Presentation is loading. Please wait.

Presentation is loading. Please wait.

Background. History TCSEC Issues non-standard inflexible not scalable.

Published byMaude Carroll Modified over 8 years ago

Similar presentations

Presentation on theme: "Background. History TCSEC Issues non-standard inflexible not scalable."— Presentation transcript:

1 Background

2 History

3 TCSEC Issues non-standard inflexible not scalable

4 The Global Information Grid (GIG) and the Common Criteria (CC) Global Information Grid Clinger-Cohen Act of 1996 (reference (d)) and Title 10, U.S.C., Section 2223 (reference (a)) All DoD and Intelligence Community Computers Information Assurance G&PM: 5.2.20. Consult the IA Technical Framework (IATF) and published Common Criteria (CC) Protection Profiles for guidance regarding common classes of network and system attacks, interoperability and compatibility with the defense-in-depth strategy, and IA solutions that should be considered to counter attacks. 5.2.21. Acquire IA solutions that have been evaluated using the Common Criteria Evaluation and Validation Scheme based on the National Information Assurance Program (NIAP) process. NIAP - Collaboration between NIST and NSA for security evaluation

5 Common Criteria Sections I.Introduction and General Model II.Security Functional Requirements III.Security Assurance Requirements

6 I.Introduction and General Model Defines general concepts and principals of IT security evaluation. Provides constructs for defining and selecting security objectives Provides guidelines for writing high-level specifications

7 II. Security Functional Requirements Provides functional components

8 III. Security Assurance Requirements Provides assurance requirements Evaluation Criteria of PP and ST Provides evaluation levels with a predefined scale (EAL’s)

9 Common Criteria I. Introduction and General Model

10 Definitions- Target of Evaluation (TOE) — An IT product or system and its associated administrator and user guidance documentation that is the subject of an evaluation. Protection Profile (PP) — An implementation-independent set of security requirements for a category of TOEs that meet specific consumer needs. Security Target (ST) — A set of security requirements and specifications to be used as the basis for evaluation of an identified TOE.

11 I. Introduction and General Model Protection Profiles Operating System Firewall Database Smart Card etc.

12 I. Introduction and General Model Security Targets NT 4.0 Oracle 8 Checkpoint-1 Visa SmartCard etc.

13

14

15 Requirements Structure Class Family leveling-specifies if components are hierarchic Component dependencies-other components that are relied upon

16 Requirements Structure CLASS_FAMILY.Component Class FIA-Identification and authentication Family FIA_UID-User Identification Component FIA_UID.1-Timing of Identification

17 Common Criteria II. Security Functional Requirements

18 Hierarchy of Security Functional Requirements

19 II. Security Functional Requirements Security Functional Component Dependencies -Components rely on other components for satisfaction Operations -Iteration -Assignment: FAU_ARP.1.1 The TSF shall take [assignment: list of the least disruptive actions] upon detection of a potential security violation. -Selection: FAU_GEN.1.1 The TSF shall be able to generate an audit record of the following auditable events: a) Start-up and shutdown of the audit functions; b) All auditable events for the [selection: minimum, basic, detailed, not specified] level of audit; -Refinement

20 Class FAU FCO FCS FDP FIA FMT FPR FPT FRU FTA FTP Name Audit Communications Cryptographic Support User Data Protection Identification & Authentication Security Management Privacy Protection of TOE Security Functions Resource Utilization TOE Access Trusted Path / Channels Security Functional Classes II. Security Functional Requirements

21 Common Criteria III. Security Assurance Requirements

22 Definitions- Package — A reusable set of either functional or assurance components (e.g. an EAL), combined together to satisfy a set of identified security objectives. Evaluation Assurance Level (EAL) — A package consisting of assurance components from Part 3 that represents a point on the CC predefined assurance scale.

23 III.Security Assurance Requirements Hierarchy of Security Assurance Requirements

24 Class ACM ADO ADV AGD ALC ATE AVA APE ASE AMA Name Configuration Management Delivery & Operation Development Guidance Documents Life Cycle Support Tests Vulnerability Assessment Protection Profile Evaluation Security Target Evaluation Maintenance of Assurance III.Security Assurance Requirements Security Assurance Classes

25 III.Security Assurance Requirements Evaluation Assurance Levels

26

27 Current Certified Protection Profiles C2 =Controlled Access Protection Profile (Version 1.d) B1=Labeled Security Protection Profile (Version 1.b) Traffic Filter Firewall Protection Profile for Low Risk Environments (Version 1.d)

28 Controlled Access Protection Profile (CAPP) Version 1.d Written by NSA Designed to replace C2

29 C2 vs CAPP

30 New Items in CAPP 5.1 Security Audit-lists 19 auditable events All modifications to the values of security attributes Actions taken due to audit storage failure 5.3.2 Strength of Authentication Data Single guess has less than 1/1,000,000 chance Multiple attempts in one minute have less than 1/100,000 chance 5.4 Security Management-specifies requirements and roles. 6.2 Delivery and Operation

