us/reader031/viewer/2022032106/56649e2f5503460f94b1f23b/html5/thumbnails/21.jpg)
1985 1990 1997
USTCSEC
FederalCriteria
ITSEC1.2
EuropeanNational
& RegionalInitiatives
CanadianInitiatives
CTCPEC3
ISOInitiatives
CommonCriteriaProject
NIST’sMSFR
ISOStandard
1998
A Brief History of Common Criteria
![Page 22: A Security Business Case for the Common Criteria Marty Ferris Ferris & Associates, Inc. 202-234-9683 jmferris@erols.com](https://reader031.vdocuments.us/reader031/viewer/2022032106/56649e2f5503460f94b1f23b/html5/thumbnails/22.jpg)
Common Criteria as International Standard
• 1990 - Working Group 3, Subcommittee 3, Joint Technical Committee 1 begins addressing IT security
• 1993 - Member Nations pool resources and assist WG3
• Common Criteria (CC) Version 2 provided, May 1998
• CC, Version 2, as International Standard ISO/IEC 15408 being reviewed and voted upon
![Page 23: A Security Business Case for the Common Criteria Marty Ferris Ferris & Associates, Inc. 202-234-9683 jmferris@erols.com](https://reader031.vdocuments.us/reader031/viewer/2022032106/56649e2f5503460f94b1f23b/html5/thumbnails/23.jpg)
Part 3 SecurityAssurance Requirements
• Assurance Classes
• Assurance Families
• Assurance Components
• Detailed Req’ts
• Eval. Assur. Levels
Part 2 SecurityFunctional Requirements
• Functional Classes
• Functional Families
• Functional Components
• Detailed Req’ts
Part 1Introduction & Model
• Introduction to Approach
• Terms & Model
• Requirements for Protection Profiles & Security Targets
Part 4Registry ofProtection Profiles
Overview of Common Criteria Structure
![Page 24: A Security Business Case for the Common Criteria Marty Ferris Ferris & Associates, Inc. 202-234-9683 jmferris@erols.com](https://reader031.vdocuments.us/reader031/viewer/2022032106/56649e2f5503460f94b1f23b/html5/thumbnails/24.jpg)
Common Criteria Look and Feel
• Official title - Common Criteria for Information Technology Security Evaluations
• Part 1, Introduction• Part 2, Functional Requirements
– Desired information technology security behavior
![Page 25: A Security Business Case for the Common Criteria Marty Ferris Ferris & Associates, Inc. 202-234-9683 jmferris@erols.com](https://reader031.vdocuments.us/reader031/viewer/2022032106/56649e2f5503460f94b1f23b/html5/thumbnails/25.jpg)
Common Criteria Look and Feel(cont.)
• Part 3, Assurance Requirements– Measures providing confidence
that the Security Functionality is effective and correctly implemented
• CC intro at <http://csrc.nist.gov/cc/info/cc-sum/content.htm>
![Page 26: A Security Business Case for the Common Criteria Marty Ferris Ferris & Associates, Inc. 202-234-9683 jmferris@erols.com](https://reader031.vdocuments.us/reader031/viewer/2022032106/56649e2f5503460f94b1f23b/html5/thumbnails/26.jpg)
Functional Requirements Classes
• FAU -- Security Audit (35)• FCO -- Communication (Non-Repudiation) (4)• FCS -- Cryptographic Support (40)• FDP -- User Data Protection (46)• FIA -- Identification & Authentication (27)• FPR -- Privacy (Anonymity, etc.) (8)• FPT -- Protection of Trusted Security
Functions (43)• FRU -- Resource Utilization (8)• FTA -- TOE Access (11)• FTP -- Trusted Path (2)
![Page 27: A Security Business Case for the Common Criteria Marty Ferris Ferris & Associates, Inc. 202-234-9683 jmferris@erols.com](https://reader031.vdocuments.us/reader031/viewer/2022032106/56649e2f5503460f94b1f23b/html5/thumbnails/27.jpg)
Evaluation Assurance Levels• Levels - EAL 1 through 7
– increasing rigor and formalism from 1 up to 7• Seven classes addressed for each level
