Common Criteria Presentation - PowerPoint PPT Presentation

About This Presentation
Title: Common Criteria Presentation

Description: A way of evaluating security based products to ensure security functionality ... Norton, Avast, and AVG have nothing evaluated. Common Criteria In Your Base ... – PowerPoint PPT presentation

Number of Views:783
Avg rating:3.0/5.0
Slides: 26
Provided by: Thot
Transcript and Presenter's Notes

1
Common Criteria Presentation
  • By Kyle Cook
  • Secure Systems Administration Certification
  • Professor Eileen Dewey

2
What is Common Criteria?
  • A way of evaluating security-based products to
    ensure their security functionality meets the
    needs of the consumer.
  • Not limited to government use, but often required
    for government implementation of products.
  • A multi-level process with many grades of
    evaluation.

3
Brief History of Common Criteria
  • Common Criteria originated from a 1970s document
    written by the US DOD. This document was called
    Trusted Security Evaluation Criteria (TCSEC), the
    Orange Book.
  • Germany: Green Book
  • Europe: ITSEC
  • First CC draft started in 1994
  • First CC released in January 1996
  • CC becomes an ISO Standard in June 1999 with
    Version 2.0 ISO 15408.
  • Next CC released in 2004
  • Current Version is 3.1R1 with new release
    approaching

4
Who Works on Common Criteria?
  • United States, Australia, New Zealand, Canada,
    France, Germany, Japan, Netherlands, Spain, and
    United Kingdom
  • How to remember that for the test
  • NAUGFJUNSC
  • Never Again Use Grant Formulas Just Understand
    Necessary Simple Concepts

5
Key Terms
  • evaluation assurance level (EAL): an assurance
    package, consisting of assurance requirements
    drawn from CC Part 3, representing a point on the
    CC predefined assurance scale.
  • Protection Profile (PP): an implementation-independent
    statement of security needs for a TOE type.
  • Security Target (ST): an implementation-dependent
    statement of security needs for a specific
    identified TOE.
  • target of evaluation (TOE): a set of software,
    firmware and/or hardware possibly accompanied by
    guidance.

6
Three Parts of Common Criteria
  • Part 1, Introduction and general model
  • Part 2, Security functional components
  • Part 3, Security assurance components

7
What The Parts Mean to Whom
Taken from Common Criteria
8
That's Nice, But What is the Scope?
  • What assets would you consider valuable?
  • What assets might attackers find valuable?
  • Examples of Assets
  • What about the asset's environment?
  • How Can Common Criteria Help?

9
What Can A TOE Be?
  • software application
  • operating system
  • software application in combination with an
    operating system
  • software application in combination with an
    operating system and a workstation
  • operating system in combination with a
    workstation
  • smart card integrated circuit
  • The cryptographic co-processor of a smart card
    integrated circuit
  • Local Area Network including all terminals,
    servers, network equipment and software
  • database application excluding the remote client
    software normally associated with that database
    application

Taken From Common Criteria
10
The Asset Relation Diagram
11
What Evaluation Does For Assets
12
Life Cycle of the Product
13
Common Criteria In Your Life
  • Does anyone own a product that has been evaluated
    by CC?
  • Can you guess some systems that have been
    evaluated?
  • What do the EALs mean for these systems?

14
What Do The EALs Mean?
  • EAL is the Evaluation Assurance Level the Target
    of Evaluation was rated at.
  • EALs have a rating from 1 to 7
  • 1 is the lowest rating
  • 7 is the highest rating
  • As the rating increases so does the price of
    evaluation.

15
Common Criteria In Your Life
  • Cisco has 13 products evaluated at EAL 4 and a
    few more rated at 3, 2, and 1.
  • Netgear has 0 products evaluated.
  • Linksys has 0 products evaluated.
  • D-Link has 0 products evaluated.
  • Linksys is now owned by Cisco and although none
    of the lower end routers are evaluated they are
    still Cisco products.

16
CC Behind The Scenes
  • Every version of Oracle evaluated reached EAL 4
    or 4+.
  • No version of MySQL has been evaluated.
  • The last version of DB2 evaluated reached EAL 3.

17
Common Criteria Anti-Virus
  • McAfee VirusScan v8.5i EE is at EAL 2.
  • Symantec has no virus scanners evaluated. They do
    have border protection devices, and all but one of
    them are EAL 4.
  • Norton, Avast, and AVG have nothing evaluated.

18
Common Criteria In Your Base
  • Several versions of Red Hat Linux are evaluated
    at EAL 3.
  • Several versions of SUSE Linux are evaluated at
    EAL 2.
  • SUSE Server 8 was EAL 2, Service Pack 2 was EAL
    3, and version 9 was evaluated at EAL 4.
  • No version of Ubuntu has been evaluated.

19
Common Criteria In Your Base
  • OS X 10.3.6 and OS X Server 10.3.6 are the only
    pieces of Apple software evaluated; their EAL is 3.

20
Common Criteria In Your Base
  • Microsoft does not have all of their OSs
    evaluated under CC, but the ones that are
    evaluated obtained EAL 4:
  • 2003, Server 2003, XP, XP x64, and Server 2003
    Service Pack 3
  • Vista is not evaluated by CC.

21
Common Criteria In The Courts
  • Forensic Tool Kit (FTK) is not evaluated by CC
  • EnCase is not evaluated by CC

22
Feeling Safe Yet?
  • //TODO Insert In-Class Discussion
  • Check for a product?
    http://www.commoncriteriaportal.org/public/consumer/index.php
  • Anyone Asleep Yet?

23
Quick Recap
  • EAL
  • TOE
  • ST
  • Who Is Involved?
  • Brief History
  • PP

24
Quick Recap
  • EAL: Evaluation Assurance Level
  • TOE: Target of Evaluation
  • ST: Security Target
  • Who Is Involved? United States, United Kingdom,
    Germany, Netherlands, Japan, Spain, France,
    Canada, New Zealand, Australia
  • Brief History: originated in the 70s, first draft
    started in 94, first draft released in 96, became
    an ISO standard in 99
  • PP: Protection Profile

25
Final Thoughts
  • Is it worth the money?
  • Is the industry pleased?
  • What are possible flaws?