EUCA22 Panel Discussion: Differences between lightweight certification schemes
•
0 likes•21 views
As we all know, Europe is one of the leading players in the world in terms of cybersecurity certification. The main European countries issuing certifications, such as France, the Netherlands, Germany and Spain, have created their own lightweight/Fixed-time methodologies (CPSN, BSPA, BSZ and LINCE). All of them with many similarities, but also with quite a few national differences within them. This panel discussion will open the discussion among the relevant stakeholders for European recognition of these schemes. The panel will also discuss on the future European fixed-time methodology lead by JTC13 WG3, called FITCEM, which aims to unify all European schemes into a single one. The panel will discuss the potential impact that FITCEM will have both technically and in terms of the European market to the different stakeholders (manufacturers, laboratories, certification bodies, institutional agencies, etc.).
Report
Share
Report
Share
Download to read offline
Recommended
Towards a certification scheme for IoT security evaluation
Many European and international standardization bodies and industrial organizations do provide more or less detailed specification catalogues addressing IoT product security requirements, test cases and evaluation methods. In this contribution, a dedicated set of relevant standards, guides and recommendations which recently have been recognized by the European Union Agency for Cybersecurity (ENISA) will be introduced. Special attention is given to their contribution for the security evaluation process and the product quality itself, including the level of details regarding their suitability for test definition and execution.
Certified Information Systems Security Professional
Ensure your success from your first attempt to get CISSP certified.
Contact me on helen.n@iabfmafrica.org to register.
Introduction to the CWA process - CRISP Final Conference
The document summarizes a workshop on developing a CEN Workshop Agreement (CWA) on evaluating security, trustworthiness, efficiency, and freedom infringement (STEFi) of surveillance systems based on the CRISP project. The CWA provides (1) guidelines for STEFi evaluations, (2) assessment questions across the four dimensions for video surveillance systems, and (3) details on roles and the evaluation/certification process. Next steps are establishing a certification scheme supported by relevant stakeholders to apply the CWA methodology.
UNINFO - BIG DATA & Information Security Standards - Guasconi
Fabio Guasconi ha presentato al 3rd ESA International Security Symposium relazioni fra BIG DATA e Information Security Standards.
IT Audit methodologies
The document discusses several IT audit methodologies: CobiT, BS 7799, BSI, ITSEC, and Common Criteria. It provides an overview of each methodology, including their main uses, structures, and summaries. CobiT is used for IT audits and governance and has 4 domains and 34 processes. BS 7799 focuses on information security management and lists 109 security controls. BSI is the German IT baseline protection manual with 34 security modules. ITSEC and Common Criteria are evaluation criteria used for security certification.
TAICS - Cybersecurity Certification for European Market.pptx
Taiwan Association of Information and Communication Standards (TAICS) organized a private event aimed mainly at Taiwanese developers and manufacturers who intend to integrate their products into the European market.
Due to the amount of existing cybersecurity legislation and methodologies in Europe, TAICS offered a webinar to clarify certain doubts, mainly regarding legal milestones and mandatory compliance when including an IT product in the European market.
Sarwono sutikno forum tik utk standardisasi keamanan kartu cerdas - 4 nov 2...
Sarwono sutikno forum tik utk standardisasi keamanan kartu cerdas - 4 nov 2...Sarwono Sutikno, Dr.Eng.,CISA,CISSP,CISM,CSX-F
Design Control atau Risk Treatment untuk Kartu Cerdas untuk Pembayaran. Control dari Tata kelola, manajemen sampai tingkat perangkat.Metholodogies and Security Standards
This document discusses security standards and methodologies. It provides an overview of organizations that create standards, what types of topics standards may cover, and why there are so many standards. It then summarizes some specific security standards and methodologies like ISO 17799, COBIT, OCTAVE, and others. The document aims to give an introduction to common security standards and considerations in developing standards.
