Pattern Recognition and Applications Lab
University of Cagliari, Italy
Department of Electrical and Electronic Engineering

CYBER SECURITY CERTIFICATIONS

Giorgio Giacinto
[email protected]

Computer Security 2017

http://pralab.diee.unica.it 2

What is the meaning of certification?

• Need to define the meaning of security
– Which are the characteristics of a secure system?
– How to define different levels of security?

• Need to regulate a hierarchy of certification services
– Who is entitled to assign the roles for issuing certificates
– The characteristics needed to apply for the role of certification body

• Professional certification

• Product and process certifications


Professional Certifications


CISSP – Certified Information Systems Security Professional

• Managed by the not-for-profit organization (ISC)², the International Information Systems Security Certification Consortium.

• Since 2004 the CISSP certification is compliant with the ANSI ISO/IEC Standard 17024
– Current version: ISO/IEC 17024:2012

• This certification is compliant with the requirements of the US Department of Defense (DoD)


How to obtain the CISSP certification

• Candidates must have a minimum of 5 years of cumulative paid full-time work experience in 2 or more of the following 8 domains of the CISSP CBK (Common Body of Knowledge), then pass the exam on the 8 domains
– Security and Risk Management
  • Security, Risk, Compliance, Law, Regulations, Business Continuity
– Asset Security
  • Protecting Security of Assets
– Security Engineering
  • Engineering and Management of Security
– Communications and Network Security
  • Designing and Protecting Network Security
– Identity and Access Management
  • Controlling Access and Managing Identity
– Security Assessment and Testing
  • Designing, Performing, and Analyzing Security Testing
– Security Operations
  • Foundational Concepts, Investigations, Incident Management, Disaster Recovery
– Software Development Security
  • Understanding, Applying, and Enforcing Software Security


CISSP in Italy

• There is an (ISC)² Italy chapter that organizes training sessions to prepare for the CISSP exam


Software Certifications


Orange Book

• The first widely adopted criteria for certifying the security of software systems are the Trusted Computer System Evaluation Criteria (TCSEC), the so-called Orange Book
– US Department of Defense (DoD), standard DoD 5200.28-STD (1985)
– http://www.dynamoo.com/orange

• This document provided the criteria to evaluate the security of operating systems, and defined a categorization in seven classes of increasing assurance: D, C1, C2, B1, B2, B3, A1

Giorgio Giacinto 2014 Certificazione


Orange Book

• D: Minimal Protection
– Systems that have been evaluated but do not meet the requirements of any higher class; no security assurance can be stated for them
  • MS-DOS, Windows 95/98/ME

• C: Discretionary Protection
– Access to objects is granted at the discretion of their owners (discretionary access control, DAC); the administrator or owner applies protection mechanisms to individual objects
– The operating system provides basic logging (audit) capabilities, so that actions can be attributed to users
  • C1: Discretionary Security Protection – early UNIX versions
  • C2: Controlled Access Protection – IBM OS/400, Windows NT/2000/XP, Novell Netware


Orange Book

• B: Mandatory Protection
– The operating system requires that a sensitivity label is assigned to every subject and every object, and enforces access decisions on those labels independently of the owner's wishes (mandatory access control, MAC)
  • B1: Labeled Security Protection – HP-UX, Cray Research Trusted Unicos 8.0, Digital SEVMS
  • B2: Structured Protection – Honeywell Multics, Cryptek VSLAN, Trusted XENIX
  • B3: Security Domains – Getronics/Wang Federal XTS-300

• A: Verified Protection
– The trustworthiness of the operating system is verified through formal methods (formal specification and proof of the security model and design)
  • A1: Verified Protection – Boeing MSL LAN, Honeywell SCOMP
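The difference between the C (discretionary) and B (mandatory) classes is easiest to see in code. The following is an added example, not material from the slides: a toy reference monitor that first applies an owner-managed ACL (the class C behaviour) and then, for labelled objects, a mandatory check on sensitivity labels following the Bell-LaPadula rules that the B classes were built around (no read up, no write down). Every decision is written to an audit trail, as C2 and above require. The subject names, levels, categories and audit format are constructed for illustration.

```python
"""Discretionary (TCSEC class C) vs. mandatory (class B) access control.

Added example, not from the slides: a small reference monitor that applies
an owner-managed ACL first and, for labelled objects, a mandatory check on
sensitivity labels (Bell-LaPadula: no read up, no write down). Every decision
is written to an audit trail, as class C2 and above require. Subject names,
levels, categories and the audit format are constructed for illustration.
"""
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, List, Optional, Set

# Assumed hierarchical levels, lowest to highest.
LEVELS = {"UNCLASSIFIED": 0, "CONFIDENTIAL": 1, "SECRET": 2, "TOP_SECRET": 3}


@dataclass(frozen=True)
class Label:
    """Sensitivity label: a level plus a set of need-to-know categories."""
    level: str
    categories: FrozenSet[str] = frozenset()

    def dominates(self, other: "Label") -> bool:
        # Lattice order: level at least as high AND superset of categories.
        return (LEVELS[self.level] >= LEVELS[other.level]
                and self.categories >= other.categories)


@dataclass
class Obj:
    name: str
    owner: str
    acl: Dict[str, Set[str]] = field(default_factory=dict)  # subject -> ops
    label: Optional[Label] = None  # None: unlabelled, DAC only (class C)


@dataclass
class Subject:
    name: str
    clearance: Optional[Label] = None


class ReferenceMonitor:
    def __init__(self) -> None:
        self.audit: List[str] = []

    def grant(self, granter: Subject, obj: Obj, subject: Subject, op: str) -> bool:
        """DAC: only the owner may extend an object's ACL."""
        if granter.name != obj.owner:
            self.audit.append(f"DENY grant {op} on {obj.name} by {granter.name}: not owner")
            return False
        obj.acl.setdefault(subject.name, set()).add(op)
        return True

    def _dac(self, s: Subject, o: Obj, op: str) -> bool:
        return s.name == o.owner or op in o.acl.get(s.name, set())

    def _mac(self, s: Subject, o: Obj, op: str) -> bool:
        if o.label is None:
            return True                      # unlabelled object: DAC decides alone
        if s.clearance is None:
            return False                     # uncleared subject never touches labelled data
        if op == "read":
            return s.clearance.dominates(o.label)   # simple security property: no read up
        if op == "write":
            return o.label.dominates(s.clearance)   # *-property: no write down
        return False

    def access(self, s: Subject, o: Obj, op: str) -> bool:
        """Mediate one access: both checks must pass; the decision is audited."""
        dac_ok, mac_ok = self._dac(s, o, op), self._mac(s, o, op)
        allowed = dac_ok and mac_ok
        self.audit.append(f"{'ALLOW' if allowed else 'DENY'} {op} {o.name} by {s.name} "
                          f"(dac={dac_ok}, mac={mac_ok})")
        return allowed


def demo() -> Dict[str, bool]:
    """Run the constructed scenario and return each access decision by name."""
    rm = ReferenceMonitor()
    alice = Subject("alice", Label("SECRET", frozenset({"CRYPTO"})))
    bob = Subject("bob", Label("CONFIDENTIAL"))
    memo = Obj("memo", owner="alice")                                  # unlabelled
    plan = Obj("plan", owner="alice", label=Label("SECRET", frozenset({"CRYPTO"})))
    bulletin = Obj("bulletin", owner="bob", label=Label("UNCLASSIFIED"))
    r: Dict[str, bool] = {}
    r["bob_reads_memo_without_acl"] = rm.access(bob, memo, "read")     # False: no ACL entry
    rm.grant(alice, memo, bob, "read")
    r["bob_reads_memo_with_acl"] = rm.access(bob, memo, "read")        # True: DAC suffices
    r["bob_grants_himself_write"] = rm.grant(bob, memo, bob, "write")  # False: not owner
    rm.grant(alice, plan, bob, "read")
    r["bob_reads_plan_despite_acl"] = rm.access(bob, plan, "read")     # False: MAC, no read up
    rm.grant(bob, bulletin, alice, "write")
    r["alice_writes_bulletin_despite_acl"] = rm.access(alice, bulletin, "write")  # False: no write down
    rm.grant(alice, plan, bob, "write")
    r["bob_writes_up_to_plan"] = rm.access(bob, plan, "write")         # True: writing up is allowed
    r["alice_writes_plan"] = rm.access(alice, plan, "write")           # True: owner, equal labels
    return r


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name:40s} {'ALLOW' if ok else 'DENY'}")
```

The point the scenario makes is that in a class C system the owner's ACL is the final word (bob can read the memo as soon as alice lets him), while in a class B system the label check cannot be overridden by the owner: alice granting bob read on the SECRET plan does not help him, and alice herself cannot write into an UNCLASSIFIED object even when its owner invites her to.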


Common Criteria

• The national security authorities of the USA, Canada and Europe have worked to produce a common set of criteria for evaluating the security of computer systems

• Common Criteria
– First version in 1996
– Current version: 3.1 Release 5 (April 2017)
– ISO/IEC 15408-1:2009, ISO/IEC 15408-2:2008, ISO/IEC 15408-3:2008


Common Criteria Members

• 17 Certificate Authorizing Members, including:
– Australia, Canada, France, Germany, India, Italy (since 5 October 2009), Japan, Malaysia, Netherlands, New Zealand, Norway, South Korea, Spain, Sweden, Turkey, United Kingdom, USA

• 10 Certificate Consuming Members
– Austria, Czech Republic, Denmark, Finland, Greece, Hungary, Israel, Pakistan, Qatar, Singapore


Evaluation Assurance Level (EAL)

• Seven evaluation levels
– EAL1, lowest level
– EAL7, highest level

• EAL1 – functionally tested
• EAL2 – structurally tested
• EAL3 – methodically tested and checked
• EAL4 – methodically designed, tested and reviewed
• EAL5 – semiformally designed and tested
• EAL6 – semiformally verified design and tested
• EAL7 – formally verified design and tested


Protection Profiles

• A Protection Profile (PP) is a document describing a category of products and stating, independently of any specific implementation, the security requirements that a product of that category must satisfy in a CC evaluation; the number of PPs per category is shown in parentheses
– Access Control Devices and Systems (3 PP)
– Biometric Systems and Devices (2 PP)
– Boundary Protection Devices and Systems (11 PP)
– Data Protection (7 PP)
– Databases (1 PP)
– ICs, Smart Cards and Smart Card-Related Devices and Systems (67 PP)
– Key Management Systems (4 PP)
– Mobility (2 PP)
– Multi-Function Devices (1 PP)
– Network and Network-Related Devices and Systems (10 PP)
– Operating Systems (2 PP)
– Other Devices and Systems (41 PP)
– Products for Digital Signatures (19 PP)
– Trusted Computing (5 PP)


Certified Products by Category (chart)


Certified Products by EAL (chart)


Certified Products by Country (chart)


Examples of certified products

• EAL7+
– Fort Fox Hardware Data Diode, version FFHDD2+

• EAL7
– Virtual Machine of Multos M3 G230M mask with AMD 113v4
– Memory Management Unit of the SAMSUNG S3FT9KF/S3FT9KT/S3FT9KS microcontrollers, revision 1

• EAL6+
– Green Hills Software INTEGRITY-178B Separation Kernel, comprising: INTEGRITY-178B Real Time Operating System (RTOS), version IN-ICR750-0101-GH01_Rel, running on CompactPCI card, version CPN 944-2021-021 with PowerPC, version 750CXe
– Infineon Security Controller M7893 B11 with optional RSA2048/4096 v1.03.006, EC v1.03.006, SHA-2 v1.01 libraries and Toolbox v1.03.006 and with specific IC dedicated software (firmware)


Examples of certified products

• EAL4+
– Red Hat Enterprise Linux Version 7.1
– SUSE Linux Enterprise Server Version 12
– JBoss Enterprise Application Platform 6 Version 6.2.2
– Microsoft SQL Server 2014 Database Engine Enterprise Edition x64
– FINX RTOS Security Enhanced (SE) v3.1

• Operating systems compliant with the Protection Profile
– Microsoft Windows 10 Anniversary Update Home Edition, Pro Edition and Enterprise Edition (32 and 64 bits), and Microsoft Windows Server 2016 Standard Edition and Datacenter Edition
– IBM z/OS Version 2 Release 1


OCSI – Organismo Certificazione Sicurezza Informatica

• In Italy, OCSI is in charge of maintaining the National Scheme for the evaluation and certification of the security of systems and products in the ICT sector (DPCM of 30.10.2003, G.U. n. 98 of 27.04.2004)

• OCSI is part of ISCOM (Istituto Superiore delle Comunicazioni e delle Tecnologie dell'Informazione) of the Ministry for Economic Development (MISE)

• Currently six laboratories in Italy provide system and product evaluation services for the assignment of the EAL


Certifications for Processes


Limits of Common Criteria

• Common Criteria drawbacks
– Long time required to perform the evaluation
– High costs

• It turns out that product evaluation through the CC scheme is appropriate only for
– equipment for military forces
– critical infrastructure (nuclear and chemical plants, etc.)

• The connection of everything to the network requires novel certification schemes
– fast enough to cope with the release of new versions
– with a larger base of certification laboratories


Joshua Corman @OneConference – Director, Cyber Statecraft Initiative, Atlantic Council


Public-Private initiatives

• The USA and the UK established public-private working groups to define novel certification schemes
– NIST is the US agency in charge of this action
– In the UK the home-affairs ministry carried out the initiative

• In Europe


NIST – Cyber Security Framework

• Version 1.0 – February 2014
• Framework for Improving Critical Infrastructure Cybersecurity


Italian Cyber Security Framework – http://www.cybersecurityframework.it

• February 2016

• CIS-Sapienza and CINI National Cybersecurity Lab

• Based on the NIST Cybersecurity Framework

• Main feature: focus on SMEs


UK Cyber Essentials

• UK Government, first proposed in June 2014

• Cyber Essentials – self certification

• Cyber Essentials Plus – certified by an external organization

• Essential requirements
– Boundary firewalls and internet gateways
– Secure configuration
– Access control
– Malware protection
– Patch management


Italian Cybersecurity Essentials – http://www.cybersecurityframework.it/csr2016

• February 2017

• 15 Essential Security Measures in 8 areas
– Inventory of devices and software (4 measures)
– Governance (1 measure)
– Malware protection (1 measure)
– Password and account management (3 measures)
– Training and awareness (1 measure)
– Data protection (2 measures)
– Network protection (1 measure)
– Prevention and mitigation (2 measures)


Web App Certification


OWASP Application Security Verification Standard

• OWASP Application Security Verification Standard (ASVS) 3.0.1
– 3 security verification levels


OWASP ASVS Levels

• Level 1 – Opportunistic
– all software

• Level 2 – Standard
– applications that contain sensitive data

• Level 3 – Advanced
– the most critical applications, i.e., applications that perform high-value transactions, contain sensitive medical data, etc.


Level 1 – Opportunistic

• The application adequately defends against vulnerabilities that are easy to discover and are included in the OWASP Top 10.

• Appropriate for applications where only low confidence in the correct use of security controls is required.

• Verification can be performed either automatically by tools or manually, without access to the source code.

• Threats to the application will most likely come from attackers who use simple, low-effort techniques to identify easy-to-find and easy-to-exploit vulnerabilities.


Level 2 – Standard

• The application adequately defends against most of the known risks.

• Level 2 ensures that security controls are in place, effective, and used within the application.

• Appropriate for applications that handle significant business-to-business transactions, including those that process healthcare information, or process other sensitive assets.

• Threats will typically be skilled and motivated attackers focusing on specific targets, using tools and techniques that are highly practiced and effective at discovering and exploiting weaknesses within applications.


Level 3 – Advanced

• Applications that require significant levels of security verification
– military, health and safety, critical infrastructure, etc.

• To achieve Level 3, an application must undergo an in-depth analysis of its architecture, coding, and testing

• A secure application is modularized in a meaningful way: each module takes care of its own security responsibilities
  • controls to ensure confidentiality (e.g. encryption)
  • controls to ensure integrity (e.g. transactions, input validation)
  • controls to ensure availability (e.g. handling load gracefully)
  • controls to ensure authentication (including between systems)
  • controls to ensure non-repudiation, authorization, and auditing (logging)


Verification requirements

V1. Architecture, design and threat modelling
V2. Authentication
V3. Session management
V4. Access control
V5. Malicious input handling
V7. Cryptography at rest
V8. Error handling and logging
V9. Data protection
V10. Communications
V11. HTTP security configuration
V13. Malicious controls
V15. Business logic
V16. File and resources
V17. Mobile
V18. Web services (NEW for 3.0)
V19. Configuration (NEW for 3.0)


Verification requirements and levels

• For each level, the requirements change
– Example for V1. Architecture, Design and Threat Modelling (table)


Other certifications


ISO 27000s standards – Information security management

• ISO/IEC 27000 – Family of standards for the management of information security; they are not strictly related to computer security

• ISO/IEC 27001 – Requirements for an Information Security Management System (ISMS): the secure management of information, regardless of the technology used

• ISO/IEC 27002 – Code of practice: the catalogue of security controls (measures) to mitigate information-security risk, with each measure related to the specific technology used

• ISO/IEC 27034 – Application Security Controls


Financial Sector

• PCI (Payment Card Industry) Security Standards
– PCI DSS (Data Security Standard): standard for merchants and service providers that store, process or transmit card payment data
– PA-DSS (Payment Application Data Security Standard): standard for software developers of applications that process card payments

• SWIFT (Society for Worldwide Interbank Financial Telecommunication)
– Standardizes the messages exchanged by financial players to perform common business processes, such as making payments or confirming trades.
– Maintains ISO 20022 (SWIFT is the Registration Authority for the standard)