Common Criteria

Document Sample
Common Criteria Powered By Docstoc
					Common Criteria Presentation
By: Kyle Cook
Secure Systems Administration Certification
Professor Eileen Dewey
What is Common Criteria?
 A way of evaluating security based
  products to ensure security functionality
  meets the needs of the consumer.
 Not limited to government use but often
  required for government implementation
  of products.
 A multi level process with many “grades”
  of evaluation.
Brief History of Common Criteria
   Common Criteria originated from a 1970’s document
    written by the US DOD, this document was called
    Trusted Security Evaluation Criteria (TCSEC) – “Orange
   Germany : “Green Book”
   Europe : ITSEC
   First CC draft started in 1994
   First CC released in January 1996
   CC becomes an ISO Standard in June 1999 with Version
    2.0 – ISO 15408.
   Next CC released in 2004
   Current Version is 3.1R1 with new release approaching
Who Works on Common Criteria?
   United States, Australia, New Zealand,
    Canada, France, Germany, Japan,
    Netherlands, Spain, and United Kingdom

   How to remember that for the test :

 Never Again Use Grant Formulas Just
  Understand Necessary Simple Concepts
Key Terms
 evaluation assurance level (EAL) ⎯ an assurance
  package, consisting of assurance requirements
  drawn from CC Part 3, representing a point on
  the CC predefined assurance scale.
 Protection Profile (PP) ⎯ an implementation-
  independent statement of security needs for a
  TOE type.
 Security Target (ST) ⎯ an implementation-
  dependent statement of security needs for a
  specific identified TOE.
 target of evaluation (TOE) ⎯ a set of software,
  firmware and/or hardware possibly accompanied
  by guidance.
Three Parts of Common Criteria
   Part 1, Introduction and general

   Part 2, Security functional

   Part 3, Security assurance
     What The Parts Mean to Who
           Consumers                Developers                 Evaluators

Part 1     Use for background       Use for background         Use for background
           information and          information and            information and
           reference purposes.      reference purposes.        reference purposes.
           Guidance structure for   Development of security    Guidance structure for
           PPs.                     specifications for TOEs.   PPs and STs.
Part 2     Use for guidance and     Use for reference when     Use for reference when
           reference when           interpreting statements    interpreting statements
           formulating statements   of functional              of functional
           of requirements for a    requirements and           requirements.
           TOE.                     formulating functional
                                    specifications for TOEs.

Part 3     Use for guidance when    Use for reference when     Use for reference when
           determining required     interpreting statements    interpreting statements
           levels of assurance.     of assurance               of assurance
                                    requirements and           requirements.
                                    determining assurance
                                    approaches of TOEs.

                                                 Taken from Common Criteria
That’s Nice, But What is the Scope?
 What assets would you consider valuable?
 What assets might attackers find valuable?

   Examples of Assets :

   What about the assets environment?

   How Can Common Criteria Help?
What Can A TOE Be?
   software application
   operating system
   software application in combination with an operating system
   software application in combination with an operating system and a
   operating system in combination with a workstation
   smart card integrated circuit
   The cryptographic co-processor of a smart card integrated circuit
   Local Area Network including all terminals, servers, network
    equipment and software
   database application excluding the remote client software normally
    associated with that database application

                                           Taken From Common Criteria
The Asset Relation Diagram
What Evaluation Does For Assets
Life Cycle of the Product
Common Criteria In Your Life
 Does anyone own a product that has
  been evaluated by CC?
 Can you guess some systems that have
  been evaluated?
 What do the EAL’s mean for these
What Do The EAL’s Mean?
 EAL is the Evaluation Assurance Level the
  Target of Evaluation was rated at.
 EAL’s have a rating from 1 to 7
 1 is the lowest rating
 7 is the highest rating
 As the rating increases so does the price
  of evaluation.
Common Criteria In Your Life
 Cisco has 13 products evaluated at EAL 4
  and a few more rated at 3, 2, and 1.
 Netgear has 0 products evaluated.
 Linksys has 0 products evaluated.
 D-Link has 0 products evaluated.
 Linksys is now owned by Cisco and
  although none of the lower end routers
  are evaluated they are still Cisco
CC Behind The Scenes
 Every version of Oracle evaluated
  reached EAL 4 or 4+
 No version of MySQL has been evaluated.
 The last version of DB evaluated was DB2
  and it reached EAL 3+
Common Criteria Anti-Virus
 McAfee Virus Scan v8.5i EE is at EAL 2+
 Symantec has no virus scanners evaluated,
  they do have border protection devices
  and all but one of them are EAL 4
 Norton, Avast, and AVG have nothing
Common Criteria In Your Base
 Several versions of Red Hat linux are
  evaluated at levels 3+
 Several versions of SUSE linux are
  evaluated at levels 2+
 SUSE Server 8 was EAL 2, service pack 2
  was EAL 3, version 9 evaluated at EAL 4+
 No version of Ubuntu has been evaluated.
Common Criteria In Your Base
   OS X 10.3.6 and server 10.3.6 are the
    only pieces of apple software evaluated,
    their EAL is 3.
Common Criteria In Your Base
 Microsoft does not have all of their OS’s
  evaluated under CC, but the ones that
  are obtained EAL 4+
 2003, Server 2003, XP, XP x64, and Server
  2003 Service Pack 3
 Vista is not evaluated by CC.
Common Criteria In The Courts
 Forensic Tool Kit (FTK) is not evaluated
  by CC
 EnCase is not evaluated by CC
Feeling Safe Yet?
   //TODO : Insert In-Class Discussion

   Check for a product?

   Anyone Asleep Yet?
Quick Recap
 EAL :
 TOE :
 ST :
 Who Is Involved?
 Brief History :
 PP :
Quick Recap
   EAL : Evaluation Assurance Level
   TOE : Target of Evaluation
   ST : Security Target
   Who Is Involved? United States, United
    Kingdom, Germany, Netherlands, Japan, Spain,
    France, Canada, New Zealand, Australia
   Brief History : originated in 70’s, first draft
    started in 94, first draft released in 96,
    became an ISO standard in 99
   PP : Protection Profile
Final Thoughts
 Is it worth the money?
 Is the industry pleased?
 What are possible flaws?