CESG Launches Commercial Product Assurance

April 2, 2011 at 12:35 am | Posted in Security Product Testing

I’m a regular reader of (and subscriber to) Phil Stewart’s Excelgate Blog here on WordPress, since I met Phil through the UK Chapter of ISSA.  In his latest post, Phil describes the launch by CESG of the CPA: Commercial Product Assurance scheme.

Over the last 20 years or so, I’ve had a hand in the design and delivery of a wide variety of systems for handling Protectively Marked or otherwise sensitive data, from both the vendor side and the customer side.   In every case, it was easier to prove the required level of assurance to the Accreditor, when the solution was built on certified products.

However, the certification schemes available – principally the internationally supported Common Criteria (ISO 15408 – originally ITSEC in the UK) and the UK’s CESG Assisted Product Scheme (CAPS) for crypto products – are aimed mainly at the higher Impact Levels.  As a consequence, certification is a lengthy and expensive process for the vendor.  This commitment of cost and time must inevitably be passed on to the purchaser.  For systems handling data up to Impact Level 3 (or Protectively Marked as Restricted), the level of both functionality and assurance offered by CC or CAPS products is more than is needed and the cost often prohibitive.

Such systems form the bulk of deployments in the UK’s Public Sector and Critical National Infrastructure, so what has long been needed is a catalogue of commercial security products, approved for use at the lower Impact Levels.  The progress from the Claims Test Mark Scheme, piloted by CSIA and the Cabinet Office from 2004 to this new scheme is well documented in the Excelgate blog.  For me though, the most attractive attributes of the CPA scheme include:

  • CPA products are approved for use up to IL3 (CTM products may be used up to IL2);
  • The criteria for approval recognise that threat levels differ even at the same Impact Level and provide for a Foundation and Augmented level of approval for each product.  This allows a product to be awarded Foundation level approval (relatively) quickly, while evaluation continues for Augmented level.
  • The process will accept evidence generated for other certification schemes, greatly reducing both the time and the cost to vendors of the approval process.  Hopefully this will be reflected in a much wider range of security enabling products being submitted for approval.
  • A wide range of security characteristics have been defined against which products can be tested.  The scheme has established 3 tiers of priority for initial product testing, ensuring that the most commonly required security mitigations are served first.

What Next?

Details of the transition from the CCTM scheme to CPA were published by CESG in February 2011.  Acceptance of new products for CCTM evaluation will end in December 2011, with no product certificates remaining in force after December 2012.  The CPA scheme goes live this month (April 2011) and of course, it remains to be seen how it works in practice.  In my opinion, it will stand or fall by how well it succeeds in reducing the time and cost burden on vendors seeking approval.  Success in that will ensure a wider range of solutions with security adequate to meet the business risk will be available to public sector customers, removing the need to over engineer their solutions in order to achieve accreditation.  When that happens, everyone wins, not least the UK tax payer.

Do as I Say …

February 11, 2010 at 6:33 pm | Posted in Cyber Security, Endpoint Security

…not as I do, as Mrs V1951 the Elder (my Mum) used to say to me regularly.

I’ve discussed before how I went about organising news feeds when I started my new life as an independent consultant.  One of the first blogs I subscribed to was the BBC’s dot.Life blog (now renamed “dot.Rory” to distinguish it from posts by US correspondent Maggie Shiels), written by technology correspondent Rory Cellan Jones.  That in turn prompted me to join Twitter to follow Rory’s updates.  His position gives him great access to what’s happening, particularly amongst the vendors, and his articles are thorough, well written and humorous.

However (you knew this was coming, didn’t you?) I have to take issue with a recent post on his blog.  The debate over Google’s troubles in China and the vulnerability in Internet Explorer v6 rumbles on and Mr Cellan Jones decided to investigate what advice the UK government is offering to its citizens and how that advice squares with what government departments are doing with their own computer systems.  So far, so good. 

Both the German and French governments advised their citizens to switch to an alternative browser (Firefox, Opera or Safari for example), implying that the flaw exposed in the attack on Google is common to all versions of the Microsoft browser.  However, when questioned the UK’s Cabinet Office, which takes the lead on matters related to digital technology, confirmed that it is directing people to the web site for the Get Safe Online campaign.  The advice here is “All web browsers are at ongoing risk to vulnerabilities and as such Get Safe Online’s recommended advice to consumers and small business is always to use the most up-to-date version.”   It also suggests that “… there is no evidence that moving from the latest fully patched versions of Internet Explorer to other browsers will make users more secure.” 

