malaysian common criteria evaluation & certification (mycc) … · 2014-01-21 · •...
Post on 13-Apr-2020
13 Views
Preview:
TRANSCRIPT
Malaysian Common Criteria Evaluation
& Certification (MyCC) Scheme
– Activities and Updates –
Copyright © 2010 CyberSecurity Malaysia
Agenda
1. Understand
– Why we need product evaluation and certification
– ICT Product Certification Benchmark
– Common Criteria Recognition Arrangement– Common Criteria Recognition Arrangement
2. What is the MyCC Scheme and its components?
3. What is the potential market for certified CC products?
4. Way forward
Copyright © 2010 CyberSecurity Malaysia 2
Security Objectives
Question is….
Are those ICT products are secure enough
from threats and vulnerabilities??????
Copyright © 2010 CyberSecurity Malaysia 3
Try to answer the requirement of CIA triad….
Security Techniques
Prevention access control
Detection auditing
Tolerance practicality
Copyright © 2010 CyberSecurity Malaysia 4
good prevention and detection both require good authentication as a foundation
• Which one is better?
• Who are we trusted most?
• What is the criteria needed to standing on
International VS Local ICT Products
• What is the criteria needed to standing on same level?
Copyright © 2010 CyberSecurity Malaysia 5
• Software and hardware may containhidden functions
•Danger exists when these secretcodes are not revealed
•Many incidents happened when
Unseen Danger
•Many incidents happened when attackers use these secret codes to gain access to the system
• Some ICT products claimed they have all the security functions, in fact they’re not.
Copyright © 2010 CyberSecurity Malaysia 6
Direct Impact
Loss of
money
Copyright © 2010 CyberSecurity Malaysia 7
Bad
reputation
Low of Performance
Current Pattern of Vulnerabilities
Copyright © 2010 CyberSecurity Malaysia 8
Figure 1: Number of Vulnerabilities in Network, OS and Applications
Source from: SANS – top
cyber security risks
Why IT Security Evaluation is Important?
IT Security
Evaluation
Meet
government
requirements
Reduce
vulnerabilities
Easier product
selection process
Increased
confidence in
claimed security
Copyright © 2010 CyberSecurity Malaysia 9
Evaluationvulnerabilities
Access
international
markets
claimed security
functionality
Continuous
improvement of
security technology
IT Security Evaluation is one method of gaining confidence in the security
functions implemented by a product or system
ICT Product Certification ICT Product Certification
BenchmarkBenchmark
Comparisons of the available ICT product certification
Common Criteria
(CC)
CESG Claims
Tested Mark
(CCTM)
TUVIT Trusted
Product
ICSA Labs
Product
Certification
Description Standard for gaining assurance in the security of IT products and systems through
Provides UKgovernment quality mark for the public and private sectors based on accredited
Demonstrates the trustworthiness of products and systems. This trustworthiness is
Intended to significantly improve commercial computer security
Copyright © 2010 CyberSecurity Malaysia 11
systems through independent evaluation. To prove the validity of security functionality claims made by developers.
based on accredited independent testing, designed to prove the validity of security functionality claims made by vendors. In more colloquial terms, the CCTM is designed to assure public bodies that a product or service does ‘what it says on the box’.
trustworthiness is established on the basis of standards, technical directives and guidelines, lists of criteria or individual rules which correspond to the TÜViT product qualification concept.
computer security and trust.
Recognition Globally UK Germany US
Comparisons of the available ICT product certification
Common Criteria
(CC)
CESG Claims Tested
Mark (CCTM)
TUVIT Trusted
Product
ICSA Labs
Product
Certification
List of products certified
Access control, detection, boundary protection, smart card, network devices and systems, data protection,
Connection protection, erasure and disposal, integrity protection, media & device authentication, media
Domain registration system, web kiosk , Tri-Party Collateral Management, Bank Management
Anti-virus, firewall, IPSec VPN, cryptography, SSL VPN, network IPS, anti-spyware and PC firewall
Copyright © 2010 CyberSecurity Malaysia 12
protection, databases, key mgmt systems, OS, digital signatures products
authentication, media & information protection, netwroklink protection
Management Console portal
PC firewall products
Link http://www.commoncriteriaportal.org/
http://www.cctmark.gov.uk/
http://www.tuvit.de/english/Overview.asp
http://www.icsalabs.com/
Logo
What is the Common Criteria?
• A common structure & language for expressing product/system IT security requirements
(CC Part 1)
• A catalogue of standardised IT security requirement components & packages (security functional and security assurance requirements)
Copyright © 2010 CyberSecurity Malaysia 13
• Supported by a common methodology for gaining assurance that IT security requirements have been satisfied (CEM)
functional and security assurance requirements)
(CC Part 2 & Part 3)
How did we get here?
