© Crown Copyright (2000)

Module 1

Evaluation Overview

“You Are Here”

MODULE 3: SCHEME RULES & PROCEDURES

MODULE 2: ASSURANCE

MODULE 1: EVALUATION OVERVIEW

Introduction

• Why is IT Security needed?

• What is IT security evaluation?

• What is Assurance?

• What are the Scheme Rules?

What Protection?

Salaries Database

Aspects of IT Security

• Confidentiality - protection against unauthorised disclosure of information

• Integrity - protection against unauthorised modification of information or loss of accuracy

• Availability - protection against unauthorised withholding of information or resources

Assets and Threats

• Assets
  – valuable organisational resources
  – disclosure or compromise or loss would be inconvenient or harmful

• Threats
  – a potentially harmful action affecting confidentiality, integrity or availability of assets

Countermeasures

• A measure put in place to counter, or help counter, an identified threat to an asset

• Countermeasures can be:
  – IT, i.e. implemented by hardware, firmware or software; or
  – non-IT, e.g. physical or procedural measures

Types of Countermeasure

• Preventative
  – place restrictions on who can do what

• Detective
  – provide means to detect events which indicate a potential compromise of assets

• Corrective
  – take action in response to undesirable events

Countermeasure Examples

• Preventative:
  – access control (physical or logical)
  – data encryption

• Detective:
  – auditing of security relevant events
  – data integrity measures, e.g. checksums

• Corrective:
  – user account lockout after login failures
  – suspension of inactive user sessions

Vulnerabilities and Risks

• Vulnerabilities
  – a security weakness that may allow realisation of a threat to compromise an asset

• Risk
  – likelihood of a threat exploiting a vulnerability to harm an asset and/or cause loss

Castle Example

Sources of Vulnerabilities

Vulnerabilities can arise from:

• Inappropriate selection of countermeasures

• Errors in their design or implementation

• Conflict between countermeasures

• Loopholes allowing circumvention of countermeasures

• Misuse of countermeasures

Impact of Vulnerabilities

Vulnerabilities can be:

• Exploitable
  – given sufficient time, resources and expertise an attacker could break through in practice

• Non-Exploitable
  – an attacker will be unable in practice to exploit it to compromise an asset

What is Evaluation?

• An independent assessment of a Target of Evaluation (TOE) involving
  – analysis
  – testing

• Scope of work is defined in a Security Target

• Aimed at establishing a required level of assurance

What is Assurance?

• A measure of confidence that a TOE meets its security objectives
  – risk to assets reduced to acceptable level

• Assurance is governed by
  – depth of evaluator analysis
  – degree of developer and evaluator testing
  – formality / rigour of developer evidence

• Leads to concept of Assurance Levels

Scope of Evaluation

• Product - an IT package that can be purchased and deployed in a number of different operational environments

• System - a specific IT installation with a particular purpose and a known operational environment

Security Target

• This defines:
  – the assets, threats
  – assumptions
  – environment ... etc.

• Everything you need to know about the TOE
  – including the IT countermeasures or security functions

Evaluation Criteria

• European, 1991
  – Information Technology Security Evaluation Criteria (ITSEC)

• World-wide (ISO standard), 1998
  – Common Criteria (CC)

Evaluation Methodology

• How we do evaluations
  – defined in ITSEM and CEM

• Defines techniques for the various activities:
  – Refinement Analysis
  – TOE life-cycle assessment
  – Vulnerability Analysis
  – Testing of TOE

The UK Scheme

• Scheme rules cover
  – quality and management
  – security / confidentiality
  – training
  – appointment and accreditation

Evaluation Parties

• Developer - produces the TOE

• Sponsor - pays for the evaluation

• Evaluator - performs the evaluation

• Certifier - oversees the evaluation and issues certificates where appropriate

• Accreditor - relevant to systems only

Evaluation Process

[Diagram. Parties: Developer / Sponsor, CLEF, Certification Body, Accreditor / Sponsor. Items shown: TOE Definition, Deliverables, Problem Reports, Evaluation Technical Report, Certification Report.]

Evaluation Conduct

• Impartiality - what interest do you have in the outcome?

• Repeatability - could you get the same results?

• Reproducibility - would other CLEFs get the same results?

• Objectivity - minimise subjective judgement

Summary - 1

• Need IT Security to protect assets from threats using adequate countermeasures

• Evaluation allows a Target Of Evaluation to be independently assessed

• Assurance gives a level of confidence that a TOE meets its security objectives

Summary - 2

• Evaluation Criteria - ITSEC and CC

• Evaluation Methodology - ITSEM and CEM

• Scheme Rules and Interpretations
  – quality, management, security, training
  – application of criteria and methodology

• Evaluation Conduct
  – impartial, repeatable, reproducible and objective

Further Reading

• UKSP 01

• UKSP 04 Part 1

• ITSEC, Sections 0 and 1

• Common Criteria Part 1, Section 4