The Common Criteria Cs5493(7493). CC: Background The need for independently evaluated IT security...
-
Upload
daisy-flowers -
Category
Documents
-
view
216 -
download
0
Transcript of The Common Criteria Cs5493(7493). CC: Background The need for independently evaluated IT security...
![Page 1: The Common Criteria Cs5493(7493). CC: Background The need for independently evaluated IT security products and systems led to the TCSEC Rainbow series.](https://reader036.fdocuments.net/reader036/viewer/2022081516/56649ccf5503460f9499a644/html5/thumbnails/1.jpg)
The Common Criteria
Cs5493(7493)
![Page 2: The Common Criteria Cs5493(7493). CC: Background The need for independently evaluated IT security products and systems led to the TCSEC Rainbow series.](https://reader036.fdocuments.net/reader036/viewer/2022081516/56649ccf5503460f9499a644/html5/thumbnails/2.jpg)
CC: Background
The need for independently evaluated IT security products and systems led to the TCSEC Rainbow series
![Page 3: The Common Criteria Cs5493(7493). CC: Background The need for independently evaluated IT security products and systems led to the TCSEC Rainbow series.](https://reader036.fdocuments.net/reader036/viewer/2022081516/56649ccf5503460f9499a644/html5/thumbnails/3.jpg)
CC: Background
• 1996 - The CC was conceived following the TCSEC, Rainbow series.• The Rainbow series was used as a guide and
model for the CC.• 1997 NIAP is formed (National Information
Assurance Partnership)• Published in 1998
![Page 4: The Common Criteria Cs5493(7493). CC: Background The need for independently evaluated IT security products and systems led to the TCSEC Rainbow series.](https://reader036.fdocuments.net/reader036/viewer/2022081516/56649ccf5503460f9499a644/html5/thumbnails/4.jpg)
CC: Background
1999 Adopted by the ISO (International Standards Organization, ISO-15408)
2000 Evaluations performed by accredited labs with government oversight and validation.
2003 NSA Assumes responsibility for CCEVS (CC Evaluation and Validation Scheme)
![Page 5: The Common Criteria Cs5493(7493). CC: Background The need for independently evaluated IT security products and systems led to the TCSEC Rainbow series.](https://reader036.fdocuments.net/reader036/viewer/2022081516/56649ccf5503460f9499a644/html5/thumbnails/5.jpg)
CC Purpose
• To provide consistent evaluation standards to IT products and systems
• To improve the availability of evaluated security-enhanced IT products and systems.
• To eliminate duplicating evaluations of IT products and systems.
• To improve the efficiency and cost-effectiveness of the evaluation process.
![Page 6: The Common Criteria Cs5493(7493). CC: Background The need for independently evaluated IT security products and systems led to the TCSEC Rainbow series.](https://reader036.fdocuments.net/reader036/viewer/2022081516/56649ccf5503460f9499a644/html5/thumbnails/6.jpg)
CC
The CC does not define the features of an IT product
The CC does not require the product itself be secure
The CC is a common framework for an evaluation process.
![Page 7: The Common Criteria Cs5493(7493). CC: Background The need for independently evaluated IT security products and systems led to the TCSEC Rainbow series.](https://reader036.fdocuments.net/reader036/viewer/2022081516/56649ccf5503460f9499a644/html5/thumbnails/7.jpg)
CC
By placing focus on security evaluation process, and not on the actual product design, vendors can keep their technology proprietary.
![Page 8: The Common Criteria Cs5493(7493). CC: Background The need for independently evaluated IT security products and systems led to the TCSEC Rainbow series.](https://reader036.fdocuments.net/reader036/viewer/2022081516/56649ccf5503460f9499a644/html5/thumbnails/8.jpg)
The CC Process
IT products are organized into categories:
http://www.commoncriteriaportal.org/products
![Page 9: The Common Criteria Cs5493(7493). CC: Background The need for independently evaluated IT security products and systems led to the TCSEC Rainbow series.](https://reader036.fdocuments.net/reader036/viewer/2022081516/56649ccf5503460f9499a644/html5/thumbnails/9.jpg)
The CC Process
The CC process is centered around an IT product referred to as the Target Of Evaluation: TOE.
The CC Process is determined for the TOE by three documents:
1. The Protection Profile (PP)2. The Security Target (ST)3. The Certification/Validation Report
![Page 10: The Common Criteria Cs5493(7493). CC: Background The need for independently evaluated IT security products and systems led to the TCSEC Rainbow series.](https://reader036.fdocuments.net/reader036/viewer/2022081516/56649ccf5503460f9499a644/html5/thumbnails/10.jpg)
CC General Requirements
• Functional security requirements – define desired security behavior.
• Assurance requirements – indicating claimed security measures are effective and implemented correctly.