USTCSEC CC 1.0
CanadianInitiatives
‘89-’93
CTCPEC3
‘93
CommonCriteriaProject
FederalCriteria
CC 2.XISO15408CC 3.1
‘83, ‘85
The Orange
Book
‘96
ITSEC1.2
‘91
EuropeanNational
& RegionalInitiatives
‘89-’93
Project‘93--
ISOInitiatives
‘92--
Criteria
‘92
‘99 ‘06
Common Criteria
Standard for gaining assurance in the security of IT products
through independent evaluation.
• A specifications language:
– Functionality. What is being evaluated?
Copyright © 2010 CyberSecurity Malaysia 15
– Functionality. What is being evaluated?
– Assurance. How much and what type of confidence is required in the TOE?
• A methodology
– Repeatable. Same results different time.
– Comparable. Same process different product.
– Allows mutual recognition among CCRA nations.
Mutual Recognition
•Participants that represent a compliant Certification Body
•Mutually recognizes certified products/systems produced by the Certificate Authorising
Participants based on ISO/IEC 15408
UK
USAAUSTRALIA
CANADA FRANCEGERMANY
SPAIN
NORWAYNEW ZEALAND NETHERLANDS
KOREA
JAPAN
Certificate Authorising Participants
ITALY
SWEDEN
Copyright © 2010 CyberSecurity Malaysia 16
DENMARK GREECEINDIA
FINLAND HUNGARY
ISRAELSINGAPORE
TURKEY
Certificate Consuming Participants
Acceptance
As of Oct 2009
AUSTRIA
MALAYSIA
PAKISTAN
•Participants that have a national interest in recognising CC certificates produced by
the Certificate Authorising Participants based on ISO/IEC 15408
CZECH
REPUBLIC
1. Understand
– Why we need product evaluation and certification
– ICT Product Certification Benchmark
– Common Criteria Recognition Arrangement
Agenda
– Common Criteria Recognition Arrangement
2. What is the MyCC Scheme and its components?
3. What is the potential market for certified CC products?
4. Way forward
Copyright © 2010 CyberSecurity Malaysia 17
MyCC Scheme
MyCC Scheme
STANDARDS MALAYSIA
(MS ISO/IEC
Malaysian Common Criteria
Certification Body (MyCB)
Common Criteria CCRA
Published
underJemaah Menteri, pada 8 Okt 08, menimbangkan Memorandum
daripada Menteri Sains, Teknologi dan Inovasi No.
592/2618/2008 dan bersetuju:
Copyright © 2010 CyberSecurity Malaysia 18
ICT Product or System
Evaluation Facility (EF)Evaluation Facility (EF)
Malaysian Security
Evaluation Facility
(MySEF)
STANDARDS MALAYSIA
(MS ISO/IEC 17025)
(MS ISO/IEC Guide 65)
Issued for
CC
Certificate
592/2618/2008 dan bersetuju:
i. Supaya CyberSecurity Malaysia, sebuah agensi di bawah
Kementerian Sains, Teknologi dan Inovasi dilantik sebagai
Badan Pensijilan Nasional tunggal bagi Skim Penilaian dan
Pensijilan Keselamatan ICT berdasarkan MS ISO/IEC
15408: 2005 Information Technology – Security Techniques
– Evaluation Criteria for IT Security; dan
ii. Supaya Badan Pensijilan Nasional ini dinamakan Badan
Pensijilan Common Criteria Malaysia (Malaysian Common
Criteria Certification Body)
MyCC Scheme Mission
“to increase Malaysia’s competitiveness in
quality assurance of information security
based on the Common Criteria (CC)
Copyright © 2010 CyberSecurity Malaysia 19
based on the Common Criteria (CC)
standard and to build consumers’
confidence towards Malaysian
information security products”
MyCC Scheme Background
• Project commenced in 2006 to establish the MyCC Scheme
– Driven from 9th Malaysian Plan (2006-2010)
– Supported by the National Cyber Security Policy
• Malaysia accepted as certificate consumer under the CCRA on 28 March 2007.CCRA on 28 March 2007.
• Malaysian Government accepted the Memorandum Jemaah Menteri No 592/2618/2008 from MOSTI and appointed CyberSecurity Malaysia as the sole certification body for MyCC Scheme.
• The MyCC commenced operations in August 2008.
• First evaluations commenced at EAL3/EAL4 to support application for certificate authorising status.