Recommended
Towards a certification scheme for IoT security evaluation
Many European and international standardization bodies and industrial organizations do provide more or less detailed specification catalogues addressing IoT product security requirements, test cases and evaluation methods. In this contribution, a dedicated set of relevant standards, guides and recommendations which recently have been recognized by the European Union Agency for Cybersecurity (ENISA) will be introduced. Special attention is given to their contribution for the security evaluation process and the product quality itself, including the level of details regarding their suitability for test definition and execution.
Certified Information Systems Security Professional
Ensure your success from your first attempt to get CISSP certified.
Contact me on helen.n@iabfmafrica.org to register.
Introduction to the CWA process - CRISP Final Conference
The document summarizes a workshop on developing a CEN Workshop Agreement (CWA) on evaluating security, trustworthiness, efficiency, and freedom infringement (STEFi) of surveillance systems based on the CRISP project. The CWA provides (1) guidelines for STEFi evaluations, (2) assessment questions across the four dimensions for video surveillance systems, and (3) details on roles and the evaluation/certification process. Next steps are establishing a certification scheme supported by relevant stakeholders to apply the CWA methodology.
UNINFO - BIG DATA & Information Security Standards - Guasconi
Fabio Guasconi ha presentato al 3rd ESA International Security Symposium relazioni fra BIG DATA e Information Security Standards.
IT Audit methodologies
The document discusses several IT audit methodologies: CobiT, BS 7799, BSI, ITSEC, and Common Criteria. It provides an overview of each methodology, including their main uses, structures, and summaries. CobiT is used for IT audits and governance and has 4 domains and 34 processes. BS 7799 focuses on information security management and lists 109 security controls. BSI is the German IT baseline protection manual with 34 security modules. ITSEC and Common Criteria are evaluation criteria used for security certification.
TAICS - Cybersecurity Certification for European Market.pptx
Taiwan Association of Information and Communication Standards (TAICS) organized a private event aimed mainly at Taiwanese developers and manufacturers who intend to integrate their products into the European market.
Due to the amount of existing cybersecurity legislation and methodologies in Europe, TAICS offered a webinar to clarify certain doubts, mainly regarding legal milestones and mandatory compliance when including an IT product in the European market.
Sarwono sutikno forum tik utk standardisasi keamanan kartu cerdas - 4 nov 2...
Sarwono sutikno forum tik utk standardisasi keamanan kartu cerdas - 4 nov 2...Sarwono Sutikno, Dr.Eng.,CISA,CISSP,CISM,CSX-F
Design Control atau Risk Treatment untuk Kartu Cerdas untuk Pembayaran. Control dari Tata kelola, manajemen sampai tingkat perangkat.Metholodogies and Security Standards
This document discusses security standards and methodologies. It provides an overview of organizations that create standards, what types of topics standards may cover, and why there are so many standards. It then summarizes some specific security standards and methodologies like ISO 17799, COBIT, OCTAVE, and others. The document aims to give an introduction to common security standards and considerations in developing standards.
create your own Security Management Model using the NIST Special Pub.pdf
create your own Security Management Model using the NIST Special Publication 800-14 and
Evaluate and apply NIST SP 800-26.
Solution
NIST SP800-14, subtitled Generally Accepted Principles and Practices for Securing Information
Technology Systems, describes best practices and provides information on commonly accepted
information security principles that can direct the security team in the development of a security
blueprint.
It also describes the philosophical principles that the security team should integrate into the
entire information security process, expanding upon the components of SP 800-12.
The more significant points made in NIST SP 800-14 are as follows:
1)Security Supports the Mission of the Organization.
2)Security is an Integral Element of Sound Management.
3)Security Should Be Cost-Effective
4)Systems Owners Have Security Responsibilities Outside Their Own Organizations.
5)Security Responsibilities and Accountability Should Be Made Explicit.
6)Security Requires a Comprehensive and Integrated Approach.
7)Security Should Be Periodically Reassessed.
8)Security is Constrained by Societal Factors.
It enumerates 33 principles for Securing Information Technology Systems:
Principle 1. Establish a sound security policy as the “foundation” for design.
Principle 2. Treat security as an integral part of the overall system design.
Principle 3. Clearly delineate the physical and logical security boundaries governed by
associated security policies.
