Malaysian Common Criteria Evaluation & Certification (MyCC) Scheme: Activities and Updates
Copyright 2010 CyberSecurity Malaysia
Agenda
1. Understand why we need product evaluation and certification
   - ICT Product Certification Benchmark
   - Common Criteria Recognition Arrangement
2. What is the MyCC Scheme and its components?
3. What is the potential market for certified CC products?
4. Way forward
Security Objectives
The question is: are these ICT products secure enough against threats and vulnerabilities? The answer should be measured against the requirements of the CIA triad (confidentiality, integrity, availability).
Security Techniques
- Prevention: access control
- Detection: auditing
- Tolerance: practicality
Good prevention and good detection both require good authentication as a foundation.
International vs Local ICT Products
Which one is better? Which do we trust most? What criteria are needed for them to stand on the same level?
Unseen Danger
- Software and hardware may contain hidden functions.
- The danger exists as long as these secret codes are not revealed.
- Many incidents have happened where attackers used these secret codes to gain access to the system.
- Some ICT products claim to have all the security functions when in fact they do not.
Direct Impact
- Loss of money
- Loss of performance
- Bad reputation
Current Pattern of Vulnerabilities
[Figure 1: Number of Vulnerabilities in Network, OS and Applications. Source: SANS Top Cyber Security Risks]
Why is IT Security Evaluation Important?
IT Security Evaluation is one method of gaining confidence in the security functions implemented by a product or system. It helps to:
- Meet government requirements
- Make the product selection process easier
- Reduce vulnerabilities
- Increase confidence in claimed security functionality
- Access international markets
- Drive continuous improvement of security technology
ICT Product Certification Benchmark
Comparison of the available ICT product certifications: description and recognition

Common Criteria (CC)
  Description: Standard for gaining assurance in the security of IT products and systems through independent evaluation, to prove the validity of security functionality claims made by developers.
  Recognition: Globally

CESG Claims Tested Mark (CCTM)
  Description: Provides a UK government quality mark for the public and private sectors based on accredited independent testing, designed to prove the validity of security functionality claims made by vendors. In more colloquial terms, the CCTM is designed to assure public bodies that a product or service does what it says on the box.
  Recognition: UK

TUVIT Trusted Product
  Description: Demonstrates the trustworthiness of products and systems. This trustworthiness is established on the basis of standards, technical directives and guidelines, lists of criteria or individual rules which correspond to the TÜViT product qualification concept.
  Recognition: Germany

ICSA Labs Product Certification
  Description: Intended to significantly improve commercial computer security and trust.
  Recognition: US
Comparison of the available ICT product certifications: products certified and links

Common Criteria (CC)
  List of products certified: Access control, detection, boundary protection, smart card, network devices and systems, data protection, databases, key management systems, OS, digital signature products
  Link: http://www.commoncriteriaportal.org/

CESG Claims Tested Mark (CCTM)
  List of products certified: Connection protection, erasure and disposal, integrity protection, media & device authentication, media & information protection, network link protection
  Link: http://www.cctmark.gov.uk/

TUVIT Trusted Product
  List of products certified: Domain registration system, web kiosk, Tri-Party Collateral Management, Bank Management Console portal
  Link: http://www.tuvit.de/english/overview.asp

