IEEE 2600-series Standards for Hardcopy Device Security

Transcription

1 IEEE 2600-series Standards for Hardcopy Device Security Brian Smithson PM, Security Research Ricoh Americas Corporation Lead Editor IEEE P2600 Standards Working Group 17 November, 2010 Ottawa, ON

2 Agenda Overview of hardcopy device security A very brief introduction to the Common Criteria The IEEE 2600-series standards Hardcopy device security and the Common Criteria How to use the IEEE 2600-series standards Summary and Q&A 2

3 Overview of hardcopy device security Early history of hardcopy device security Do you remember when copiers were analog devices, connected only to a power source, often managed by the Facilities department... and printers were write-only devices? No security issues, right? 3

4 Overview of hardcopy device security Sniffing data during the Cold War In 1961, copiers were a target for espionage: The CIA found Soviet embassies to be inaccessible to anyone except to the copier repairman. The CIA and Xerox fashioned an 8mm movie camera set to take single frames, triggered by a photocell. A Xerox repairman could install and replenish this camera in Soviet embassy copiers under the watchful eye of security guards, because nobody knew what components should or should not be inside a copier. Soviet cipher clerks, secretaries, and KGB agents photocopied secret orders, decoded messages, and lists of spies. Every copy was captured on film. For eight years. Details and photos from: 4

5 Overview of hardcopy device security What can be learned from the CIA? Q: What do people print, scan, copy, and fax? A: Their most current, important documents! Hardcopy devices are often: Shared, ownerless devices Placed in open, common areas Inadequately monitored Trusted on the network If you can: install a network sniffer, redirect fax or scanner output, steal the hard disk drive, pwn the whole thing, or just hang out near the output tray, an unprotected MFP is still An old security awareness poster, source unknown 5

6 Overview of hardcopy device security How has industry addressed this? Initially, manufacturers responded with data security kits Later, manufacturers started to claim whole MFP security However Whole MFP security may not address all of the threats Typically addressed: Residual document data Fax-network separation Incoming port filtering Administrator authentication Attacking the HCD from the network Often not addressed: Persistent and non-document data Separation and control of all interfaces Audit logs User authentication Attacking the network from the HCD 6

7 Overview of hardcopy device security What was needed for hardcopy device security A common agreement on what constitutes baseline security A standard or specification which describes that baseline For use by manufacturers: What security functions must be provided What additional security is recommended A way to independently test whether the required functions have been implemented For use by customers: What security functions to require when procuring HCDs Guidance on how to use those functions A way to reference that baseline and independent testing in procurement specifications 7

8 Overview of hardcopy device security Background of the IEEE P2600 Working Group The IEEE P2600 working group was organized in early 2004: Open standards process and international recognition Virtually all HCD manufacturers participated Face-to-face meetings every 6~8 weeks Produced five standards: IEEE Std (standard for hardcopy device security) IEEE Std (standard for a Protection Profile) IEEE Std (standard for a Protection Profile) IEEE Std (standard for a Protection Profile) IEEE Std (standard for a Protection Profile) 8

9 A very brief overview of the Common Criteria Overview of ISO/IEC and the The Common Criteria (CC) is an internationally recognized methodology for: expressing security requirements for IT products, evaluating products to see if they meet those requirements, and mutually recognizing certified products among the participating nations. CC is not a prescriptive security standard; it is a process standard ISO/IEC is ISO s adoption of Common Criteria ISO adoption follows CC Current version is 3.1 release 3 Preparation Evaluation Certification Recognition Manufacturer chooses product(s) to certify Manufacturer prepares a Security Target document and other evidence to support their product s security claims Manufacturer submits product and documents to a licensed CC laboratory Laboratory performs evaluation under observation of a national CC scheme The national CC scheme (e.g. NIAP CCEVS in US, BSI in Germany, IPA in Japan) oversees evaluation and reviews evaluation reports CC scheme issues a certificate Product and certification reports are listed on web sites (scheme and CC portal) All 26 CCRA member countries recognize the product certification 9 9

10 A very brief overview of the Common Criteria Two ways to evaluate products 1. Without a Protection Profile: A manufacturer writes a Security Target document that describes the security claims of their product. Evaluation is based solely on the manufacturer s claims, not on a standard: it certifies only that the product fulfills the manufacturer claims. 2. With a Protection Profile: Somebody writes a Protection Profile describing the security requirements for a class of products. Manufacturers write Security Target documents that make security claims conforming to those requirements. Evaluation ensures that the product fulfills the manufacturer s claims, and that the manufacturer s claims fulfill those requirements. 10 You need a Protection Profile to enforce uniform baseline security requirements. The US and other governments prefer to buy products that have been evaluated based on a Protection Profile (if one exists) for its class of products.

