Yesterday’s entertainment
• Decided to remove Denial of Service (DoS) threats, and the related assets, objectives, etc., from the Protection Profiles (PPs)
  • DoS will remain in the P2600 best practices and mitigation techniques
• Decided not to consider the external network environment as a TOE (Target of Evaluation) asset, and to remove threats against that asset
  • Instead, use OSPs (organizational security policies) as the basis for security objectives related to the TOE doing no harm to external devices
• Decided to use the proposed Family of PPs approach instead of the proposed Packages approach
• Decided to use the organization/content of PPs that makes it possible to apply the FPP to any combination of Print, Scan, Copy, and Fax, with or without network, etc.
Ideas for roundtable discussion
• How to get assurances from schemes (US, JP, others?) that our FPP approach is acceptable
  • Would they certify this kind of FPP and conforming STs (Security Targets)?
  • If the FPP was certified by another scheme, would they be comfortable certifying conforming STs?
• How to approach the problem of getting the FPPs evaluated by a CC lab and the P2600.* draft standards approved by the IEEE standards process?
  • Some comments/corrections will be made by different reviewing bodies and will need to be merged into a new draft
  • How to avoid (or negotiate away) conflicting comments?
  • How to minimize the number of iterations
Ideas for roundtable discussion (2)
• How to reward/acknowledge organizations that fund certification of the FPPs?
  • Funding is voluntary
  • We can have some acknowledgment of organizations in the front matter of the IEEE standards that contain each of the four FPPs
  • We could also have some acknowledgment in the front matter of the FPPs as they are published for the CC community (with CC front matter instead of IEEE front matter)
• Strategies for dealing with NIAP CCEVS, IPA, or other schemes
Ideas for roundtable discussion (3)
• Which SFRs (security functional requirements) might be used to fulfill the objective that some data on hard disks must be protected from being salvaged after the disk is removed from the TOE
  • We already know about FDP_RIP (residual information protection) for dereferenced data
  • We assume that encryption would be used, but the FCS_ (cryptographic support) class does not specify what will be encrypted; it only specifies how cryptographic operations are handled
  • Even if we assume crypto is used in practice, can we state the requirement without mandating cryptography? Or at least without using the FCS_ class?
Ideas for roundtable discussion (4)
• Which SFRs might be used to fulfill the objective of preventing data from passing through the TOE (in one interface and out another) without being mediated by the TSF (TOE security functionality)?
  • Fax modems are a special case; handle them using ADV_ARC (security architecture description)?
  • Other cases might use FDP_IFC/FDP_IFF (information flow control policy and functions)
• How should we handle threats related to installing software?
  • Re-installation or upgrade of the main HCD (hardcopy device) software
  • Downloading and executing applets