The ISC Handlers from the SANS Internet Storm Center published a series of diaries called Cyber Security Awareness Month throughout October. The goal was to promote standards and security. Once again they produced very good diaries, and you can see a list of the published diaries here.
Considering this, I decided to write a small article on this matter as well. The idea is to promote knowledge of the Common Criteria standard. This is an international standard which specifies security requirements and defines evaluation criteria to measure the security of a system product (hardware and software). I also give a brief background on what existed before this standard.
Among other things, Common Criteria has the goal of being the world standard for security specifications and evaluations. To accomplish this, the different national organizations that constitute the Common Criteria consortium worked with the International Organization for Standardization (ISO) in order for the standard to be accepted by them. This was a step in the right direction and Common Criteria version 2.1 is formally recognized as ISO 15408.
But let’s go back 30 years, to the National Computer Security Center (NCSC), at that time a branch of the National Security Agency (NSA). The center was established and was responsible for the United States government trusted computer program known as TCSEC (Trusted Computer System Evaluation Criteria). The center was also responsible for evaluating commercial security products, publishing and sponsoring research, and promoting technical guidelines. In 1985 the NCSC published the famous “Orange Book”. The book’s goal was to define security requirements, giving the security industry an instrument to measure the security of their systems. This is the book that specifies the well-known Class C2 rating. It can be downloaded here.
The Orange Book got its name simply because its cover was orange. This book was part of the Rainbow Series, a set of security requirements and guidelines documents named after their colorful covers. All books were produced by the National Security Agency and all products were tested by them. Over time, the TCSEC security evaluation lost the interest of the security industry because there was little return on investment, it only covered the US market, and it was a time-consuming process that caused products to gain their assurance certification levels when they were already end of life.
The next step made by government institutions was the evaluation criteria known as ITSEC. It was created by Canada, UK, France, Spain, Germany and United States. These security evaluation criteria addressed some of the limitations of the TCSEC and covered integrity and confidentiality, but the process didn’t last long.
After that, discussions started in order to develop a common set of standards that could be agreed on by an association of countries. There was a need for a program that would evaluate and quantify the assurance levels of a security product and would be recognized across different countries, and so Common Criteria was born. The goal of the program was to establish a high degree of assurance that products would consistently perform their security function safely and securely when handling data, and that failures would not result in the compromise of sensitive information. The expansion of the program also provided a broader market for those products completing the evaluation process by allowing international sales to the nations participating in the program. Some participating nations mandate the use of these products in their information systems. This mandate has translated into requirements for the system under development.
So, this is where we are today in terms of security evaluation criteria for IT systems. The CC philosophy is to provide assurance based on an evaluation (active investigation) of the IT product that is to be trusted. Evaluation is the traditional means of providing assurance and is the basis for prior evaluation criteria documents. The CC proposes to use expert evaluators to measure the validity of the documentation and the resulting IT product with increasing emphasis on scope, depth and rigor [Common Criteria part 3, 2006]. The scope, depth and rigor increase along with the levels of assurance known as EALs (Evaluation Assurance Levels). There are seven hierarchically ordered evaluation assurance levels defined in the CC to rate a TOE (Target of Evaluation), which could be a software application, an operating system, a software application in combination with an operating system, a smart card integrated circuit, a database application, etc.
The list of EALs is as follows:
Evaluation assurance level 1 (EAL 1) – functionally tested
Evaluation assurance level 2 (EAL 2) – structurally tested
Evaluation assurance level 3 (EAL 3) – methodically tested and checked
Evaluation assurance level 4 (EAL 4) – methodically designed, tested and reviewed
Evaluation assurance level 5 (EAL 5) – semiformally designed and tested
Evaluation assurance level 6 (EAL 6) – semiformally verified design and tested
Evaluation assurance level 7 (EAL 7) – formally verified design and tested
The intent of the higher levels is to provide higher confidence that the system’s principal security features are reliably implemented. The EAL does not measure the security of the system itself; it simply states at what level the system was tested. Achieving a higher EAL certification generally costs more money and takes more time than achieving a lower one. The EAL number assigned to a certified system indicates that the system completed all requirements for that level.
CC-evaluated products begin the process by being evaluated in a certified laboratory. These commercial laboratories are approved by the National Information Assurance Partnership Program (NIAP) members. The National Voluntary Laboratory Accreditation Program (NVLAP) provides third-party accreditation to testing and calibration laboratories. NVLAP accreditation is the primary requirement for becoming a Common Criteria Testing Laboratory.
Guidance on how to configure your IT systems in their CC-evaluated configuration is provided by the vendors. For example, there are Microsoft operating systems, Red Hat operating systems and Checkpoint firewalls, among several others, with EAL4 certification. The CC program provides you with a wealth of information that can help enable higher security in your implementation and deployment of evaluated products.
Windows Server 2003 Common Criteria Configuration Guide.
Windows Server 2003 Common Criteria Administrator’s Guide.
Checkpoint R7x Installation Guide for Common Criteria Evaluated Configuration.
Checkpoint R7x Administrator Guide for Common Criteria Evaluated Configuration.
Cisco ASA 7.0.6 Installation and Configuration Guide for Common Criteria Evaluated Configuration.
The list of certified products can be accessed on the Common Criteria Portal.
Official (ISC)2 Guide to ISSAP CBK
Common Criteria for Information Technology Security Evaluation Part 1: Introduction and General Model, version 3.1 Revision 4
Common Criteria for Information Technology Security Evaluation Part 3: Security Assurance Requirements, version 2.3