IT Security History and Architecture Part 2 of 6

Thursday, August 12, 2010

Dr. Steve Belovich


2.0 Security Standards and Certifications

This is the second installment of a six-part series on IT Security History and Architecture (Part One).

2.1 Standards

Another big issue is certification. Because the need for security is so evident and the lack of security is so prevalent, various standards and certifications have arisen to “prove” certain levels of security.

The DoD (Department of Defense), the NIST (National Institute of Standards and Technology), NIAP (National Information Assurance Partnership) and the ISO (International Standards Organization) have all issued and/or endorsed standards for system security.

The two main standards are DoD 5200.28 (the so-called “Orange Book”) and ISO 15408, shown below.

Secure System Classification (ISO 15408)
(NIST - National Institute of Standards & Technology)
(NIAP - National Information Assurance Partnership)

  • EAL-1 - Functionally Tested - independent testing of selected features.
  • EAL-2 - Structurally Tested - independent testing of selected features using limited developer design data.
  • EAL-3 - Methodically Tested & Checked - independent testing using limited developer design data, selective developer result confirmation, evidence of developer search for obvious vulnerabilities.
  • EAL-4 - Methodically Designed, Tested & Reviewed - independent testing using low-level vendor design data, search for vulnerabilities, development controls, automated configuration management.
  • EAL-5 - Semiformally Designed & Tested - independent testing of all of the implementation (the TOE, Target of Evaluation), formal model, semiformal conformance to design specs, vulnerability assessment for attackers with moderate potential.
  • EAL-6 - Semiformally Verified Design & Tested - independent testing of 100% of TOE, modular & layered approach to design, structured presentation, vulnerability assessment for attackers with high potential, systematic search for covert channels.
  • EAL-7 - Formally Verified Design & Tested - same as above, but all models, specs & presentations are formal, TOE is tightly focused on security functionality, amenable to formal analysis, design complexity must be minimized.

Secure System Classification (DoD)

  • D - Minimal Protection
  • C - Discretionary Protection
      • C1 - Discretionary Security Protection - separates users & data, uses credible controls to enforce access limitations on an individual basis.
      • C2 - Controlled Access Protection - users individually accountable for their actions, security audit trail, resource isolation.
  • B - Mandatory Protection
      • B1 - Labeled Security Protection - security policy model, keeps integrity of sensitivity labels, sensitivity labels must be held in all major system data structures, demonstration of reference monitor implementation.
      • B2 - Structured Protection - formal security policy model, discretionary & mandatory access control enforcement extended to all subjects & objects, separation of critical & non-critical system elements, stringent configuration management controls, covert channels are addressed, relatively resistant to penetration.
      • B3 - Security Domains - reference monitor mediates all accesses of subjects to objects and must be 100% tamperproof, TCB (Trusted Computing Base) contains only security-relevant code & data structures, system engineered for minimal complexity, security-relevant events are signaled, system recovery is required, highly resistant to penetration.
  • A - Verified Protection
      • A1 - Verified Design - functionally the same as B3, plus full mathematical verification of design.
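To make the C1/C2/B1 requirements above concrete, here is a toy reference monitor written for this post (it is not code from the original article or from any certified system). It assumes a four-level label set and the classic "no read up / no write down" mandatory rule behind sensitivity labels; the users, objects and ACLs are constructed.

```python
# Constructed example, not from the post: a toy reference monitor showing what the
# C1/C2/B1 bullets require in practice. The MAC rule assumed here is the classic
# "no read up / no write down" policy behind sensitivity labels.
from dataclasses import dataclass, field

LEVELS = {"UNCLASSIFIED": 0, "CONFIDENTIAL": 1, "SECRET": 2, "TOP_SECRET": 3}

@dataclass
class Subject:
    name: str
    clearance: str

@dataclass
class Object:
    name: str
    label: str                                # sensitivity label on every object (B1)
    acl: dict = field(default_factory=dict)   # user -> set of modes (C1 discretionary)

class ReferenceMonitor:
    """Mediates every subject-to-object access and records it (C2 audit trail)."""
    def __init__(self):
        self.audit = []   # (user, object, mode, decision): individual accountability

    def check(self, subj: Subject, obj: Object, mode: str) -> bool:
        dac = mode in obj.acl.get(subj.name, set())
        s, o = LEVELS[subj.clearance], LEVELS[obj.label]
        if mode == "read":
            mac = s >= o          # simple security property: no read up
        elif mode == "write":
            mac = s <= o          # *-property: no write down
        else:
            mac = False           # unknown mode: fail closed
        allowed = dac and mac     # both discretionary and mandatory checks must pass
        self.audit.append((subj.name, obj.name, mode, "ALLOW" if allowed else "DENY"))
        return allowed

def demo():
    rm = ReferenceMonitor()
    alice, bob = Subject("alice", "SECRET"), Subject("bob", "CONFIDENTIAL")
    plan = Object("plan.txt", "SECRET", {"alice": {"read", "write"}, "bob": {"read"}})
    memo = Object("memo.txt", "UNCLASSIFIED", {"alice": {"read", "write"}})
    results = {
        "alice_reads_plan": rm.check(alice, plan, "read"),    # DAC and MAC both allow
        "bob_reads_plan": rm.check(bob, plan, "read"),        # ACL grants it, label denies (read up)
        "alice_writes_memo": rm.check(alice, memo, "write"),  # ACL grants it, label denies (write down)
        "alice_reads_memo": rm.check(alice, memo, "read"),
    }
    return results, rm.audit
```

The two denials show why a C-class ACL alone is not B1: the discretionary grant is overridden by the label check, and every decision lands in the audit trail with the user named.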

2.2 The “Weak Spot” of Security Standards and Certifications

The problem with all of these standards and certifications is that they are imperfect and incomplete. The big flaw with the ISO 15408 standard is that it only focuses on the “TOE” (Target of Evaluation).

What this means is that a system can have the highest rating and still be vulnerable, since the vulnerable part of the system lay outside the TOE and was neither tested nor evaluated. This is not good.

The DoD standard does mandate some system structure so there is a lot more confidence in using that standard. However, that standard is incomplete and difficult to apply.

Further, few organizations are really skilled at application of these standards and there is a lot of politics in the process. Consequently, such certifications are more for legal defense (e.g., for defense against negligence) than they are for actual cyber defense.

Stay tuned for more!