Copyright © 2010 CyberSecurity Malaysia 20
MyCC Scheme Services
• Security evaluation and certification of ICT products, systems and protection profiles
– Certify results of evaluations conducted against v3.1 of the Common Criteria (ISO/IEC 15408)
– Results published on MyCC Scheme Certified Products Register (MyCPR)
• Maintenance of assurance for security certified ICT products and systems
– In accordance with CCRA requirements for assurance continuity
– Maintenance addenda published on MyCC Scheme Certified Products Register (MyCPR)
• Recognition of certificates for special purpose
– In accordance with MyCC Scheme Policy
Copyright © 2010 CyberSecurity Malaysia 21
MyCC Scheme Roles
• CyberSecurity Malaysia– Owner of the MyCC Scheme
– CEO CyberSecurity Malaysia is the MyCC Scheme Head
• MyCC Scheme Management Board– At least five members, chair of the Board will rotate annually
– Provide strategic advice, guidance and recommendations to the – Provide strategic advice, guidance and recommendations to the MyCC Scheme Head
• Malaysian Common Criteria Certification Body (MyCB)– A department within CyberSecurity Malaysia
– Manages the MyCC Scheme
– Certifies results of evaluations performed by licensed MySEFs
– Manages CCRA requirementsCopyright © 2010 CyberSecurity Malaysia 22
MyCC Scheme Roles
• Malaysian Security Evaluation Facilities (MySEFs)– Organisations licensed by the MyCB to conduct evaluations of
products and systems using the Common Criteria
• Sponsor– The person or organisation that engages a MySEF to perform an – The person or organisation that engages a MySEF to perform an
evaluation
• Developer– The person or organisation that has developed the product,
system or protection profile
• Consumer– The person or organisation that procures or uses the product or
system
Copyright © 2010 CyberSecurity Malaysia 23
MyCC Scheme Benefits
• Improve the competitiveness of Malaysian ICT products in a global ICT
market
• Enhance Malaysia’s reputation as a provider of ICT security assurance
Copyright © 2010 CyberSecurity Malaysia 24
• Enhance Malaysia’s reputation as a provider of ICT security assurance
services globally
• Gain access to international markets for Malaysian ICT products
• Enhance the security of Malaysian information infrastructure
• Enhance the security of Malaysian ICT products
MyCC Scheme Process
Overview
Malaysian Common Criteria Certification Body (MyCB)
Accept/ Reject
Application
Accept
Malaysian Common Criteria Evaluation and Certification (MyCC) Scheme
Consumer
Certified Target of Evaluation
(TOE)Oversight Certify
Publish Evaluation Details
Conduct Technical Review
Attend Testing & Site Visit
Review Technical Report
Develop Certification
Report
Copyright © 2010 CyberSecurity Malaysia 25
Accept
Sponsor/ Developer
Target of Evaluation
(TOE)
Protection Profile (PP)
(TOE)
Certified Protection Profile (PP)
Oversight Certify
Plan Execute Close
Malaysian Security Evaluation Facility (MySEF)
Review Inputs
Submit Application
Evaluate Evidence
Submit to Technical Review
Submit Technical Report
Closedown
MyCC Scheme Publications
Policy
Strategy
MyCC Scheme Policy
(MyCC_P1)
MyCC Scheme
Certified Products
Register
MyCC Scheme
Evaluation Facility
MyCC Scheme
Customer Manual
Copyright © 2010 CyberSecurity Malaysia 26
Manual
Procedures
Register
(MyCC_P2)
Evaluation Facility
Manual (MyCC_P3)
Customer Manual
(MyCC_P4)
MyCC Scheme Certification Manual
(MyCC_P5)
Publicly available documents at www.cybersecurity.my/mycc
1. Understand
– Why we need product evaluation and certification
– ICT Product Certification Benchmark
– Common Criteria Recognition Arrangement
Agenda
– Common Criteria Recognition Arrangement
2. What is the MyCC Scheme and its components?
3. What is the potential market for certified CC products?
4. Way forward
Copyright © 2010 CyberSecurity Malaysia 27
International Market
As of 21 July 2010, there are 1,265 CC certified products and systems in the world. These products are certified from 14 CCRA Authorising countries and recognised globally especially by 26 CCRA countries. Type of products being certified are:
• Access control devices and system
• Boundary protection devices and systems
• Database
• ICs, smart cards and smart card related devices and systems
• Network and network related devices and systems
• Biometric systems and devices
• Data protection
• Detection devices and systems
• Key Management systems
• Operating systems
• Products for Digital Signatures
• Other devices and systems
• Trusted Computing Reference: www.commoncriteriaportal.org
Copyright © 2010 CyberSecurity Malaysia 28
International Market
Finding from the schemes benchmarking:
� the US Government mandated the use of CC certified products for
government agencies. Policies and instructions that are related with
the use of CC certified products that can be found from their web
site (http://www.niap-ccevs.org/)
Copyright © 2010 CyberSecurity Malaysia 29
� the Australia and New Zealand Government also established ACSI
33 and NZSIT 400: Australia and New Zealand ICT Security Policies
which provides policies and guidance to government agencies on
how to protect their ICT systems and guidance on ICT product
selection. CC Certified ICT products are the preferred choice for
securing government information because of the added assurance
that security evaluation provides.