![Page 11: The Common Criteria Cs5493(7493). CC: Background The need for independently evaluated IT security products and systems led to the TCSEC Rainbow series.](https://reader036.fdocuments.net/reader036/viewer/2022081516/56649ccf5503460f9499a644/html5/thumbnails/11.jpg)
The CC Process: Protection Profile
Each IT category has at least one document describing the functional and assurance security requirements. These documents are known as Protection Profiles
![Page 12: The Common Criteria Cs5493(7493). CC: Background The need for independently evaluated IT security products and systems led to the TCSEC Rainbow series.](https://reader036.fdocuments.net/reader036/viewer/2022081516/56649ccf5503460f9499a644/html5/thumbnails/12.jpg)
CC: Protection Profile
Created by a user, user community, laboratory, etc.
NIAP is currently working on a standard protection profile for each technology category.
![Page 13: The Common Criteria Cs5493(7493). CC: Background The need for independently evaluated IT security products and systems led to the TCSEC Rainbow series.](https://reader036.fdocuments.net/reader036/viewer/2022081516/56649ccf5503460f9499a644/html5/thumbnails/13.jpg)
CC : Protection Profile
Contains a description of threats Security objectives Security functional requirements Security assurance requirements etc
![Page 14: The Common Criteria Cs5493(7493). CC: Background The need for independently evaluated IT security products and systems led to the TCSEC Rainbow series.](https://reader036.fdocuments.net/reader036/viewer/2022081516/56649ccf5503460f9499a644/html5/thumbnails/14.jpg)
CC : Security Target
The Security Target (ST) document is usually written by the developer/vendor of the IT product.
![Page 15: The Common Criteria Cs5493(7493). CC: Background The need for independently evaluated IT security products and systems led to the TCSEC Rainbow series.](https://reader036.fdocuments.net/reader036/viewer/2022081516/56649ccf5503460f9499a644/html5/thumbnails/15.jpg)
CC : Security Target
The document contains information on how the TOE fulfills the security objectives outlined in the PP.
![Page 16: The Common Criteria Cs5493(7493). CC: Background The need for independently evaluated IT security products and systems led to the TCSEC Rainbow series.](https://reader036.fdocuments.net/reader036/viewer/2022081516/56649ccf5503460f9499a644/html5/thumbnails/16.jpg)
CC : Evaluation
• The evaluation process is used to determine if the security target (ST) is satisfied for the target of interest (TOE).
• The TOE developer requests the evaluation.• Evaluation only occurs when the product is
complete• Cost of the evaluation is negotiated between
the developer and the evaluator.
![Page 17: The Common Criteria Cs5493(7493). CC: Background The need for independently evaluated IT security products and systems led to the TCSEC Rainbow series.](https://reader036.fdocuments.net/reader036/viewer/2022081516/56649ccf5503460f9499a644/html5/thumbnails/17.jpg)
CC : Evaluations
A validation/certification report documents the evaluation findings.
![Page 18: The Common Criteria Cs5493(7493). CC: Background The need for independently evaluated IT security products and systems led to the TCSEC Rainbow series.](https://reader036.fdocuments.net/reader036/viewer/2022081516/56649ccf5503460f9499a644/html5/thumbnails/18.jpg)
CC : Validation
Validation for the TOE comes in the form of a Validation/Certification Report.
The Validation report assigns an EAL to the TOE.
![Page 19: The Common Criteria Cs5493(7493). CC: Background The need for independently evaluated IT security products and systems led to the TCSEC Rainbow series.](https://reader036.fdocuments.net/reader036/viewer/2022081516/56649ccf5503460f9499a644/html5/thumbnails/19.jpg)
CC : EAL
Evaluation Assurance Levels Levels 1 through 7 The EALs reflect the degree of confidence a
user can have in the performance of the TOE EAL – 1 are no longer done by accredited labs EAL – 2 through 4 are assigned by one of the
accredited labs EAL 4+ are assigned by the NSA
![Page 20: The Common Criteria Cs5493(7493). CC: Background The need for independently evaluated IT security products and systems led to the TCSEC Rainbow series.](https://reader036.fdocuments.net/reader036/viewer/2022081516/56649ccf5503460f9499a644/html5/thumbnails/20.jpg)
CC : EAL
EAL 1-4 do not require evaluation of the software, only the development process
EAL 4+ require more rigorous design evaluation.
![Page 21: The Common Criteria Cs5493(7493). CC: Background The need for independently evaluated IT security products and systems led to the TCSEC Rainbow series.](https://reader036.fdocuments.net/reader036/viewer/2022081516/56649ccf5503460f9499a644/html5/thumbnails/21.jpg)
CC Sustainability Cycle
– Revisions are required as vulnerabilities are discovered
– Each revision may require re-evaluation
![Page 22: The Common Criteria Cs5493(7493). CC: Background The need for independently evaluated IT security products and systems led to the TCSEC Rainbow series.](https://reader036.fdocuments.net/reader036/viewer/2022081516/56649ccf5503460f9499a644/html5/thumbnails/22.jpg)
Accredited Evaluators
NIST accredits the evaluators There are 15 countries that have accredited
evaluators. There are 11 other countries that support
the CC standards.