Pattern Recognition and Applications Lab

Universityof Cagliari, Italy

Department of Electrical and Electronic Engineering

Cybersecurity Certificationsand Standards

Giorgio Fumera

fumera@unica.it

http://pralab.diee.unica.it

What is the meaning of certification?

• Defining the meaning of security– what are the characteristics of a secure system?– how to define different levels of security?

• Regulating a hierarchy of certification services– who is entitled to assign the roles for issuing certificates– characteristics of certification bodies

• Kinds of certifications– professional certification: assigning a qualification– product (hardware and software) and process certification: certifying

the presence of certain features

2

http://pralab.diee.unica.it

Professional Certifications

http://pralab.diee.unica.it 4

CISSP

Certified Information Systems Security Professional– https://www.isc2.org/– managed by the International Information Systems Security

Certification Consortium (ISC)² – a not-for-profit organization founded in 1989

– compliant with the ANSI ISO/IEC Standard 17024 since 2004 – current version: ISO/IEC 17024:2012 (confirmed in 2018) Conformity assessment -- General requirements for bodies operating certification of persons

– compliant with the requirements of the US Department of Defense(DoD)

http://pralab.diee.unica.it

CISSP target professionals

Experienced security practitioners, managers and executives, including those in the following positions:

– Chief Information Security Officer– Chief Information Officer– Director of Security– IT Director/Manager– Security Systems Engineer– Security Analyst– Security Manager– Security Auditor– Security Architect– Security Consultant– Network Architect

5

http://pralab.diee.unica.it 6

How to obtain the CISSP certification

Minimum of 5 years cumulative paid full-time work experience (4-year college degree = 1 year of work experience) in 2 or more of the following 8 domains of the CISSP CBK(Common Body of Knowledge), then pass an exam on all domains

– Security and Risk Management • security, risk, compliance, law, regulations, business continuity

– Asset Security • protecting security of assets

– Security Engineering • engineering and management of security

– Communications and Network Security • designing and protecting network security

– Identity and Access Management • controlling access and managing identity

– Security Assessment and Testing• designing, performing, and analyzing security testing

– Security Operations• foundational concepts, investigations, incident management, disaster recovery

– Software Development Security • understanding, applying, and enforcing software security

http://pralab.diee.unica.it 7

CISSP in Italy

(ISC)2 Italy chapter: https://www.isc2chapter-italy.it

Not-for-profit organization founded in 2011

Activities include the organization of courses to prepare for the CISSP exam

http://pralab.diee.unica.it

Product Certification: Introduction

8

http://pralab.diee.unica.it

ICT product certification

Product certification– outcome of an assessment activity carried out by an independent

third party (certification body)– certification bodies have to be authorized by specific accreditation

bodies– based on standards and established methodologies

Security certificationactivity which provides a probabilistic assurance of the capability of a system to comply with security specifications related to its operation or use

9

http://pralab.diee.unica.it

Normative context• Reference regulations: what needs

to be certified and how• Certification scheme: rules

governing the process of applying reference regulations

• Scheme manager: local, independent body that– guarantees the correct application of

the scheme by all subjects involved– negotiates mutual acknowledgment

agreements with peer bodies in other countries

• Scheme guarantor: independent body (usually, an international one) in charge of settling disputes involving the scheme manager

Subjects involved• Accreditation body: initial accreditation

and periodic evaluation of certification bodies

• Certification body: issues certifications based on evaluation outcomes by evaluators, guarantees the correct management of certificates

• Evaluator• Client: owner of certification object,

recruits the evaluator• Object to be evaluated or certified• Certification user: the body that will

make use of the certification: the client itself (e.g., the manufacturer), a supplier or the final user

10

ICT product certification

http://pralab.diee.unica.it

Characteristics of product certifications

• Impartiality: accreditation body, certification body and evaluator must be an independent third party with respect to the client (no common commercial of financial interests related to the certification outcome)