Local Market
• Malaysian Government is encouraging local ICT products to be evaluated and certified:
• Development of policy of buy Malaysian ICT security products or solution for the CNII. This policy encourage the use of certified ICT security products.encourage the use of certified ICT security products.
• Security evaluation and certification financial assistance for local ICT developers.
Copyright © 2010 CyberSecurity Malaysia 30
1. Understand
– Why we need product evaluation and certification
– ICT Product Certification Benchmark
– Common Criteria Recognition Arrangement
Agenda
– Common Criteria Recognition Arrangement
2. What is the MyCC Scheme and its components?
3. What is the potential market for certified CC products?
4. Way forward
Copyright © 2010 CyberSecurity Malaysia 31
MyCC Scheme Implementation Plan
• Implementation will occur in three phases spanning five years and beyond
• Development – ends with CCRA certificate authorising acceptance
• Growth – ends with establishment of at least one MySEF external to CyberSecurity Malaysia
• Maturity – sufficient range of certified products and
Copyright © 2010 CyberSecurity Malaysia 32
• Maturity – sufficient range of certified products and several licensed MySEFs operating such that policy mandate is possible Jan - Dec 2008Aug - Dec 07
1: Development
Jan - Dec 2009 Jan - Dec 2010 Jan - Dec 2011 Jan - Dec 2012 Jan - Dec 2013 Jan - Dec 2014 Jan - Dec 2014
2 Growth
3 Maturity
Overlap because of possible
early increase in number of labs
10thMalaysian Plan9
thMalaysian Plan
MyCC Scheme Objective
MyCC SCHEME
Certifying ICT products against CC Standard and using CC
MyCBMyCB
(MALAYSIAN COMMON CRITERIA (MALAYSIAN COMMON CRITERIA
CERTIFICATION BODY)CERTIFICATION BODY)
MySEFsMySEFs
(MALAYSIAN SECURITY (MALAYSIAN SECURITY
EVALUATION FACILITIES)EVALUATION FACILITIES)
ICT products security evaluation against CC Standard and using CC Standard and using CC
Evaluation Methodology (CEM)against CC Standard and using CC Evaluation Methodology
(CEM)
CCRA CERTIFICATE AUTHORISING PARTICIPANT
Security Evaluation and Certification Project (1)
• To become the CCRA Authorising member, we need to
evaluate and certify 2 ICT products for at least 1 EAL3
and 1 EAL4. This is called Trial Evaluation and
Certification.
• There are 3 ICT products in evaluation:
– Firewall (EAL3)– Firewall (EAL3)
– Single sign-on application (EAL4)
– Smartcard OS (EAL4+)
Security Evaluation and Certification Project (2)
• To stimulate the Malaysian economy, Malaysian
Government has accepted CyberSecurity Malaysia
proposal on ICT product security evaluation and
certification.
• The implementation of the Malaysia 2nd Economic • The implementation of the Malaysia 2 Economic
Stimulus Package is 2 years (2009 – 2010).
• Under this project, MyCC Scheme has to evaluates and
certifies local ICT products for EAL1 and EAL2.
Security Evaluation and Certification Project (2)
As of July 2010 No of Product
Registered financial assistance application 103
Selected for pitching 44
Successful financial assistance application 27
• Status of 2nd Economic Stimulus Package projects:
Products in acceptance phase (evaluation application review by MyCB)
13
Products accepted by MyCC Scheme and kickoff evaluation
5
CCRA Certificate Authorising Participant
• Malaysia has submitted the application for CCRA
Certificate Authorising membership in Dec 2009.
• The application has been accepted by CCRA in March
2010.2010.
• Shadow Certification assessment by CCRA members
for MyCC Scheme is planned to be conducted in Oct
2010.
1. Understand
– Why we need product evaluation and certification
– ICT Product Certification Benchmark
– Common Criteria Recognition Arrangement
Agenda
– Common Criteria Recognition Arrangement
2. What is the MyCC Scheme and its components?
3. What is the potential market for certified CC products?
4. Way forward
Copyright © 2010 CyberSecurity Malaysia 38
Corporate Office:
CyberSecurity Malaysia,
Level 8, Block A,Mines Waterfront Business Park,No 3 Jalan Tasik, The Mines Resort City,43300 Seri Kembangan,43300 Seri Kembangan,Selangor Darul Ehsan, Malaysia.
T +603 8946 0999F +603 8946 0888
www.cybersecurity.my
Copyright © 2010 CyberSecurity Malaysia 40
top related