Information Security News mailing list archives

Orange Book is Dead


From: Marjorie Simmons <lawyer () carpereslegalis com>
Date: Mon, 22 Jan 2001 08:20:05 -0500

(excerpt from January 18, 2001 issue of Security Wire Digest and Information
Security magazine)

The article concludes with the following piece of insight as to why
corporate America is paying about as much interest in the CC as it did to
the TCSEC:

'The fault doesn't lie within the CC; rather, it reflects the reality that
any attempt to both quantify and standardize present-day information
security is a digital violation of the Heisenberg uncertainty principle in
quantum mechanics. Just as the position and momentum of an electron can't be
measured simultaneously, neither can information security be both codified
and standardized. Unfortunately, infosec changes far too quickly to be
etched in stone. In this dynamic environment, it's only a matter of time
before we ask, "When shall we hold a wake for the Common Criteria?"'

========================
3. SECURITY PERSPECTIVES

THE ORANGE BOOK IS DEAD, LONG LIVE THE COMMON CRITERIA?
By Ben Rothke

A wake was held at the Computer Security Applications Conference in
December, but don't think it was a gloomy event, as music played and spirits
flowed. It was not for a person; rather, this send-off was for the Orange
Book, a security standard that was recently pronounced dead (though some
would argue it had been lifeless since conception).

The Orange Book, officially titled the Trusted Computer Standards Evaluation
Criteria (TCSEC), was the most noteworthy part of the Rainbow Series
(http://www.radium.ncsc.mil/tpep/library/rainbow) of security standards
developed by the U.S. Department of Defense in the early 1980s. It defined
seven security levels for trusted hardware, software and data components of
a system, namely:

1. Verified design, which demands the highest level.
2. Formal security verification methods to ensure that security controls can
protect classified and other sensitive information.
3. Mandatory protection, specifying that the Trusted Computer Base (TCB)
protection systems should be mandatory, not discretionary.
4. Discretionary protection, which applies to the TCB with optional object
(e.g. file, directory, devices) protection.
5. Minimal protection, reserved for systems that have been evaluated, but
have failed to meet the requirements for a higher evaluation class
(operating systems such as MS-DOS and Windows 95/98 fall into this
category).

The Orange Book's noble goal was to provide a level of measurement and
guidance in designing secure systems. So why did corporate America turn a
blind eye to it? Some of the reasons include:

--Information security standards are inherently difficult to create. Imagine
thousands of companies from scores of different sectors, all with different
needs, attempting to formulate a common security framework.

--It was designed for government installations, not corporate networks. The
security threats, vulnerabilities and requirements of the government and
military are radically different from those of corporate America.

--It's based on the 1973 Bell-LaPadula model, which was the first
mathematical model of a multilevel secure computer system. Such formal
systems simply don't scale well in corporate environments because they don't
really address many day-to-day security concerns outside the military
sphere. The most significant flaw is the omission of a solidly defined
initial secure state and problems with the concept of what exactly
constitutes a user.

--The Orange Book, expressly designed for standalone systems, was doomed by
the advent of client-server computing. With today's systems connecting users
to varied intranets, extranets and the Internet, a standalone host in
today's world offers a lot of security, but little functionality.

Seeing the deficiencies in the Rainbow Series (and the fact that most
government facilities failed to implement them), the DoD made several
attempts over the years to update the standards, but they never got beyond
an initial draft. At that point, the designers forgot W.C. Fields' adage "If
at first you don't succeed, quit. There's no use being a damn fool about
it." Ignoring this pearl of wisdom, the National Institute of Standards and
Technology (NIST) joined forces with their counterparts at the European
Commission (http://europa.eu.int/comm/index_en.htm) and entered into the
Common Criteria (CC) Initiative (http://www.commoncriteria.org) in 1993.

The CC is collectively an ISO, based on the European Information Technology
Security Evaluation Criteria. Officially started in 1993, the CC was
designed to bring security standardization efforts together into a single
international standard. Providing a general model of assessment by defining
general concepts and principles of security evaluation, it also presents
constructs for expressing IT security objectives, for selecting and defining
IT security requirements, and for writing high-level specifications for
products and systems. Despite all of the interest that the CC is garnering
in the government sector, corporate America is still ignoring it.

What does the CC offer that the Orange Book didn't? In truth, not
much--certainly nothing that is persuading corporate America to embrace it.
The CC, like the Orange Book, is heavy on generalities, but light on
specifics. If you want to know how to securely deploy H.323 applications on
a Cisco PIX, or how to configure a Microsoft proxy server to interoperate
with Check Point's FW-1, don't look to the CC.

. . . .

Marjorie Simmons, Esq.
lawyer () carpereslegalis com
http://www.carpereslegalis.com
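Added illustration, not part of Marjorie Simmons's message or Ben Rothke's article: a minimal Bell-LaPadula checker in Python for the model the article's third bullet criticises. The levels, subjects, objects and access requests are constructed for the example. It encodes the two BLP properties (no read up, no write down) as the only transition rule and then runs the same request sequence from two starting states, showing the "initial secure state" point: rule-preserving transitions keep a system secure only if the state they started from was secure, and they never repair a starting state that was not.

```python
# Added illustration of the Bell-LaPadula (BLP) rules referred to above.
# Not code from the article or from any TCSEC/CC document; the levels,
# subjects, objects and requests below are constructed for the example.

from dataclasses import dataclass

# Linear sensitivity levels, lowest to highest (constructed; full BLP uses a
# lattice of level x category set, omitted here).
LEVELS = {"UNCLASSIFIED": 0, "CONFIDENTIAL": 1, "SECRET": 2, "TOP SECRET": 3}


def dominates(a: str, b: str) -> bool:
    """True if level a is at least as high as level b."""
    return LEVELS[a] >= LEVELS[b]


@dataclass(frozen=True)
class State:
    clearance: dict                   # subject -> clearance level
    classification: dict              # object -> classification level
    access: frozenset = frozenset()   # current (subject, object, mode); mode is "r" or "w"


def violations(state: State) -> list:
    """Every current access that breaks a BLP property.

    Simple security property: a subject may read an object only if its
    clearance dominates the object's classification ("no read up").
    *-property: a subject may write an object only if the object's
    classification dominates the subject's clearance ("no write down").
    """
    bad = []
    for subj, obj, mode in sorted(state.access):
        s, o = state.clearance[subj], state.classification[obj]
        if mode == "r" and not dominates(s, o):
            bad.append((subj, obj, mode, "read up"))
        if mode == "w" and not dominates(o, s):
            bad.append((subj, obj, mode, "write down"))
    return bad


def is_secure(state: State) -> bool:
    return not violations(state)


def request(state: State, subj: str, obj: str, mode: str):
    """The only transition rule: grant the request if the new access would
    itself satisfy BLP, otherwise leave the state unchanged.
    Returns (new_state, granted)."""
    s, o = state.clearance[subj], state.classification[obj]
    allowed = dominates(s, o) if mode == "r" else dominates(o, s)
    if not allowed:
        return state, False
    return State(state.clearance, state.classification,
                 state.access | {(subj, obj, mode)}), True


def run(initial: State, requests):
    """Apply each request in turn. Returns (final_state, granted_flags,
    all_states_secure), where the last flag covers the initial state too."""
    state, granted, all_secure = initial, [], is_secure(initial)
    for subj, obj, mode in requests:
        state, ok = request(state, subj, obj, mode)
        granted.append(ok)
        all_secure = all_secure and is_secure(state)
    return state, granted, all_secure


# Constructed subjects and objects.
CLEARANCE = {"alice": "SECRET", "bob": "UNCLASSIFIED"}
CLASSIFICATION = {"plan.doc": "SECRET", "notice.txt": "UNCLASSIFIED"}

REQUESTS = [
    ("alice", "plan.doc", "r"),    # read at own level: granted
    ("alice", "notice.txt", "r"),  # read down: granted
    ("alice", "notice.txt", "w"),  # write down: refused by the *-property
    ("bob", "plan.doc", "r"),      # read up: refused by simple security
    ("bob", "plan.doc", "w"),      # write up (blind write): permitted by BLP
]

# Case 1: secure initial state with no accesses. Every reachable state is
# secure; this is the premise of the BLP basic security theorem.
GOOD_START = State(CLEARANCE, CLASSIFICATION)

# Case 2: the initial state already contains a read-up access. The transition
# rule never revokes it, so rule-preserving transitions do not make the system
# secure: without a defined secure initial state the theorem says nothing.
BAD_START = State(CLEARANCE, CLASSIFICATION,
                  frozenset({("bob", "plan.doc", "r")}))


if __name__ == "__main__":
    for name, start in (("secure start", GOOD_START), ("insecure start", BAD_START)):
        final, granted, secure = run(start, REQUESTS)
        print(name, "granted:", granted, "all states secure:", secure,
              "remaining violations:", violations(final))
```

Both runs grant and refuse exactly the same requests, which is the point: the access-control rule is identical, and only the starting state decides whether the system as a whole is secure.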

ISN is hosted by SecurityFocus.com