Security Evaluation

1 Computer Security: Security Evaluation (11/07/11)
2 Security Evaluation
- How do you get assurance that your computer systems are adequately secure?
- You could trust your software providers.
- You could check the software yourself, but you would have to be a real expert.
- You could rely on an impartial security evaluation by an independent body.
- Security evaluation schemes have evolved since the 1980s; currently the Common Criteria are used internationally.
3 Objectives
- Examine the fundamental problems any security evaluation process has to address.
- Propose a framework for comparing evaluation criteria.
- Overview of the major evaluation criteria.
- Assess the merits of evaluated products and systems.
4 Agenda
- History
- Framework for the comparison of criteria
- Orange Book
- ITSEC
- Federal Criteria
- Common Criteria
- Quality Standards?
- Summary
5 Security Evaluation – History
- TCSEC (Orange Book): criteria for the US defense sector; predefined evaluation classes linking functionality and assurance.
- ITSEC: European criteria separating functionality and assurance, so that very specific targets of evaluation can be specified and commercial needs can be better addressed.
- TCSEC and ITSEC are no longer in use; replaced by the Common Criteria (CC): http://www.commoncriteria.org/, http://niap.nist.gov/cc-scheme
6 Framework for Security Evaluation
- What is the target of the evaluation?
- What is the purpose of an evaluation?
- What is the method of the evaluation?
- What is the organizational framework for the evaluation process?
- What is the structure of the evaluation criteria?
- What are the costs and benefits of evaluation?
7 Target of evaluation
- Product: “off-the-shelf” software component to be used in a variety of applications; has to meet generic security requirements.
- System: collection of products assembled to meet the specific requirements of a given application.
Purpose of evaluation
- Evaluation: assesses whether a product has the security properties claimed for it.
- Certification: assesses suitability of a product (system) for a given application.
- Accreditation: decide to use a certain system.
8 Method
- Evaluations should not miss problems, and different evaluations of the same product should give the same result.
- Product oriented: examine and test the product; better at finding problems.
- Process oriented: check documentation and the product development process; cheaper and better for repeatable results.
- Repeatability and reproducibility are often desired properties of an evaluation methodology.
9 Organizational Framework
- Public service: evaluation by government agency; can be slow, may be difficult to retain qualified staff.