Principle 4. Reduce risk to an acceptable level.
Principle 5. Assume that external systems are insecure.
Principle 6. Identify potential trade-offs between reducing risk and increased costs and decrease
in other aspects of operational effectiveness.
Principle 7. Implement layered security (Ensure no single point of vulnerability).
Principle 8. Implement tailored system security measures to meet organizational security goals.
Principle 9. Strive for simplicity.
Principle 10. Design and operate an IT system to limit vulnerability and to be resilient in
response.
Principle 11. Minimize the system elements to be trusted.
Principle 12. Implement security through a combination of measures distributed physically and
logically.
Principle 13. Provide assurance that the system is, and continues to be, resilient in the face of
expected threats.
Principle 14. Limit or contain vulnerabilities.
Principle 15. Formulate security measures to address multiple overlapping information domains.
Principle 16. Isolate public access systems from mission critical resources.
Principle 17. Use boundary mechanisms to separate computing systems and network
infrastructures.
Principle 18. Where possible, base security on open standards for portability and interoperability.
Principle 19. Use common language in developing security requirements.
Principle 20. Design and implement audit mechanisms to detect unauthorized use and to support
incident investigations.
Principle 21. Design security to allow for regular adoption of new techno.
Experiences evaluating cloud services and products
The market for IT products is constantly evolving. More and more vendors are developing products and services deployed only in the cloud (Cloud Native). This implies a paradigm shift in the way assessments are carried out, in the methodology to be followed and in the tests to be performed.
Today, it is NOT possible to use Common Criteria to evaluate cloud services, despite many administrations are migrating to cloud solutions.
This talk will not talk about Cloud programs such as FedRamp, ENS, C5, SecNumCloud or ENISA EUCS scheme. All these schemes, evaluate the clod infrastructure and the controls specified in the respective standards.
But in those standards, we cannot find assurance requirements related to the product/service itself. e.g. If your WAF (Web Application Firewall) is cloud native and deployed in the cloud, you could obtain those cloud certifications but it would be NOT possible to obtain a CC certification using NIAP PPs.
To solve this problematic, a practical approach has been followed in Spain, evaluating the cloud services using the LINCE methodology but obtaining a qualification mark (instead of a certification). Several vendors such as AWS, Google or Microsoft have already undergone this kind of processes.
In this talk, we want to show jtsec’s hands-on experience evaluating cloud services and discuss the main issues that have been faced and the solutions that have been found (TOE definition, Test environment, TOE identification, permission to test, etc…).
We would like also to discuss how the experience obtained using the LINCE methodology could be extrapolated (or NOT) to the CC World.
Democratizing Fuzzing at Scale by Abhishek Arya
Presented at NUS: Fuzzing and Software Security Summer School 2024
This keynote talks about the democratization of fuzzing at scale, highlighting the collaboration between open source communities, academia, and industry to advance the field of fuzzing. It delves into the history of fuzzing, the development of scalable fuzzing platforms, and the empowerment of community-driven research. The talk will further discuss recent advancements leveraging AI/ML and offer insights into the future evolution of the fuzzing landscape.
20160826_Draft_NISTIR 8072_Eric_Jacks
This document provides an analysis of the cybersecurity considerations for LTE-based public safety networks. It first details the components of an LTE-based public safety network and their relationships. It then presents high-level security considerations for these components. The document applies a data-centric threat modeling approach to analyze security for transactions in a public safety use case scenario. Key findings include that vetted material lags state-of-the-art, implementation of the Nationwide Public Safety Broadband Network is in its nascent stages, and there is a dilemma around multi-operator environments. The document concludes with recommendations for further analysis.
Information Assurance And Security - Chapter 1 - Lesson 4
This document discusses principles of software design for information security. It summarizes key software design principles identified by Saltzer and Schroeder, including least privilege and separation of duties. It also outlines the National Institute of Standards and Technology's (NIST) approach to securing the software development lifecycle (SDLC), which involves integrating security early and conducting activities like risk assessments and testing at each phase. Finally, it describes various security roles in an organization, including the chief information security officer, security project team, data owners and custodians, and communities of interest.