By comparison, when asked by Mr Cellan Jones, the Ministry of Defence confirmed that, based on advice from the Communications Electronic Security Group, it is considered that IE6 is suitable for use in central government.  Later, the Cabinet Office explained further that  “A government user working on government systems will benefit from additional security systems unlikely to be available to the average home computer user. These include tools that actively monitor for any malicious attack.”

So, on the face of it, the UK Government is ignoring the advice it gives to its citizens.  But is this really as unreasonable as the blog suggests?  Let’s look at the issues:

  • Context:  The Ministry of Defence IT systems form the Defence Information Infrastructure (DII), serving 300,000 users on 150,000 end point systems, spread across more than 2,000 locations (fixed and mobile) world-wide.  This massive infrastructure is managed by the Atlas Consortium, under a 10 year contract worth £4.8Bn.  While the programme has been criticised for slow progress, a National Audit Office report in 2009 concluded that important benefits are being delivered and (unusual for a government IT project) costs are predicted to be within 3% of the original budget approved in 2005.
  • Guidance:  The Ministry of Defence and other front line government departments are guided by CESG, which is the UK’s National Technical Authority on information assurance.  This same support is also available to other public bodies and private concerns which form the Critical National Infrastructure, through the Centre for the Protection of National Infrastructure (CPNI) and some is available to the general public through the CPNI web site.
  • Assurance:  Systems and networks designed for use in front line departments (MoD, FCO, Home Office ..) are:
    • Built where possible using certified components that have been rigorously tested for correct operation of their security functions, based on the internationally accepted Common Criteria (ISO/IEC 15408);
    • Subjected to accreditation, to prove that their security functions are adequate to protect the classified information they will process;
    • Organised into distinct security “zones” separated by specialised devices, which are not available to most organisations.  Some of these devices are designed and tested using formal methods like Z or Vienna Development Method (VDM) to mathematically prove the correctness of their security functions.
  • Restricted Access:  Access to these systems is strictly controlled, based on security clearance (granted based on rigorous and repeated vetting checks), “need to know” and finally subject to the formal approval of the system owner.  Social engineering played a significant role in the Google attack and this is at least mitigated by these formal processes.

 As well as being a front line government department, with special security requirements and the processes and procedures to enforce them, it is also a very large organisation (300,000 users) and faces the same problems as its private sector counterparts:

  • Compatibility:  These days, the browser is used to access a wide range of applications, many of them mission critical.  As Gartner’s Neil MacDonald said in his blog, the application vendors are a big part of the problem in getting organisations to move off Internet Explorer v6.  Often the applications use proprietary mechanisms in IE6, making it difficult or impossible to upgrade to a later browser version, unless you at least upgrade the application as well.
  • Inertia:  Large organisations are notoriously slow to migrate to later versions.  Desktop upgrade programmes are costly, time consuming and riddled with unforeseen complications.  That in part is why large organisations didn’t migrate to Vista on the desktop, and why they’ll take their time before moving to Windows 7.

These considerations have to be fed into the change management process.  The resulting change (assuming it gets approval) will inevitably delay the already planned packages within the DII programme and will with equal inevitability result in additional costs to the customers (that’s the taxpayer – you and me!).

So, is the Cabinet Office right to claim that the MoD is safe to carry on using IE6?  At least they’re right to draw a distinction between the level of protection achieved through “defence in depth” and what’s available to the average home user.  David Lacey, in his recent book “Managing the Human Factor in Information Security”, points out that baseline security measures, a collection of standard, proven security controls, are the fastest, most reliable (and often cheapest) means of improving security.  He compares it with the “trajectory of accident opportunity” described by James Reason in his book “Human Error”.  His premise is that multiple, simultaneous failures or compromises would be needed to allow an attack to be pressed home.  Gartner’s Neil MacDonald says that there are 3 lessons to be drawn from the attack on Google:

  1. Run users as standard not administrator
  2. Get off IE6 – using Win7 migration to justify budget if necessary
  3. Use defence in depth at the end point.

In conclusion, for the risk of compromise to materialise, there has to be both a vulnerability and the means to exploit it.  In the case of the Google attack, neither of these was known until the incident happened – a zero day attack.  There also has to be a threat, someone with the means, skills and motive to mount an attack.  Again, in the case of Google, this appeared to be a targeted attack.  But risk efficiency demands that the cost of the countermeasure be proportionate to the cost of the damage resulting from a successful exploit.  For a large organisation (like MoD) replacing the browser isn’t going to pass that test.  But careful design and baseline security measures will prevent the hacker from reaching the vulnerable component.

And the last word goes to Neil MacDonald of Gartner again, who points out that application white listing has to become a fundamental part of endpoint security.  If a zero day attack is mounted and if the attacker succeeds in dropping malicious code onto the browser, white listing would prevent it from running.