• Objectivity of the evaluation: based on empirical evidence• Repeatability of the evaluation by the same evaluator on the

same product with respect to the same security requirements

• Reproducibility: same as above, by a different evaluator

11

http://pralab.diee.unica.it

Software Certifications

http://pralab.diee.unica.it

Orange Book (1985)

Trusted Computer Security Evaluation Criteria (TCSEC) – developed by the US Department of Defense (DoD) since 1985– focused on military applications– used until 2000, then replaced by Common Criteria (CC)– first document on software certification, focused on computers

and then extended to other security domains– defines criteria to probabilistically evaluate the security of

operating systems, subdivided into seven classes – outdated categorization, but still valid principles: early stage of ISO 27001 security domains• Security Policy • Identification • Labels • Documentations • Accountability • Life Cycle Assurance • Continous Protection

13Giorgio Giacinto 2014Certificazione

http://pralab.diee.unica.it

Orange Book (1985)

14Giorgio Giacinto 2014Certificazione

Currently available at:• http://www.dynamoo.com/orange• https://csrc.nist.gov/csrc/media/publica

tions/conference-paper/1998/10/08/proceedings-of-the-21st-nissc-1998/documents/early-cs-papers/dod85.pdf

http://pralab.diee.unica.it

Orange Book categorization

• D: Minimal Protection– OSs that fail to meet the requirements for a higher evaluation class,

e.g.: MS-DOS, Windows 95/98/ME

• C: Discretionary Protection– administrators can apply protection mechanisms to objects– the OS provides some basic logging capabilities

• C1 – Discretionary Security Protection, e.g.: users – data separation in early UNIX versions

• C2 – Controlled Access Protection: fine-grained access control, e.g., IBM OS/400, Win NT/2000/XP, Novell Netware

15Giorgio Giacinto 2014Certificazione

http://pralab.diee.unica.it

Orange Book categorization

• B: Mandatory Protection– the OS requires to assign protection levels to each object

• B1 – Labeled Security Protection (process, file, device, etc.), e.g.:HP-UX, Cray Research Trusted Unicos 8.0, Digital SEVMS

• B2 – Structured Protection: formal security policy model, e.g.:Honeywell Multics, Cryptek VSLAN, trusted XENIX

• B3 – Security Domains: mediation of accesses of subjects to objects, e.g.: Getronics/Wang Federal XTS-300

• A (A1): Verified Protection– trustworthiness of the OS is verified through formal methods, e.g.:

Boeing MSL LAN, Honeywell SCOMP

16Giorgio Giacinto 2014Certificazione

http://pralab.diee.unica.it

Information Technology Security Evaluation (ITSEC)The European analogous of US's TCSEC

– developed by France, Germany, UK and The Netherlands– published in 1991– the "father" of modern evaluation criteria for IT products and systems– widely used in the military sector and for digital signature– now replaced by Common Criteria (CC)

17

http://pralab.diee.unica.it

Common Criteria (CC)

A common set of criteria for evaluating the security of computer systems, developed by the national security authorities of USA, Canada and Europehttps://www.commoncriteriaportal.org

Common Criteria Recognition Agreement (CCRA)– product evaluation by independent, licensed laboratories– documents defining the certification process– certifications issued by Certificate Authorizing Schemes (subset of

CCRA members)– certifications recognized by all CCRA members

18Giorgio Giacinto 2014Certificazione

http://pralab.diee.unica.it

Common Criteria

• First version: 1996

• Used in ISO/IEC 15408-3:2008 standardInformation technology -- Security techniques -- Evaluation criteria for IT security -- Part 3: Security assurance componentspublicly available at: https://standards.iso.org/ittf/PubliclyAvailableStandards/index.html

• Current version: 3.1 Release 5 (April 2017)– Part 1: Introduction and general model– Part 2: Security functional requirements– Part 3: Security assurance requirements

19Giorgio Giacinto 2014Certificazione

http://pralab.diee.unica.it

Common Criteria members

• 18 Certificate Authorizing Members (schemes)– Australia– Canada– France– Germany– India– Italy (since 5 October 2009)– Japan– Malaysia– Norway