11 The IEEE 2600-series standards IEEE 2600 standard for hardcopy device security In 2008, the IEEE published a general standard for HCDs: IEEE Standard for Information Technology: Hardcopy Device and System Security Describes hardcopy devices Defines four typical operational environments Describes security threats for each environment Recommends mitigation approaches Specifies security objectives for compliance Includes an appendix of best practices It is mainly a guidance document It is possible to claim compliance to IEEE 2600 However, there is no requirement for independent verification 11

12 The IEEE 2600-series standards IEEE 2600 Operational environments IEEE 2600 operational environments are based on market segments: A. For use with highly proprietary or legally regulated documents B. For general enterprise use C. For public-facing use D. For small office / home office use The security requirements for environment are hierarchical: A is a superset of B, B is a superset of C, C is a superset of D. 12 The main difference between environments is the level of accountability for individual user actions.

13 The IEEE 2600-series standards IEEE 2600-series Protection Profiles There are four Common Criteria Protection Profiles, one for each of the typical operating environments that are defined in IEEE 2600: IEEE Protection Profile for Operational Environment A (published and certified in 2009) IEEE Protection Profile Operational Environment B (published in 2009, certified in 2010) IEEE Protection Profile for Operational Environment C (published in 2010, not certified) IEEE Protection Profile for Operational Environment D (published in 2010, not certified) IEEE is was adopted by the US Government as the U.S. Government Protection Profile for Hardcopy Devices in Basic Robustness Environments 13

14 The IEEE 2600-series standards Comparison of 2600-series Protection Profiles Protection Profile Requirement Evaluation assurance level Additional flaw remediation assurance User identification, authentication, authorization Administrator identification, authentication, authorization Level 2 (Procedural) Level 2 (Procedural) Level 1 (Basic) None Yes Yes Optional None Yes Yes Yes Yes User document protection At rest, in motion, residual At rest, residual Residual None Job data protection At rest, in motion At rest None None Security data protection Yes Yes Yes Yes Managed interfaces Yes Yes Yes Yes Software self-verification Yes Yes Yes Yes Logging Complete audit Exception / violation Exception / violation None Additional requirements packages used when specific functions are present Print, Scan, Copy, Fax, Doc Server, Removable HDD, Network Print, Scan, Copy, Fax, Doc Server, Removable HDD, Network Network Network 14

15 Hardcopy device security and the Common Criteria Evaluation without a Protection Profile Prior to June 2009, there was no Protection Profile for HCDs. Manufacturers certified products using data security kits, with very specific security claims such as HDD overwrite or faxnetwork separation, or whole MFPs that did not address all of an MFP s security issues. Most evaluations were performed at Evaluation Assurance Level (EAL) 2 to 3+. It is worth noting that: EAL does not indicate depth of security EAL indicates only the depth of evaluation In other words: Products that are evaluated without a Protection Profile only provide security that a manufacturer claims. Whole MFP may not address all of your security concerns. One manufacturer s whole MFP may not be equivalent to another manufacturer s whole MFP. Higher EAL does not equal higher security, it only means that security has been evaluated somewhat more rigorously. 15

16 Hardcopy device security and the Common Criteria Why Protection Profiles are important Security objective IEEE Protection Profile requirements Security functional requirements A whole MFP certified without protection profile Document protection Security data protection HDD data protection User authorization Administrator authorization Interface management Software verification Documents should not be disclosed or altered by anyone except the owner, administrator, or authorized delegate. Deleted data is inaccessible. Depending on the data, security data should not be disclosed or altered by anyone except administrators. Data on hard disks is protected from disclosure and alteration if the disk is removed from the MFP. All users are identified and authorized before being allowed to use the MFP. Authentication failures result in lockout. Inactive sessions are terminated. All administrators are identified and authorized before being allowed to manage the MFP. Authentication failures result in lockout. Inactive sessions are terminated. Data cannot pass from any interface to a network interface without being managed by the MFP. Software integrity is verified Deleted data is inaccessible for most kinds of data; data on networks is protected by SSL; protection of persistent data on the MFP is not evaluated. Alteration of security data is evaluated (by controlling access to management functions), but disclosure of security data is not evaluated. Only data that has been deleted is protected from disclosure (by overwriting). HDD data encryption is not evaluated. User identification and authorization is provided for network scanning, scan-to- , and network faxing. User identification and authentication for network printing and any non-network operation is not evaluated. All administrators are identified and authorized before being allowed to manage the MFP. Authentication failures result in lockout. Termination of inactive sessions is not evaluated. The MFP can perform IP filtering to limit communication between the MFP and network devices. PSTN-Network data flow is controlled, but control of other interfaces is not evaluated. Verification of software integrity is not evaluated. Audit logging Records are kept and protected for startup / shutdown, all job completion, identification / authentication, use of management functions, administrator role changes, time / date changes, session locking, and trusted channel failure. Records are kept for startup / shutdown, and job completion only for print, network scan, network fax, and . Other audit requirements are not evaluated. 16

