Chapter 16: Standardization and Security Criteria: Security Evaluation of Computer Products

Guide to Computer Network Security

Upload: orsin

Post on 05-Jan-2016


Kizza - Guide to Computer Network Security


Introduction

Buying a computer product is not easy because of the complexity of computer products to the ordinary person. One cannot always rely on the words of the manufacturers and product vendors to ascertain the suitability and reliability of the products. This is currently the case in both computer hardware and software products. It is a new computer security problem all computer product buyers must grapple with and computer network managers must try to mitigate as they acquire new computer products. There are several approaches, including standardization and security evaluation of products.


Product Standardization

A standard is a document that establishes uniform engineering or technical specifications, criteria, methods, processes, or practices. Some standards are mandatory while others are voluntary.

Standardization is then a process of agreeing on these standards.


Product Standardization

The standardization process consists of several stages through which the product specifications must pass.
– First the specifications undergo a period of development and several iterations of review by the interested engineering or technical community, and revisions are made based on members' experiences. These revisions are then adopted by the Steering Committee as draft standards. The goals of this process are to create standards that:
  – are technically excellent;
  – have prior implementation and testing;
  – have clear, concise, and easily understood documentation;
  – foster openness and fairness.


Need for Standardization of (Security) Products

Products, and indeed computer products, are produced by many different companies with varying technical and financial capabilities based on different technical design philosophies. The interface specifications for products meant to interconnect must be compatible. Standardization reduces the conflicts in the interface specifications.


Security Evaluations

Buyers of computer products cannot always rely on the words of the manufacturers and those of the product vendors to ascertain the suitability and reliability of the products. The security evaluation gives the buyer a level of security assurance that the product meets the manufacturer’s stated claims and also meets the buyer’s expectations.


The process of security evaluation, based on criteria, consists of a series of tests based on a set of levels where each level may test for a specific set of standards. The process itself starts by establishing the following:
– Purpose
– Criteria
– Structure/Elements
– Outcome/benefit


Purpose of Evaluation

– Based on the Orange Book, a security assessment of a computer product is done for:
  – Certification – to certify that a given product meets the stated security criteria and, therefore, is suitable for a stated application. Currently, there are a variety of security certifying bodies of various computer products. This independent evaluation provides the buyer of the product added confidence in the product.
  – Accreditation – to decide whether a given computer product, usually certified, meets stated criteria for and is suitable to be used in a given application. Again, there are currently several firms that offer accreditations to students after they use and get examined for their proficiency in the use of a certified product.
  – Evaluation – to assess whether the product meets the security requirements and criteria for the stated security properties as claimed.
  – Potential market benefit, if any, for the product. If the product passes the certification, it may have a big market potential.


Criteria

– Security evaluation criteria are a collection of security standards that define several degrees of rigor acceptable at each testing level of security in the certification of a computer product.
– Criteria also may define the formal requirements the product needs to meet at each Assurance Level. Each set of security criteria consists of several Assurance Levels with specific security categories in each level.
– Before any product evaluation is done, the product evaluator must state the criteria to be used in the process in order to produce the desired result. By stating the criteria, the evaluator directly states the Assurance Levels and categories in each Assurance Level that the product must meet. The result of a product evaluation is the statement whether the product under review meets the stated Assurance Levels in each criteria category.


Process of Evaluation

– The evaluation of a product can take one of the following directions:
  – Product-oriented – which is an investigative process to thoroughly examine and test every stated security criterion and determine to what extent the product meets these stated criteria in a variety of situations.
  – Process-oriented – which is an audit process that assesses the developmental process of the product and the documentation done along the way, looking for security loopholes and other security vulnerabilities.


Structure of Evaluation

– The structure of an effective evaluation process, whether product-oriented or process-oriented, must consider the following items:
  – Functionality – because acceptance of a computer security product depends on what and how much it can do. If the product does not have enough functionality, and in fact if it does not have the needed functionalities, then it is of no value.
  – Effectiveness – after assuring that the product has enough functionalities to meet the needs of the buyer, the next key question is always whether the product meets the effectiveness threshold set by the buyer in all functionality areas. If the product has all the needed functionalities but they are not effective enough, then the product cannot guarantee the needed security and, therefore, the product is of no value to the buyer.
  – Assurance – to give the buyer enough confidence in the product, the buyer must be given an assurance, a guarantee, that the product will meet nearly all, if not exceed, the minimum stated security requirements.


