Security Management - Common Criteria Flashcards

1
Q

What are typical products that would need certification?

A
  • Network connectors for e-health
  • Smart metering gateways
  • Digital tachographs
  • E-passports
  • Smart cards
  • Card readers
2
Q

What are the Common Criteria (CC)?

A

The de facto standard for product evaluations

3
Q

What is a Target of Evaluation (TOE)?

A

The product or system that is the subject of the evaluation, e.g. „MinuteGap Firewall“

4
Q

What is a Protection Profile (PP)?

A

Document that identifies security requirements relevant to a user community for a particular purpose, e.g. „Firewall Protection Profile“

5
Q

What is the Security Target (ST)?

A

Product specification explaining how security functionality is delivered by the product, e.g. „MinuteGap Firewall ST“. Can be standalone, or can conform to one or more PPs.

6
Q

What is an Evaluation Assurance Level (EAL)?

A

A numerical rating (1-7) reflecting the assurance requirements fulfilled during evaluation

7
Q

Which EAL levels are often used?

A

Often used: EAL2 and EAL4; for smart cards, levels above EAL4 are also often used.

8
Q

Which augmentations of the EAL are often used?

A

  • AVA_VAN.5 – vulnerability analysis with high attack potential
  • ALC_FLR – flaw remediation process for security issues detected after certification

9
Q

What does EAL1 include?

A

EAL1 – functionally tested („low assurance“)

  • Review of functional and interface specifications
  • Some independent testing
10
Q

What does EAL2 include?

A

EAL2 – structurally tested („minimal serious level“)

  • Analysis of security functions including high-level design
  • Independent testing, review of developer testing
  • Penetration testing with „basic“ attack potential
11
Q

What does EAL3 include?

A

EAL3 – methodically tested and checked

  • More testing, some development environment controls
  • Site visit of development/manufacturing sites
12
Q

What does EAL4 include?

A

EAL4 – methodically designed, tested, and reviewed

  • Source code inspections
  • Penetration testing with „extended-basic“ attack potential
13
Q

What does EAL5 include?

A

EAL5 – semiformally designed and tested

  • Formal model, modular design
  • Systematic vulnerability search, covert channel analysis
14
Q

What does EAL6 include?

A

EAL6 – semiformally verified design and tested

  • Structured development process
  • Penetration testing with „high“ attack potential
15
Q

What does EAL7 include?

A

EAL7 – formally verified design and tested

  • Formal presentation of functional specification
  • Product or system design must be simple
  • Independent confirmation of developer tests
16
Q

What does „high attack potential“ mean in relation to the augmentation AVA_VAN.5?

A

High attack potential, e.g.:

  • Multiple experts
  • Only public knowledge of TOE
  • Easy access to TOE (e.g. connected to internet)
  • Only standard equipment
  • Up to six months effort to identify and exploit
17
Q

What does a vulnerability analysis of the developer's code include?

A

Vulnerability analysis of the developer's code:
  • Flaw hypotheses, interfaces to security functionality, circumvention of mechanisms, correctness of data parsing and control flow, cryptographic mechanisms
  • Detailed notes/recommendations for some mechanisms

18
Q

What does a vulnerability analysis of third-party libraries include?

A

Vulnerability analysis of third-party libraries:
  • CVE search: are there known vulnerabilities for the specific versions of the integrated libraries?
  • Long-term support and availability of security patches?

19
Q

What does a high EAL mean?

A

High EAL = high assurance (confidence):

  • How reliable are the evaluation results?
  • How thorough was the testing?
20
Q

Does a high EAL automatically mean high security?

A

The EAL has nothing to do with the security functional requirements:
  • Need to look at the SFRs
  • Possible to have very few requirements (i.e. little functionality) evaluated at a high EAL, i.e. it is very likely that the (albeit few) requirements are correctly implemented
  • Adversaries that are hard to protect against are often excluded from the PP/ST
  • Need to look at the assumptions and the objectives for the environment