Pattern Recognition and Applications Lab
University of Cagliari, Italy
Department of Electrical and Electronic Engineering

CYBERSECURITY CERTIFICATIONS

Giorgio Giacinto
Computer Security 2017
http://pralab.diee.unica.it 2
What is the meaning of certification?
• Need to define the meaning of security
– Which are the characteristics of a secure system?
– How to define different levels of security?
• Need to regulate a hierarchy of certification services
– Who is entitled to assign the roles for issuing certificates
– The characteristics needed to apply for the role of certification body
• Professional certification
• Product and Process Certifications
CISSP Certified Information Systems Security Professional
• Managed by the not-for-profit organization (ISC)² International Information Systems Security Certification Consortium.
• Since 2004 the CISSP certification is compliant with the ANSI ISO/IEC Standard 17024
– Current version: ISO/IEC 17024:2012
• This certification is compliant with the requirements of the US Department of Defense (DoD)
How to obtain the CISSP certification
• Candidates must have a minimum of 5 years cumulative paid full-time work experience in 2 or more of the following 8 domains of the CISSP CBK (Common Body of Knowledge), then pass the exam on the 8 domains
– Security and Risk Management
  • Security, Risk, Compliance, Law, Regulations, Business Continuity
– Asset Security
  • Protecting Security of Assets
– Security Engineering
  • Engineering and Management of Security
– Communications and Network Security
  • Designing and Protecting Network Security
– Identity and Access Management
  • Controlling Access and Managing Identity
– Security Assessment and Testing
  • Designing, Performing, and Analyzing Security Testing
– Security Operations
  • Foundational Concepts, Investigations, Incident Management, Disaster Recovery
– Software Development Security
  • Understanding, Applying, and Enforcing Software Security
CISSP in Italy
• There is an (ISC)² Italy section that organizes training sessions to prepare for the CISSP exam
Orange Book
• The first document on software certification is the so-called Orange Book
– US Department of Defense (DoD)
– http://www.dynamoo.com/orange
• This document provided the criteria to evaluate the security of operating systems, and provided a categorization in seven classes: D, C1, C2, B1, B2, B3, A1
Giorgio Giacinto 2014 Certificazione
Orange Book
• D: Minimal Protection
– The security of the operating systems in this category cannot be evaluated
  • MS-DOS, Windows 95/98/ME
• C: Discretionary Protection
– The administrator can apply protection mechanisms to objects
– The operating system provides some basic logging capabilities
  • C1: Discretionary Security Protection: early UNIX versions
  • C2: Controlled Access Protection: IBM OS/400, Win NT/2000/XP, Novell Netware
Orange Book
• B: Mandatory Protection
– The operating system requires that protection levels are assigned to each object
  • B1: Labeled Security Protection: HP-UX, Cray Research Trusted Unicos 8.0, Digital SEVMS
  • B2: Structured Protection: Honeywell Multics, Cryptek VSLAN, Trusted XENIX
  • B3: Security Domains: Getronics/Wang Federal XTS-300
• A: Verified Protection
– The trustworthiness of the operating system is verified through formal methods
  • A1: Verified Protection: Boeing MSL LAN, Honeywell SCOMP
Common Criteria
• The national security authorities of USA, Canada and Europe have worked to produce a common set of criteria for evaluating the security of computer systems
• Common Criteria
– First version in 1996