• 12 Certificate Consuming MembersAustria, Czech Republic, Denmark, Ethiopia, Finland, Greece, Hungary, Indonesia, Israel, Pakistan, Poland, Qatar

20

– New Zealand– Netherlands– Singapore– South Korea– Spain– Sweden– United Kingdom – Turkey– USA

Giorgio Giacinto 2014Certificazione

http://pralab.diee.unica.it 21

Common Criteria members – Italy

• Organismo Certificazione Sicurezza Informatica (OCSI)http://www.ocsi.isticom.it/

• OCSI is in charge of maintaining the National Scheme for the evaluation and certification of the security of systems and products in the ICT sector (DPCM 30.10.2003 - G.U. n.98 27.04.2004)

• OCSI is within ISCOM (Istituto Superiore delleComunicazioni e delle Tecnologie dell’Informazione) of the Ministry for the Economic Development (MISE)

• Currently six laboratories in Italy provide services for system and product evaluation for the assignment of the Evaluation Assurance Level (see below)

http://pralab.diee.unica.it 22

CC: Evaluation Assurance Level (EAL)

• EAL1 – functionally tested (lower level)• EAL2 – structurally tested• EAL3 – methodically tested and checked• EAL4 – methodically designed, tested and reviewed• EAL5 – semiformally designed and tested• EAL6 – semiformally verified design and tested• EAL7 – formally verified design and tested (upper level)

http://pralab.diee.unica.it

CC: Protection Profiles

Document describing a category of products to identify the elements

subject to evaluation for the CC certification

– Access Control Devices and Systems (3 PP)

– Biometric Systems and Devices (2 PP)

– Boundary Protection Devices and Systems (11 PP)

– Data Protection (7 PP)

– Databases (1 PP)

– ICs, Smart Cards and Smart Card-Related Devices and Systems (67 PP)

– Key Management Systems (4 PP)

– Mobility (2 PP)

– Multi-Function Devices (1 PP)

– Network and Network-Related Devices and Systems (10 PP)

– Operating Systems (2 PP)

– Other Devices and Systems (41 PP)

– Products for Digital Signatures (19 PP)

– Trusted Computing (5 PP)

23

http://pralab.diee.unica.it

CC: Certified products by category

24

http://pralab.diee.unica.it

CC: Certified products by EAL

25

http://pralab.diee.unica.it

CC: Certified products by country

26

http://pralab.diee.unica.it

CC: examples of certified products

EAL 7+– Fort Fox Hardware Data Diode, versie FFHDD2+

EAL 7– Virtual Machine of Multos M3 G230M mask with AMD 113v4– Memory Management Unit des microcontrôleurs SAMSUNG S3FT9KF/

S3FT9KT/ S3FT9KS en révision 1

EAL6+– Green Hills Software INTEGRITY-178B Separation Kernel, comprising:

INTEGRITY-178B Real Time Operating System (RTOS), version IN-ICR750-0101-GH01_Rel running on Compact PCI card, version CPN 944-2021-021 with PowerPC, version 750CXe

– Infineon Security Controller M7893 B11 with optional RSA2048/4096 v1.03.006, EC v1.03.006, SHA-2 v1.01 libraries and Toolbox v1.03.006 and with specific IC dedicated software (firmware)

27Giorgio Giacinto 2014Certificazione

http://pralab.diee.unica.it

CC: examples of certified products

EAL4+– Red Hat Enterprise Linux Version 7.1– SUSE Linux Enterprise Server Version 12– JBoss Enterprise Application Platform 6 Version 6.2.2– Microsoft SQL Server 2014 Database Engine Enterprise Edition x64– FINX RTOS Security Enhanced (SE) v3.1

EAL4– Microsoft Windows 10 Anniversary Update Home Edition, Pro Edition

and Enterprise Edition (32 and 64 bits), and Microsoft Windows Server 2016 Standard Edition and Datacenter Edition

– IBM z/OS Version 2 Release 1

28

http://pralab.diee.unica.it

Process Certifications

29

http://pralab.diee.unica.it

Limits of Common Criteria

• CC evaluation process requires– long time– high costs

• Product evaluation through the CC schema is suitable to– equipment for military forces – critical infrastructures (nuclear and chemical plants, etc.)

