Post on 18-May-2018
Pattern Recognition and Applications Lab
University of Cagliari, Italy
Department of Electrical and Electronic Engineering
CYBERSECURITY CERTIFICATIONS
Giorgio Giacinto
giacinto@diee.unica.it
Computer Security 2017
http://pralab.diee.unica.it
What is the meaning of certification?
• Need to define the meaning of security
  – Which are the characteristics of a secure system?
  – How to define different levels of security?
• Need to regulate a hierarchy of certification services
  – Who is entitled to assign the roles for issuing certificates
  – The characteristics needed to apply to the role of certification body
• Professional certification
• Product and Process Certifications
CISSP: Certified Information Systems Security Professional
• Managed by the not-for-profit organization (ISC)² International Information Systems Security Certification Consortium.
• Since 2004 the CISSP certification is compliant with the ANSI ISO/IEC Standard 17024
  – Current version: ISO/IEC 17024:2012
• This certification is compliant with the requirements of the US Department of Defense (DoD)
How to obtain the CISSP certification
• Candidates must have a minimum of 5 years cumulative paid full-time work experience in 2 or more of the following 8 domains of the CISSP CBK (Common Body of Knowledge), then pass the exam on the 8 domains
  – Security and Risk Management
    • Security, Risk, Compliance, Law, Regulations, Business Continuity
  – Asset Security
    • Protecting Security of Assets
  – Security Engineering
    • Engineering and Management of Security
  – Communications and Network Security
    • Designing and Protecting Network Security
  – Identity and Access Management
    • Controlling Access and Managing Identity
  – Security Assessment and Testing
    • Designing, Performing, and Analyzing Security Testing
  – Security Operations
    • Foundational Concepts, Investigations, Incident Management, Disaster Recovery
  – Software Development Security
    • Understanding, Applying, and Enforcing Software Security
CISSP in Italy
• There is a (ISC)² Italy section that organizes training sessions to prepare for the CISSP exam
Orange Book
• The first document on software certification is the so-called Orange Book
  – US Department of Defense (DoD)
  – http://www.dynamoo.com/orange
• This document provided the criteria to evaluate the security of operating systems, and provided a categorization in seven classes: D, C1, C2, B1, B2, B3, A1
(Giorgio Giacinto, 2014, Certification)
Orange Book
• D: Minimal Protection
  – The security of the operating systems in this category cannot be evaluated
    • MS-DOS, Windows 95/98/ME
• C: Discretionary Protection
  – The administrator can apply protection mechanisms to objects
  – The operating system provides some basic logging capabilities
    • C1: Discretionary Security Protection (early UNIX versions)
    • C2: Controlled Access Protection (IBM OS/400, Win NT/2000/XP, Novell Netware)
Orange Book
• B: Mandatory Protection
  – The operating system requires that protection levels are assigned to each object
    • B1: Labeled Security Protection (HP-UX, Cray Research Trusted Unicos 8.0, Digital SEVMS)
    • B2: Structured Protection (Honeywell Multics, Cryptek VSLAN, Trusted XENIX)
    • B3: Security Domains (Getronics/Wang Federal XTS-300)
• A: Verified Protection
  – The trustworthiness of the operating system is verified through formal methods
    • A1: Verified Protection (Boeing MSL LAN, Honeywell SCOMP)
Common Criteria
• The national security authorities of USA, Canada and Europe have worked to produce a common set of criteria for evaluating the security of computer systems