ICSA Labs Product Certification
  List of products certified: Anti-virus, firewall, IPSec VPN, cryptography, SSL VPN, network IPS, anti-spyware and PC firewall products
  Link: http://www.icsalabs.com/
What is the Common Criteria?
- A common structure and language for expressing product/system IT security requirements (CC Part 1)
- A catalogue of standardised IT security requirement components and packages: security functional and security assurance requirements (CC Part 2 and Part 3)
- Supported by a common methodology for gaining assurance that IT security requirements have been satisfied (the Common Evaluation Methodology, CEM)
How did we get here?
[Timeline figure of the criteria that led to the Common Criteria:
- US: The Orange Book / TCSEC (83, 85), Federal Criteria (93)
- Canadian Initiatives (89-93): CTCPEC 3 (93)
- European National & Regional Initiatives (89-93): ITSEC 1.2 (91)
- ISO Initiatives (92--)
- Common Criteria Project (93--): CC 1.0 (96), CC 2.X and ISO 15408 (99), CC 3.1 (06)]
Common Criteria
Standard for gaining assurance in the security of IT products through independent evaluation.
- A specification language:
  - Functionality: what is being evaluated?
  - Assurance: how much and what type of confidence is required in the TOE (Target of Evaluation)?
- A methodology:
  - Repeatable: same results at a different time.
  - Comparable: same process for a different product.
- Allows mutual recognition among CCRA nations.
Mutual Recognition (as of Oct 2009)
Certificate Authorising Participants: participants that represent a compliant Certification Body and mutually recognise certified products/systems produced by the other Certificate Authorising Participants based on ISO/IEC 15408.
  UK, USA, Australia, Canada, France, Germany, Italy, Spain, Japan, Norway, New Zealand, Sweden, Netherlands, Korea
Certificate Consuming Participants: participants that have a national interest in recognising CC certificates produced by the Certificate Authorising Participants based on ISO/IEC 15408.
  Turkey, Austria, Denmark, Greece, India, Czech Republic, Finland, Hungary, Israel, Singapore, Malaysia, Pakistan
MyCC Scheme
[Diagram of the scheme's components: Common Criteria; CCRA; STANDARDS MALAYSIA (MS ISO/IEC Guide 65); STANDARDS MALAYSIA (MS ISO/IEC 17025); MyCC Scheme; Malaysian Common Criteria Certification Body (MyCB); Malaysian Security Evaluation Facility (MySEF) and other Evaluation Facilities (EF); the CC Certificate issued for an ICT Product or System and published under the scheme.]
Cabinet decision (translated): The Cabinet, on 8 Oct 08, considered Memorandum No. 592/2618/2008 from the Minister of Science, Technology and Innovation and agreed:
i. That CyberSecurity Malaysia, an agency under the Ministry of Science, Technology and Innovation, be appointed as the sole National Certification Body for the ICT Security Evaluation and Certification Scheme based on MS ISO/IEC 15408:2005 Information Technology Security Techniques Evaluation Criteria for IT Security; and
ii. That this National Certification Body be named the Malaysian Common Criteria Certification Body.
MyCC Scheme Mission
To increase Malaysia's competitiveness in quality assurance of information security based on the Common Criteria (CC) standard, and to build consumers' confidence in Malaysian information security products.
MyCC Scheme Background
- Project commenced in 2006 to establish the MyCC Scheme.
- Driven by the 9th Malaysian Plan (2006-2010).
- Supported by the National Cyber Security Policy.
- Malaysia accepted as a certificate consumer under the CCRA on 28 March 2007.
- The Malaysian Government accepted Memorandum Jemaah Menteri No 592/2618/2008 from MOSTI and appointed CyberSecurity Malaysia as the sole certification body for the MyCC Scheme.
- The MyCC Scheme commenced operations in August 2008.
- First evaluations commenced at EAL3/EAL4 to support the application for certificate authorising status.
MyCC Scheme Services
- Security evaluation and certification of ICT products, systems and protection profiles
  - Certifies results of evaluations conducted against v3.1 of the Common Criteria (ISO/IEC 15408)
  - Results published on the MyCC Scheme Certified Products Register (MyCPR)
- Maintenance of assurance for security certified ICT products and systems
  - In accordance with CCRA requirements for assurance continuity
  - Maintenance addenda published on the MyCC Scheme Certified Products Register (MyCPR)
- Recognition of certificates for special purposes
  - In accordance with MyCC Scheme Policy
MyCC Scheme Roles
- CyberSecurity Malaysia
  - Owner of the MyCC Scheme
  - The CEO of CyberSecurity Malaysia is the MyCC Scheme Head
- MyCC Scheme Management Board
  - At least five members; the chair of the Board rotates annually
  - Provides strategic advice, guidance and recommendations to the MyCC Scheme Head
- Malaysian Common Criteria Certification Body (MyCB)
  - A department within CyberSecurity Malaysia
  - Manages the MyCC Scheme
  - Certifies results of evaluations performed by licensed MySEFs
  - Manages CCRA requirements
MyCC Scheme Roles (continued)
- Malaysian Security Evaluation Facilities (MySEFs): organisations licensed by the MyCB to conduct evaluations of products and systems using the Common Criteria
- Sponsor: the person or organisation that engages a MySEF to perform an evaluation
- Developer: the person or organisation that has developed the product, system or protection profile
- Consumer: the person or organisation that procures or uses the product or system
MyCC Scheme Benefits
- Improve the competitiveness of Malaysian ICT products in the global ICT market
- Enhance Malaysia's reputation as a provider of ICT security assurance services globally
- Gain access to international markets for Malaysian ICT products