Outcome/Benefits

– The goal of any product producer and security evaluator is to have a product that gives the buyer the best outcome and benefits.


Computer Products Evaluation Standards

Among the many standards organizations that developed the most common standards used by the computer industry today are the following:
– American National Standards Institute (ANSI)
– British Standards Institute (BSI)
– Institute of Electrical and Electronic Engineers Standards Association (IEEE-SA)
– International Information System Security Certification Consortium (ISC)2
– International Organization for Standardization (ISO)
– Internet Architecture Board (IAB)
– National Institute of Standards and Technology (NIST)
– National Security Agency (NSA)
– Organization for the Advancement of Structured Information Standards (OASIS)
– Underwriters Laboratories (UL)
– World Wide Web Consortium (W3C)


Major Evaluation Criteria

The Orange Book

– Most of the security criteria and standards in product security evaluation have their basis in The Trusted Computer System Evaluation Criteria (TCSEC), the first collection of standards used to grade or rate the security of computer system products. The TCSEC has come to be a standard commonly referred to as "the Orange Book" because of its orange cover. The criteria were developed with three objectives in mind:
  – to provide users with a yardstick with which to assess the degree of trust that can be placed in computer systems for the secure processing of classified or other sensitive information;
  – to provide guidance to manufacturers as to what to build into their new, widely-available trusted commercial products in order to satisfy trust requirements for sensitive applications; and
  – to provide a basis for specifying security requirements in acquisition specifications.
– The criteria also address two types of requirements:
  – specific security feature requirements
  – assurance requirements.


The U.S. Federal Criteria

– The U.S. Federal Criteria, drafted in the early 1990s, were meant to be a replacement of the old TCSEC criteria. However, these criteria were never approved, and events overran them when the international criteria board used some of them in the development of the ISO-based Common Criteria (CC), thus overtaking it. Many of its ideas were incorporated in the Common Criteria.


The Information Technology Security Evaluation Criteria (ITSEC)

– While the U.S. Orange Book Criteria were developed in 1967, the Europeans did not define unified evaluation criteria until the 1980s, when the United Kingdom, Germany, France and the Netherlands harmonized their national criteria into a European Information Security Evaluation Criteria (ITSEC). Since then, they have been updated and the current issue is Version 1.2, published in 1991, followed two years later by its user manual, the IT Security Evaluation Manual (ITSEM), which specifies the methodology to be followed when carrying out ITSEC evaluations. ITSEC was developed because the Europeans thought that the Orange Book was too rigid. ITSEC was meant to provide a framework for security evaluations that would accommodate new future security requirements. It puts much more emphasis on integrity and availability.


The Trusted Network Interpretation (TNI): The Red Book

– The Trusted Network Interpretation (TNI) of the TCSEC, also referred to as "The Red Book," is a restating of the requirements of the TCSEC in a network context. It attempted to address network security issues. It is seen by many as a link between the Red Book and new criteria that came after. Some of the shortfalls of the Orange Book that the Red Book tries to address include the distinction between two types of computer networks:
  – Networks of independent components with different jurisdictions and management policies
  – Centralized networks with single accreditation authority and policy.


The Common Criteria (CC)

– The Common Criteria (CC), occasionally, though incorrectly, referred to as the Harmonized Criteria, is a multinational successor to the TCSEC and ITSEC that combines the best aspects of ITSEC, TCSEC, CTCPEC (Canadian Criteria), and the U.S. Federal Criteria (FC) into the Common Criteria for Information Technology Security Evaluation. CC was designed to be an internationally accepted set of criteria in the form of an International Standards Organization (ISO) standard.


Does Evaluation Mean Security?

The evaluation of a product either with a standard or a criteria does not mean that the product is assured of security. No evaluation of any product can guarantee such security. However, an evaluated product can demonstrate certain features and assurances from the evaluating criteria, that the product does have certain security parameters to counter those threats. The development of new security standards and criteria will no doubt continue to result in better ways of security evaluations and certification of computer products and will, therefore, enhance computer systems’ security.