31 Labeled Security Protection Profile (LSPP) Version 1.b Developed by NSA Designed to replace B1

32 B1 vs LSPP

33 New Items in LSPP 5.1 Security Audit-lists 19 auditable events All attempts to import user data, including any security attributes Actions taken due to audit storage failure 5.3.2 Strength of Authentication Data Single guess has less than 1/1,000,000 chance Multiple attempts in one minute have less than 1/100,000 chance 5.4 Security Management-specifies requirements and roles. 6.2 Delivery and Operation

34 ISO/IEC PDTR 15446 Expands on PPs and STs PPs and STs for composite TOEs Functional and Assurance Packages Generic and Worked Examples

35 Websites of Interest Common Criteria NIST- csrc.ncsl.nist.gov/cc CC Toolbox- niap.nist.gov/tools/cctool.html Others GIG- cno-n6.hq.navy.mil/files.htm NIAP- niap.nist.gov

Download ppt "Background. History TCSEC Issues non-standard inflexible not scalable."

Similar presentations

Security Requirements

Security Requirements
© Crown Copyright (2000) Module 2.5 Operational Environment.

© Crown Copyright (2000) Module 2.5 Operational Environment.
University of Tulsa - Center for Information Security Common Criteria Dawn Schulte Leigh Anne Winters.

University of Tulsa - Center for Information Security Common Criteria Dawn Schulte Leigh Anne Winters.
Common Criteria Evaluation and Validation Scheme Syed Naqvi XtreemOS Training Day.

Common Criteria Evaluation and Validation Scheme Syed Naqvi XtreemOS Training Day.
Computer Science CSC 474Dr. Peng Ning1 CSC 474 Information Systems Security Topic 5.2: Evaluation of Secure Information Systems.

Computer Science CSC 474Dr. Peng Ning1 CSC 474 Information Systems Security Topic 5.2: Evaluation of Secure Information Systems.
Cryptography and Network Security 2 nd Edition by William Stallings Note: Lecture slides by Lawrie Brown and Henric Johnson, Modified by Andrew Yang.

Cryptography and Network Security 2 nd Edition by William Stallings Note: Lecture slides by Lawrie Brown and Henric Johnson, Modified by Andrew Yang.
PKE PP Mike Henry Jean Petty Entrust CygnaCom Santosh Chokhani.

PKE PP Mike Henry Jean Petty Entrust CygnaCom Santosh Chokhani.
Software Quality Assurance Plan

Software Quality Assurance Plan
Information Security of Embedded Systems 6.1.2010: Design of Secure Systems Prof. Dr. Holger Schlingloff Institut für Informatik und Fraunhofer FIRST.

Information Security of Embedded Systems : Design of Secure Systems Prof. Dr. Holger Schlingloff Institut für Informatik und Fraunhofer FIRST.
Common Criteria Richard Newman. What is the Common Criteria Cooperative effort among Canada, France, Germany, the Netherlands, UK, USA (NSA, NIST) Defines.

Common Criteria Richard Newman. What is the Common Criteria Cooperative effort among Canada, France, Germany, the Netherlands, UK, USA (NSA, NIST) Defines.
Effective Design of Trusted Information Systems Luděk Novák,

Effective Design of Trusted Information Systems Luděk Novák,
The Common Criteria for Information Technology Security Evaluation

The Common Criteria for Information Technology Security Evaluation
IT Security Evaluation By Sandeep Joshi

IT Security Evaluation By Sandeep Joshi
1 norshahnizakamalbashah-19112007- CEM v3.1: Chapter 10 Security Target Evaluation.

1 norshahnizakamalbashah CEM v3.1: Chapter 10 Security Target Evaluation.
The Common Criteria Cs5493(7493). CC: Background The need for independently evaluated IT security products and systems led to the TCSEC Rainbow series.

The Common Criteria Cs5493(7493). CC: Background The need for independently evaluated IT security products and systems led to the TCSEC Rainbow series.
Standards In The Evaluation Of IT Security Steve Randall & Scott Cadzow TC-MTS#39 20-21 October 2004 Sophia Antipolis 39TD025.

Standards In The Evaluation Of IT Security Steve Randall & Scott Cadzow TC-MTS# October 2004 Sophia Antipolis 39TD025.
An Overview of Common Criteria Protection Profiles María M. Larrondo Petrie, PhD March 26, 2004.

An Overview of Common Criteria Protection Profiles María M. Larrondo Petrie, PhD March 26, 2004.
Introduction 4/15/2017 Chapter 9.

Introduction 4/15/2017 Chapter 9.
October 3, 20031 Partnerships for VoIP Security VoIP Protection Profiles David Smith Co-Chair, DoD VoIP Information Assurance Working Group NSA Information.

October 3, Partnerships for VoIP Security VoIP Protection Profiles David Smith Co-Chair, DoD VoIP Information Assurance Working Group NSA Information.
DoD Information Technology Security Certification and Accreditation Process (DITSCAP) Phase III – Validation Thomas Howard Chris Pierce.

DoD Information Technology Security Certification and Accreditation Process (DITSCAP) Phase III – Validation Thomas Howard Chris Pierce.

Similar presentations

Ads by Google