- Enhance the security of Malaysian information infrastructure
- Enhance the security of Malaysian ICT products
MyCC Scheme Process Overview
[Process diagram of the Malaysian Common Criteria Evaluation and Certification (MyCC) Scheme. The Sponsor/Developer provides the Target of Evaluation (TOE) or Protection Profile (PP); the Consumer receives the Certified TOE or Certified PP.]
Malaysian Common Criteria Certification Body (MyCB), phases Accept, Oversight and Certify:
- Accept/Reject Application
- Publish Evaluation Details
- Conduct Technical Review
- Attend Testing & Site Visit
- Review Technical Report
- Develop Certification Report
Malaysian Security Evaluation Facility (MySEF), phases Plan, Execute and Close:
- Review Inputs
- Submit Application
- Evaluate Evidence
- Submit to Technical Review
- Submit Technical Report
- Closedown
MyCC Scheme Publications
- Strategy
- Policy: MyCC Scheme Policy (MyCC_P1)
- Manuals:
  - MyCC Scheme Certified Products Register (MyCC_P2)
  - MyCC Scheme Evaluation Facility Manual (MyCC_P3)
  - MyCC Scheme Customer Manual (MyCC_P4)
  - MyCC Scheme Certification Manual (MyCC_P5)
- Procedures
Publicly available documents at www.cybersecurity.my/mycc
International Market
As of 21 July 2010, there are 1,265 CC certified products and systems in the world. These products are certified by 14 CCRA Authorising countries and recognised globally, in particular by the 26 CCRA countries. The types of products being certified are:
- Access control devices and systems
- Boundary protection devices and systems
- Databases
- ICs, smart cards and smart card related devices and systems
- Network and network related devices and systems
- Biometric systems and devices
- Data protection
- Detection devices and systems
- Key management systems
- Operating systems
- Products for digital signatures
- Other devices and systems
- Trusted computing
Reference: www.commoncriteriaportal.org
International Market
Findings from the benchmarking of the schemes:
- The US Government mandated the use of CC certified products for government agencies. Policies and instructions related to the use of CC certified products can be found on their web site (http://www.niap-ccevs.org/).
- The Australian and New Zealand Governments also established ACSI 33 and NZSIT 400, the Australia and New Zealand ICT Security Policies, which provide policies and guidance to government agencies on how to protect their ICT systems, including guidance on ICT product selection. CC certified ICT products are the preferred choice for securing government information because of the added assurance that security evaluation provides.
Local Market
The Malaysian Government is encouraging local ICT products to be evaluated and certified:
- Development of a policy to buy Malaysian ICT security products or solutions for the CNII. This policy encourages the use of certified ICT security products.
- Security evaluation and certification financial assistance for local ICT developers.
MyCC Scheme Implementation Plan
Implementation will occur in three phases spanning five years and beyond (Aug-Dec 07 through Jan-Dec 2014, across the 9th and 10th Malaysian Plans):
1. Development: ends with CCRA certificate authorising acceptance
2. Growth: ends with the establishment of at least one MySEF external to CyberSecurity Malaysia
3. Maturity: a sufficient range of certified products and several licensed MySEFs operating such that a policy mandate is possible
[Timeline figure; the phases overlap because of a possible early increase in the number of labs.]
MyCC Scheme Objective
[Diagram of the MyCC Scheme]
- MyCB (Malaysian Common Criteria Certification Body): certifying ICT products against the CC standard using the CC Evaluation Methodology (CEM)
- MySEFs (Malaysian Security Evaluation Facilities): ICT product security evaluation against the CC standard using the CC Evaluation Methodology (CEM)
- Objective: CCRA Certificate Authorising Participant
Security Evaluation and Certification Project (1)
To become a CCRA Authorising member, we need to evaluate and certify 2 ICT products, at least 1 at EAL3 and 1 at EAL4. This is called the Trial Evaluation and Certification. There are 3 ICT products in evaluation:
- Firewall (EAL3)
- Single sign-on application (EAL4)
- Smartcard OS (EAL4+)
Security Evaluation and Certification Project (2)
To stimulate the Malaysian economy, the Malaysian Government has accepted CyberSecurity Malaysia's proposal on ICT product security evaluation and certification. The implementation period of Malaysia's 2nd Economic Stimulus Package is 2 years (2009-2010). Under this project, the MyCC Scheme has to evaluate and certify local ICT products at EAL1 and EAL2.
Security Evaluation and Certification Project (2)
Status of 2nd Economic Stimulus Package projects, as of July 2010:

  Stage                                                              No. of Products
  Registered financial assistance application                        103
  Selected for pitching                                              44
  Successful financial assistance application                        27
  Products in acceptance phase (evaluation application review by MyCB)  13
  Products accepted by MyCC Scheme and evaluation kicked off         5
CCRA Certificate Authorising Participant
Malaysia submitted its application for CCRA Certificate Authorising membership in Dec 2009. The application was accepted by the CCRA in March 2010. A Shadow Certification assessment of the MyCC Scheme by CCRA members is planned for Oct 2010.
Corporate Office: CyberSecurity Malaysia, Level 8, Block A, Mines Waterfront Business Park, No 3 Jalan Tasik, The Mines Resort City, 43300 Seri Kembangan, Selangor Darul Ehsan, Malaysia.
T +603 8946 0999  F +603 8946 0888  www.cybersecurity.my