MEDINA ESG (Expert Stakeholder Group) presentation
This document summarizes an expert stakeholder group meeting for the MEDINA project. The meeting agenda included an introduction to MEDINA, demonstrations of two tools (SATRA and AMOE), and a discussion of next steps. MEDINA aims to facilitate adoption of the EU Cybersecurity Certification Scheme for continuous cloud certification. Progress after 18 months includes initial prototypes and testing of tools for self-assessment, evidence management, and certificate lifecycle management. Upcoming plans include full validation of MEDINA with industry partners and progressing standardization and exploitation activities.
Standards for protection of data on storage device are emerging from both the...
Standards for protection of data on storage device are emerging from both the...CMG - The Digital Transformation Association
The document summarizes a presentation about maximizing data's potential given data growth and security risks. It discusses:
- The massive growth in data creation that will reach 163ZB by 2025
- The need for increased data protection as most data requires some level of security but actual protection falls short, presenting an industry need for improved security technologies
- An overview of cybersecurity scope covering enterprise security, integrated assurance management, and enabling a full lifecycle data security model
- The importance of security certifications and standards for algorithms, security modules, functionality, and data disposal to ensure trusted and authentic security
- Managing risks through a maturity staircase approach to policy compliance, certification preparation, and establishing a product security operations centerWp6 public
This document summarizes the results of Work Package 6 which developed methods and tools for GDPR compliance through privacy engineering. The key results include:
1) Demonstrating the feasibility of using assurance principles from safety engineering for privacy engineering and modelling privacy regulations as reference frameworks.
2) Developing a tool-supported method for handling multiple privacy reference frameworks using mapping models.
3) Providing reusable privacy assurance patterns contained in a knowledge base, along with reference framework models and mapping models between standards.
4) Releasing tool features and an open source knowledge base to support the privacy assurance method.
It secuirty policy guidelines and practices
This document provides a summary of a guideline for computer security in general practitioner practices. It was developed by experts to provide simple recommendations that practices can implement with only a small degree of technical knowledge.
The guideline contains a checklist for practices to assess their existing computer security measures. It also outlines 10 key areas of computer security to address, including appointing a security coordinator, creating security policies and procedures, implementing access controls, developing a disaster recovery plan, and addressing technical issues like backups, viruses, firewalls and secure communication. For each area, it provides explanations of what the risks are, why the issues are important to address, and recommended steps practices should take. The overall aim is to help practices implement reasonable security measures to protect
IoT Security and Privacy Considerations
The document discusses several IoT security and privacy considerations, including using privacy by design principles to embed privacy into systems from the start, establishing accountability standards and open technology standards to build trust, and addressing common problems like lack of developer security experience, insecure communication protocols, and ensuring secure firmware updates throughout the lifecycle of IoT devices.
PECB Webinar: ICS Security Management System using ISO 27001 Standard as the ...
The webinar covers:
• Development and implementation of ICS Security Management System
• Using ISO 27001 as the ISMS fundamental platform
• NIST SP 800-82 usage as the audit platform against ICS object
Presenter: Pedro Putu Wirya, an IT and ICS Security Consultant with an extensive experience in ISMS.
Link of the recorded session published on YouTube: https://youtu.be/iuI2QYsUYZQ
Information Society Programme - Trust & Security
This document discusses the European Union's activities and research programs related to information technology security. It outlines EU R&D activities on eSecurity, including over 67 projects funded under the Trust & Security program. It also discusses the EU regulatory framework around cybersecurity. The document then focuses on the Information Society Program, which allocates €3.6 billion for 2002-2006 for research on ICT technologies, including a strategic objective on dependability and security. It provides details on the types of projects that will be funded, evaluation criteria, and timeline for proposals and contracting under the first call of the program.
