EVALUATION CRITERIA OF SYSTEMS SECURITY CONTROLS

By Lawrence C. Miller, Peter H. Gregory


Evaluation criteria provide a standard for quantifying the security of a computer system or network. These criteria include the Trusted Computer System Evaluation Criteria (TCSEC), Trusted Network Interpretation (TNI), European Information Technology Security Evaluation Criteria (ITSEC), and the Common Criteria.

TRUSTED COMPUTER SYSTEM EVALUATION CRITERIA (TCSEC)

The Trusted Computer System Evaluation Criteria (TCSEC), commonly known as the Orange Book, is part of the Rainbow Series developed for the U.S. DoD by the National Computer Security Center (NCSC). Its mandatory access control and labeling requirements are derived from the Bell-LaPadula confidentiality model. The evaluation criteria were developed to achieve the following objectives:
  • Measurement: Provides a metric for assessing comparative levels of trust between different computer systems.
  • Guidance: Identifies standard security requirements that vendors must build into systems to achieve a given trust level.
  • Acquisition: Provides customers a standard for specifying acquisition requirements and identifying systems that meet those requirements.
The four basic control requirements identified in the Orange Book are
  • Security policy: The rules and procedures by which a trusted system operates. Specific TCSEC requirements include
    • Discretionary access control (DAC): Owners of objects are able to assign permissions to other subjects.
    • Mandatory access control (MAC): The system itself decides access by comparing the sensitivity label on an object with the clearance of the subject. Labels and clearances are assigned by an administrator; an object's owner cannot grant access that the labels forbid.
    • Object reuse: Protects confidentiality of objects (disk blocks, memory pages, registers) that are reassigned to a new subject after initial use. For example, deleting a file on a FAT file system only releases the file's entries in the file allocation table and marks its directory entry as unused (by overwriting the first character of the name); the data blocks themselves are untouched. Residual data can therefore be recovered, which is the problem of data remanence. Object-reuse requirements ensure that storage is cleared of the previous holder's information before it is handed to another subject.
    • Labels: Sensitivity labels are required in MAC-based systems. Specific TCSEC labeling requirements include integrity, export, and subject/object labels.
  • Assurance: Guarantees that a security policy is correctly implemented. TCSEC divides its assurance requirements into operational assurance (the first five items below) and life-cycle assurance (the remaining four):
    • System architecture: TCSEC requires features and principles of system design that implement specific security features.
    • System integrity: Hardware and firmware operate properly and are tested to verify proper operation.
    • Covert channel analysis: TCSEC requires analysis that detects unintended communication paths not protected by a system's normal security mechanisms. A covert storage channel conveys information by altering stored system data (for example, whether a file exists or whether a shared disk is full). A covert timing channel conveys information by altering a system resource's performance or timing.
    Remember: A systems or security architect must understand covert channels and how they work in order to prevent their use in the system environment.
    • Trusted facility management: The assignment of a specific individual to administer the security-related functions of a system. Closely related to the concepts of least privilege, separation of duties, and need-to-know.
    • Trusted recovery: Ensures that security isn't compromised in the event of a system crash or failure. This process involves two primary activities: failure preparation and system recovery.
    • Security testing: Specifies required testing by the developer and the National Computer Security Center (NCSC).
    • Design specification and verification: Requires that the design description be shown to be consistent with the security policy, ranging from a descriptive top-level specification at B2 to a formal top-level specification that is formally verified against the security model at A1.
    • Configuration management: Identifying, controlling, accounting for, and auditing all changes made to the Trusted Computing Base (TCB) during the design, development, and maintenance phases of a system's lifecycle.
    • Trusted distribution: Protects a system during transport from a vendor to a customer.
  • Accountability: The ability to associate users and processes with their actions. Specific TCSEC requirements include
    • Identification and authentication (I&A): The system must identify each user and verify that identity before granting access, so that every action can be attributed to an individual.
    • Trusted path: A direct communications path between the user and the Trusted Computing Base (TCB) that doesn't require interaction with untrusted applications or operating-system layers.
    • Audit: Recording, examining, analyzing, and reviewing security-related activities in a trusted system.
  • Documentation: Specific TCSEC requirements include
    • Security Features User's Guide (SFUG): User's manual for the system.
    • Trusted Facility Manual (TFM): System administrator's and/or security administrator's manual.
    • Test documentation: According to the TCSEC manual, this documentation must "show how the security mechanisms were tested, and results of the security mechanisms' functional testing."
    • Design documentation: Defines system boundaries and internal components, such as the Trusted Computing Base (TCB).
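The security-policy and accountability requirements above (DAC, MAC with sensitivity labels, and audit) are easiest to see in a small reference monitor that mediates every access. The following Python is an added example written for this page, not code from the book or from any evaluated system; the subject names, labels, and objects are made up. It applies the Bell-LaPadula rules (no read up, no write down, using a dominance relation over a level plus a set of categories) and a separate owner-managed ACL, and grants access only when both checks pass, recording each decision in an audit trail.

```python
"""Toy reference monitor: MAC via Bell-LaPadula labels, DAC via owner-managed
permissions, and an audit record for every decision.
Constructed example; subjects, objects and labels are made up."""
from dataclasses import dataclass, field

# Hierarchical classification levels: a higher number dominates a lower one.
LEVELS = {"UNCLASSIFIED": 0, "CONFIDENTIAL": 1, "SECRET": 2, "TOP SECRET": 3}


@dataclass(frozen=True)
class Label:
    """Sensitivity label: a level plus a set of need-to-know categories."""
    level: str
    categories: frozenset = frozenset()

    def dominates(self, other: "Label") -> bool:
        # A dominates B when A's level is at least B's and A holds every category of B.
        return (LEVELS[self.level] >= LEVELS[other.level]
                and self.categories >= other.categories)


@dataclass
class Subject:
    name: str
    clearance: Label


@dataclass
class StorageObject:
    name: str
    label: Label
    owner: str
    acl: dict = field(default_factory=dict)   # grantee name -> set of modes (DAC)


class ReferenceMonitor:
    """Mediates every access; both the MAC check and the DAC check must pass."""

    def __init__(self):
        self.audit_trail = []   # accountability: (subject, action, object, decision, reason)

    @staticmethod
    def _mac_permits(subj, obj, mode):
        if mode == "read":    # simple security property: no read up
            return subj.clearance.dominates(obj.label)
        if mode == "write":   # *-property: no write down
            return obj.label.dominates(subj.clearance)
        return False

    @staticmethod
    def _dac_permits(subj, obj, mode):
        return subj.name == obj.owner or mode in obj.acl.get(subj.name, set())

    def grant(self, granter, obj, grantee, modes):
        """DAC: only the owner may change an object's permissions."""
        allowed = granter.name == obj.owner
        if allowed:
            obj.acl[grantee] = set(modes)
        self.audit_trail.append((granter.name, "grant", obj.name, allowed, f"to={grantee}"))
        return allowed

    def access(self, subj, obj, mode):
        mac = self._mac_permits(subj, obj, mode)
        dac = self._dac_permits(subj, obj, mode)
        decision = mac and dac
        self.audit_trail.append((subj.name, mode, obj.name, decision, f"mac={mac} dac={dac}"))
        return decision


def demo():
    """Exercise the monitor; returns (decisions keyed by description, audit trail)."""
    rm = ReferenceMonitor()
    alice = Subject("alice", Label("SECRET", frozenset({"NUCLEAR"})))
    bob = Subject("bob", Label("CONFIDENTIAL"))
    carol = Subject("carol", Label("SECRET"))        # SECRET, but not cleared for NUCLEAR
    plan = StorageObject("plan", Label("SECRET", frozenset({"NUCLEAR"})), owner="alice")
    memo = StorageObject("memo", Label("CONFIDENTIAL"), owner="bob")

    results = {
        # owners may hand out discretionary permissions on their own objects only
        "bob grants alice rw on memo": rm.grant(bob, memo, "alice", {"read", "write"}),
        "bob grants himself read on plan": rm.grant(bob, plan, "bob", {"read"}),
        "alice grants carol read on plan": rm.grant(alice, plan, "carol", {"read"}),
        # MAC and DAC both satisfied
        "alice reads plan": rm.access(alice, plan, "read"),
        "alice reads memo": rm.access(alice, memo, "read"),
        # DAC granted, but MAC forbids writing down from SECRET to CONFIDENTIAL
        "alice writes memo": rm.access(alice, memo, "write"),
        # MAC forbids reading up, whatever the ACL says
        "bob reads plan": rm.access(bob, plan, "read"),
        # MAC allows writing up, but DAC has no entry for bob
        "bob writes plan": rm.access(bob, plan, "write"),
        # DAC granted, but carol lacks the NUCLEAR category
        "carol reads plan": rm.access(carol, plan, "read"),
    }
    return results, rm.audit_trail
```

The two denials worth noticing are "alice writes memo" (the owner's discretionary grant cannot override the mandatory policy) and "bob writes plan" (the mandatory policy permits writing up, but the owner never granted it), which is exactly why TCSEC requires both mechanisms rather than either alone.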
TCSEC groups evaluated systems into four hierarchical divisions, from least to most trusted:
  • D: Minimal protection
  • C: Discretionary protection (C1 and C2)
  • B: Mandatory protection (B1, B2, and B3)
  • A: Verified protection (A1)
Each division is further divided into numbered classes; a higher number means stronger requirements, and each class includes the requirements of the classes below it. The classes are summarized in the following table.

TCSEC Classes

  Class      Name                                  Sample requirements
  D          Minimal protection                    Reserved for systems that have been evaluated but fail to meet the requirements of a higher class.
  C1         Discretionary protection (DAC)        System doesn't need to distinguish between individual users and types of access.
  C2         Controlled access protection (DAC)    System must distinguish between individual users and types of access; object reuse and audit features required.
  B1         Labeled security protection (MAC)     Sensitivity labels required for all subjects and storage objects.
  B2         Structured protection (MAC)           Sensitivity labels required for all subjects and objects; trusted path requirements.
  B3         Security domains (MAC)                Access control lists (ACLs) are specifically required; system must protect against covert channels.
  A1         Verified design (MAC)                 Formal Top-Level Specification (FTLS) required; configuration management procedures must be enforced throughout the entire system lifecycle.
  Beyond A1                                        Self-protection and reference monitors are implemented in the Trusted Computing Base (TCB); TCB verified to source-code level.
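The object-reuse requirement that first appears at C2 is concrete enough to demonstrate. The following Python is an added example written for this page, not code from the book; the block size, subject names, and the 16-byte "secret" are made up. It models a block allocator whose release operation behaves like the FAT-style deletion described under Security policy (the allocation record disappears, the bytes stay) and compares it with a release that overwrites the block before it can be reassigned.

```python
"""Object reuse / data remanence: a toy block allocator that hands released
blocks to the next subject, with and without clearing them first.
Constructed example; the secret and the subject names are made up."""

BLOCK_SIZE = 16


class BlockStore:
    """A pool of fixed-size storage blocks shared by several subjects.

    release() models deleting a file on a simple file system: the allocation
    record is dropped, but unless sanitize_on_release is set the bytes stay."""

    def __init__(self, nblocks, sanitize_on_release):
        self.blocks = [bytearray(BLOCK_SIZE) for _ in range(nblocks)]
        self.free = list(range(nblocks))   # LIFO free list: last freed is next allocated
        self.holder = {}                   # block number -> subject currently holding it
        self.sanitize_on_release = sanitize_on_release

    def allocate(self, subject):
        blk = self.free.pop()
        self.holder[blk] = subject
        return blk

    def _check(self, subject, blk):
        # Access control on the block itself works; the leak comes from reassignment.
        if self.holder.get(blk) != subject:
            raise PermissionError(f"{subject} does not hold block {blk}")

    def write(self, subject, blk, data):
        self._check(subject, blk)
        if len(data) > BLOCK_SIZE:
            raise ValueError("data exceeds block size")
        self.blocks[blk][: len(data)] = data

    def read(self, subject, blk):
        self._check(subject, blk)
        return bytes(self.blocks[blk])   # the whole block, slack bytes included

    def release(self, subject, blk):
        self._check(subject, blk)
        if self.sanitize_on_release:
            self.blocks[blk][:] = bytes(BLOCK_SIZE)   # overwrite before reassignment
        del self.holder[blk]
        self.free.append(blk)


SECRET = b"LAUNCH CODE 7731"   # constructed 16-byte secret


def residue_seen_by_next_holder(sanitize_on_release):
    """A high subject writes a secret and releases the block; a low subject is
    then allocated the same block. Returns what the low subject reads."""
    store = BlockStore(nblocks=4, sanitize_on_release=sanitize_on_release)
    blk = store.allocate("high")
    store.write("high", blk, SECRET)
    store.release("high", blk)        # "delete": only the allocation record goes away
    reused = store.allocate("low")    # LIFO free list hands back the very same block
    assert reused == blk
    return store.read("low", reused)
```

Without sanitizing, the low subject reads the secret intact even though it was never permitted to access the block while the high subject held it; with sanitizing, it reads zeros. Real systems face the same choice for freed memory pages, CPU registers, and reallocated disk sectors.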
Major limitations of the Orange Book include that
  • It addresses only confidentiality issues. It doesn't include integrity and availability.
  • It isn't applicable to most commercial systems.
  • It emphasizes protection from unauthorized access, despite statistical evidence that many security violations involve insiders.
  • It doesn't address networking issues.

TRUSTED NETWORK INTERPRETATION (TNI)

Part of the Rainbow Series, like TCSEC (discussed in the preceding section), the Trusted Network Interpretation (TNI) addresses confidentiality and integrity in trusted computer/communications network systems. Within the Rainbow Series, it's known as the Red Book.
Part I of the TNI is a guideline for extending the system protection standards defined in the TCSEC (the Orange Book) to networks. Part II of the TNI describes additional security features such as communications integrity, protection from denial of service, and transmission security.

EUROPEAN INFORMATION TECHNOLOGY SECURITY EVALUATION CRITERIA (ITSEC)

Unlike TCSEC, the European Information Technology Security Evaluation Criteria (ITSEC) addresses confidentiality, integrity, and availability, as well as evaluating an entire system, defined as a Target of Evaluation (TOE), rather than a single computing platform.
ITSEC evaluates functionality (security objectives, or why; security-enforcing functions, or what; and security mechanisms, or how) and assurance (effectiveness and correctness) separately. The ten functionality (F) classes and seven evaluation (E) (assurance) levels are listed in the following table.

ITSEC Functionality (F) Classes and Evaluation (E) Levels Mapped to TCSEC Levels

  (F) Class   (E) Level   Description
  NA          E0          Equivalent to TCSEC level D
  F-C1        E1          Equivalent to TCSEC level C1
  F-C2        E2          Equivalent to TCSEC level C2
  F-B1        E3          Equivalent to TCSEC level B1
  F-B2        E4          Equivalent to TCSEC level B2
  F-B3        E5          Equivalent to TCSEC level B3
  F-B3        E6          Equivalent to TCSEC level A1
  F-IN        NA          TOEs with high integrity requirements
  F-AV        NA          TOEs with high availability requirements
  F-DI        NA          TOEs with high integrity requirements during data communication
  F-DC        NA          TOEs with high confidentiality requirements during data communication
  F-DX        NA          Networks with high confidentiality and integrity requirements

You don't need to know the specific requirements of each ITSEC level for the CISSP exam, but you should know how the basic functionality classes (F-C1 through F-B3) and evaluation levels (E0 through E6) correlate to TCSEC levels.

COMMON CRITERIA

The Common Criteria for Information Technology Security Evaluation (usually just called Common Criteria) is an international effort to standardize and improve existing European and North American evaluation criteria. The Common Criteria has been adopted as an international standard in ISO/IEC 15408. The standard defines seven evaluation assurance levels (EALs), EAL1 through EAL7, which are listed in the following table with their rough TCSEC and ITSEC equivalents. EAL0 is not a level defined by the standard; it is sometimes used informally for a product that fails to reach EAL1. Note that an EAL states how rigorously a product was evaluated against its own security target, not how much security functionality it provides: two EAL4 products may offer very different protection.

The Common Criteria

  Level   TCSEC Equivalent   ITSEC Equivalent   Description
  EAL0    N/A                N/A                Inadequate assurance
  EAL1    N/A                N/A                Functionally tested
  EAL2    C1                 E1                 Structurally tested
  EAL3    C2                 E2                 Methodically tested and checked
  EAL4    B1                 E3                 Methodically designed, tested, and reviewed
  EAL5    B2                 E4                 Semi-formally designed and tested
  EAL6    B3                 E5                 Semi-formally verified design and tested
  EAL7    A1                 E6                 Formally verified design and tested