Part II: Computer Security and the VVSG
October 15-17, 2007
Barbara Guttman, Nelson Hastings
National Institute of Standards and Technology
barbara.guttman@nist.gov
Oct 15-17, 2007 Next VVSG Training Page 2
Agenda
Security Requirements Overview
Review of Chapter 4: Security and Audit Architecture
Review of Chapter 5: General Security Requirements
Security Requirements Overview
The security requirements of the next VVSG work together to support equipment security
It is difficult to understand the security provided by a single requirement, or set of requirements, without understanding how the requirements relate to each other
Security Requirements Overview
For example, the Cryptography section addresses how cryptography is implemented by equipment
The Software Installation and Electronic Records sections address how cryptography, specifically digital signatures, is used by equipment to support security
Security Requirements Overview
Documentation requirements related to security
Part 2: Documentation Requirements, System Security Specification
Section 3.5 of the Technical Data Package (TDP)
Section 4.3 of the user documentation
Security Requirements Overview
Section 3.5 System Security Specification (TDP)
Provided to test lab to assist in the testing campaign
General documentation about security including:
Security Architecture
Security Threat Controls
Security Testing and vulnerability analysis
Detailed implementation specification for each security mechanism
Security Requirements Overview
Section 4.3: System Security Specification (User documentation)
Provided to users of the voting system, including test labs
How security mechanisms are to be used
Information needed to support a feature's use, such as a list of software to be installed
Chapter 4: Security and Audit Architecture
Section 4.2: Requirements to support auditing
Section 4.3: Electronic Records
Section 4.4: Independent Voter Verifiable Records (IVVR)
VVPAT
PCOS
Software Independence
TGDC Resolution 06-06 requires software independence (SI)
Software Independence means that changes must be detectable
Detectable, in practice, means auditable
SI = Auditable
Why Does the TGDC Want SI?
With software, it is pretty easy to make a screen say one thing, but record another thing inside the computer.
The hard part is making plausible, directed changes.
Auditing Records
Two types of records: Electronic & Independent
4.3 addresses electronic records
4.4 addresses independent records
Won’t a Test Lab Catch This?
No, software, especially the software that runs the user interface, is really complicated.
Famous Software that wasn’t doing what we thought it was doing
Some trojan horse (or 2)
NC voting example
Therac 25
phishing
Therac 25
"After this second Tyler accident, the ETCC physicist immediately took the machine out of service and called AECL to alert the company to this second apparent overexposure. The Tyler physicist then began his own careful investigation. He worked with the operator, who remembered exactly what she had done on this occasion. After a great deal of effort, they were eventually able to elicit the Malfunction 54 message. They determined that data-entry speed during editing was the key factor in producing the error condition: If the prescription data was edited at a fast pace (as is natural for someone who has repeated the procedure a large number of times), the overdose occurred."
http://courses.cs.vt.edu/~cs3604/lib/Therac_25/Therac_2.html
How Does the VVSG Address Auditability?
Requires equipment to have features that can be used for various types of audits
Requires documentation
NOTE: The VVSG itself does not require auditing; this is procedural and outside the scope.
4.2 Requirements for Supporting Audits
Types of Audits:
Pollbook Audit
Hand Audit of Independent Record
Ballot Count and Vote Total Audit
Observational Testing
Note: Parallel Testing is another type of audit, but it is not included because it does not levy requirements on the equipment
Audit Records
Two types of records:
Electronic records
Independent Voter Verifiable Records (IVVR)
4.3 addresses electronic records
4.4 addresses independent records
4.3 Electronic Records
General Requirements
Open Format
Printable
Digitally signed for Integrity & Authenticity
4.3 Electronic Records
Information/data requirements
Contain all relevant data
List for Tabulator (4.3.2)
List for EMS (4.3.3)
Generally:
Totals
Read ballots
Counted ballots
Rejected ballots
Overvotes/undervotes
Write-ins
4.4 Independent Voter Verifiable Records (IVVR)
What is an independent voter verifiable record? (4.4.1)
Direct verification by voter
Support for hand auditing
Various security and operational properties (can be rejected/durable)
Doesn’t this mean paper?
4.4 Independent Voter Verifiable Records (IVVR)
Direct review (by voter & election official)
Can support a hand audit
Can support a recount
Durable
Tamper evidence
Support for Privacy
4.4 Independent Voter Verifiable Records (IVVR)
Public Format
Sufficient Information (ballot configuration, not just selections)
No codebook required
Support for multiple physical media
Able to be accepted or rejected (per media)
Non-human readable allowed (public format)
4.4 Independent Voter Verifiable Records (IVVR)
Two current types of IVVR:
VVPAT
Optical Scan
4.4.2 VVPAT
VVPAT & Accessibility addressed by Sharon.
Note need for observational testing
Many operational requirements
Paper rolls allowed
4.4.3 PCOS
Few additional security requirements
Allow non-human readable marks (record identifiers, batch information, integrity checks)
Chapter 5: General Security Requirements
Section 5.1: Cryptography
Section 5.2: Setup Inspection
Section 5.3: Software Installation
Section 5.4: Access Control
Section 5.5: System Integrity Management
Section 5.6: Communication Security
Section 5.7: System Event Logging
Section 5.8: Physical Security for Voting Devices
5.1 Cryptography
Powerful basic security control
Integrity of information
Authentication of information
Requirements developed to provide easy use and maintenance
Use strength of existing federal standards
5.1 Cryptography
Implementation of cryptography
Public and Secret Key cryptography
Not cryptographic voting protocols (a.k.a. End-to-End voting systems)
Many sections of the next VVSG leverage the security features supported by cryptography
5.1 Cryptography
FIPS 140-2 validated cryptographic module
A cryptographic module is hardware, firmware, and/or software that implements cryptographic functions (such as encryption, decryption, and key generation).
Minimum strength of cryptography
5.1 Cryptography
Signature Module
A hardware cryptographic module
FIPS 140-2 Level 2 (out of 4), with physical security being Level 3
Generates digital signatures
Generates and stores private signature keys
Permanently attached to the equipment
5.1 Cryptography
Types of keys within a Signature Module (SM)
Device Signature Key (DSK)
Associated with a device for its lifetime
Signatures traceable to specific pieces of equipment
Election Signature Key (ESK)
Generated once per election cycle
Associated with a device's specific election cycle
Signatures traceable to electronic records for a given election
5.1 Cryptography
Device Signature Key (DSK)
Generated using a nondeterministic random number generator
Public Key certificate - self signed or CA
Unique identifier on an external surface of the equipment and in certificate
Signing of:
Election signature key certificate
Election key closeout records
Device signature key certificates
5.1 Cryptography
Election Signature Key (ESK)
Generated using a nondeterministic random number generator
Used to digitally sign electronic records for an election cycle
Destroyed as part of election close out
Counters to keep track of the number of ESKs generated and signatures generated by a given ESK
5.1 Cryptography
Election Signature Key (ESK) Certificates are signed by Device Signature Key (DSK)
[Diagram: the Device Signature (private) key signs the Election Signature (Public) Key, producing SignatureDSK]
5.1 Cryptography
Election key closeout record
Electronic record
Public key of Election Signature Key (ESK) (certificate or message digest/hash???)
Number of signatures generated by Election Signature Key (ESK)
Election Signature Key (ESK) number of the device
Signed by the Device Signature Key (DSK)
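The DSK/ESK lifecycle from the preceding slides (ESK certificate signed by the DSK, records signed by the ESK, per-device counters, a DSK-signed closeout record, ESK destroyed at closeout) as a runnable Go model, with the chain an auditor walks afterwards. This is an added example, not code from the VVSG, NIST or any manufacturer; the type, field and function names, the byte encodings and the use of Ed25519 are assumptions (the VVSG leaves the concrete algorithms and formats to the TDP).

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
)

// SignatureModule is an in-memory stand-in for the VVSG Signature Module (really a FIPS 140-2 hardware
// module): one lifetime Device Signature Key (DSK) and at most one live Election Signature Key (ESK).
// Names, byte encodings and the choice of Ed25519 are assumptions of this example, not VVSG text.
type SignatureModule struct {
	DeviceID           string             // unique identifier, also marked on the equipment
	dskPriv, eskPriv   ed25519.PrivateKey // eskPriv is nil when no election cycle is open
	DSKPub, eskPub     ed25519.PublicKey
	eskCount, sigCount uint32 // counters: ESKs generated so far; signatures made by the current ESK
}
type ESKCertificate struct { // binds an ESK public key to the device; signed by the DSK
	DeviceID       string
	ESKNumber      uint32
	ESKPub, DSKSig []byte
}
type Record struct{ Body, ESKSig []byte } // electronic record, signed by the live ESK
type CloseoutRecord struct {              // election key closeout record, signed by the DSK
	DeviceID              string
	ESKNumber, Signatures uint32 // which ESK of this device it closes, and how many signatures it made
	ESKPub, DSKSig        []byte
}

func newKey() (ed25519.PublicKey, ed25519.PrivateKey) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader) // nondeterministic RNG
	if err != nil {
		panic(err) // a hardware module would fail closed here
	}
	return pub, priv
}
func num(n uint32) []byte { return []byte(fmt.Sprint(n)) }

// tbs builds a domain-separated to-be-signed encoding (tag, device, fields), so a signed certificate
// can never be replayed as a record, nor a record as a closeout record.
func tbs(tag, dev string, fields ...[]byte) []byte {
	return bytes.Join(append([][]byte{[]byte(tag), []byte(dev)}, fields...), []byte{0})
}
func certTBS(c ESKCertificate) []byte { return tbs("ESK-CERT", c.DeviceID, num(c.ESKNumber), c.ESKPub) }
func closeoutTBS(c CloseoutRecord) []byte {
	return tbs("CLOSEOUT", c.DeviceID, num(c.ESKNumber), c.ESKPub, num(c.Signatures))
}

// NewSignatureModule generates the DSK, which stays with the device for its lifetime.
func NewSignatureModule(deviceID string) *SignatureModule {
	pub, priv := newKey()
	return &SignatureModule{DeviceID: deviceID, dskPriv: priv, DSKPub: pub}
}

// OpenElection generates a fresh ESK for a new election cycle and returns its DSK-signed certificate.
// It refuses while a previous ESK is still live.
func (sm *SignatureModule) OpenElection() (ESKCertificate, error) {
	if sm.eskPriv != nil {
		return ESKCertificate{}, fmt.Errorf("election already open: close it out first")
	}
	sm.eskPub, sm.eskPriv = newKey()
	sm.eskCount, sm.sigCount = sm.eskCount+1, 0
	cert := ESKCertificate{DeviceID: sm.DeviceID, ESKNumber: sm.eskCount, ESKPub: sm.eskPub}
	cert.DSKSig = ed25519.Sign(sm.dskPriv, certTBS(cert))
	return cert, nil
}

// SignRecord signs an electronic record with the live ESK and bumps its signature counter.
func (sm *SignatureModule) SignRecord(body []byte) (Record, error) {
	if sm.eskPriv == nil {
		return Record{}, fmt.Errorf("no election open: ESK destroyed or never generated")
	}
	sm.sigCount++
	return Record{Body: body, ESKSig: ed25519.Sign(sm.eskPriv, tbs("RECORD", sm.DeviceID, body))}, nil
}

// CloseElection emits the DSK-signed closeout record, then destroys the ESK.
func (sm *SignatureModule) CloseElection() (CloseoutRecord, error) {
	if sm.eskPriv == nil {
		return CloseoutRecord{}, fmt.Errorf("no election open")
	}
	c := CloseoutRecord{DeviceID: sm.DeviceID, ESKNumber: sm.eskCount, ESKPub: sm.eskPub, Signatures: sm.sigCount}
	c.DSKSig = ed25519.Sign(sm.dskPriv, closeoutTBS(c))
	sm.eskPriv, sm.eskPub = nil, nil // the ESK is destroyed as part of election closeout
	return c, nil
}

// Audit walks the chain an auditor checks (DSK -> ESK certificate -> records), then reconciles the
// closeout record's signature counter against the number of records actually collected.
func Audit(dskPub ed25519.PublicKey, cert ESKCertificate, recs []Record, c CloseoutRecord) error {
	if !ed25519.Verify(dskPub, certTBS(cert), cert.DSKSig) {
		return fmt.Errorf("ESK certificate is not signed by this device's DSK")
	}
	for i, r := range recs {
		if !ed25519.Verify(cert.ESKPub, tbs("RECORD", cert.DeviceID, r.Body), r.ESKSig) {
			return fmt.Errorf("record %d: signature invalid for this election's ESK", i)
		}
	}
	if !ed25519.Verify(dskPub, closeoutTBS(c), c.DSKSig) || c.ESKNumber != cert.ESKNumber ||
		!bytes.Equal(c.ESKPub, cert.ESKPub) {
		return fmt.Errorf("closeout record not authentic or not for this certificate's ESK")
	}
	if int(c.Signatures) != len(recs) {
		return fmt.Errorf("ESK made %d signatures but %d records were collected", c.Signatures, len(recs))
	}
	return nil
}
```

The counter reconciliation is what makes a missing or extra record visible: a record set that verifies individually still fails the audit when its count disagrees with the DSK-signed closeout record.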
5.1 Cryptography
Technical Data Package (TDP) requirements
Certificate fields for Device Signature Key (DSK) and Election Signature Key (ESK)
Specific cryptographic algorithms used
Election Closeout Record format specification
5.2 Setup Inspection
Requirements related to the capabilities to inspect properties of voting devices
Improves voting device management and maintenance
Reflects new focus of requirements in light of software independence (SI) approach
Called Setup Validation in VVSG 2005
5.2 Setup Inspection
Inspections generate system event log entries
Time and date
Information related to the specific inspection
Location of software files
Component calibration
Result of inspection
Voting device unique identification
Individual (or role) that performed inspection
5.2 Setup Inspection
Software identification verification
Ability to query/inspect the voting device to determine what software is installed
Software integrity verification
Using digital signatures and hash
Designated repositories such as National Software Reference Library (NSRL)
Voting Device Owner - Jurisdiction
SI approach allows for internal verification
NO external interface requirement like in VVSG 2005
5.2 Setup Inspection
Voting device election information inspection
Ability to query/inspect the storage locations containing information that changes during an election
Number of ballots cast
Totals for a given contest
Generalized register and variable terminology from VVSG 2005
Support zero total inspections prior to use in election
5.2 Setup Inspection
Inspection of properties of voting device components
Backup power supply level
Cabling connectivity indicator
Communications operational status and on/off indicators
Consumables remaining indicator
Calibration determination and adjustments
5.2 Setup Inspection
User documentation requirements
Model setup inspection process supported by voting device
Minimally includes items mentioned previously
Manufacturer provided
Model inspection check list of other properties supported by the voting device
Manufacturer provided
Risks related to not performing a given inspection
5.3 Software Installation
Requirements related to the installation of software on voting devices
Also covers access and modification of configuration files
Uses digital signatures to provide the ability to verify the authenticity and integrity of the software
National Software Reference Library (NSRL)
Designated repositories
5.3 Software Installation
Software installation only when in pre-voting state
Only individuals with an administrator or central election official role can install software
Central Election Officials limited to election specific software or data files
5.3 Software Installation
Digital signature verification of software before installation
Externally visible alert when software installation fails
Software can only be installed using documented procedures
5.3 Software Installation
Software installation generates system event log entries
Time and date
Software name and version
Location of installation - directory path
Digital signature verification - result and signature source
Result of software installation
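The installation rules from the 5.3 slides above (pre-voting state only, administrator or central election official with the latter limited to election-specific software, signature verification before install, an externally visible alert on failure, and an event-log entry with the listed fields), together with the 5.2 software integrity check against reference digests, as one added Go example. It is not VVSG, NIST or manufacturer code; the `Device`, `Package` and `LogEntry` types, the state and role strings, the signed-digest format, the trusted-signer table and the constructed demo key are assumptions of this example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"sort"
	"time"
)

// States and roles named in the slides; the string values are assumptions of this example.
type State string
const PreVoting, Activated, PostVoting State = "pre-voting", "activated", "post-voting"
type Role string
const Administrator, CentralElectionOfficial, PollWorker Role = "Administrator", "Central Election Official", "Poll Worker"

// Package is software offered for installation with a detached signature from its source
// (e.g. the NSRL or a designated repository) over the name, version and content digest.
type Package struct {
	Name, Version, Source string
	ElectionSpecific      bool // ballot definitions and the like: all a Central Election Official may install
	Content, Signature    []byte
}
// LogEntry holds the event-log fields the slides list for a software installation.
type LogEntry struct {
	Time                                                  time.Time
	Software, Version, Path, SigResult, SigSource, Result string
}
// Device is the installation-relevant state of one voting device (maps must be initialised).
type Device struct {
	State          State
	TrustedSigners map[string][]byte // signature source -> Ed25519 verification key
	Installed      map[string]string // path -> hex SHA-256 of installed content (what setup inspection queries)
	EventLog       []LogEntry
	Alerts         []string // externally visible alerts
}

// DemoKeys returns a constructed, fixed Ed25519 key pair standing in for a repository's signing key.
func DemoKeys() ([]byte, ed25519.PrivateKey) {
	priv := ed25519.NewKeyFromSeed([]byte("constructed-seed-for-this-example!")[:ed25519.SeedSize])
	return priv.Public().(ed25519.PublicKey), priv
}
func packageTBS(name, version string, content []byte) []byte {
	sum := sha256.Sum256(content)
	return append([]byte(name+"\x00"+version+"\x00"), sum[:]...)
}
// SignPackage is the repository side, included so the example is self-contained.
func SignPackage(priv ed25519.PrivateKey, source, name, version string, electionSpecific bool, content []byte) Package {
	return Package{Name: name, Version: version, Source: source, ElectionSpecific: electionSpecific,
		Content: content, Signature: ed25519.Sign(priv, packageTBS(name, version, content))}
}

// Install applies the 5.3 rules in order. Every attempt writes a log entry; a refused attempt also
// raises an externally visible alert and leaves the installed set unchanged.
func (d *Device) Install(now time.Time, who Role, p Package, path string) error {
	e := LogEntry{Time: now, Software: p.Name, Version: p.Version, Path: path, SigSource: p.Source, SigResult: "not checked"}
	fail := func(reason string) error {
		e.Result = "failed: " + reason
		d.EventLog = append(d.EventLog, e)
		d.Alerts = append(d.Alerts, fmt.Sprintf("INSTALL FAILED %s %s: %s", p.Name, p.Version, reason))
		return fmt.Errorf("install %s %s: %s", p.Name, p.Version, reason)
	}
	if d.State != PreVoting {
		return fail("device is not in the pre-voting state")
	}
	switch { // administrators may install anything; CEOs only election-specific software or data files
	case who == Administrator:
	case who == CentralElectionOfficial && p.ElectionSpecific:
	default:
		return fail(fmt.Sprintf("role %q may not install this software", who))
	}
	if pub, ok := d.TrustedSigners[p.Source]; !ok || !ed25519.Verify(pub, packageTBS(p.Name, p.Version, p.Content), p.Signature) {
		e.SigResult = "invalid"
		return fail("digital signature verification failed (source " + p.Source + ")")
	}
	e.SigResult, e.Result = "valid", "success"
	sum := sha256.Sum256(p.Content)
	d.Installed[path] = hex.EncodeToString(sum[:])
	d.EventLog = append(d.EventLog, e)
	return nil
}

// InspectSoftware is the 5.2 software integrity verification: compare what is installed with
// reference digests (from the NSRL or a designated repository) and report every discrepancy,
// including software present on the device that the reference list does not know about.
func (d *Device) InspectSoftware(reference map[string]string) []string {
	var findings []string
	for path, want := range reference {
		if got, ok := d.Installed[path]; !ok {
			findings = append(findings, "missing: "+path)
		} else if got != want {
			findings = append(findings, "digest mismatch: "+path)
		}
	}
	for path := range d.Installed {
		if _, ok := reference[path]; !ok {
			findings = append(findings, "unexpected software: "+path)
		}
	}
	sort.Strings(findings)
	return findings
}
```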
5.3 Software Installation
Technical Data Package (TDP) requirements
List of all software to be installed on voting system
Name and version
Manufacturer contact information
Type of software
Software documentation
Location software is to be installed
Functionality provided by the software
Dependencies and interactions between the software
5.3 Software Installation
User documentation
List of all software to be installed on voting system, particularly election specific software
Hardware and software needed to install software
5.3 Software Installation
Procedures used to perform software installation
No use of compilers
COTS software to be obtained via open market
How to create a baseline binary image for replication
Preparation of erasable media
Software from unalterable media - CDs
Record resulting from the installation procedure
5.4 Access Control
The management of three basic elements:
Identification
Authentication
Authorization
Supports the ability of the voting system to:
Account for users' actions
Limit use of resources
Applies to individuals, applications, and processes of the voting system
5.4 Access Control
Management of identification information
Creating and disabling identities or roles
Failed attempts lock out
Number of failures within a time period
Length of lockout time
5.4 Access Control
Role identification
Required for voting devices and election management systems
Roles specified: Voter, Election Judge, Poll Worker, Central Election Official, and Administrator
Individual identification
Required by election management systems
5.4 Access Control
Management of authentication information
Setting and changing authentication information
Protection of authentication data by system
Password management - strength, reuse, and expiration.
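The lockout and password-management requirements from the two slides above, written out as an added example. This is not code from the training deck or from any voting system vendor; every numeric limit (five failures in fifteen minutes, a thirty-minute lockout, eight-character minimum, a history of five, ninety-day expiration) is a constructed assumption, since the VVSG leaves the values to the system owner's policy.

```python
"""Added example, not code from the VVSG training deck or any voting system vendor:
failed-attempt lockout and password management checks of the kind the access
control slides describe. All limits below are constructed assumptions; the VVSG
leaves the actual values to the system owner's policy."""
import hashlib
import hmac
import os
from dataclasses import dataclass, field

MAX_FAILURES = 5                 # failures tolerated inside the window (constructed)
FAILURE_WINDOW_S = 15 * 60       # the "time period" for counting failures (constructed)
LOCKOUT_S = 30 * 60              # length of lockout (constructed)
MIN_PASSWORD_LEN = 8             # strength rule (constructed)
PASSWORD_HISTORY = 5             # reuse rule: remember this many old passwords (constructed)
PASSWORD_MAX_AGE_S = 90 * 86400  # expiration rule (constructed)


@dataclass
class Account:
    identity: str
    role: str
    salt: bytes
    password_hash: bytes
    password_set_at: float
    failures: list = field(default_factory=list)   # timestamps of recent failed attempts
    locked_until: float = 0.0
    history: list = field(default_factory=list)    # (salt, hash) of previous passwords


def hash_password(password: str, salt: bytes) -> bytes:
    # Authentication data is never stored in clear; PBKDF2 slows offline guessing.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def create_account(identity: str, role: str, password: str, now: float) -> Account:
    salt = os.urandom(16)
    return Account(identity, role, salt, hash_password(password, salt), now)


def authenticate(acct: Account, password: str, now: float) -> str:
    """Return 'ok', 'locked', 'expired' or 'bad-password'."""
    if now < acct.locked_until:
        return "locked"
    # Only failures inside the configured window count toward lockout.
    acct.failures = [t for t in acct.failures if now - t < FAILURE_WINDOW_S]
    if not hmac.compare_digest(hash_password(password, acct.salt), acct.password_hash):
        acct.failures.append(now)
        if len(acct.failures) >= MAX_FAILURES:
            acct.locked_until = now + LOCKOUT_S
            acct.failures = []
            return "locked"
        return "bad-password"
    acct.failures = []
    if now - acct.password_set_at > PASSWORD_MAX_AGE_S:
        return "expired"   # correct password, but it must be changed before use
    return "ok"


def check_password_strength(password: str) -> list:
    problems = []
    if len(password) < MIN_PASSWORD_LEN:
        problems.append("too short")
    classes = (any(c.islower() for c in password), any(c.isupper() for c in password),
               any(c.isdigit() for c in password), any(not c.isalnum() for c in password))
    if sum(classes) < 3:
        problems.append("needs three character classes")
    return problems


def change_password(acct: Account, new_password: str, now: float) -> list:
    """Apply strength and reuse rules; return the list of violations (empty on success)."""
    problems = check_password_strength(new_password)
    # Reuse check covers the current password and the remembered history.
    for salt, digest in [(acct.salt, acct.password_hash)] + acct.history:
        if hmac.compare_digest(hash_password(new_password, salt), digest):
            problems.append("reused")
            break
    if problems:
        return problems
    acct.history = ([(acct.salt, acct.password_hash)] + acct.history)[:PASSWORD_HISTORY]
    acct.salt = os.urandom(16)
    acct.password_hash = hash_password(new_password, acct.salt)
    acct.password_set_at = now
    return []
```

The window of counted failures is trimmed on every attempt, so an attacker cannot be locked out by stale failures from hours earlier, and the lockout is checked before the password is hashed so that a locked account does not reveal whether the guess was right.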
5.4 Access Control
- Authentication requirements by role
  - Voter: see Section 7.5.1, Issuance of voting credentials and ballot activation
  - Poll Worker: N/A
  - Election Judge and Central Election Official: something you know
  - Administrator: multi-factor authentication (smartcard, biometric)
  - Application or Process: digital certificate or signature ????
5.4 Access Control
- Authorization management
  - By voting system state, time interval, or specific time
  - Dual person control
  - Separation of duties
  - Type of functionality and data accessed
  - Explicitly allowed or disallowed
  - Least privilege, privilege escalation, prevent modification or tampering of software/firmware ???
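An added example (not code from the deck or any vendor) of how the elements on this slide combine in one authorization check: permissions depend on the voting system state, only explicitly listed operations are allowed (least privilege by default deny), an explicit disallow list wins over any grant, and sensitive operations need two distinct persons. The operation and state names are constructed; the roles are the five the deck names.

```python
"""Added example, not code from the deck or any vendor: an authorization check that
combines the elements listed on the slide (system state, explicit allow and disallow,
dual person control, least privilege). Operation names and state names are constructed;
the roles are the five the deck names."""
from dataclasses import dataclass

# Voting system states (constructed names); the slide ties authorization to state.
PRE_ELECTION, POLLS_OPEN, POLLS_CLOSED = "pre-election", "polls-open", "polls-closed"

# Explicit allow list: operation -> (roles allowed, states allowed, distinct persons required).
# Anything not listed is denied, which is how least privilege is enforced by default.
# Separation of duties comes from assigning each duty to a different role.
POLICY = {
    "cast-ballot":      ({"Voter"}, {POLLS_OPEN}, 1),
    "open-polls":       ({"Election Judge"}, {PRE_ELECTION}, 1),
    "close-polls":      ({"Election Judge"}, {POLLS_OPEN}, 1),
    "define-ballot":    ({"Central Election Official"}, {PRE_ELECTION}, 1),
    "report-totals":    ({"Election Judge", "Central Election Official"}, {POLLS_CLOSED}, 1),
    # Dual person control: changing software or clearing logs needs two Administrators.
    "install-software": ({"Administrator"}, {PRE_ELECTION}, 2),
    "clear-event-log":  ({"Administrator"}, {PRE_ELECTION}, 2),
}

# Explicit disallow list: (role, operation) pairs refused regardless of any grant,
# checked first so a later policy change cannot accidentally open them.
DENY = {("Administrator", "cast-ballot")}


@dataclass(frozen=True)
class Principal:
    identity: str
    role: str


def authorize(operation: str, principals, state: str):
    """Return (allowed, reason). `principals` are the identified users making the request."""
    if operation not in POLICY:
        return False, "operation not in policy (default deny)"
    roles, states, persons = POLICY[operation]
    if state not in states:
        return False, f"not permitted in state {state}"
    for p in principals:
        if (p.role, operation) in DENY:
            return False, f"{p.role} explicitly disallowed for {operation}"
        if p.role not in roles:
            return False, f"{p.role} lacks permission for {operation}"
    if len({p.identity for p in principals}) < persons:
        return False, f"{operation} requires {persons} distinct authorized persons"
    return True, "allowed"
```

The distinct-person count is taken over identities, not roles, so the same Administrator presenting twice does not satisfy dual person control; that is why the deck requires individual identification on election management systems.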
5.4 Access Control
- Technical Data Package (TDP) requirements
  - Descriptions and specifications of all access control mechanisms used
  - Descriptions and specifications of all voting system mechanisms that rely on access control
  - Mapping of all voting system operations and default roles with permissions to perform those operations
5.4 Access Control
- User documentation requirements
  - Instructions for implementing, configuring, and managing access control
  - Model access control policy
  - Templates or instructions for custom access control policy creation
  - Disclosure of all default privileged roles
5.5 System Integrity Management
- Security controls that do not fit into other sections of the VVSG
  - Boot, load, and execute process protection
  - Removable media interface protection
  - Backup and recovery capabilities
  - Malicious software protection
5.5 System Integrity Management
- Boot process protection
  - Process used when a system is powered on
  - Integrity verification of software initialization components
  - Hardware cryptographic module: digital signatures/hashes
5.5 System Integrity Management
- Load and execute process protection
  - Process used to load software into memory for execution
  - Integrity verification of any software before loading into memory for execution
  - Hardware cryptographic module: digital signatures/hashes
5.5 System Integrity Management
- Removable media interface protection
  - Other than physical security mechanisms
  - Ability to disable removable media interfaces when not required
  - CDs, flash memory, PCMCIA, etc.
  - Example: a CD interface may only need to be enabled during software installation
5.5 System Integrity Management
- Backup and recovery mechanisms
  - Limited to election management systems
  - Permitted only when not capturing votes
  - Integrity verification information (digital signatures, hashes, MACs) created together with the backup information
  - Backup information authenticated and integrity-verified before it is used for recovery
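The integrity verification the boot/load slides and the backup slide both call for follows one pattern: a list of components with their hashes, the list itself authenticated, and nothing loaded or restored until both checks pass. The following is an added example of that pattern, not code from the deck or any vendor. An HMAC-SHA256 under a constructed key stands in for the digital signature a hardware cryptographic module would produce; the file names and contents are constructed.

```python
"""Added example, not code from the deck or any vendor: hash-manifest integrity
verification of the kind the boot/load and backup slides call for. Each component
is listed with its SHA-256 digest, and an HMAC-SHA256 over the manifest under a
constructed key stands in for the digital signature a hardware cryptographic
module would produce. File names and contents are constructed."""
import hashlib
import hmac
import json


def build_manifest(files: dict, key: bytes) -> bytes:
    """Produce a manifest for a set of components (or a backup set):
    per-file SHA-256 digests plus a MAC over the digest list."""
    digests = {name: hashlib.sha256(data).hexdigest() for name, data in files.items()}
    body = json.dumps(digests, sort_keys=True).encode()   # canonical form for the MAC
    tag = hmac.new(key, body, hashlib.sha256).hexdigest()
    return json.dumps({"files": digests, "mac": tag}).encode()


def verify_before_load(files: dict, manifest: bytes, key: bytes):
    """Authenticate the manifest first, then check every component against it.
    Returns (ok, problems); the caller loads or restores only when ok is True."""
    try:
        doc = json.loads(manifest)
        digests, tag = doc["files"], doc["mac"]
    except (ValueError, KeyError, TypeError):
        return False, ["manifest unparsable"]
    body = json.dumps(digests, sort_keys=True).encode()
    expected = hmac.new(key, body, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, tag):
        # An unauthenticated manifest proves nothing; stop before trusting any digest.
        return False, ["manifest authentication failed"]
    problems = []
    for name, digest in sorted(digests.items()):
        if name not in files:
            problems.append(f"missing: {name}")
        elif not hmac.compare_digest(hashlib.sha256(files[name]).hexdigest(), digest):
            problems.append(f"modified: {name}")
    for name in sorted(files):
        if name not in digests:
            problems.append(f"unlisted: {name}")   # not on the list of software required to execute
    return not problems, problems
```

The order matters: the MAC over the manifest is checked before any per-file digest is consulted, because a manifest that has been rewritten to match modified files would otherwise pass. Unlisted files are reported as well, which is the check that ties the load process to the TDP's list of all software required to execute.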
5.5 System Integrity Management
- Malicious software protection
  - Limited to election management systems
  - Use of malware detection software
  - Ability to update as new threats appear over time
  - Executed at least once every 24 hours and before loading and execution of software
  - Executed against removable media
5.5 System Integrity Management
- Technical Data Package (TDP) requirements
  - List of all software required to be executed
5.6 Communication Security
- Protection of voting system communications
  - Transmission of information
  - Communications-based threats
- No use of wireless technology, except for infrared technology
5.6 Communication Security
- No remote communication to voting devices during election day
  - Exceptions for devices used to transmit end-of-day results and for communication with voter registration databases
  - However, these devices cannot be connected to other polling place devices
5.6 Communication Security
[Diagram of polling place and remote locations: Registration Database, Electronic Poll Book, Central Count, Voting Devices, Accumulator]
5.6 Communication Security
- Network interface protection
  - Ability to disable physical network interfaces when not required
  - Prohibit flow of network traffic from one interface to another on multiple-interface devices
  - Unique physical identifier (address) for each interface
5.6 Communication Security
- Limit communications to only those devices that are required to communicate with each other
- Integrity information for data
  - Generate integrity information for data sent
  - Verify integrity information for data received
  - Digital signatures, hashes, MACs
5.6 Communication Security
- Mutual authentication between devices before exchange of information
  - Part of connection establishment
  - Unique identifier for devices
  - Limit the amount of information needed for authentication
- Limit devices to only required network ports, active shares, and services
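The exchange the last two slides describe, as an added example that is not part of the deck or any vendor's code: each device holds a list of the peers it is required to talk to, the two sides authenticate each other with a three-message challenge-response during connection establishment, and only then do they exchange data, each message carrying integrity information the receiver verifies. HMAC-SHA256 over a constructed pre-shared key per device pair stands in for certificates or signatures; device identifiers and the payload are constructed.

```python
"""Added example, not code from the deck or any vendor: mutual authentication
between two voting-system devices before data is exchanged, followed by
integrity-protected messages. HMAC-SHA256 over a constructed pre-shared key per
device pair stands in for the certificate-based mechanism a real system would use;
device identifiers and the payload are constructed."""
import hashlib
import hmac
import secrets


def _mac(key: bytes, *parts) -> bytes:
    data = b""
    for x in parts:
        p = x.encode() if isinstance(x, str) else x
        data += len(p).to_bytes(2, "big") + p   # length prefix: unambiguous concatenation
    return hmac.new(key, data, hashlib.sha256).digest()


class Device:
    def __init__(self, device_id: str, peers: dict):
        self.id = device_id
        self.peers = peers        # only the devices required to communicate with this one
        self.pending = {}         # peer id -> nonce(s) while a handshake is in progress
        self.sessions = {}        # peer id -> [session key, next send seq, next recv seq]

    def _require_peer(self, peer: str) -> bytes:
        if peer not in self.peers:
            raise PermissionError(f"{self.id}: {peer} is not a permitted peer")
        return self.peers[peer]

    # Handshake: three messages; each side proves knowledge of the pair key,
    # bound to both identifiers and both fresh nonces.
    def hello(self, peer: str) -> dict:
        self._require_peer(peer)
        nonce = secrets.token_bytes(16)
        self.pending[peer] = nonce
        return {"from": self.id, "nonce": nonce}

    def on_hello(self, msg: dict) -> dict:
        peer = msg["from"]
        key = self._require_peer(peer)
        nonce = secrets.token_bytes(16)
        self.pending[peer] = (msg["nonce"], nonce)
        proof = _mac(key, "responder", self.id, peer, msg["nonce"], nonce)
        return {"from": self.id, "nonce": nonce, "proof": proof}

    def on_challenge(self, msg: dict) -> dict:
        peer = msg["from"]
        key = self._require_peer(peer)
        my_nonce = self.pending.pop(peer)
        expected = _mac(key, "responder", peer, self.id, my_nonce, msg["nonce"])
        if not hmac.compare_digest(expected, msg["proof"]):
            raise PermissionError(f"{self.id}: {peer} failed authentication")
        self.sessions[peer] = [_mac(key, "session", my_nonce, msg["nonce"]), 0, 0]
        return {"from": self.id, "proof": _mac(key, "initiator", self.id, peer, my_nonce, msg["nonce"])}

    def on_confirm(self, msg: dict) -> bool:
        peer = msg["from"]
        key = self._require_peer(peer)
        their_nonce, my_nonce = self.pending.pop(peer)
        expected = _mac(key, "initiator", peer, self.id, their_nonce, my_nonce)
        if not hmac.compare_digest(expected, msg["proof"]):
            raise PermissionError(f"{self.id}: {peer} failed authentication")
        self.sessions[peer] = [_mac(key, "session", their_nonce, my_nonce), 0, 0]
        return True

    # Data exchange: every message carries a MAC under the session key and a
    # sequence number, so modification and replay are both detected.
    def send(self, peer: str, payload: bytes) -> dict:
        if peer not in self.sessions:
            raise PermissionError(f"{self.id}: no authenticated session with {peer}")
        sess = self.sessions[peer]
        seq, sess[1] = sess[1], sess[1] + 1
        return {"from": self.id, "seq": seq, "payload": payload,
                "tag": _mac(sess[0], "data", seq.to_bytes(4, "big"), payload)}

    def receive(self, msg: dict) -> bytes:
        peer = msg["from"]
        if peer not in self.sessions:
            raise PermissionError(f"{self.id}: no authenticated session with {peer}")
        sess = self.sessions[peer]
        expected = _mac(sess[0], "data", msg["seq"].to_bytes(4, "big"), msg["payload"])
        if msg["seq"] != sess[2] or not hmac.compare_digest(expected, msg["tag"]):
            raise ValueError(f"{self.id}: integrity check failed or message replayed")
        sess[2] += 1
        return msg["payload"]


def mutual_authenticate(initiator: Device, responder: Device) -> bool:
    m1 = initiator.hello(responder.id)        # initiator -> responder: id, nonce
    m2 = responder.on_hello(m1)               # responder -> initiator: id, nonce, proof
    m3 = initiator.on_challenge(m2)           # initiator -> responder: proof
    return responder.on_confirm(m3)
```

A device that is not on the peer list is refused at the first message, before any proof is computed, which is the "limit communications to only required devices" rule; a device with the right identifier but the wrong key fails the proof check; and the handshake carries only identifiers and nonces, keeping the information exposed during authentication to a minimum.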
5.6 Communication Security
- Monitor network interfaces for evidence of attack
  - When attacks are detected, devices need to respond to stop the attack
  - Example response: shutting down the network interface
5.6 Communication Security
- Documentation requirements
  - List of all network communication processes and applications required for proper operation
  - List of all network ports, shares, services, and protocols used
5.7 System Event Logging
- Provides accountability and supports the ability to reconstruct events and detect intrusions
- Electronic audit trail
  - Information to be generated
  - Integrity protection of the information
  - Management of the system event log
5.7 System Event Logging
- Log information must maintain voter privacy and ballot secrecy
- Basic log entry information
  - System identifier
  - Event identifier
  - Time stamp
  - Result of event
  - When applicable, the user that triggered the event and the requested resource
5.7 System Event Logging
- Time stamp requirements
  - Clock drift: 1 minute within 15 hours
  - Format of time stamp (give example): ISO 8601 date and time with hours, minutes, and seconds
  - Administrator role required to adjust the clock
5.7 System Event Logging
- Minimum list of events to be logged
  - General system function events
    - Changes to configuration
    - Device startup and shutdown
    - Addition and deletion of files
    - System readiness results
  - Authentication and access control events
    - Logon attempts
    - Logout events
    - Attempts to access system resources
5.7 System Event Logging
- Software events
  - Installation, upgrades, and patches
  - Changes to configuration settings
  - Connection attempts to databases
- Cryptographic events
  - Changes to cryptographic keys
- Voting events
  - Opening and closing of polls
  - Cast ballot
  - Ballot definition and modification
5.7 System Event Logging
- Management of the system event log
  - Default setting of the system event log
  - Storage of log information in a publicly documented format such as XML
  - Event logs separable on an election and device basis
  - Retention of event log data from previous elections
5.7 System Event Logging
- Export of log information with digital signature
- Rotation of log information internally, from primary file to new file
- Log capacity management
  - Alert as the log reaches configurable intervals
  - Suspension of vote capturing when log capacity is reached
5.7 System Event Logging
- Ability to view, analyze, and search the system event log while on the device
- Halt vote capturing when the system log malfunctions or is disabled
- Administrator role required to configure the system event log and to clear previous election event logs prior to a new election cycle
5.7 System Event Logging
- Protection of log information
  - Unauthorized access: read only for administrator roles; write or append only for processes
  - Unauthorized modification: use of cryptography, append-only media, operating system
  - Unauthorized deletion: integrity and availability protection of archived log information
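The logging slides above (entry fields, ISO 8601 time stamps, capacity alerts and the vote-capture halt, signed export, and cryptographic protection against modification) fit together in one append-only log, shown here as an added example that is not code from the deck or any vendor. Each entry is chained to its predecessor by a hash, so modifying or deleting an entry breaks the chain; an HMAC-SHA256 under a constructed key stands in for the digital signature on export. System and event identifiers and the capacity numbers are constructed.

```python
"""Added example, not code from the deck or any vendor: an append-only,
hash-chained system event log carrying the entry fields the logging slides list,
with capacity alerts, the vote-capture halt, and a signed export. HMAC-SHA256 over
a constructed key stands in for the digital signature; identifiers are constructed."""
import hashlib
import hmac
import json
from datetime import datetime, timezone

GENESIS = "0" * 64   # previous-hash value for the first entry


class EventLog:
    def __init__(self, system_id: str, capacity: int, alert_at_percent=(80, 95),
                 signing_key: bytes = b"constructed-signing-key"):
        self.system_id = system_id
        self.capacity = capacity                  # maximum number of entries
        self.alert_at_percent = alert_at_percent  # configurable alert thresholds
        self.key = signing_key
        self.entries = []
        self.alerts_raised = []
        self.vote_capture_enabled = True

    @staticmethod
    def timestamp(now: datetime) -> str:
        # ISO 8601 with hours, minutes and seconds, normalized to UTC
        return now.astimezone(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")

    @staticmethod
    def _digest(entry: dict) -> str:
        body = {k: v for k, v in entry.items() if k != "hash"}
        return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

    def append(self, event_id: str, result: str, now: datetime,
               user: str = None, resource: str = None) -> dict:
        """Append one entry. Raises once capacity is reached, at which point vote
        capture is suspended. Cast-ballot events are logged with user=None so the
        log never links a voter to a ballot (voter privacy and ballot secrecy)."""
        if len(self.entries) >= self.capacity:
            self.vote_capture_enabled = False
            raise RuntimeError("event log full; vote capture suspended")
        entry = {
            "system_id": self.system_id,
            "event_id": event_id,
            "timestamp": self.timestamp(now),
            "result": result,
            "user": user,
            "resource": resource,
            "prev": self.entries[-1]["hash"] if self.entries else GENESIS,
        }
        entry["hash"] = self._digest(entry)   # chains this entry to its predecessor
        self.entries.append(entry)
        used = len(self.entries)
        for pct in self.alert_at_percent:
            if used * 100 >= pct * self.capacity and pct not in self.alerts_raised:
                self.alerts_raised.append(pct)
        if used >= self.capacity:
            self.vote_capture_enabled = False
        return entry

    def mark_malfunction(self) -> None:
        # Vote capture halts whenever logging stops working or is disabled.
        self.vote_capture_enabled = False

    def verify_chain(self) -> bool:
        prev = GENESIS
        for e in self.entries:
            if e["prev"] != prev or self._digest(e) != e["hash"]:
                return False
            prev = e["hash"]
        return True

    def export(self) -> bytes:
        body = json.dumps(self.entries, sort_keys=True).encode()
        sig = hmac.new(self.key, body, hashlib.sha256).hexdigest()
        return json.dumps({"entries": self.entries, "signature": sig}).encode()

    def verify_export(self, blob: bytes) -> bool:
        doc = json.loads(blob)
        body = json.dumps(doc["entries"], sort_keys=True).encode()
        expected = hmac.new(self.key, body, hashlib.sha256).hexdigest()
        return hmac.compare_digest(expected, doc["signature"])
```

The chain detects modification and deletion of entries already written, but it is only as trustworthy as the medium holding the head hash and the key used at export; that is why the slide pairs cryptography with append-only media and operating system controls rather than relying on one of them.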
5.8 Physical Security for Voting Devices
- Prevent undetected, unauthorized physical access
  - Must be able to differentiate authorized from unauthorized access
  - Unauthorized access must leave physical evidence
- Requirements recognize use of a combination of procedures and physical countermeasures without prescribing either
5.8 Physical Security for Voting Devices
- Unauthorized physical access must leave physical evidence
- Physical port access and least functionality: essential to operations, testing, and auditing
- Boundary protection: broken connection → port automatically disabled, alarm, event log entry, authorization required to re-enable
5.8 Physical Security for Voting Devices
- Information flow: restricted access to ports with removable media
- Tamper evidence: manually disable
- Door covers and panels: monitor access
- Ballot boxes: tamper evident
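The boundary-protection sequence on the previous slide (broken connection, automatic disable, alarm, event log entry, authorization to re-enable) and the least-functionality rule for ports are a small state machine. The following is an added example of that state machine, not code from the deck or any vendor; the port name, the log wording and the list used as a stand-in for the system event log are constructed, and the roles are those the deck names.

```python
"""Added example, not code from the deck or any vendor: a state machine for the
boundary protection of a physical port as the physical security slides describe it.
The port name, log wording and the list standing in for the system event log are
constructed; the roles are the ones the deck names."""
from enum import Enum


class PortState(Enum):
    DISABLED = "disabled"   # default: least functionality, ports stay off unless needed
    ENABLED = "enabled"
    ALARM = "alarm"         # connection broken while enabled; needs re-authorization


class PhysicalPort:
    def __init__(self, name: str, event_log: list):
        self.name = name
        self.event_log = event_log   # shared list standing in for the system event log
        self.state = PortState.DISABLED
        self.connected = False
        self.alarm_active = False

    def _log(self, event: str, result: str, user: str = None) -> None:
        self.event_log.append({"event_id": event, "resource": self.name,
                               "result": result, "user": user})

    def enable(self, user: str, role: str) -> bool:
        """Enabling, or re-enabling after an alarm, requires Administrator authorization."""
        if role != "Administrator":
            self._log("port-enable", "denied", user)
            return False
        self.state = PortState.ENABLED
        self.alarm_active = False
        self._log("port-enable", "success", user)
        return True

    def disable(self, user: str, role: str) -> bool:
        """Ports not essential to operation, testing or auditing are disabled."""
        if role != "Administrator":
            self._log("port-disable", "denied", user)
            return False
        self.state = PortState.DISABLED
        self._log("port-disable", "success", user)
        return True

    def connection_event(self, connected: bool) -> None:
        """Boundary protection: a connection broken while the port is enabled
        disables the port automatically, raises an alarm and logs the event.
        Plugging the cable back in does not clear the alarm."""
        if self.state is PortState.ENABLED and self.connected and not connected:
            self.state = PortState.ALARM
            self.alarm_active = True
            self._log("port-connection-broken", "alarm")
        elif connected != self.connected:
            self._log("port-connected" if connected else "port-disconnected", "success")
        self.connected = connected

    def can_transfer(self) -> bool:
        return self.state is PortState.ENABLED and self.connected
```

Because the alarm state is distinct from plain "disabled", a reconnection after tampering leaves the port unusable until an Administrator acts, and both the alarm and the re-enable show up in the event log with the user who authorized it.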
5.8 Physical Security for Voting Devices
- Secure physical locks and keys
  - Meet UL standards and be tamper evident
  - Keyed per System Owner's preference
- Physical encasement locks (fasteners): must not compromise security
- Power supplies: if the power goes out, physical countermeasures should not fail
Questions
End of Day One???