TCSEC: The Orange Book (Trusted Computer System Evaluation Criteria)
TCSEC Purpose
- Establish best practices
- Requirements for assessing the effectiveness of security controls
- Measure computing resource security
- Evaluate, classify, and select systems considered for computing resources
TCSEC: Purpose
Guidance – provides guidance on how to design a trusted computing system along with its associated data and services.
Metrics – provides a metric (classification) for determining the level of trust assigned to a computing system.
Orange Book: Metrics
Measurement of a system's security is quantified using a classification system.
The classes are: D; C1 and C2; B1, B2 and B3; A1.
A is more secure than D.
2 is more secure than 1.
Orange Book: Metrics
The rating system is hierarchical.
D applies to any system that fails to meet the requirements of any of the higher security classes.
The other levels have increasing security requirements.
A1 systems would be rare.
Disclaimer
An A1 system is not 100% secure.
The risk level is expected to be lower compared to the other levels.
Metrics: C1
• Identification and authentication (user ID and password)
• DAC (Discretionary Access Controls)
– capable of enforcing access controls
– Example: basic Unix/Linux OS permissions: user, group, other.
Metrics: C2
• C1 plus
• Audit trails
• System documentation and user manuals.
Metrics: B1
• C2 plus
• Discovered weaknesses must be mitigated
Metrics: B2
• B1 plus
• Security policy must be defined and documented
• Access controls for all subjects and objects
Metrics: B3
• B2 plus
• Automated imminent intrusion detection, notification and response.
Metrics: A1
• B3 plus
• System is capable of secure distribution (can be transported and delivered to a client with the assurance of being secure)
Orange Book Security Criteria
Security Policy
Accountability
Assurance
Documentation
1. Security Policy
The set of rules and practices that regulate how an organization manages, protects, and distributes information.
1. Security Policy
The policy is organized into subjects and objects.
Subjects act upon objects.
Subjects – processes and users.
Objects – data, directories, hardware, applications.
A well-defined access control model determines whether a subject can be permitted access to an object.
Security Policy
Top secret, secret, classified, non-classified
Need-to-know, job division, job rotation, NDA, etc.
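As an added illustration of the subject/object model on these slides (example code, not part of the original lecture), the function below decides whether a subject may access an object by combining the two rules the slides name: a C1-style discretionary check on Unix user/group/other permission bits, and a classification check in which the subject's clearance must be at or above the object's label and cover its need-to-know categories. The Subject and Obj structures, the permission names, and the sample users and file are constructed for the example; applying the label rule uniformly to every permission is a simplification.

```python
from dataclasses import dataclass
# Classification levels from the slide, ordered lowest to highest.
LEVELS = {"non-classified": 0, "classified": 1, "secret": 2, "top secret": 3}
PERM_BITS = {"read": 4, "write": 2, "execute": 1}

@dataclass(frozen=True)
class Subject:               # a process or user (constructed structure)
    uid: str
    groups: frozenset
    clearance: str
    need_to_know: frozenset  # compartments the subject has been read into

@dataclass(frozen=True)
class Obj:                   # data, directory, device, application (constructed)
    owner: str
    group: str
    mode: int                # Unix-style permission bits, e.g. 0o640
    classification: str
    categories: frozenset    # need-to-know compartments the object belongs to

def dac_allows(subject, obj, perm):
    """C1-style discretionary check on the owner, group or other bits."""
    bit = PERM_BITS[perm]
    if subject.uid == obj.owner:
        return bool((obj.mode >> 6) & bit)
    if obj.group in subject.groups:
        return bool((obj.mode >> 3) & bit)
    return bool(obj.mode & bit)

def label_allows(subject, obj):
    """Clearance at or above the classification and every category covered
    (applied here to every permission, a simplification of the real rules)."""
    return (LEVELS[subject.clearance] >= LEVELS[obj.classification]
            and obj.categories <= subject.need_to_know)

def can_access(subject, obj, perm):
    """Access is granted only when both the discretionary and label rules pass."""
    return dac_allows(subject, obj, perm) and label_allows(subject, obj)

def demo():
    """Constructed sample subjects and object; returns each access decision."""
    report = Obj("alice", "analysts", 0o640, "secret", frozenset({"project-x"}))
    alice = Subject("alice", frozenset({"analysts"}), "secret", frozenset({"project-x"}))
    bob = Subject("bob", frozenset({"analysts"}), "top secret", frozenset())
    carol = Subject("carol", frozenset({"staff"}), "top secret", frozenset({"project-x"}))
    return {
        "owner reads own file": can_access(alice, report, "read"),              # True
        "group member, no need-to-know": can_access(bob, report, "read"),       # False
        "cleared but DAC 'other' bits deny": can_access(carol, report, "read"), # False
        "group member may not write (0o640)": can_access(bob, report, "write"), # False
    }
```

Calling demo() shows that a higher clearance alone (bob, carol) is not enough: the discretionary bits and the need-to-know categories each independently deny access.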
2. Accountability
The responsibilities of all who come in contact with the system must be well defined.
Identification (... the process of identifying a user)
Auditing (... accumulating and reviewing log information so that all actions can be traced to a subject)
Organizational chart
Job description contract, AUP, NDA, SLA
3. Assurance
The reasonable expectation that the security policy of a trusted system has been implemented correctly and works as intended.
Assurance is organized into:
Operational assurance
Life-cycle assurance
3a. Operational Assurance
The security policy is maintained in the overall design and operation of the system.
Example: users of the system have an assurance that access controls are enforced.
3b. Life-cycle Assurance
Ensuring the system continues to meet the security requirements over the lifetime of the system. Updates to the software and hardware must be considered.
The expectation that the system remains operational (is available) over its lifetime.
Sustainability cycle
4. Documentation Requirements
Security Features User's Guide
Trusted Facility Manual
Test Documentation
Design Documentation
Documentation: Security Features User's Guide
Aimed at the ordinary (non-privileged) users.
General usage policy
Instructions on how to effectively use the system
Description of relevant security features
Documentation: Trusted Facility Manual
Aimed at the system administration (S.A.) staff.
How the system is configured and maintained
Includes the day-to-day required activities:
• Backups
• Reviewing security logs
Documentation: Test Documentation
Instructions on how to test the required security mechanisms
Documentation: Design Documentation
Define the boundaries of the system
A complete description of the hardware and software.
Complete system design specifications
Description of access controls
The Orange Book
• The Orange Book has been superseded by the Common Criteria.