Proposal of a Creation Method for Secure and Trusted IT Environment Based on Multiple International Standards (2006. 9. 25)

Guillermo Horacio RAMIREZ CACERES and Yoshimi TESHIGAWARA
Graduate School of Engineering, Soka University
E-mail: {guillerm,teshiga}@soka.ac.jp
http://www.teshilab.net

Abstract

Many international standards exist in the IT security field. This research builds on ISO/IEC 15408, ISO/IEC 15446, ISO/IEC 13335, ISO/IEC 17799 and ISO/IEC TR 19791. In this paper, we propose a method of security policy making that adapts flexibly to users' environments, defending them against the threats of their information system environment and creating a safe networking environment. The proposed model allows a user to select the appropriate policy quickly and effectively according to the user's environment. To identify the threats of the IT environment, we use a threat model based on ISO/IEC 15446 and ISO/IEC 13335. Each identified threat is addressed by one or more security policies drawn from IT products evaluated under the Common Criteria (CC) and from ISO/IEC 17799. At the same time, the model allows the user to select appropriate IT products evaluated under CC or, in the future, operational systems evaluated under ISO/IEC TR 19791. Because there are too many combinations of security policies for each IT environment, we have developed a knowledge-based tool that selects the most appropriate security policy for a specific environment. The tool is provided as a Web application and is online at our laboratory web page.

[Figure: Purpose of Research. Threat agents give rise to threats; threats exploit vulnerabilities in assets; the security policy protects the user's assets.]

1. Purpose of Research and Expected Effects

Security is concerned with the protection of assets from threats, where threats are categorized as the potential for abuse of protected assets. Safeguarding assets of interest is the responsibility of the owners who place value on those assets. Owners perceive such threats as the potential for impairment of the assets, such that the value of the assets to the owners would be reduced. Security-specific impairment includes loss of confidentiality, integrity, or availability. The owners of the assets must know the possible threats in order to determine which countermeasures apply to their environments. These countermeasures are imposed to reduce vulnerabilities and to meet the security policies of the owners of the assets.

Computers today play a far greater role in every kind of company than they did in the past. Formerly, auditing was used to control the economic aspects of a company and to grade its level of indebtedness or uncertainty. Today, since the responsibility placed on computers has greatly increased, it is vital to protect the information they contain. For example, an employer may feel at ease because the security system of his company is trustworthy, but when he returns home he cannot be so sure that the information on his own computer is safe. With the use of social engineering, a person without technical knowledge may be able to take information from that computer and use it to violate the privacy of the company.

We propose a method of security policy making that adapts flexibly to users' environments to defend against the threats of the information system environment. The users' environments may change, but these security policies are flexible and change according to the new environment.

[Figure: Fundamental Research Target. The user's environment (Home, Office, Outdoor) determines the security objectives, which determine the security policy and its security policy level.]

2. Fundamental Research Target

Our fundamental research target is the construction of security policies for a secure and trustable IT environment based on multiple international standards. In this section, we introduce the policy making architecture. Our proposed method is divided into three steps.

- First step: identify and specify the threats that affect the IT environment. Each identified threat to security is addressed by one or more security objectives.
- Next step: specify the security objectives. These objectives must be suitable to counter all identified threats.
- Last step: create the security policy.

[Figure: User's Environment. The threat model combines three parameters. Agent (WHO?): Human (Authenticated, Unauthenticated or Unidentified; Local or Remote; Constructive, Negligent or Hostile) or Other. Method (HOW?). Assets (WHAT?): Display data, Data on storage media, Printer data, each with respect to Confidentiality, Integrity and Availability. Sources: ISO/IEC 15408, ISO/IEC 17799, ISO/IEC TR 15446, ISO/IEC TR 13335. Example threat: "An attacker or an authorized user may gain unauthorized access to information or resources by impersonating an authorized user."]

3. User's Environment

The first step is to identify and specify the threats that affect the IT environment. Based on the security concept described above, we have developed a threat model based on multiple international standards. To identify and specify a threat it is necessary to know WHO the threat agent is, HOW the agent or malicious attacker can gain access or deny services, and finally WHAT kind of security issue could occur. For example: "An attacker or an authorized user may gain unauthorized access to information or resources by impersonating an authorized user."

How should threats be specified?
WHO: An attacker or an authorized user
HOW: Impersonation of an authorized user
WHAT: Confidential or sensitive data

The threats are also displayed in categories such as administrator, authorized user, physical environment, system, hardware, software, and malicious user. This model was created principally to help developers create a Security Target (ST) according to ISO/IEC 15408. The relationship between WHO, HOW and WHAT is based on ISO/IEC 15446. The asset classification is based on ISO/IEC 17799. Finally, the risk evaluation is based on ISO/IEC 13335. The threat model combines multiple parameters in order to identify the threats, and was created to be usable by home users who do not have specialist knowledge.

[Figure: Security Objectives. The knowledge base of security objectives draws on ISO/IEC 17799, ISO/IEC 15408 Parts 1 to 3 and the security objectives section of evaluated STs, and ISO/IEC TR 13335 Parts 4 and 5. Objectives are classified as Preventive (proactive), Detective (automatic) or Corrective (reactive). Example threat: "An unauthorized person may gain logical access to the system."]

4. Security Objectives

The security objectives provide a concise statement of the intended response to the environment threats. Usually a security objective cannot be satisfied only with technical countermeasures or with the functional requirements described in ISO/IEC 15408. For example, an administrator may assign a strong password, but a user who cannot remember it may write it down on a memo. In this case, it is necessary to re-educate the user about security issues.

There are too many security objectives spread across different international standards. For this reason we have developed a knowledge base of security objectives including:
- ISO/IEC 17799
- ISO/IEC 13335 Parts 4 and 5
- Security objectives described in the security objectives section (section 4) of Security Targets evaluated under CC

In some cases, security objectives are identified or sub-classified in three categories. The possible security objectives to protect the system against the threat "An unauthorized person may gain logical access to the system." are shown below.

Preventive: to prevent a threat from being carried out. For example: "Ensure that each user is uniquely identified and authenticated before the user is granted access to the system."
Detective: to detect and monitor the occurrence of events relevant to secure operation. For example: "Generate evidence which can be used as proof of the origin of that information."
Corrective: to take action in response to potential security violations. For example: "Detection of events that are indicative of an imminent security violation, take appropriate steps to curtail the attack."
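As an added illustration (not the authors' knowledge-based tool), the following Python models the WHO/HOW/WHAT threat specification of section 3 and the preventive/detective/corrective objectives of section 4, filters the threat catalogue to the threats applicable in a given user environment, and greedily chooses a small set of objectives of each kind that covers them. The catalogues, the environment attributes and the identifiers (T.*, O.*) are constructed for this example; only the two quoted threats and the three quoted objectives come from the text.

```python
"""Threat specification (WHO / HOW / WHAT) and objective selection.

Added example; the threat and objective catalogues are constructed for
illustration and are not the paper's knowledge base.
"""
from dataclasses import dataclass
from enum import Enum


class Kind(Enum):
    PREVENTIVE = "preventive"
    DETECTIVE = "detective"
    CORRECTIVE = "corrective"


@dataclass(frozen=True)
class Agent:
    """WHO? The threat agent, characterised as in the section 3 figure."""
    human: bool           # Human vs Other (e.g. environmental)
    authenticated: bool   # True: authorized user; False: unauthenticated/unidentified
    remote: bool          # False: local
    intent: str           # "hostile", "negligent", "constructive" or "n/a"


@dataclass(frozen=True)
class Threat:
    tid: str
    who: Agent
    how: str          # HOW? method used to gain access or deny service
    what: str         # WHAT? asset class affected
    attribute: str    # confidentiality, integrity or availability


@dataclass(frozen=True)
class Objective:
    oid: str
    kind: Kind
    text: str
    counters: frozenset   # ids of the threats this objective addresses


@dataclass(frozen=True)
class Environment:
    assets: frozenset     # asset classes present in the user's environment
    remote_access: bool   # is the system reachable over a network?


# Constructed catalogue: the two threats quoted in sections 3 and 4 plus four
# hypothetical ones of the same WHO/HOW/WHAT form.
THREATS = [
    Threat("T.IMPERSONATE", Agent(True, False, True, "hostile"),
           "impersonation of an authorized user", "data on storage media", "confidentiality"),
    Threat("T.LOGICAL_ACCESS", Agent(True, False, False, "hostile"),
           "unauthorized logical access to the system", "data on storage media", "confidentiality"),
    Threat("T.SHOULDER_SURF", Agent(True, False, False, "hostile"),
           "observing the screen", "display data", "confidentiality"),
    Threat("T.PRINTOUT_LEFT", Agent(True, True, False, "negligent"),
           "leaving printouts unattended", "printer data", "confidentiality"),
    Threat("T.ACCIDENTAL_DELETE", Agent(True, True, False, "negligent"),
           "accidental deletion of files", "data on storage media", "availability"),
    Threat("T.POWER_FAILURE", Agent(False, False, False, "n/a"),
           "power outage during a write", "data on storage media", "availability"),
]

# Constructed catalogue: the three section 4 examples plus hypothetical ones.
OBJECTIVES = [
    Objective("O.IA", Kind.PREVENTIVE,
              "Each user is uniquely identified and authenticated before access is granted.",
              frozenset({"T.IMPERSONATE", "T.LOGICAL_ACCESS"})),
    Objective("O.EVIDENCE", Kind.DETECTIVE,
              "Generate evidence usable as proof of the origin of information.",
              frozenset({"T.IMPERSONATE", "T.LOGICAL_ACCESS", "T.ACCIDENTAL_DELETE"})),
    Objective("O.CURTAIL", Kind.CORRECTIVE,
              "Detect events indicating an imminent violation and curtail the attack.",
              frozenset({"T.IMPERSONATE", "T.LOGICAL_ACCESS"})),
    Objective("O.SCREEN", Kind.PREVENTIVE,
              "Lock the screen when unattended and shield it from onlookers.",
              frozenset({"T.SHOULDER_SURF"})),
    Objective("O.AWARENESS", Kind.PREVENTIVE,
              "Educate users to collect printouts and to handle files with care.",
              frozenset({"T.PRINTOUT_LEFT", "T.ACCIDENTAL_DELETE"})),
    Objective("O.BACKUP", Kind.CORRECTIVE,
              "Keep backups from which lost data can be restored.",
              frozenset({"T.ACCIDENTAL_DELETE", "T.POWER_FAILURE"})),
]


def applicable_threats(env):
    """Keep only the threats that can occur in this environment."""
    out = []
    for t in THREATS:
        if t.what not in env.assets:
            continue                        # asset absent: nothing to impair
        if t.who.remote and not env.remote_access:
            continue                        # no network path for a remote agent
        out.append(t)
    return out


def select_objectives(env, kind):
    """Greedy set cover: a small set of objectives of one kind addressing every
    applicable threat that objectives of that kind can address."""
    pool = [o for o in OBJECTIVES if o.kind is kind]
    pending = {t.tid for t in applicable_threats(env)}
    pending &= set().union(*(o.counters for o in pool))
    chosen = []
    while pending:
        best = max(pool, key=lambda o: len(o.counters & pending))
        chosen.append(best.oid)
        pending -= best.counters
    return chosen


def unprevented(env):
    """Applicable threats with no preventive objective at all: detection and
    correction alone still let the threat occur, so these need a new objective."""
    prevented = set().union(*(o.counters for o in OBJECTIVES if o.kind is Kind.PREVENTIVE))
    return [t.tid for t in applicable_threats(env) if t.tid not in prevented]
```

The `unprevented` check is the point a reviewer of such a policy would raise: a threat that is only detected or corrected is still free to occur, so a selection is complete only when every applicable threat has at least one preventive objective (here T.POWER_FAILURE has none in the constructed catalogue, and the function reports it).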

[Figure: Security Policy Making. The security policy covers IT software and hardware, users and administrators; it is supported by the SFRs (ISO/IEC 15408 Part 2) and SARs (Part 3) of evaluated products and, in the future, by the security controls of ISO/IEC 19791. Part 2 is organized into classes, families and components.]

Table: Login controls (Identification and authentication, ISO/IEC 15408)

  Security requirement                                                            Functional component
  Identification of users                                                         FIA_UID.1-2
  Authentication of users                                                         FIA_UAU.1-2
  Limits on repeated login failures (e.g. enforcement of lockout or time delay)   FIA_AFL.1
  Trusted path for logon                                                          FTP_TRP.1-2
  Time of day restriction of access to information                                FTA_TSE.1

5. Security Policy Making

Finally, our proposed model allows a user to select the appropriate policy quickly and effectively according to the user's environment.

A security policy is an organizational tool that informs the users of a system about the importance and sensitivity of the information and of the critical services that allow the company to grow and stay competitive. Given this, defining a security policy requires a strong commitment from the organization, the technical skill to identify flaws and weaknesses, and the perseverance to revise and upgrade the policies as the dynamic environment surrounding modern organizations changes. We have classified security policies into three groups.

Security policies for the IT environment: these policies are created based on ISO/IEC 15408. Products evaluated under CC include a list of security objectives; each security objective is met by a set of Security Functional Requirements (SFRs) and Security Assurance Requirements (SARs), drawn from Part 2 and Part 3 of ISO/IEC 15408, which are relevant to supporting that objective.

Security policies for administrators: these policies are created based on ISO/IEC 15408 Part 3, principally the class AGD "Guidance documents".

Security policies for users: a security policy is defined as a clear instruction that provides guidelines for users' behaviour in safeguarding information, and is a fundamental building block in developing effective controls to counter potential security threats.

It is very important that the security policies are easy to maintain, because security methods and tools change with new needs and new challenges. The security policy should be constructed so as to minimize the impact that such changes have on the systems and their users.
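To show how the login-control components in the table above become an enforceable policy, here is an added example (not the paper's tool or the code of any evaluated product) of a login decision routine that applies FIA_UID.1, FIA_UAU.1, FIA_AFL.1, FTP_TRP.1 and FTA_TSE.1 in the order a real logon would check them. The failure threshold, lockout delay, allowed hours, user record format and the `trusted_path` flag standing in for the trusted path are assumptions; the user database and the walk-through scenario are constructed.

```python
"""Login controls from the section 5 table, enforced in code (added example).

Thresholds, hours and the record layout are assumed values, not taken from
any standard or evaluated product.
"""
import hashlib
import hmac
import os
from datetime import datetime, timedelta

MAX_FAILURES = 3                   # FIA_AFL.1: failures before the lockout action (assumed)
LOCKOUT = timedelta(minutes=15)    # FIA_AFL.1: time delay imposed on lockout (assumed)
ALLOWED_HOURS = range(8, 20)       # FTA_TSE.1: sessions only from 08:00 to 19:59 (assumed)
_DUMMY_SALT = bytes(16)            # used so unknown names cost the same as wrong passwords


def _hash(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def make_user(password):
    """Constructed user record: salted PBKDF2 hash plus FIA_AFL.1 state."""
    salt = os.urandom(16)
    return {"salt": salt, "hash": _hash(password, salt), "failures": 0, "locked_until": None}


class LoginController:
    def __init__(self, users):
        self.users = users

    def attempt(self, username, password, now, trusted_path):
        # FTP_TRP.1 (trusted path): the logon exchange must run over a trusted path.
        if not trusted_path:
            return "DENIED_UNTRUSTED_PATH"
        # FTA_TSE.1 (TOE session establishment): deny outside the allowed hours.
        if now.hour not in ALLOWED_HOURS:
            return "DENIED_TIME_OF_DAY"
        # FIA_UID.1 (timing of identification): identify the claimed user. An unknown
        # name gets the same answer, and the same hashing cost, as a wrong password,
        # so the response does not reveal which accounts exist.
        rec = self.users.get(username)
        if rec is None:
            _hash(password, _DUMMY_SALT)
            return "DENIED_BAD_CREDENTIALS"
        # FIA_AFL.1 (authentication failure handling): refuse while locked.
        if rec["locked_until"] is not None and now < rec["locked_until"]:
            return "DENIED_LOCKED"
        # FIA_UAU.1 (timing of authentication): verify the secret in constant time.
        if hmac.compare_digest(_hash(password, rec["salt"]), rec["hash"]):
            rec["failures"] = 0
            rec["locked_until"] = None
            return "ALLOWED"
        rec["failures"] += 1
        if rec["failures"] >= MAX_FAILURES:
            rec["failures"] = 0
            rec["locked_until"] = now + LOCKOUT   # FIA_AFL.1: lockout with time delay
            return "DENIED_LOCKED"
        return "DENIED_BAD_CREDENTIALS"


def run_scenario():
    """Constructed walk-through; returns the outcome of each attempt in order."""
    ctl = LoginController({"alice": make_user("correct horse battery")})
    day = datetime(2006, 9, 25, 10, 0)     # inside ALLOWED_HOURS
    night = day.replace(hour=23)           # outside ALLOWED_HOURS
    return [
        ctl.attempt("alice", "correct horse battery", day, trusted_path=False),   # FTP_TRP.1
        ctl.attempt("alice", "correct horse battery", night, trusted_path=True),  # FTA_TSE.1
        ctl.attempt("mallory", "anything", day, trusted_path=True),               # FIA_UID.1
        ctl.attempt("alice", "guess1", day, trusted_path=True),                   # failure 1
        ctl.attempt("alice", "guess2", day, trusted_path=True),                   # failure 2
        ctl.attempt("alice", "guess3", day, trusted_path=True),                   # failure 3: lockout
        ctl.attempt("alice", "correct horse battery", day + timedelta(minutes=5), trusted_path=True),
        ctl.attempt("alice", "correct horse battery", day + LOCKOUT, trusted_path=True),
    ]


if __name__ == "__main__":
    for outcome in run_scenario():
        print(outcome)
```

Two details matter for the policy to hold as written: the lockout is checked before the password is verified, so a correct password submitted during the delay does not shorten it, and the failure counter is reset only on success or on lockout, so an attacker cannot keep an account permanently just under the threshold by alternating good and bad guesses without ever succeeding.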

[Figure: Conclusion. Environment threats (WHO, HOW, WHAT; ISO/IEC TR 15446, ISO/IEC TR 13335) lead to security objectives (Preventive, Detective, Corrective; ISO/IEC 17799, ISO/IEC 15408 Part 1), which lead to the security policy for IT software, hardware, users and administrators, supported by ISO/IEC 15408 Part 2 SFRs and Part 3 SARs and by ISO/IEC 19791 security controls.]

6. Conclusion and Future Work

The proposed model allows the user to select the appropriate policy quickly and effectively according to the user's environment, because the user works with only a minimal set of security policies. In addition, all security policies in this model are created for specific environment threats. All security policies created by this architecture are supported by SFRs and SARs. This threat-policy relationship is based on ISO/IEC TR 15446. At the same time, the model lets the user know the SFRs necessary for his or her environment and select the appropriate systems or products evaluated under the Common Criteria (CC), i.e. ISO/IEC 15408.

The present research was aimed at home users and small networks. In the future we would like to implement this policy making architecture in large-scale networks such as universities, hospitals, and small or medium-sized companies. To create such a system, it is necessary to work on threat modeling that simplifies the study of the new large-scale environment. We are working on a new threat architecture to create an interactive application that selects the policy according to changes of environment. This threat model architecture is based on ISO/IEC 15446 and ISO/IEC TR 13335. Safeguarding assets of interest is the responsibility of the owners or users who place value on those assets, and the value of these assets varies with the company or network environment; we would therefore like to include asset value modeling and risk management.

Finally, we are working on a new security policy model based on the new version of ISO/IEC 15408. We are also working on a new security policy making model based on ISO/IEC 17799. The purpose of this research is to fuse ISO/IEC 15408 with ISO/IEC 17799 to create more effective security policies.

Annex: Knowledge Based Tool

We have been working to create a set of security policies for home users' systems based on international standards. We have constructed a knowledge base to be used as a security guideline for home users as well as for ST developers. The knowledge base is Web based. The knowledge-based tool allows home users to access information on the threats that affect the home user environment; they can search for threats and select the security objectives appropriate to that environment. Moreover, the system shows how to implement these policies with the IT components defined in ISO/IEC 15408. The knowledge-based tool is provided as a Web application and is open to the public at http://www.teshilab.net.

References
[1] ISO/IEC 15408, Common Criteria for Information Technology Security Evaluation, Parts 1-3, Version 3, CCIMB-99-031, August 1999.
[2] ISO/IEC TR 15446, Information technology - Security techniques - Guide for the production of protection profiles and security targets, 2004.
[3] ISO/IEC TR 13335-1 to -5, Information technology - Guidelines for the management of IT Security.
[4] ISO/IEC 17799, Information technology - Code of practice for information security management, 2000.
[5] ISO/IEC TR 19791, Information technology - Security techniques - Security assessment of operational systems, 2005.
[6] Guillermo Ramirez and Yoshimi Teshigawara, "A Study of Threat Modeling Based on International Standards for Production of Security Targets", DICOMO 2005, pp. 189-192, July 2005.
[7] Guillermo Horacio Ramirez Caceres and Yoshimi Teshigawara, "A Study on Security Policy Making Adaptable to Users' Environments Based on International Standards", LANOMS 2005, Porto Alegre, Brazil, August 29-31, 2005.
[8] Guillermo Horacio Ramirez Caceres and Yoshimi Teshigawara, "Design and Development of a Knowledge-based Tool for ST Developers Based on the New Common Criteria", WMSCI 2006, Orlando, Florida, USA, July 16-19, 2006.
