Slides: 14
Slide 1
Omissions and errors in the CC: Who got it right?
8th ICCC
Denise Cater

Slide 2
Security Standards
ISO alone have issued:
• ISO 15408 – Common Criteria
• ISO 19092 – Financial Service – Security
• ISO 19790 – Security Requirements for Cryptographic Modules (FIPS 140)
• ISO 27001 – Information Security Management
• ISO 27002 (formerly ISO 17799) – ISMS best practice


Slide 4
Many standards: One CC
• Catalogue of security components:
  – Functional
  – Assurance
• Focus on repeatability
  – Voluminous guidance for consistent application
  – Scheme rules and interpretations
  = “Heavy” process

Slide 5
Payment Industry Security Standards
• Payment Card Industry (PCI) Data Security Standard
• EMV (Europay, Mastercard, Visa) Specifications
• APACS PIN Entry Device PP

Slide 6
APACS application of CC
• Own Certification Body
  – Appointment of labs
  – Issuing of certificates
• Focus on CC
  – Less emphasis on CEM
• Concentration of efforts
  – Design and testing seen as paramount
  – Procedural requirements seen as supporting

Slide 7
Smartcard Industry
• Developed PPs
• Generated own interpretations
  – Adopted as CC Supporting Documents
  – Included own Attack Potential Table
• Examples of Smartcard Specific Attacks

Slide 8
Smartcard Industry
• Took the CC and gave specific guidance for their industry
• A lot of focus placed on penetration testing
• Identified additional stages in lifecycle/delivery

Slide 9
Adapt to Adopt
• Both industries have made changes to use CC
  – Interpretations
  – Greater emphasis in some areas, less in others

Slide 10
Who got it right?
• The CC of course!
  – Providing a catalogue that Industry and other schemes can draw upon
• But, also Industry/other schemes
  – Focus on areas of specific interest
  – Light-touch on other areas

Slide 11
Who got it wrong?
• Those who requested EALs to be included in CC (for backwards compatibility)
  – Led to “incorrect” use of CC
  – Initially fewer PPs were developed, as effort concentrated on the assurance level alone

Slide 12
Who got it wrong?
• Authors of the CEM or CC Schemes?
  – Too prescriptive
  – Forcing evaluators to complete work units at a level of detail that is not always necessary
  – Time spent on “meeting the CEM” that would be better spent on testing and vulnerability analysis

Slide 13
In summary
• CC got it right
• CC got it wrong
But, Industry can adapt the CC to adopt it

Slide 14
Thank you
Denise Cater
denise@iconsecurity.co.uk