Contributors - CyberSecurity Malaysia

More documents

Recommendations

Info

32.Usually, in any CC scheme, there will be four partiesinvolved in the evaluation and certification of a product:1) The developer who developed the product or thesponsor who sponsored the developer for their productcertification. [Note: The term ‘sponsor’ will be usedonwards to represent the sponsor/developer in thecontext of this article]2) The consultant who has been contracted by thesponsor to produce the documentation necessary forevaluation. However, the consultant is an optionalparticipant depending on the sponsor’s willingnessto hire them. The sponsor can also produce the CCdocumentation on their own.3) The evaluation facilities/laboratory which is thephysical venue/location used in evaluating the productagainst CC requirements by the evaluators.4) The certification body, usually a government agencythat oversees the evaluation process and eventuallygives out the certificate that states the product hasbeen successfully evaluated and therefore, certified.How does the use of a CC certified productincrease CNII security, resilience and self-reliance?Common Criteria is a product security framework.CC comprises three important parts:Part 1: Introduction and the CC General ModelPart 2: Security Functional ComponentsPart 3: Security Assurance ComponentsAll three parts are linked in a Common EvaluationMethodology (CEM). Part 1 is all about CC in general. Part2 describes security requirements in CC language. Thesponsor needs to interpret their product security functionsin terms of CC language by picking and matching the SecurityFunctional Requirements (SFR) in Part 2 to the productsecurity functions. This is important in standardising thesecurity functions used in one terminology, which is theCC terminology. Part 3 is the assurance requirement thatcovers major aspects of a product development process– security problem definition, security features usedto mitigate security problems, development, life cycle,testing, and vulnerability assessment. Identification anderadication of security flaws discovered on the product,system or life-cycle development during evaluation willresult in a more robust IT product or system. Improvementof security engineering practices for the IT product orsystem developers during development and maintenanceactivities is important, and if neglected, may result invulnerability of the product or system.The important thing to highlight is that assurancerequirement in CC comprise standard phases of a productdevelopment process and emphasises the security ofthe environment where the product is installed. Securityis not only enforced by the product but also depends onthe people and environment that surround the product.Thus, it gives consumers (who can be public consumers,consumers from the government sector or private sector)a level of assurance on the reliability and security featuresenforced by the product.How to promote CC implementationPromote CC benefits to local developersMarket Access: When a product gets CC certification, theproduct gains access to new markets and opportunities,especially in countries that are a signatory to the CommonCriteria Recognition Arrangement such as Australia,Germany, United States, United Kingdom, Japan and Korea.In these countries, CC is mutually recognised as a standardthat provides assurance of the reliability of any evaluatedsecurity feature.Independent Verification: Gaining independent verificationof security claims in an ICT product or system usingstandard terms (CC terms) for product comparison isadvantageous and becomes a market differentiator. Aproduct which is CC certified definitely has an advantagebecause its security functions have been evaluated andverified by an evaluation facility.Increase security awareness to consumerIn CC evaluation, a documentation called Security Target(ST) will be produced by the sponsor to define their Targetof Evaluation (TOE), which are parts of product featuresthat will be evaluated. The ST also specifies the scope ofevaluation, security problems that the TOE solves, theassumptions put into the environment that will ensure theeffectiveness of the TOE, and the evaluated TOE securityfeatures. Thus, a consumer who is aware of informationsecurity will definitely want to know all the contents thathave been specified in the ST as their basis for productcomparison.Government directive on purchasing CC certifiedproductsThe first step to implement this directive is to call forthe developments of Protection Profile (PP) from usercommunities, IT product developers, or a combinationof both user and developer. A PP is a specification of acommon set of security requirements for a security problemwhich is not product specific, evaluated by an evaluationfacility and verified by a certification body. A PP can beon a Firewall, Smart Card, network device, or any systemor device that is protecting valuable assets (information,infrastructure) in government sectors. PP is treated as arequirement for security features of that particular producttype. Policies can be developed to reflect any product thatis going to be purchased by the government. It is critical toprotect the government’s assets. Hence, there is a need fora product to comply with the requirements in a PP, whichmeans that the product needs to be CC certified.