– Current version: 3.1 Release 5 (April 2017)
– ISO/IEC 15408-1:2009, ISO/IEC 15408-2:2008, ISO/IEC 15408-3:2008
Common Criteria Members
• 17 Certificate Authorizing Members
– Australia
– Canada
– South Korea
– France
– Germany
– India
– Italy (5 October 2009)
– Japan
– Malaysia
– Norway
– New Zealand
– Netherlands
– United Kingdom
– Spain
– USA
– Sweden
– Turkey
• 10 Certificate Consuming Members
– Austria, Czech Republic, Denmark, Finland, Greece, Hungary, Israel, Pakistan, Qatar, Singapore
Evaluation Assurance Level (EAL)
• Seven Evaluation Levels
– EAL1, lower level
– EAL7, upper level
• EAL1 - functionally tested
• EAL2 - structurally tested
• EAL3 - methodically tested and checked
• EAL4 - methodically designed, tested and reviewed
• EAL5 - semiformally designed and tested
• EAL6 - semiformally verified design and tested
• EAL7 - formally verified design and tested
Protection Profiles
• Document describing a category of products to identify the elements subject to evaluation for the CC certification
– Access Control Devices and Systems (3 PP)
– Biometric Systems and Devices (2 PP)
– Boundary Protection Devices and Systems (11 PP)
– Data Protection (7 PP)
– Databases (1 PP)
– ICs, Smart Cards and Smart Card-Related Devices and Systems (67 PP)
– Key Management Systems (4 PP)
– Mobility (2 PP)
– Multi-Function Devices (1 PP)
– Network and Network-Related Devices and Systems (10 PP)
– Operating Systems (2 PP)
– Other Devices and Systems (41 PP)
– Products for Digital Signatures (19 PP)
– Trusted Computing (5 PP)
Examples of certified products
• EAL7+
– Fort Fox Hardware Data Diode, version FFHDD2+
• EAL7
– Virtual Machine of Multos M3 G230M mask with AMD 113v4
– Memory Management Unit of the SAMSUNG S3FT9KF/S3FT9KT/S3FT9KS microcontrollers, revision 1
• EAL6+
– Green Hills Software INTEGRITY-178B Separation Kernel, comprising: INTEGRITY-178B Real Time Operating System (RTOS), version IN-ICR750-0101-GH01_Rel running on Compact PCI card, version CPN 944-2021-021 with PowerPC, version 750CXe
– Infineon Security Controller M7893 B11 with optional RSA2048/4096 v1.03.006, EC v1.03.006, SHA-2 v1.01 libraries and Toolbox v1.03.006 and with specific IC dedicated software (firmware)
Examples of certified products
• EAL4+
– Red Hat Enterprise Linux Version 7.1
– SUSE Linux Enterprise Server Version 12
– JBoss Enterprise Application Platform 6 Version 6.2.2
– Microsoft SQL Server 2014 Database Engine Enterprise Edition x64
– FINX RTOS Security Enhanced (SE) v3.1
• Operating Systems compliant with the Protection Profile
– Microsoft Windows 10 Anniversary Update Home Edition, Pro Edition and Enterprise Edition (32 and 64 bits), and Microsoft Windows Server 2016 Standard Edition and Datacenter Edition
– IBM z/OS Version 2 Release 1
OCSI Organismo Certificazione Sicurezza Informatica
• In Italy, OCSI is in charge of maintaining the National Scheme for the evaluation and certification of the security of systems and products in the ICT sector (DPCM of 30.10.2003, G.U. n. 98 of 27.04.2004)
• OCSI is within ISCOM (Istituto Superiore delle Comunicazioni e delle Tecnologie dell'Informazione) of the Ministry for the Economic Development (MISE)
• Currently six laboratories in Italy provide the services for system and product evaluation for the assignment of the EAL
Limits of Common Criteria
• Common Criteria drawbacks
– Long time required to perform the evaluation
– High costs
• It turns out that product evaluation through the CC scheme is appropriate for
– equipment for military forces
– critical infrastructure (nuclear and chemical plants, etc.)
