This analysis delves into the Common Criteria (CC) and its relationship with various ISO security standards such as ISO 15408, ISO 27001, and others. It discusses the complexities of implementing these standards in the payment card industry, contrasting the approaches of organizations like APACS and the smartcard industry. The focus is on the effectiveness of the CC in providing a comprehensive security framework, exploring areas where adaptation has been beneficial and where misinterpretations or excessive prescriptiveness may have hindered progress.
Omissions and errors in the CC: Who got it right?
8ICCC
Denise Cater

Security Standards
ISO alone have issued:
• ISO 15408 – Common Criteria (CC)
• ISO 19092 – Financial Services – Security
• ISO 19790 – Security Requirements for Cryptographic Modules (FIPS 140)
• ISO 27001 – Information Security Management
• ISO 27002 (formerly ISO 17799) – ISMS best practice

Many standards: One CC
• Catalogue of security components:
  • Functional
  • Assurance
• Focus on repeatability
• Voluminous guidance for consistent application
• Scheme rules and interpretations = “heavy” process

APACS Payment Industry Security Standards
• Payment Card Industry (PCI) Data Security Standard
• EMV (Europay, Mastercard, Visa) Specifications
• APACS PIN Entry Device PP (Protection Profile)

APACS application of CC
• Own Certification Body
  • Appointment of labs
  • Issuing of certificates
• Focus on CC
  • Less emphasis on CEM (Common Evaluation Methodology)
• Concentration of efforts
  • Design and testing seen as paramount
  • Procedural requirements seen as supporting

Smartcard Industry
• Developed PPs
• Generated own interpretations
  • Adopted as CC Supporting Documents
  • Included own Attack Potential Table
  • Examples of smartcard-specific attacks

Smartcard Industry
• Took the CC and gave specific guidance for their industry
• A lot of focus placed on penetration testing
• Identified additional stages in lifecycle/delivery

Adapt to Adopt
• Both industries have made changes in order to use the CC
  • Interpretations
  • Greater emphasis in some areas, less in others

Who got it right?
• The CC, of course!
  • Providing a catalogue that industry and other schemes can draw upon
• But also industry/other schemes
  • Focus on areas of specific interest
  • Light touch on other areas

Who got it wrong?
• Those who requested EALs (Evaluation Assurance Levels) to be included in the CC (for backwards compatibility)
  • Led to “incorrect” use of the CC
  • Initially fewer PPs were developed, as effort was concentrated on the assurance level alone

Who got it wrong?
• Authors of the CEM, or the CC Schemes?
  • Too prescriptive
  • Forcing evaluators to complete work units at a level of detail that is not always necessary
  • Time spent on “meeting the CEM” that would be better spent on testing and vulnerability analysis

In summary
• CC got it right
• CC got it wrong
But industry can adapt the CC in order to adopt it

Thank you
Denise Cater
denise@iconsecurity.co.uk