Security Management - Common Criteria Flashcards
What are typical products which would need certification?
- Network connectors for e-health
- Smart metering gateways
- Digital tachographs
- E-passports
- Smart cards
- Card readers
What are the Common Criteria (CC)?
de-facto standard for product evaluations
What is a Target of Evaluation (TOE)?
The product or system that is the subject of the evaluation, e.g. „MinuteGap Firewall“
What is a Protection Profile (PP)?
Document that identifies security requirements relevant to a user community for a particular purpose, e.g. „Firewall Protection Profile“
What is the Security Target (ST)?
Product specification explaining how security functionality is delivered by the product, e.g. „MinuteGap Firewall ST“.
Can be standalone, can conform to one or more PPs
What is an Evaluation assurance level (EAL)?
A numerical rating (1-7) reflecting assurance requirements fulfilled during evaluation
Which EAL levels are often used?
Often used: EAL2, EAL4; for smartcards also >EAL4 often used
Which augments for the EAL are often used?
- AVA_VAN.5 – vulnerability analysis with high attack potential
- ALC_FLR – flaw remediation process for security issues detected after certification
What does EAL1 include?
EAL1 – functionally tested („low assurance“)
- Review of functional and interface specifications
- Some independent testing
What does EAL2 include?
EAL2 – structurally tested („minimal serious level“)
- Analysis of security functions including high-level design
- Independent testing, review of developer testing
- Penetration testing with „basic“ attack potential
What does EAL3 include?
EAL3 – methodically tested and checked
- More testing, some development environment controls
- Site visit of development/manufacturing sites
What does EAL4 include?
EAL4 – methodically designed, tested, and reviewed
- Source code inspections
- Pentesting with „extended-basic“ attack potential
What does EAL5 include?
EAL5 – semiformally designed and tested
- Formal model, modular design
- Systematic vulnerability search, covert channel analysis
What does EAL6 include?
EAL6 – semiformally verified design and tested
- Structured development process
- Pentesting with „high“ attack potential
What does EAL7 include?
EAL7 – formally verified design and tested
- Formal presentation of functional specification
- Product or system design must be simple
- Independent confirmation of developer tests