– Configuration Management– Delivery and operation– Development– Guidance documents– Life-cycle support– Testing– Vulnerability Assessment
![Page 28: A Security Business Case for the Common Criteria Marty Ferris Ferris & Associates, Inc. 202-234-9683 jmferris@erols.com](https://reader031.vdocuments.us/reader031/viewer/2022032106/56649e2f5503460f94b1f23b/html5/thumbnails/28.jpg)
Vendor/Customer Requirements
• Protection Profiles (PP)– User requirements (“I need”)– Multiple implementations may satisfy
• Security Targets (ST)– Vendor claims (“I will provide”)– Implementation specific
• Methodology– First, threats and policy stated– then Features and Assurances selected
![Page 29: A Security Business Case for the Common Criteria Marty Ferris Ferris & Associates, Inc. 202-234-9683 jmferris@erols.com](https://reader031.vdocuments.us/reader031/viewer/2022032106/56649e2f5503460f94b1f23b/html5/thumbnails/29.jpg)
CC Product Validation and Evaluation Scheme
• Targeted to begin in 1999• Using security specifications from
Common Criteria (CC)• Procedures based upon Common
Evaluation Methodology (CEM)• Testing and evaluations performed by
NVLAP accredited commercial labs• International recognition of evaluations
(Mutual Recognition) • Results posted on NIAP’s WWW page
![Page 30: A Security Business Case for the Common Criteria Marty Ferris Ferris & Associates, Inc. 202-234-9683 jmferris@erols.com](https://reader031.vdocuments.us/reader031/viewer/2022032106/56649e2f5503460f94b1f23b/html5/thumbnails/30.jpg)
Laboratories
• NSA’s TTAP laboratories are the Interim CC labs
• ARCA Systems, BAH, COACT, CSC, Cygnacom Solutions, NSTL and SAIC
• Will have to reapply for CCEVS accreditation• Mutual Recognition between Canada,
France, Germany and UK and US for CC-based evaluations
• Netherlands are developing their scheme• Australia and New Zealand applying
![Page 31: A Security Business Case for the Common Criteria Marty Ferris Ferris & Associates, Inc. 202-234-9683 jmferris@erols.com](https://reader031.vdocuments.us/reader031/viewer/2022032106/56649e2f5503460f94b1f23b/html5/thumbnails/31.jpg)
Product evaluations As of 19 Oct. 98
• CC-based Evaluation Completed:– ITT Dragonfly
EAL 2 Guard– Milkyway Black
Hole V3.01 EAL3 Firewall in Canada
• CC-based Evaluations Underway
• 3 EAL2 Firewalls – Checkpoint– CISCO Pix– Lucent Managed
Firewall
![Page 32: A Security Business Case for the Common Criteria Marty Ferris Ferris & Associates, Inc. 202-234-9683 jmferris@erols.com](https://reader031.vdocuments.us/reader031/viewer/2022032106/56649e2f5503460f94b1f23b/html5/thumbnails/32.jpg)
Product evaluations
(cont.) • “OS” evaluations underway:
– IBM RS6000 - C2 OS– IBM NT 4.0 - C2 OS– IBM SQL Server - C2 DB– Sybase Anywhere Adaptive
Server - C2 DB
![Page 33: A Security Business Case for the Common Criteria Marty Ferris Ferris & Associates, Inc. 202-234-9683 jmferris@erols.com](https://reader031.vdocuments.us/reader031/viewer/2022032106/56649e2f5503460f94b1f23b/html5/thumbnails/33.jpg)
Assistance
• Classes– schedule on web
page (niap.nist.gov)
– CC familiarization, 1 day
– PP development, 4 days
• CC Toolbox– CCDA version 1,
(ST), Oct. 98– PDA version 2,
(PP), Dec. 98– PDA version 1,
July 99– CCDA version 2,
Jan. 00
![Page 34: A Security Business Case for the Common Criteria Marty Ferris Ferris & Associates, Inc. 202-234-9683 jmferris@erols.com](https://reader031.vdocuments.us/reader031/viewer/2022032106/56649e2f5503460f94b1f23b/html5/thumbnails/34.jpg)
Right Time for Common Criteria?