Certification and Accreditation: Part 2 - Common Criteria

Time: 15 hours 43 minutes
Difficulty: Advanced
CEU/CPE: 16

Video Transcription
Now in this section, we're going to focus on certification through the Common Criteria. I'd already said the previous evaluation criteria was just too rigid or there were other issues. The Common Criteria is what we're currently using as our standard to certify federal systems. We're going to look at that and we're going to talk about the processes for getting systems certified.

As I mentioned before, the Orange Book, or the TCSEC as its formal name was, was very rigid. You might have a really secure system, but because it didn't tick off one specific box on a checklist, it might get a much lower rating. We had good systems that weren't being certified. After that, the ITSEC came out, which was from the European Union, and they basically provided a really flexible way of evaluating systems, but it was so flexible nobody could figure out what was what. Then the Canadians, those silly Canadians, came up with... I love Canadians, I'm just joking. The Canadians came up with a product called the CTCPEC, which was their version. But ultimately, each of those different iterations had some problems. Ultimately what won out is the standard ISO 15408, the Common Criteria.

This is an international standard whose job it is to certify systems based on two elements, trust and assurance. Trust and assurance are two different aspects that let me know if this system is going to perform well. Trust is sometimes called function. The idea is we want trust of a system. We want function of a system, the function of the product. What does the product do? Of course, that's critical. Does the product support a firewall? Does the product allow auditing? Does the product have a separate account for the security administrator? Those are all under the category of trust, also known as function. But then we have assurance also, which is the assurance of the process: function of the product, assurance of the process. You might have a system that does a lot of really cool stuff, but if you don't have a sound and thorough process in place, your system isn't going to function reliably. For assurance, show me your documentation, show me how you tested the product, show me how revisions were handled, show me those things about the process. When we evaluate a system according to the Common Criteria, both of those areas are considered, function and assurance.

But let's walk through this process. We're going to start off up at the top with what's called the protection profile. This is a list of requirements that come from the customer. Let's say I'm a government agency that wants to put 300 computers on federal systems, and I have a need for what those computers will do. I will publish those requirements in a document called the protection profile. Now that protection profile is released and vendors will build systems to satisfy the protection profile. The systems they build are called TOEs, targets of evaluation. The requirements are in the protection profile; the systems vendors build are called the TOEs. Then also, the vendor will also provide a document called the security target. That security target is going to document how the target of evaluation meets the protection profile. You can think of it almost like their sales pitch: look at what a great product we've built for you.

Now, those elements are submitted for the audit process, where the auditor evaluates the function and assurance of a system and determines its evaluation assurance level, its EAL level. EAL is rated from 1-7, and it describes the degree to which the TOE meets the protection profile. EAL 1 is the lowest, EAL 7 is the highest. The idea is, let's say that I am wanting to get EAL certified for a case for my iPhone. Somebody builds a cheap case and I hold it an inch from the desk and drop it and it doesn't break, so that's functionally tested. That's EAL 1. Great, it passes this test. Now I'm going to hold it up three feet and drop it, and I'm going to tap on it or I drop it on a hard surface. EAL 3. I drop it from the top of my house onto a rocky surface. The idea is, under what type of testing can this product still meet its requirements? How stringent the testing is where the product still successfully meets those needs. Those are my EAL ratings. They don't necessarily mean greater security; they mean the closer the match to the protection profile of the customer.

I'll also mention, vendors don't just sit around waiting for customers to release protection profiles. If, as a customer, I have a need, I'll put down a protection profile, but as a vendor, I might just have a good idea for a system, and it's not the result of a protection profile. What I'll do is I'll build that system, the target of evaluation. I will provide a security target and the auditor will see how well my security target defines the target of evaluation. I just wanted to stress it doesn't always have to be a process initiated by the client; the vendors can initiate the process as well.

Now, all of this, the TCSEC, I mentioned briefly the ITSEC and the CTCPEC, the Common Criteria. All of these elements, or certification criteria, evaluate the trusted computing base of a system and determine the degree of technical security implementations. It's a technical exam. It is penetration testing. Does it sufficiently provide the degree of security that's necessary? If the product passes, it's now certified. Now, the product is presented to senior management and senior management decides, this meets my needs. We're going to implement this product and we accept all risks moving forward with the product, and that's called accreditation. Now of course, the government changes the name for these processes every little bit. Accreditation is now called authorization, and you'll have a designated authority who's capable of authorizing these systems, and ultimately, it comes down to, does it work? That's certification. Are we going to implement it? That's accreditation.

Just wrapping up, we talked about the Orange Book and some previous evaluation criteria, but with a real focus on the Common Criteria. ISO 15408 specifies that we use the Common Criteria to evaluate the trust and assurance of a product. We discussed the fact that EAL ratings are assigned to the product to indicate how successfully the product performs in various situations. Ultimately, this gives agencies the ability to determine, does a system meet our technical needs? Then after certification, it's up to the agency to decide to move forward with accreditation, also known as authorization.

Folks, that wraps up Domain 3 Part 2 of the security architecture and design element. This has been a chapter where we've covered a lot of good information. We started off by talking about our security models. Bell-LaPadula and Biba, Clark-Wilson, Brewer-Nash, those are the ones I would have you focus your attention on. Then we had system architecture where we talked about hardware, operating systems and application software. We talked about building for security so that these components could interoperate and move us closer to our goal of having a secure system. We also talked about certification and accreditation and the modes of secure operations for systems. That wraps up Chapter 3. Stay tuned for Domain 4, where we'll discuss networking and telecommunications.