• Common Criteria
  – First version in 1996
  – Current version: 3.1 Release 5 (April 2017)
  – ISO/IEC 15408-1:2009, ISO/IEC 15408-2:2008, ISO/IEC 15408-3:2008
Common Criteria Members
• 17 Certificate Authorizing Members
  – Australia, Canada, South Korea, France, Germany, India, Italy (5 October 2009), Japan, Malaysia, Norway, New Zealand, Netherlands, United Kingdom, Spain, USA, Sweden, Turkey
• 10 Certificate Consuming Members
  – Austria, Czech Republic, Denmark, Finland, Greece, Hungary, Israel, Pakistan, Qatar, Singapore
Evaluation Assurance Level (EAL)
• Seven Evaluation Levels
  – EAL1, lower level
  – EAL7, upper level
  – EAL1: functionally tested
  – EAL2: structurally tested
  – EAL3: methodically tested and checked
  – EAL4: methodically designed, tested and reviewed
  – EAL5: semiformally designed and tested
  – EAL6: semiformally verified design and tested
  – EAL7: formally verified design and tested
Protection Profiles
• Document describing a category of products to identify the elements subject of evaluation for the CC certification
  – Access Control Devices and Systems (3 PP)
  – Biometric Systems and Devices (2 PP)
  – Boundary Protection Devices and Systems (11 PP)
  – Data Protection (7 PP)
  – Databases (1 PP)
  – ICs, Smart Cards and Smart Card-Related Devices and Systems (67 PP)
  – Key Management Systems (4 PP)
  – Mobility (2 PP)
  – Multi-Function Devices (1 PP)
  – Network and Network-Related Devices and Systems (10 PP)
  – Operating Systems (2 PP)
  – Other Devices and Systems (41 PP)
  – Products for Digital Signatures (19 PP)
  – Trusted Computing (5 PP)
Examples of certified products
• EAL7+
  – Fort Fox Hardware Data Diode, version FFHDD2+
• EAL7
  – Virtual Machine of Multos M3 G230M mask with AMD 113v4
  – Memory Management Unit of the SAMSUNG S3FT9KF/S3FT9KT/S3FT9KS microcontrollers, revision 1
• EAL6+
  – Green Hills Software INTEGRITY-178B Separation Kernel, comprising: INTEGRITY-178B Real Time Operating System (RTOS), version IN-ICR750-0101-GH01_Rel running on CompactPCI card, version CPN944-2021-021 with PowerPC, version 750CXe
  – Infineon Security Controller M7893 B11 with optional RSA2048/4096 v1.03.006, EC v1.03.006, SHA-2 v1.01 libraries and Toolbox v1.03.006 and with specific IC dedicated software (firmware)
Examples of certified products
• EAL4+
  – Red Hat Enterprise Linux Version 7.1
  – SUSE Linux Enterprise Server Version 12
  – JBoss Enterprise Application Platform 6 Version 6.2.2
  – Microsoft SQL Server 2014 Database Engine Enterprise Edition x64
  – FINX RTOS Security Enhanced (SE) v3.1
• Operating Systems compliant with the Protection Profile
  – Microsoft Windows 10 Anniversary Update Home Edition, Pro Edition and Enterprise Edition (32 and 64 bits), and Microsoft Windows Server 2016 Standard Edition and Datacenter Edition
  – IBM z/OS Version 2 Release 1
OCSI: Organismo Certificazione Sicurezza Informatica
• In Italy, OCSI is in charge of maintaining the National Scheme for the evaluation and certification of the security of systems and products in the ICT sector (DPCM of 30.10.2003 - G.U. n. 98, 27.04.2004)
• OCSI is within ISCOM (Istituto Superiore delle Comunicazioni e delle Tecnologie dell'Informazione) of the Ministry for the Economic Development (MISE)
• Currently six laboratories in Italy provide the services for system and product evaluation for the assignment of the EAL
Limits of Common Criteria
• Common Criteria drawbacks
  – Long time required to perform the evaluation
  – High costs
• It turns out that product evaluation through the CC scheme is appropriate for
  – equipment for military forces
  – critical infrastructure (nuclear and chemical plants, etc.)
