Omissions and errors in the CC
Who got it right?
8ICCC
Denise Cater
Security Standards
ISO alone have issued:
• ISO15408 – Common Criteria
• ISO19092 – Financial Service – Security
• ISO19790 – Security Requirements for Cryptographic modules (FIPS 140)
• ISO27001 – Information Security Management
• ISO27002 (formerly ISO 17799) – ISMS best practice
Many standards: One CC
• Catalogue of security components:
  • Functional
  • Assurance
• Focus on repeatability
• Voluminous guidance for consistent application
• Scheme rules and interpretations = “Heavy” process
APACS Payment Industry Security Standards
• Payment Card Industry (PCI) Data Security Standard
• EMV (Europay, Mastercard, Visa) Specifications
• APACS PIN Entry Device PP
APACS application of CC
• Own Certification Body
  • Appointment of labs
  • Issuing of certificates
• Focus on CC
  • Less emphasis on CEM
• Concentration of efforts
  • Design and testing seen as paramount
  • Procedural requirements seen as supporting
Smartcard Industry
• Developed PPs
• Generated own interpretations
  • Adopted as CC Supporting Documents
• Included own Attack Potential Table
  • Examples of Smartcard Specific Attacks
Smartcard Industry
• Took the CC and gave specific guidance for their industry
• A lot of focus placed on penetration testing
• Identified additional stages in lifecycle/delivery
Adapt to Adopt
• Both industries have made changes to use CC
  • Interpretations
  • Greater emphasis in some areas, less in others
Who got it right?
• The CC of course!
  • Providing a catalogue that Industry and other schemes can draw upon
• But, also Industry/other schemes
  • Focus on areas of specific interest
  • Light-touch on other areas
Who got it wrong?
• Those who requested EALs to be included in CC (for backwards compatibility)
  • Led to “incorrect” use of CC
  • Initially fewer PPs were developed, as effort concentrated on the assurance level alone
Who got it wrong?
• Authors of the CEM or CC Schemes?
  • Too prescriptive
  • Forcing evaluators to complete work units at a level of detail that is not always necessary
  • Time spent on “meeting the CEM” that would be better spent on testing and vulnerability analysis
In summary
• CC got it right
• CC got it wrong
But, Industry can adapt the CC to adopt it
Thank you
Denise Cater
denise@iconsecurity.co.uk