Common Criteria Presentation

1
Common Criteria Presentation

• By Kyle Cook
• Secure Systems Administration Certification
• Professor Eileen Dewey

2
What is Common Criteria?

• A way of evaluating security based products to
  ensure security functionality meets the needs of
  the consumer.
• Not limited to government use but often required
  for government implementation of products.
• A multi level process with many grades of
  evaluation.

3
Brief History of Common Criteria

• Common Criteria originated from a 1970s document
  written by the US DOD, this document was called
  Trusted Security Evaluation Criteria (TCSEC)
  Orange Book.
• Germany Green Book
• Europe ITSEC
• First CC draft started in 1994
• First CC released in January 1996
• CC becomes an ISO Standard in June 1999 with
  Version 2.0 ISO 15408.
• Next CC released in 2004
• Current Version is 3.1R1 with new release
  approaching

4
Who Works on Common Criteria?

• United States, Australia, New Zealand, Canada,
  France, Germany, Japan, Netherlands, Spain, and
  United Kingdom
• How to remember that for the test
• NAUGFJUNSC
• Never Again Use Grant Formulas Just Understand
  Necessary Simple Concepts

5
Key Terms

• evaluation assurance level (EAL) ? an assurance
  package, consisting of assurance requirements
  drawn from CC Part 3, representing a point on the
  CC predefined assurance scale.
• Protection Profile (PP) ? an implementation-indepe
  ndent statement of security needs for a TOE type.
  
• Security Target (ST) ? an implementation-dependent
  statement of security needs for a specific
  identified TOE.
• target of evaluation (TOE) ? a set of software,
  firmware and/or hardware possibly accompanied by
  guidance.

6
Three Parts of Common Criteria

• Part 1, Introduction and general model
• Part 2, Security functional components
• Part 3, Security assurance components

7
What The Parts Mean to Who
Taken from Common Criteria
8
Thats Nice, But What is the Scope?

• What assets would you consider valuable?
• What assets might attackers find valuable?
• Examples of Assets
• What about the assets environment?
• How Can Common Criteria Help?

9
What Can A TOE Be?

• software application
• operating system
• software application in combination with an
  operating system
• software application in combination with an
  operating system and a workstation
• operating system in combination with a
  workstation
• smart card integrated circuit
• The cryptographic co-processor of a smart card
  integrated circuit
• Local Area Network including all terminals,
  servers, network equipment and software
• database application excluding the remote client
  software normally associated with that database
  application

Taken From Common Criteria
10
The Asset Relation Diagram
11
What Evaluation Does For Assets
12
Life Cycle of the Product
13
Common Criteria In Your Life

• Does anyone own a product that has been evaluated
  by CC?
• Can you guess some systems that have been
  evaluated?
• What do the EALs mean for these systems?

14
What Do The EALs Mean?

• EAL is the Evaluation Assurance Level the Target
  of Evaluation was rated at.
• EALs have a rating from 1 to 7
• 1 is the lowest rating
• 7 is the highest rating
• As the rating increases so does the price of
  evaluation.

15
Common Criteria In Your Life

• Cisco has 13 products evaluated at EAL 4 and a
  few more rated at 3, 2, and 1.
• Netgear has 0 products evaluated.
• Linksys has 0 products evaluated.
• D-Link has 0 products evaluated.
• Linksys is now owned by Cisco and although none
  of the lower end routers are evaluated they are
  still Cisco products.

16
CC Behind The Scenes

• Every version of Oracle evaluated reached EAL 4
  or 4
• No version of MySQL has been evaluated.
• The last version of DB evaluated was DB2 and it
  reached EAL 3

17
Common Criteria Anti-Virus

• McAfee Virus Scan v8.5i EE is at EAL 2
• Symantec has no virus scanners evaluated, they do
  have border protection devices and all but one of
  them are EAL 4
• Norton, Avast, and AVG have nothing evaluated.

18
Common Criteria In Your Base

• Several versions of Red Hat linux are evaluated
  at levels 3
• Several versions of SUSE linux are evaluated at
  levels 2
• SUSE Server 8 was EAL 2, service pack 2 was EAL
  3, version 9 evaluated at EAL 4
• No version of Ubuntu has been evaluated.

19
Common Criteria In Your Base

• OS X 10.3.6 and server 10.3.6 are the only pieces
  of apple software evaluated, their EAL is 3.

20
Common Criteria In Your Base

• Microsoft does not have all of their OSs
  evaluated under CC, but the ones that are
  obtained EAL 4
• 2003, Server 2003, XP, XP x64, and Server 2003
  Service Pack 3
• Vista is not evaluated by CC.

21
Common Criteria In The Courts

• Forensic Tool Kit (FTK) is not evaluated by CC
• EnCase is not evaluated by CC

22
Feeling Safe Yet?

• //TODO Insert In-Class Discussion
• Check for a product? http//www.commoncriteriaport
  al.org/public/consumer/index.php
• Anyone Asleep Yet?

23
Quick Recap

• EAL
• TOE
• ST
• Who Is Involved?
• Brief History
• PP

24
Quick Recap

• EAL Evaluation Assurance Level
• TOE Target of Evaluation
• ST Security Target
• Who Is Involved? United States, United Kingdom,
  Germany, Netherlands, Japan, Spain, France,
  Canada, New Zealand, Australia
• Brief History originated in 70s, first draft
  started in 94, first draft released in 96, became
  an ISO standard in 99
• PP Protection Profile

25
Final Thoughts

• Is it worth the money?
• Is the industry pleased?
• What are possible flaws?