• The "connection of everything" to the network requires novel certification schemes– fast enough to cope with the release of new versions– larger base of certification laboratories

30

http://pralab.diee.unica.it

Public-private initiatives

• USA and UK established public-private working groups to define novel certification schemes– USA: NIST– UK: Home Office

• In Europe: European Cyber Security Organisation (ECSO)https://www.ecs-org.eu/

31

http://pralab.diee.unica.it

NIST Cybersecurity Framework

Framework for Improving Critical Infrastructure CybersecurityVersion 1.1 – April 2018

32

http://pralab.diee.unica.it

NIST Cybersecurity Framework

Framework for Improving Critical Infrastructure CybersecurityVersion 1.1 – April 2018

33

http://pralab.diee.unica.it

Italian Cybersecurity Framework

Public-private-partnership promoted by– Research Center of Cyber Intelligence and Information Security (CIS) of

the University of Rome – Sapienza– Cybersecurity National Laboratory of the National Interuniversity

Consortium for Informatics (CINI)

http://www.cybersecurityframework.it

Main facts– established in February 2016– based on the NIST Cybersecurity framework– focus on small and medium enterprises (SMEs)

34

http://pralab.diee.unica.it

UK Cyber Essentials

• UK Government – First proposed in June 2014https://www.cyberessentials.ncsc.gov.uk/

• Cyber EssentialSelf certification

• Cyber Essential Plus Certified by an external organization

• Essential requirements– boundary firewalls and internet gateways– secure configuration– access control– malware protection– patch management

35

http://pralab.diee.unica.it

Italian Cybersecurity Essentials

• Managed by CIS (Italian Cybersecurity Framework)http://www.cybersecurityframework.it/csr2016

• Established in February 2017

• 15 essential security measures in 8 areas– Inventory of devices and software (4 Measures)– Governance (1 Measure)– Malware Protection (1 Measure)– Password and Account Management (3 Measures)– Training and Awareness (1 Measure)– Data Protection (2 Measures)– Network Protection (1 Measure)– Prevention and Mitigation (2 Measures)

36

http://pralab.diee.unica.it

Web App Certification

http://pralab.diee.unica.it 38

OWASP Security Verification Standard

• Application Security Verification Standard 4.0 (March 2019)https://www.owasp.org/index.php/Category:OWASP_Application_Security_Verification_Standard_Project

• Security Verification Layers

– Level 1: low assurance levels, completely penetration testable

– Level 2: applications with sensitive data, recommended for most apps

– Level 3: most critical applications, requiring the highest level of trust

(high value transactions, sensitive medical data)

OWASP Application Security Verification Standard 4.0 9

containers, CI/CD and DevSecOps, federation and more, we cannot continue to ignore modern application architecture. Modern applications are designed very differently to those built when the original ASVS was released in 2009. The ASVS must always look far into the future so that we provide sound advice for our primary audience - developers. We have clarified or dropped any requirement that assumes that applications are executed on systems owned by a single organization.

Due to the size of the ASVS 4.0, as well as our desire to become the baseline ASVS for all other ASVS efforts, we have retired the mobile section, in favor of the Mobile Application Security Verification Standard (MASVS). The Internet of Things appendix will appear in a future IoT ASVS care of the OWASP Internet of Things Project. We have included an early preview of the IoT ASVS in Appendix C. We thank both the OWASP Mobile Team and OWASP IoT Project Team for their support of the ASVS, and look forward to working with them in the future to provide complementary standards.

