
Security Criteria, Certifications, and Training


Presentation Transcript


  1. Security Criteria, Certifications, and Training Lesson 25

  2. The “Rainbow Series”
     • NSA documents, varied color covers
     • Orange: Trusted System Security Evaluation Criteria
     • Green: Password Management
     • Yellow: Guidance for applying the Orange Book
     • Tan: Guide to understanding audit in trusted systems
     • Red: Trusted Network Interpretation
     • Purple: Formal Verification
     • Aqua: Understanding Security Modeling
     • Pink: Ratings Maintenance Phase Program
     • Forest Green: Magnetic remanence

  3. The “Orange Book”
     • The NCSC (NSA) developed the Trusted Computer System Evaluation Criteria (TCSEC)
     • Designed to meet three objectives:
       • to provide guidance to manufacturers as to what security features to build into their products
       • to provide DoD customers with a metric to evaluate the degree of trust they could place in a computer system
       • to provide a basis for specifying security requirements in acquisition specifications

  4. The Orange Book
     • Particular emphasis is on preventing unauthorized disclosure of information.
     • Based on the Bell-LaPadula security model
       • Simple Security Condition: allows a subject read access to an object only if the security level of the subject dominates the security level of the object.
       • *-Property: allows a subject write access to an object only if the security level of the subject is dominated by the security level of the object. Also known as the Confinement Property.
     • “No Read Up / No Write Down”
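To make the two Bell-LaPadula rules on this slide concrete, here is a small reference-monitor style checker, added as an illustration (it is not code from the slides or from any TCSEC-evaluated product). A security level is modelled as a classification plus a set of need-to-know categories, so "dominates" means higher-or-equal classification and a superset of categories; this makes levels a lattice rather than a total order, which is why some subject/object pairs are denied both read and write. The classification names and the sample categories (NUCLEAR, CRYPTO) are constructed for the example.

```python
from dataclasses import dataclass
from enum import IntEnum
from typing import FrozenSet, Iterable, List, Tuple


class Classification(IntEnum):
    """Hierarchical part of a security level; higher value = more sensitive."""
    UNCLASSIFIED = 0
    CONFIDENTIAL = 1
    SECRET = 2
    TOP_SECRET = 3


@dataclass(frozen=True)
class Level:
    """A security level: a classification plus a set of need-to-know categories.

    Two levels are comparable only when one category set contains the other,
    so the set of all levels forms a lattice, not a single ordered list.
    """
    classification: Classification
    categories: FrozenSet[str] = frozenset()

    def dominates(self, other: "Level") -> bool:
        # Dominance = higher-or-equal classification AND superset of categories.
        return (self.classification >= other.classification
                and self.categories >= other.categories)


def can_read(subject: Level, obj: Level) -> bool:
    """Simple security condition ("no read up"):
    read is allowed only if the subject's level dominates the object's."""
    return subject.dominates(obj)


def can_write(subject: Level, obj: Level) -> bool:
    """*-property ("no write down"):
    write is allowed only if the subject's level is dominated by the object's."""
    return obj.dominates(subject)


def check_access(subject: Level, obj: Level, mode: str) -> bool:
    """Decide a single access request the way a reference monitor would."""
    if mode == "read":
        return can_read(subject, obj)
    if mode == "write":
        return can_write(subject, obj)
    raise ValueError(f"unknown access mode: {mode!r}")


def decide(requests: Iterable[Tuple[str, Level, Level, str]]) -> List[Tuple[str, bool]]:
    """Evaluate a batch of (label, subject, object, mode) requests."""
    return [(label, check_access(subj, obj, mode)) for label, subj, obj, mode in requests]


# Constructed sample levels; the categories are hypothetical, not from the slides.
UNCLASS = Level(Classification.UNCLASSIFIED)
SECRET = Level(Classification.SECRET)
SECRET_NUC = Level(Classification.SECRET, frozenset({"NUCLEAR"}))
CONF_CRYPTO = Level(Classification.CONFIDENTIAL, frozenset({"CRYPTO"}))

# Constructed requests covering read-down, write-down, read-up, write-up,
# category containment, and an incomparable pair.
SAMPLE_REQUESTS = [
    ("secret/NUCLEAR subject reads unclassified file", SECRET_NUC, UNCLASS, "read"),
    ("secret/NUCLEAR subject writes unclassified file", SECRET_NUC, UNCLASS, "write"),
    ("unclassified subject reads secret file", UNCLASS, SECRET, "read"),
    ("unclassified subject writes secret file", UNCLASS, SECRET, "write"),
    ("secret/NUCLEAR subject reads plain secret file", SECRET_NUC, SECRET, "read"),
    ("secret/NUCLEAR subject reads conf/CRYPTO file", SECRET_NUC, CONF_CRYPTO, "read"),
    ("secret/NUCLEAR subject writes conf/CRYPTO file", SECRET_NUC, CONF_CRYPTO, "write"),
]

if __name__ == "__main__":
    for label, allowed in decide(SAMPLE_REQUESTS):
        print(f"{'ALLOW' if allowed else 'DENY ':5} {label}")
```

Two things worth noticing in the output: the write from the secret subject to the unclassified file is denied even though the subject is "more trusted", because the *-property exists to stop a subject that has read secret data from copying it downward; and the unclassified subject is allowed to write up into a secret file, which is a blind write it can never read back. Many deployed systems tighten the latter to "write only at your own level" (the strong *-property), but that is a policy choice on top of the model the slide describes.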

  5. The Orange Book
     • “Trusted Computing Base” concept
     • 7 levels:
       • D: Minimal Protection
       • C1: Discretionary Security Protection
       • C2: Controlled Access Protection
       • B1: Labeled Security Protection
       • B2: Structured Protection
       • B3: Security Domains
       • A1: Verified Protection

  6. The Orange Book

  7. Division C Class C1

  8. Division C Class C1

  9. Division C Class C2

  10. Division B Class B1

  11. The “Red Book”
     • Trusted Network Interpretation (TNI)
     • Two parts:
       • Interprets the Orange Book for networks
         • interpretation
         • rationale
       • Describes additional security services that arise with networks.

  12. Division C Class C1

  13. The Network Security Services

  14. Issues with Any Certification
     • Certifications take time, thus they generally have a hefty price associated with them.
     • By the time the product is evaluated, it's obsolete.
     • Who gets to do the evaluation?
       • Lots of folks don't want the government poking around their product, but can you trust some other company?
     • Certifications are for a single release; if you release a new version, it will need to be evaluated too.

  15. The ITSEC and Common Criteria
     • After the TCSEC was published, several European countries issued their own criteria.
     • The Information Technology Security Evaluation Criteria (ITSEC) had a number of improvements:
       • Permitted new feature definitions and functionalities
       • Accommodated commercial evaluation facilities
     • Soon the U.S. was preparing to update the TCSEC.
     • Instead of multiple standards, how about a joint one?
     • Thus, the birth of the Common Criteria

  16. Common Criteria

  17. Common Criteria
     • Has 7 Evaluation Assurance Levels (EAL):
       • EAL1: Functionally tested
       • EAL2: Structurally tested
       • EAL3: Methodically tested and checked
       • EAL4: Methodically designed, tested, and reviewed
       • EAL5: Semiformally designed and tested
       • EAL6: Semiformally verified design and tested
       • EAL7: Formally verified design and tested
     • Any collection of components can be combined with an EAL to form a Protection Profile.
       • Defines an implementation-independent set of security requirements and objectives.

  18. ICSA Certification
     • ICSA Inc. initiated a program for certifying IT products against a set of industry-accepted, de facto standards.
     • Standards are developed with input from security experts, vendors, developers, and users.
     • Targets threats that actually occur frequently, not postulated ones (think covert channels).
     • Goal is criteria appropriate for 80% of customers.
     • Has a mechanism for certification of future versions.

  19. ICSA

  20. ICSA

  21. ICSA

  22. Security Awareness and Training
     • We keep saying that people are the biggest problem, so…
     • Why not train them so we can get rid of (or reduce) the problem?
     • What types of things would be useful?
       • General security training: passwords, social engineering, viruses
       • Administrator training: specialized training for specific OS and security devices (e.g. firewalls, IDS…), vulnerability/risk assessments

  23. Types of training
     • Formal courses
     • Online courses
     • CD-based instruction
     • (Security awareness programs)

  24. Check Point Firewall Training
     • The first class yields a Check Point Certified Security Administrator (CCSA) degree. It provides a complete overview of FireWall-1 and focuses the hands-on training on stand-alone systems. This class is for end users and resellers who need a good technical understanding of FireWall-1 and need to install and set up simple configurations.
     • The second, more advanced class yields a Check Point Certified Security Engineer (CCSE) degree and dwells more in depth on setting up multiple firewall systems, using different encryption schemes, alternative key management schemes, certificate authorities, etc., and includes hands-on practice of many of these advanced security techniques. The CCSA degree is a prerequisite to sign up for this class. This advanced class is for end users who have sophisticated security requirements for their enterprise networks and for resellers who seek Certified Check Point Partner status.

  25. Foundstone

  26. Training Courses

  27. SecureInfo

  28. MIS Training Institute
     • Auditing Your Web Server
     • Internet and Web Security
     • Introduction to Network Security
     • Network Intrusion Detection
     • Protecting Your Networks with Firewalls
     • Remote Access Services and Virtual Private Network Security
     • Securing TCP/IP Networks
     • Security and Audit of TCP/IP Networks
     • SWITS Network Security Advanced Class
     • Audit and Security of Windows NT Server V.4
     • Control Analysis of Enterprise-wide Telecommunications
     • Controlling and Securing Unix-Based Operating Systems
     • Controlling and Securing Windows 2000
     • Controlling Client/Server Environments
     • Unix Workshop

  29. Training as a Business
     • There is a bunch of money to be made in training; let's assume:
       • 50-hour work weeks, 48 work weeks a year
       • for a consultant, at $200/hour, 75% utilization = $360,000/year
       • 2 weeks/month teaching, 2 weeks preparing
       • for a trainer, 20 students/course, $1500/student = $720,000/year
     • Obviously there are other considerations:
       • marketing & sales
       • overhead
       • competition and demand

  30. (ISC)²
     • (ISC)² - International Information Systems Security Certifications Consortium
     • (ISC)² offers two certification examinations:
       • the Certified Information Systems Security Professional (CISSP)
       • the Systems Security Certified Practitioner (SSCP)
     • The CISSP program certifies IT professionals who are responsible for developing the information security policies, standards, and procedures and managing their implementation across an organization.
     • The SSCP program certifies network and systems administrators who implement those policies, standards, and procedures on the various hardware and software programs for which they are responsible.

  31. CISSP
     • The (ISC)², working with a professional testing service, has developed a certification examination based on the information systems security Common Body of Knowledge (CBK). Candidates have up to 6 hours to complete the examination, which consists of 250 multiple choice questions that address the ten topical test domains of the CBK. The information systems security test domains are:
       • Access Control Systems & Methodology
       • {Computer} Operations Security
       • Application & Systems Development
       • Business Continuity & Disaster Recovery Planning
       • Telecommunications & Network Security
       • Security Architecture & Models
       • Physical Security
       • Cryptography
       • Security Management Practices
       • Law, Investigations & Ethics

  32. SSCP
     • The (ISC)², working with a professional testing service, has developed a certification examination based on the SSCP Common Body of Knowledge (CBK). Candidates have up to 3 hours to complete the examination, which consists of multiple choice questions that address the seven topical test domains of the CBK. The information systems security test domains are:
       • Access Control
       • Administration
       • Audit and Monitoring
       • Risk, Response, and Recovery
       • Cryptography
       • Data Communications
       • Malicious Code

  33. SANS Institute
     • Conferences – Ontario, May 13-18
     • GIAC Training and Certification Program
       • SANS' GIAC Training and Certification Program is designed to serve the people who are or will be responsible for managing and protecting important information systems and networks. GIAC course specifications were developed through a consensus process that involved more than a hundred members of SANS' faculty and other experienced security practitioners. They combine the opinions, knowledge, and expertise of many of the world's most experienced front-line security and system administrators, intrusion detection analysts, consultants, auditors, and managers.
     • The GIAC certification program consists of:
       • Information Security KickStart
       • LevelOne Security Essentials
       • LevelTwo subject area modules

  34. SANS Institute

  35. GIAC Training
     • Information Security KickStart
       • Are you looking for a way to "break in" to the information security field? Did your manager just walk up to you and say, "Congratulations, you are the new security officer"? Then Information Security KickStart is for you! KickStart was designed for the professional who needs to get up to speed fast on the terminology, concepts, issues, tools, and technology of the field. A student who completes the Information Security KickStart and GIAC Security Essentials Certification possesses the foundational skills that no information security professional should be without. KickStart and Security Essentials also prepare you for the more advanced, in-depth LevelTwo training.

  36. GIAC Training
     • Welcome to SANS Security Essentials
       • SANS Security Essentials offers a strong technical foundation for all areas of system and network security. Similar to KickStart, Security Essentials provides broad coverage of information security topics, but begins to go more in-depth. Each of the eighteen course units offers practical, from-the-trenches, "how-to" information, not just theory. Security Essentials includes the following units:
         • 1: Information Assurance Foundations
         • 2: IP Concepts
         • 3: IP Behavior
         • 4: Internet Threat
         • 5: Basic Security Policy
         • 6: Malicious Software and Anti-Virus Tools
         • 7: Host Based Perimeter Protection
         • 8: Windows NT Password Management
         • 9: Unix Password Management
         • 10: Introduction To Pretty Good Privacy (PGP)
         • 11: Introduction To Cryptography 1
         • 12: Introduction To Cryptography 2
         • 13: Securing Windows NT Step-by-Step
         • 14: Securing Linux Step-by-Step
         • 15: Backups For Windows NT
         • 16: Backups For Linux
         • 17: Basic Windows NT Auditing
         • 18: Basic Linux Auditing
       • SANS Security Essentials is available through a three-day class.

  37. GIAC Training
     • Intrusion Detection in Depth On-Line Training is one of SANS' signature courses, and offers an immersion in the world of intrusion detection. Like all GIAC programs, Intrusion Detection in Depth is continually revised to include the latest attack patterns. We strongly recommend that students spend some time getting familiar with tcpdump, Windump, or other network analyzer output before taking this course. Intrusion Detection in Depth covers:
       • Essential TCP/IP concepts for intrusion detection and network traffic analysis
       • Configuration and use of tcpdump, the most widely used freeware traffic analysis tool
       • Log file interpretation and analysis
       • Configuration and use of Snort, the freeware intrusion detection system for both UNIX and Windows
       • Intrusion detection signatures and analysis, including samples and explanation of numerous real-world traces

  38. GIAC Training

  39. Security+ Certification