17 Hardcopy device security and the Common Criteria Evaluations with a Protection Profile Now that the IEEE Protection Profile for hardcopy devices has been published, manufacturers can submit products for evaluation based on a Protection Profile. For manufacturers, Protection Profiles create a level competitive playing field. For customers, the create a uniform baseline of security expectations for hardcopy devices that can be referenced by name in procurement specifications. For all, they reduce confusion over what constitutes better security, more security coverage or higher EAL: They define what security claims must be made in every evaluation. They define the assurance level that must be used for every evaluation. 17

18 How to use the IEEE 2600-series standards Interpreting manufacturers security claims The primary use of these standards is that manufacturers can claim product certification conforming to IEEE Std (or ) Conformance to IEEE implies operational environment A Conformance to IEEE implies operational environment B Certified products will be listed on the Common Criteria Portal web site Manufacturers can also claim product compliance to IEEE Std They must specify one or more of the four operational environments Such claims do not require independent testing and verification At present, manufacturers should not claim conformance to IEEE Std or Links to test labs, CC schemes, and the CC portal, are listed on the last page of this presentation 18

19 How to use the IEEE 2600-series standards Procuring secure hardcopy devices Customers can use the IEEE 2600-series standards to help streamline the process of procuring appropriately secure HCDs: 1. Review IEEE Std to determine which of the four operational environments most closely matches your needs. You may find that you have different environments in different parts of your organization. 2. For independently tested and verified products, specify products that have been Common Criteria certified conforming to IEEE Std (environment A) or IEEE Std (environment B). 3. If no suitable certified products are available for your environment, then you can specify products that comply with IEEE Std for your operational environment. 4. If no suitable products comply with IEEE Std for your environment, then use the security objectives and other guidance in IEEE Std to help you identify products or specify requirements. 19

20 How to use the IEEE 2600-series standards Secure configuration and operation HCD administrators and other security professionals can use the IEEE 2600-series to help securely configure and operate HCDs: Follow the guidance in IEEE Std Clause 7 contains mitigation techniques for IT professionals Clause 8.2 contains compliance security objectives for IT professionals Annex A contains security best practices Uphold the assumptions and fulfill the security objectives for the IT and non-it environment defined in IEEE Std (environment A) or IEEE Std (environment B) This is important if you are using Common Criteria certified products and want to operate them in the certified configuration 20

21 How to use the IEEE 2600-series standards Conforming products One MFP has already been Common Criteria certified to be in conformance to IEEE Std At least four manufacturers have multiple products in evaluation In the next six to nine months, an estimated eight to ten Common Criteria certificates will be issued certifying product models that conform to the IEEE protection profile Refer to the links on the last page of this presentation to find products that have been certified or that are in evaluation Certified products are listed on the Common Criteria Portal Products in evaluation may be listed by national CC schemes (it is the manufacturers option) Contact individual manufacturers for details 21

22 Summary / Q&A Summary Hardcopy devices need to be secured! The IEEE P2600 working group created a baseline security standard for hardcopy devices: IEEE Std , and two Protection Profiles which are certified for evaluating hardcopy devices: IEEE Std and IEEE Std Common Criteria certification provides a method for independent testing and verification of manufacturers security claims A Protection Profile provides a minimum set of security claims so that all conforming hardcopy devices can be compared Manufacturers can get their products certified as conforming to one of the two Protection Profiles, or they can self-claim that their products comply with the baseline standard IEEE Customers have several options for how to use the IEEE series of standards to help procure secure hardcopy devices Administrators and other IT professionals can use the standards to securely configure and operate hardcopy devices 22

23 Summary / Q&A Questions? For more information: IEEE P2600 web site: IEEE Std : click on Shop, and search for IEEE Std : (free download) IEEE Std : (free download) IEEE Std : click on Shop, and search for IEEE Std : click on Shop, and search for Sponsor s certified products: All Common Criteria certified products: Common Criteria testing labs: Common Criteria national schemes: Contact information: brian.smithson@ieee.org brian.smithson@ricoh-usa.com Thank you 23