Security Baselines

One of the first steps in developing a secure environment is to develop a baseline of the minimum security needs of your organization. This baseline provides the input needed to design, implement, and support a secure network. The baseline includes gathering data on the specific security implementation of the systems with which you will be working.

Note: Information on Common Criteria can be found on the Common Criteria website, which also maintains a registry of products certified by CC. The website is www.commoncriteria.org.

The newest standard for security is Common Criteria (CC). This document is a joint effort between Canada, France, Germany, the Netherlands, the United Kingdom, and the United States. The version 2.1 standard outlines a comprehensive set of evaluation criteria. These criteria are broken down into seven Evaluation Assurance Levels (EAL). EAL 1 to EAL 7 are discussed here:

EAL 1 is primarily used where the user wants assurance that the system will operate correctly, but threats to security are not viewed as serious.

EAL 2 requires product developers to use good design practices. Security is not considered a high priority in EAL 2 certification.

EAL 3 requires conscientious development efforts to provide moderate levels of security.

EAL 4 requires positive security engineering based on good commercial development practices. It is anticipated that EAL 4 will be the common benchmark for commercial systems.

EAL 5 is intended to assure that security engineering has been implemented in a product from the early design phases. EAL 5 is intended for high levels of security assurance. The EAL documentation indicates that EAL 5 will most likely require that special design considerations be made to achieve this level of certification.

EAL 6 provides high levels of assurance of specialized security engineering. EAL 6 will be certified to provide high levels of protection against significant risks. These systems will be highly secure against penetration attackers.

EAL 7 is intended for extremely high levels of security. The certification requires that extensive testing, measurement, and complete independent testing of every component be performed.

EAL certification has replaced the Trusted Computer Systems Evaluation Criteria (TCSEC) system for certification. The recommended level of certification for commercial systems is EAL 4.

Real World Scenario: Implementing a Secure Server Environment

You have been appointed to the panel that will make decisions regarding the purchase of a new server for your organization. The new server needs to be relatively secure and suitable for storing sensitive information. It will also be part of an e-commerce environment. How can you assist the panel?

You can be of real value to the panel by determining which operating systems have been certified to the Common Criteria. You can visit the website www.commoncriteria.org to identify which operating systems and products have been EAL 4 certified. Encourage your IT staff members to base their decision on the available security data rather than on vendor claims. Most vendors claim to have a secure environment when in fact they do not. The CC certification proves that an impartial third party did an evaluation.

Currently, only a very few operating systems have been approved at the EAL 4 level. Sun Microsystems, as of September 2002, offers two EAL 4 approved operating systems: Sun Solaris 8 Operating Environment and Sun Trusted Solaris Version 8 4/01. According to a statement released in January 2002, Microsoft has indicated that Windows 2000 is under evaluation and that it hopes to certify Windows 2000 at the EAL 4 level.



CompTIA Security+ Study Guide. Exam SY0-101
Security+ Study Guide
ISBN: 078214098X
Year: 2006
Pages: 167