• The connection of everything to the network requires novel certification schemes
  – fast enough to cope with the release of new versions
  – with a larger base of certification laboratories
Joshua Corman @ One Conference, Director | Cyber Statecraft Initiative | at Atlantic Council
Public-Private initiatives
• USA and UK established public-private working groups to define novel certification schemes
  – NIST is the US agency in charge of this action
  – In the UK the home-affairs ministry carried out the initiative
• In Europe
NIST Cyber Security Framework
• Version 1.0 - February 2014
• Framework for Improving Critical Infrastructure Cybersecurity
Italian Cyber Security Framework
http://www.cybersecurityframework.it
• February 2016
• CIS-Sapienza and CINI National Cybersecurity Lab
• Based on the NIST Cybersecurity Framework
• Main feature: focus on SME
UK Cyber Essentials
• UK Government, first proposed in June 2014
• Cyber Essentials: self certification
• Cyber Essentials Plus: certified by an external organization
• Essential Requirements
  – Boundary firewalls and internet gateways
  – Secure configuration
  – Access control
  – Malware protection
  – Patch management
Italian Cybersecurity Essentials
http://www.cybersecurityframework.it/csr2016
• February 2017
• 15 Essential Security Measures in 8 areas
  – Inventory of devices and software (4 Measures)
  – Governance (1 Measure)
  – Malware Protection (1 Measure)
  – Password and Account Management (3 Measures)
  – Training and Awareness (1 Measure)
  – Data Protection (2 Measures)
  – Network Protection (1 Measure)
  – Prevention and Mitigation (2 Measures)
OWASP Security Verification Standard
• OWASP Application Security Verification Standard 3.0.1
  – 3 Security Verification Levels
OWASP ASVS Levels
• Level 1 – Opportunistic
  – all software
• Level 2 – Standard
  – applications that contain sensitive data
• Level 3 – Advanced
  – most critical applications, i.e., applications that perform high value transactions, contain sensitive medical data, etc.
Level 1 - Opportunistic
• The application adequately defends against vulnerabilities that are easy to discover, and included in the OWASP Top 10.
• Appropriate for applications where low confidence in the correct use of security controls is required.
• Ensured either automatically by tools or simply manually without access to source code.
• Threats to the application will most likely be from attackers who are using simple and low effort techniques to identify easy-to-find and easy-to-exploit vulnerabilities.
Level 2 - Standard
• The application adequately defends against most of the known risks.
• Level 2 ensures that security controls are in place, effective, and used within the application.
• Appropriate for applications that handle significant business-to-business transactions, including those that process healthcare information, or process other sensitive assets.
• Threats will typically be skilled and motivated attackers focusing on specific targets using tools and techniques that are highly practiced and effective at discovering and exploiting weaknesses within applications.
Level 3 - Advanced
• Applications that require significant levels of security verification
  – military, health and safety, critical infrastructure, etc.
• To achieve Level 3, an application must undergo an in-depth analysis of architecture, coding, and testing
• A secure application is modularized in a meaningful way
  – each module takes care of its own security responsibilities
    • controls to ensure confidentiality (e.g. encryption)
    • controls to ensure integrity (e.g. transactions, input validation)
    • controls to ensure availability (e.g. handling load gracefully)
    • controls to ensure authentication (including between systems)
    • controls to ensure non-repudiation, authorization, and auditing (logging)
Verification requirements
V1. Architecture, design and threat modelling
V2. Authentication
V3. Session management
V4. Access control
V5. Malicious input handling
V7. Cryptography at rest
V8. Error handling and logging
V9. Data protection
V10. Communications
V11. HTTP security configuration
V13. Malicious controls
V15. Business logic
V16. File and resources
V17. Mobile
V18. Web services (NEW for 3.0)
V19. Configuration (NEW for 3.0)
Verification requirements and levels
• For each level, the requirements change
  – Example for V1. Architecture, Design and Threat Modelling
ISO 27000s standards: Information security management
• ISO/IEC 27000: family of standards for the management of information security
  – they are not strictly related to computer security
• 27001: standard concerning the secure management of information, regardless of the technology used
• 27002: security measures to mitigate the risk in information management, each measure being related to the specific technology used
• 27034: Application Security Controls
Financial Sector
• PCI (Payment Card Industry) Security Standard
  – PCI-DSS (Data Security Standard): standard for merchants that process card payments
  – PA-DSS: standard for software developers of applications that process card payments
• SWIFT (Society for Worldwide Interbank Financial Telecommunication)
  – Standardizes the messages exchanged by financial players to perform common business processes, such as making payments or confirming trades.
  – Maintains ISO 20022