Omissions and errors in the CC
Who got it right?
8ICCC
Denise Cater
Security Standards
ISO alone have issued:
• ISO15408 – Common Criteria
• ISO19092 – Financial Service – Security
• ISO19790 – Security Requirements for Cryptographic modules (FIPS 140)
• ISO27001 – Information Security Management
• ISO27002 (formerly ISO 17799) – ISMS best practice
Many standards: One CC
• Catalogue of security components:
  – Functional
  – Assurance
• Focus on repeatability
  – Voluminous guidance for consistent application
  – Scheme rules and interpretations
= “Heavy” process
Payment Industry Security Standards
• Payment Card Industry (PCI) Data Security Standard
• EMV (Europay, Mastercard, Visa) Specifications
• APACS PIN Entry Device PP
APACS application of CC
• Own Certification Body
  – Appointment of labs
  – Issuing of certificates
• Focus on CC
  – Less emphasis on CEM
• Concentration of efforts
  – Design and testing seen as paramount
  – Procedural requirements seen as supporting
Smartcard Industry
• Developed PPs
• Generated own interpretations
  – Adopted as CC Supporting Documents
  – Included own Attack Potential Table
• Examples of Smartcard Specific Attacks
Smartcard Industry
• Took the CC and gave specific guidance for their industry
• A lot of focus placed on penetration testing
• Identified additional stages in lifecycle/delivery
Adapt to Adopt
• Both industries have made changes to use CC
  – Interpretations
  – Greater emphasis in some areas, less in others
Who got it right?
• The CC of course!
  – Providing a catalogue that Industry and other schemes can draw upon
• But, also Industry/other schemes
  – Focus on areas of specific interest
  – Light-touch on other areas
Who got it wrong?
• Those who requested EALs to be included in CC (for backwards compatibility)
  – Led to “incorrect” use of CC
  – Initially fewer PPs developed, as effort just concentrated on the assurance level
Who got it wrong?
• Authors of the CEM or CC Schemes?
  – Too prescriptive
  – Forcing evaluators to complete work units at a level of detail that is not always necessary
  – Time spent on “meeting the CEM” that would be better spent on testing and vulnerability analysis
In summary
• CC got it right
• CC got it wrong
But, Industry can adapt the CC to adopt it