Evaluation criteria provide a standard for quantifying the security of a computer system or network. These include the Trusted Computer System Evaluation Criteria (TCSEC), Trusted Network Interpretation (TNI), European Information Technology Security Evaluation Criteria (ITSEC), and the Common Criteria.
The Trusted Computer System Evaluation Criteria (TCSEC), commonly known as the Orange Book, is part of the Rainbow Series developed for the U.S. DoD by the National Computer Security Center (NCSC) in 1983. (The current issue was published in 1985.) It is the formal implementation of the Bell-LaPadula model. The evaluation criteria were developed to achieve the following objectives:
Measurement: Provides a metric for assessing comparative levels of trust between different computer systems.
Guidance: Identifies standard security requirements that vendors must build into systems to achieve a given trust level.
Acquisition: Provides customers a standard for specifying acquisition requirements and identifying systems that meet those requirements.
The four basic control requirements identified in the Orange Book are
Security policy: The rules and procedures by which a trusted system operates. Specific TCSEC requirements include:
Cross-Reference Discretionary access control (DAC): Read more about this in Chapter 4.
Mandatory access control (MAC): Read more about this in Chapter 4.
Object reuse: This protects the confidentiality of objects that are reassigned after initial use. For example, a deleted file still exists on the storage media; only the file allocation table (FAT) entry and the first character of the file name have been modified, so the residual data may be restored. This is the problem of data remanence. Object reuse requirements define procedures for actually erasing the data before the storage is reassigned.
Cross-Reference Labels: Sensitivity labels are required in MAC-based systems. (Read more about this topic in Chapter 4.) Specific TCSEC labeling requirements include integrity, export, and subject/object labels.
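The object reuse problem above, as an added example that is not from the book: a toy FAT-style volume where ordinary deletion only tags the directory entry and frees the allocation chain, so a raw read of unallocated blocks still returns the file contents, while an object-reuse-aware deletion overwrites the blocks first. All names, block sizes and sample data are constructed for illustration.

```python
BLOCK_SIZE = 8   # constructed: tiny blocks so the sample fits in a few lines


class SimDisk:
    """Toy FAT-style volume: a directory, an allocation table and data blocks."""

    def __init__(self, n_blocks):
        self.blocks = [bytes(BLOCK_SIZE)] * n_blocks
        self.fat = [None] * n_blocks   # None = free, -1 = end of chain, else next block
        self.directory = {}            # file name -> first block of its chain

    def _free_blocks(self):
        return [i for i, nxt in enumerate(self.fat) if nxt is None]

    def _chain(self, first):
        chain = []
        while first not in (None, -1):
            chain.append(first)
            first = self.fat[first]
        return chain

    def write_file(self, name, data):
        chunks = [data[i:i + BLOCK_SIZE] for i in range(0, len(data), BLOCK_SIZE)] or [b""]
        used = self._free_blocks()[:len(chunks)]
        if len(used) < len(chunks):
            raise OSError("disk full")
        for i, (blk, chunk) in enumerate(zip(used, chunks)):
            self.blocks[blk] = chunk.ljust(BLOCK_SIZE, b"\0")
            self.fat[blk] = used[i + 1] if i + 1 < len(used) else -1
        self.directory[name] = used[0]

    def delete_file(self, name):
        """Ordinary deletion: tag the directory entry (first character replaced)
        and release the FAT chain; the data blocks themselves are left untouched."""
        first = self.directory.pop(name)
        for blk in self._chain(first):
            self.fat[blk] = None
        self.directory["?" + name[1:]] = first   # entry survives, marked as deleted

    def secure_delete(self, name):
        """Object-reuse-aware deletion: overwrite every block before releasing it."""
        for blk in self._chain(self.directory[name]):
            self.blocks[blk] = bytes(BLOCK_SIZE)
        self.delete_file(name)

    def residual_data(self):
        """What a raw read of all unallocated blocks still returns (remanence)."""
        return b"".join(self.blocks[i] for i in self._free_blocks())
```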
Assurance: This guarantees that a security policy is correctly implemented. Specific TCSEC requirements (listed here) are classified as operational assurance requirements:
System architecture: System design features and principles that implement specific security features.
System integrity: Hardware and firmware operate properly and are tested to verify proper operation.
Covert channel analysis: Identification of covert channels, which are unintended communication paths not protected by a system’s normal security mechanisms. A covert storage channel conveys information by altering stored system data. A covert timing channel conveys information by altering a system resource’s performance or timing.
Remember A systems or security architect must understand covert channels and how they work in order to prevent the use of covert channels in the system environment.
Cross-Reference Trusted facility management: The assignment of a specific individual to administer the security-related functions of a system. This is closely related to the concepts of least privilege, separation of duties, and need-to-know, which we discuss in Chapters 6 and 10.
Trusted recovery: Ensures that security isn’t compromised in the event of a system crash or failure. This involves two primary activities: failure preparation and system recovery, which we discuss in Chapter 10.
Security testing: Specifies required testing by the developer and NCSC.
Design specification and verification: Requires a mathematical and automated proof that the design description is consistent with the security policy.
Configuration management: Identifying, controlling, accounting for, and auditing all changes made to the TCB during the design, development, and maintenance phases of a system life cycle.
Trusted distribution: Protects a system while it is in transit from the vendor (protection) to the customer (site validation).
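Covert channel analysis as described above, as an added example that is not from the book: a minimal shared resource matrix (SRM) check in the spirit of Kemmerer's method. Each primitive operation is recorded as reading ("R") or modifying ("M") an attribute of a shared resource; an unlabeled attribute that a HIGH subject can modify and a LOW subject can read is a candidate covert storage channel, because the reference monitor never mediates that attribute. The toy kernel, its operations and clearance assignments are constructed for illustration.

```python
# Constructed sample matrix for a toy kernel: attribute -> operation -> "R"/"M".
SRM = {
    "lock.held":     {"lock_file": "M", "unlock_file": "M", "try_lock": "R"},
    "quota.used":    {"write_block": "M", "free_block": "M", "stat_quota": "R"},
    "file.contents": {"write_block": "M", "read_block": "R"},
}

# Operations each clearance level may invoke (constructed).
ALLOWED = {
    "HIGH": {"lock_file", "unlock_file", "try_lock", "write_block",
             "free_block", "stat_quota", "read_block"},
    "LOW":  {"try_lock", "stat_quota", "read_block", "write_block"},
}

# Attributes that carry a sensitivity label and are therefore checked by the
# MAC policy on every access (a LOW reader is denied HIGH file contents).
LABELED = {"file.contents"}


def find_storage_channels(srm, allowed, labeled):
    """Return sorted (attribute, modifying_op, reading_op) triples where a
    HIGH subject can modify an unlabeled attribute that a LOW subject can
    read, i.e. a path the normal access controls never inspect."""
    findings = []
    for attr, ops in srm.items():
        if attr in labeled:   # flow through this attribute is mediated by MAC
            continue
        modifiers = [op for op, k in ops.items() if k == "M" and op in allowed["HIGH"]]
        readers = [op for op, k in ops.items() if k == "R" and op in allowed["LOW"]]
        findings.extend((attr, m, r) for m in modifiers for r in readers)
    return sorted(findings)


def channel_report(findings):
    """Group findings by attribute so each shared resource is reviewed once.
    Typical remedies are removing LOW visibility of the attribute, adding
    noise or delay to limit the channel's bandwidth, or auditing its use."""
    report = {}
    for attr, m, r in findings:
        entry = report.setdefault(attr, {"modified_by": set(), "read_by": set()})
        entry["modified_by"].add(m)
        entry["read_by"].add(r)
    return report
```

Calling `channel_report(find_storage_channels(SRM, ALLOWED, LABELED))` flags the lock state and the quota counter but not the labeled file contents, which is exactly the distinction the analysis exists to make.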
Accountability: The ability to associate users and processes with their actions. Specific TCSEC requirements include
Identification and authentication (I&A): We discuss this topic in Chapter 4.
Trusted Path: A direct communications path between the user and the TCB that doesn’t require interaction with untrusted applications or operating system layers.
Cross-Reference Audit: Recording, examination, analysis, and review of security-related activities in a trusted system, which we discuss in Chapters 4, 10, and 12.
Documentation: Specific TCSEC requirements include:
Security Features User’s Guide (SFUG): User’s manual.
Trusted Facility Manual (TFM): System administrator’s and/or security administrator’s manual.
Test documentation: According to the TCSEC manual, must “show how the security mechanisms were tested, and results of the security mechanisms’ functional testing.”
Design documentation: Defines system boundaries and internal components, such as the TCB.
Instant Answer The Orange Book defines four major hierarchical classes of security protection and numbered subclasses, as follows. Higher numbers indicate higher security:
D: Minimal protection
C: Discretionary protection (C1 and C2)
B: Mandatory protection (B1, B2, and B3)
A: Verified protection (A1)
These classes are further defined in Table 9-2.
Class | Name | Sample Requirements |
---|---|---|
D | Minimal security | Reserved for systems that fail evaluation. |
C1 | Discretionary protection (DAC) | System doesn’t need to distinguish between individual users and types of access. |
C2 | Controlled access protection (DAC) | System must distinguish between individual users and types of access; object reuse security features required. |
B1 | Labeled security protection (MAC) | Sensitivity labels required for all subjects and storage objects. |
B2 | Structured protection (MAC) | Sensitivity labels required for all subjects and objects; trusted path requirements. |
B3 | Security domains (MAC) | ACLs are specifically required; system must protect against covert channels. |
A1 | Verified design (MAC) | Formal Top-Level Specification (FTLS) required; configuration management procedures must be enforced throughout entire system life cycle. |
Tip You don’t need to know specific requirements of each TCSEC level for the CISSP exam, but you should know at what levels DAC and MAC are implemented and the relative trust levels of the classes, including numbered sub-classes.
Major limitations of the Orange Book include that
It only addresses confidentiality issues: It doesn’t include integrity and availability.
It isn’t applicable to most commercial systems.
It emphasizes protection from unauthorized access, despite statistical evidence that most security violations involve insiders.
It doesn’t address networking issues.
Also part of the Rainbow Series, Trusted Network Interpretation (TNI) addresses confidentiality and integrity in trusted computer/communications network systems. Within the Rainbow Series, it’s known as the Red Book.
The European Information Technology Security Evaluation Criteria (ITSEC) was developed during the late 1980s, and the current issue was published in 1991. Unlike TCSEC, ITSEC addresses confidentiality, integrity, and availability, as well as evaluating an entire system, defined as a Target of Evaluation (TOE), rather than a single computing platform.
ITSEC evaluates functionality (security objectives, or why; security-enforcing functions, or what; and security mechanisms, or how) and assurance (effectiveness and correctness) separately. The ten functionality (F) classes and seven evaluation (E, or assurance) levels are listed in Table 9-3.
(F) Class | (E) Level | Description |
---|---|---|
NA | E0 | Equivalent to TCSEC level D |
F-C1 | E1 | Equivalent to TCSEC level C1 |
F-C2 | E2 | Equivalent to TCSEC level C2 |
F-B1 | E3 | Equivalent to TCSEC level B1 |
F-B2 | E4 | Equivalent to TCSEC level B2 |
F-B3 | E5 | Equivalent to TCSEC level B3 |
F-B3 | E6 | Equivalent to TCSEC level A1 |
F-IN | NA | TOEs with high integrity requirements |
F-AV | NA | TOEs with high availability requirements |
F-DI | NA | TOEs with high integrity requirements during data communication |
F-DC | NA | TOEs with high confidentiality requirements during data communication |
F-DX | NA | Networks with high confidentiality and integrity requirements |
Tip You don’t need to know specific requirements of each ITSEC level for the CISSP exam, but you should know how the basic functionality levels (F-C1 through F-B3) and evaluation levels (E0 through E6) correlate to TCSEC levels.
The Common Criteria for Information Technology Security Evaluation (usually just called the Common Criteria) is an international effort to standardize and improve existing European and North American evaluation criteria. The final draft was published in 1997, and the Common Criteria has been adopted as the international standard ISO 15408. The Common Criteria defines eight evaluation assurance levels (EALs), which are listed in Table 9-4.
Level | TCSEC Equivalent | ITSEC Equivalent | Description |
---|---|---|---|
EAL0 | NA | NA | Inadequate assurance |
EAL1 | NA | NA | Functionally tested |
EAL2 | C1 | E1 | Structurally tested |
EAL3 | C2 | E2 | Methodically tested and checked |
EAL4 | B1 | E3 | Methodically designed, tested, and reviewed |
EAL5 | B2 | E4 | Semi-formally designed and tested |
EAL6 | B3 | E5 | Semi-formally verified design and tested |
EAL7 | A1 | E6 | Formally verified design and tested |
Tip You don’t need to know specific requirements of each Common Criteria level for the CISSP exam, but you should understand the basic evaluation hierarchy (EAL0 through EAL7, in order of increasing trust).