Lastly, we have de-duped and retired less impactful controls. Over time, the ASVS started being a comprehensive set of controls, but not all controls are equal at producing secure software. This effort to eliminate low impact items could go further. In a future edition of the ASVS, the Common Weakness Scoring System (CWSS) will help prioritize further those controls which are truly important and those that should be retired.

As of version 4.0, the ASVS will focus solely on being the leading web apps and service standard, covering traditional and modern application architecture, and agile security practices and DevSecOps culture.

Using the ASVS ASVS has two main goals:

• to help organizations develop and maintain secure applications.

• to allow security service vendors, security tools vendors, and consumers to align their requirements and offerings.

Application Security Verification Levels The Application Security Verification Standard defines three security verification levels, with each level increasing in depth.

• ASVS Level 1 is for low assurance levels, and is completely penetration testable

• ASVS Level 2 is for applications that contain sensitive data, which requires protection and is the recommended level for most apps

• ASVS Level 3 is for the most critical applications - applications that perform high value transactions, contain sensitive medical data, or any application that requires the highest level of trust.

Each ASVS level contains a list of security requirements. Each of these requirements can also be mapped to security-specific features and capabilities that must be built into software by developers.

Figure 1 - OWASP Application Security Verification Standard 4.0 Levels

http://pralab.diee.unica.it

Level 1

First steps, automated, or whole of portfolio view– bare minimum that all applications should strive for– the application adequately defends against easy to discover

vulnerabilities included in the OWASP Top 10– also useful as a first step in multi-phase efforts or when applications

do not store or handle sensitive data– ensured either by automatic tools or simply manually without access

to source code– threats to the application will most likely be from attackers who are

using simple and low effort techniques to identify easy-to-find and easy-to-exploit vulnerabilities

39

http://pralab.diee.unica.it

Level 2

Most applications– the application adequately defends against most of the known risks– security controls are in place, effective, and used within the

application– appropriate for applications that handle significant business-to-

business transactions, including those that process healthcare information, or process other sensitive assets

– threats will typically be skilled and motivated attackers focusing on specific targets using tools and techniques that are highly practiced and effective at discovering and exploiting weaknesses within applications

40

http://pralab.diee.unica.it

Level 3

High value, high assurance, or high safety– applications that require high levels of security verification

• military, health and safety, critical infrastructure, etc. – in depth analysis, architecture, coding, and testing– a secure application is modularized in a meaningful way,e ach module

takes care of its own security responsibilities (defense in depth), through controls to ensure• confidentiality (e.g., encryption)• integrity (e.g., transactions, input validation)• availability (e.g., handling load gracefully)• authentication (also between systems)• non-repudiation, authorization, and auditing (logging)

41

http://pralab.diee.unica.it

Verification requirements

V1. Architecture, Design and Threat Modelling

V2. Authentication

V3. Session management

V4. Access control

V5. Validation, Sanitization and Encoding

V6. Stored Cryptography

V7. Error Handling and Logging

V8. Data Protection

V9. Communications

V10. Malicious Code

V11. Business Logic

V12. File and Resources

V13. API and Web Service

V14. Configuration

42

http://pralab.diee.unica.it

Verification requirements and levels

For each level, the requirements changeexample for V1 – Architecture Design and Threat Modelling:

43

...

http://pralab.diee.unica.it

Other certifications

44

http://pralab.diee.unica.it

ISO 27000 standardsInformation security management

45

IES/IEC 27000

27001

27002

27034

Family of standards for the management of information security – not limited to computer security

Secure management of information, regardless of the technology used

Security measures to mitigate the risk in information management, each measure being related to the specific technology used

Application security controls

http://pralab.diee.unica.it

Financial sector

• PCI (Payment Card Industry) Security Standard– PCI-DSS (Data Security Standard)

Standard for merchants that process card payments– PA-DSS (Payment Application DSS)

Standard for software developers of applications that process card payments

• SWIFT (Society for Worldwide Interbank Financial Telecommunication)– standardizes the messages exchanged by financial players to perform

common business processes, such as making payments or confirming trades

– maintains ISO 20022

46