• The connection of everything to the network requires novel certification schemes
– fast enough to cope with the release of new versions
– with a larger base of certification laboratories
Joshua Corman @ One Conference
Director, Cyber Statecraft Initiative at Atlantic Council
Public-Private initiatives
• USA and UK established public-private working groups to define novel certification schemes
– NIST is the US agency in charge of this action
– In the UK the home-affairs ministry carried out the initiative
• In Europe
NIST – Cyber Security Framework
• Version 1.0 - February 2014
• Framework for Improving Critical Infrastructure Cybersecurity
Italian Cyber Security Framework
http://www.cybersecurityframework.it
• February 2016
• CIS-Sapienza and CINI National Cybersecurity Lab
• Based on the NIST Cybersecurity Framework
• Main feature: focus on SMEs
UK Cyber Essentials
• UK Government
– First proposed in June 2014
• Cyber Essentials
– Self certification
• Cyber Essentials Plus
– Certified by an external organization
• Essential Requirements
– Boundary firewalls and internet gateways
– Secure configuration
– Access control
– Malware protection
– Patch management
Italian Cybersecurity Essentials
http://www.cybersecurityframework.it/csr2016
• February 2017
• 15 Essential Security Measures in 8 areas
– Inventory of devices and software (4 Measures)
– Governance (1 Measure)
– Malware Protection (1 Measure)
– Password and Account Management (3 Measures)
– Training and Awareness (1 Measure)
– Data Protection (2 Measures)
– Network Protection (1 Measure)
– Prevention and Mitigation (2 Measures)
OWASP Security Verification Standard
• OWASP Application Security Verification Standard 3.0.1
– 3 Security Verification Levels
OWASP ASVS Levels
• Level 1 – Opportunistic
– all software
• Level 2 – Standard
– applications that contain sensitive data
• Level 3 – Advanced
– most critical applications, i.e., applications that perform high value transactions, contain sensitive medical data, etc.
Level 1 - Opportunistic
• The application adequately defends against vulnerabilities that are easy to discover, and included in the OWASP Top 10.
• Appropriate for applications where low confidence in the correct use of security controls is required.
• Ensured either automatically by tools or simply manually without access to source code.
• Threats to the application will most likely be from attackers who are using simple and low effort techniques to identify easy-to-find and easy-to-exploit vulnerabilities.
Level 2 - Standard
• The application adequately defends against most of the known risks.
• Level 2 ensures that security controls are in place, effective, and used within the application.
• Appropriate for applications that handle significant business-to-business transactions, including those that process healthcare information, or process other sensitive assets.
• Threats will typically be skilled and motivated attackers focusing on specific targets using tools and techniques that are highly practiced and effective at discovering and exploiting weaknesses within applications.
Level 3 - Advanced
• Applications that require significant levels of security verification
– military, health and safety, critical infrastructure, etc.
• To achieve Level 3, an application must undergo an in-depth analysis of architecture, coding, and testing
• A secure application is modularized in a meaningful way
– each module takes care of its own security responsibilities
  • controls to ensure confidentiality (e.g. encryption)
  • controls to ensure integrity (e.g. transactions, input validation)
  • controls to ensure availability (e.g. handling load gracefully)
  • controls to ensure authentication (including between systems)
  • controls to ensure non-repudiation, authorization, and auditing (logging)
Verification requirements
V1. Architecture, design and threat modelling
V2. Authentication
V3. Session management
V4. Access control
V5. Malicious input handling
V7. Cryptography at rest
V8. Error handling and logging
V9. Data protection
V10. Communications
V11. HTTP security configuration
V13. Malicious controls
V15. Business logic
V16. File and resources
V17. Mobile
V18. Web services (NEW for 3.0)
V19. Configuration (NEW for 3.0)
Verification requirements and levels
• For each level, the requirements change
– Example for V1. Architecture, Design and Threat Modelling
ISO 27000s standards
Information security management
• ISO/IEC 27000: family of standards for the management of information security
– they are not strictly related to computer security
• 27001: standard concerning the secure management of information, regardless of the technology used
• 27002: security measures to mitigate the risk in information management, each measure being related to the specific technology used
• 27034: Application Security Controls
Financial Sector
• PCI (Payment Card Industry) Security Standard
– PCI-DSS (Data Security Standard): standard for merchants that process card payments
– PA-DSS: standard for software developers of applications that process card payments
• SWIFT (Society for Worldwide Interbank Financial Telecommunication)
– Standardizes the messages exchanged by financial players to perform common business processes, such as making payments or confirming trades.
– Maintains ISO 20022