33.Case Study: US Government DirectivesConclusionAccording to Alex Ragen [6], the US government and theUS industry have increased their security control in allsecurity aspects including information security since theterrorist attacks on September 11, 2001. In the aspect ofinformation security, Common Criteria has been chosen asthe baseline standard for assuring security in ICT products.Therefore, the US government has taken action byreleasing two directives on the procurement of CC certifiedICT products for US government agencies:1) US National Information Assurance (IA) AcquisitionPolicy [7]The US National Security Telecommunications andInformation Systems Security Committee (NSTISSC), alsoknown as the Committee on National Security Systems(CNSS), has specified in the National InformationAssurance (IA) Acquisition Policy (NSTISSP No. 11), thatany acquisition for ICT products used for entering,processing, storing, displaying or transmitting nationalsecurity information, shall be limited to evaluated andverified products in accordance with Common Criteria,NIAP Evaluation and Validity Programs, or NIST FederalInformation Processing Standards (FIPS). This meansUS Government Departments and Agencies should onlypurchase certified products to protect their valuableassets; products that provide a certain level of assuranceon their reliability. This directive came into effect on July1, 2002.2) US Department of Defense’s Instruction [8]The US Department of Defense (DoD) has instructedthat ICT products that are purchased must comply withthe Protection Profile (PP) which has been approvedby the US government. If no PP exists for the relatedtechnology, the acquiring organisation must have theproduct evaluated and verified under the CommonCriteria scheme before purchase. This directive is onlyenforced throughout the US Department of Defenseonly.The US government has implemented these directives toensure information security is put in place. It shows thatCC is accepted as the standard assurance that a productis reliable in terms of protecting assets and protectingitself from being tampered by attackers. It is time for usto take the same step.Common Criteria is new in Malaysia. Structured planningshould be implemented to allow this standard to gainrecognition among the developer community andconsumers. Currently, CyberSecurity Malaysia is pioneeringthe initiative to establish a CC Scheme in Malaysia. AMalaysian Common Criteria Certification Body (MyCB) andMalaysian Security Evaluation Facility (MySEF) have beenestablished under CyberSecurity Malaysia for executingthe Common Criteria evaluation and certification process.This initiative should be supported and promoted as one ofthe efforts to secure our information security environment,especially our CNII information security environment. •References[1] Idan Ofrat, 2008, “C4 Security Advisory - ABBPCU400 4.4-4.6 Remote Buffer Overflow”, C4 SCADAvulnerability research portal, http://www.scadasecurity.com/vulnerabilities/abb1.html[2] Ministry of Science, Technology and Innovation(MOSTI), ICT Policy Division, 2008, “National CyberSecurity Policy”, Malaysia’s National Cyber SecurityPolicy, pp. 2-4, http://www.mosti.gov.my/mosti/images/pdf/NCSP-Policy2.pdf[3] CyberSecurity Malaysia, 2009, “About CNII”, CNIIPortal, http://cnii.cybersecurity.my/en/about.html[4] CCRA, 2009, “About Common Criteria”, CommonCriteria Portal, http://www.commoncriteriaportal.org/index.html[5] CyberSecurity Malaysia, 2009, “Common Criteria”,MySEF Evaluation Facilities web portal, http://www.cybersecurity.my/en/services/security_assurance/cc/main/detail/1494/index.html[6] Alex Ragen, 2007, “Manager’s Guide to CommonCriteria”, pp. 5[7] National Security Telecommunications andInformation Systems Security Committee (NSTISSC),2003, “National Information Assurance AcquisitionPolicy (NSTISSP) No. 11”, National Policy Governingthe Acquisition of Information Assurance (IA) andIA-Enabled Information Technology (IT) Products,pp. 2-3, http://www.niap-ccevs.org/cc-scheme/nstissp_11_revised_factsheet.pdf[8] Department of Defense (DoD), United Statesof America, 2003, “Information Assurance (IA)Implementation”, Department of Defense Instruction,NUMBER 8500.2, E3.2.5.1, pp. 34, http://www.niapccevs.org/cc-scheme/policy/dod/d85002p.pdfe-Security | CyberSecurity Malaysia | Volume 21 - (Q4/2009)
Page 1: Volume 21 - (Q4/2009)“Companies s
Page 4 and 5: 4.MyCERT 4th Quarter 2009 SummaryRe
Page 6 and 7: 6.USB PortA culprit to ICT Security
Page 8 and 9: 8.Specific device setup classes can
Page 10 and 11: 10.ConclusionReferencesUSB removabl
Page 12 and 13: 12.Figure 9: Interpreting “Active
Page 14 and 15: 14.7. A list of time zone propertie
Page 16 and 17: 16.allowing you to specify which da
Page 18: 18.Guide to Motion Compensation (Ph
Page 21 and 22: Graph 1 shows all the satisfied poi
Page 23 and 24: CyberdatingHow to Have Funbut Stay
Page 25 and 26: find them. If anything goes wrong,
Page 27 and 28: 27.What could be the threats to ena
Page 29 and 30: 29.InternetRadio Frequency Identifi
Page 31: Common Criteria andNational Cyber S
Page 35 and 36: has caused a US$2.25 million fine t
Page 37 and 38: 37.lewat sampai pada penerima ataup
Page 39 and 40: For instance TM, Malaysia’s large

Contributors - CyberSecurity Malaysia

Create successful ePaper yourself

Delete template?

Save as template?