Certification and Accreditation: Part 1 - The “Orange Book” (TCSEC)
Video Activity
Join over 3 million cybersecurity professionals advancing their career
Sign up with
Required fields are marked with an *
or
Already have an account? Sign In »
Time
15 hours 43 minutes
Difficulty
Advanced
CEU/CPE
16
Video Transcription
00:01
>> This section,
00:01
security architecture and sign part of section three,
00:01
security engineering has really
00:01
focused on building a secure system,
00:01
choosing the right security model,
00:01
making sure we have the hardware, software,
00:01
firmware architecture in place to enforce that model,
00:01
and making sure that we have
00:01
the design structure for secure communication.
00:01
Now that we've done all that,
00:01
we've built this secure system,
00:01
our time now is to figure out, did it work?
00:01
Did we really produce
00:01
a system that was as secure as we wanted it to be,
00:01
and does it meet the specific needs?
00:01
What we're going to look at in this section
00:01
is a book called the Orange Book.
00:01
The Orange Book's formal name it's the TCSEC,
00:01
the Trusted Computer Security Evaluation Criteria.
00:01
This is something that was used by the US government,
00:01
the last time I have seen the TCSEC
00:01
used was back in the mid '90s.
00:01
Ultimately this, was designed as a way of evaluating
00:01
systems to determine if
00:01
they provide the correct amount of security.
00:01
Now, there are other ways,
00:01
we have the CMMI model
00:01
and that basically is a way to evaluate processes.
00:01
Are your processes mature?
00:01
Then we have the Orange Book.
00:01
The Orange Book was part of a series of
00:01
books called The Rainbow Series.
00:01
These have evolved throughout
00:01
the years to the ITSEC and now the common criteria.
00:01
Just to focus on the Orange Book a little bit,
00:01
it provided essentially almost like a report card,
00:01
and the report card essentially said look,
00:01
if a system meets these requirements, it's a D,
00:01
if it meets higher requirements,
00:01
it's a C, higher requirements,
00:01
it's a B and the topmost systems
00:01
in the world are at an A level.
00:01
This book was developed by
00:01
the National Computer Security Center and ultimately
00:01
was designed specifically for systems
00:01
to be used by the Department of Defense,
00:01
by the federal government and
00:01
depending on what level of security
00:01
was necessary would allow an agency to determine,
00:01
hey, we can implement this system in this environment.
00:01
Now, these are the levels that
00:01
>> the Orange Book provided.
00:01
>> D was the very lowest, most minimal security.
00:01
C1 and C2 use what's called
00:01
discretionary protection and C1
00:01
is the lowest level of discretionary protection,
00:01
C2 is more elevated, more complex.
00:01
Then B1 is the lowest mandatory B2 and B3,
00:01
add additional functions and then the top is A1.
00:01
I don't want you memorizing the Orange Book standards.
00:01
What I want you to know is
00:01
the Orange Book was used at one point in
00:01
time in the US government to
00:01
determine whether or not a system should be certified.
00:01
For instance, I remember when Windows in
00:01
T was certified with the C2 rating.
00:01
This was way back in the day in the '90s.
00:01
Microsoft did everything but
00:01
higher bands marched down the street saying, hey,
00:01
we get C2 ratings,
00:01
because that was huge for them and because they
00:01
were now able to sell
00:01
their systems running in T to the federal government,
00:01
that was the requirement at the time.
00:01
Different agencies will have different requirements,
00:01
but that was the minimum requirement.
00:01
Ultimately, it was a way of certifying systems.
00:01
Now, the problem with
00:01
the TCSEC is that it was very rigid.
00:01
You had this list of requirements for
00:01
a particular system and if
00:01
the system didn't do every single thing on that list,
00:01
it didn't get certified.
00:01
We found that it just wasn't flexible
00:01
enough to really provide that
00:01
>> evaluation that we needed,
00:01
>> so in the next section,
00:01
we're going to find out if the TCSEC
00:01
didn't give us enough of what we need,
00:01
what will do that for us?
Up Next
Instructed By
Similar Content