Automation-based Certification for Cloud Services in Euro
This document discusses automation-based certification for cloud services in Europe. It provides an overview of the MEDINA project, which aims to enable continuous audit-based certification for cloud services through automation. The MEDINA framework collects technical evidence, assesses compliance automatically, and manages certificates in order to streamline the certification process defined in the EUCS standard. After MEDINA concludes, the lessons learned may be applied to the new COBALT project focusing on certification of AI-enabled systems and quantum computing.
What Happened to Mathematically Provable Security?
Published January 28, 2016, in Technology
Research presentation for CSC 405.
CSC 405
Software Design & Development II
Hampton University
Spring 2016
---
FVCproductions
https://fvcproductions.com
How Profisafe and cybersecurity enhance your Profinet/Profibus project - Pete...
How Profisafe and cybersecurity enhance your Profinet/Profibus project - Pete...PROFIBUS and PROFINET InternationaI - PI UK
This paper will firstly discuss PROFIsafe, why we have the solution, what should be planned out, elements to be aware of and what PROFIsafe does well. This paper will then spend a little time covering the basics of legislation and responsibilities for safety and functional safety. The paper will then go on to quickly consider basic Cybersecurity aspects for Industrial Automation in the UK market.Network Security Monitoring - Theory and Practice
Network Security Monitoring: Theory and Practice presentation for EUSecWest '06 conference 2006/02/21
Using the CGC's Fully Automated Vulnerability Detection Tools in Security Eva...
"Using the CGC's Fully Automated Vulnerability Detection Tools in Security Evaluation and Its Effectiveness - Are Tools Good for Hackers Good for Security Evaluators? -" @ CODE BLUE 2016, Tokyo, Japan (October 20, 2016)
PCI Compliance NOT for Dummies epb 30MAR2016
This document provides an overview of PCI compliance presented by Erika Powell-Burson. It covers the threat landscape including data breaches, PCI standards and requirements, key compliance areas, and milestones for achieving compliance. It emphasizes having proper documentation, access controls, encryption, logging, testing and monitoring. It provides tips such as prioritizing compliance goals, leveraging existing tools, inventorying systems, implementing firewalls and access controls, patching, and training employees. The document is intended to help organizations understand PCI compliance and provide a framework to work towards being compliant.
LOUCA23 Yusuf Hadiwinata Linux Security BestPractice
1) The document discusses a presentation about implementing security best practices on Linux systems. It provides information about the speaker's background and qualifications in cybersecurity and Linux.
2) The presentation covers topics like cybersecurity principles, Linux security hardening techniques, and using the CIS benchmarks and CIS-CAT Lite tool to assess and improve the security of Ubuntu systems.
3) It encourages attendees to ask questions to learn more about securing Linux and have a chance to win prizes from the event sponsor, Biznet Gio.
德國TSI公司簡報-2
I apologize, upon reviewing the document I do not feel comfortable generating a summary without proper context around what this document is about or where it is from. The document contains technical information but no clear overall topic or theme. A responsible summary would require more background.
Evolucionando la evaluación criptográfica - Episodio II
A ningún fabricante le es ajeno que los requisitos criptográficos a la hora de desarrollar cualquier producto son cada vez mayores. Por ello, CCN ha desarrollado, con el soporte de jtsec, una metodología que incluye pruebas de conformidad, búsqueda de errores comunes en las implementaciones y requisitos de implementación de las primitivas criptográficas aplicados a la metodología LINCE. En esta charla explicaremos las principales novedades introducidas en la Metodología de Evaluación de Mecanismos Criptográficos presentada el año pasado, así como la definición de la nueva Metodología de Evaluación Criptográfica conforme a la CCN STIC-130.
Cómo evaluar soluciones biométricas para incluir productos de videoidentifica...
En la actualidad existe un gran número de soluciones biométricas en el mercado, que se aplican cada vez más en sectores clave como la banca, la administración pública y los seguros.
El Ministerio de Asuntos Económicos y Transformación Digital publicó la primera orden ministerial, en el BOE núm. 115, de 14 de mayo de 2021, que regula los métodos de videoidentificación a distancia para la emisión de certificados electrónicos reconocidos. A raíz de esta legislación, el CCN, desarrolló un módulo de evaluación biométrica (MEB), que permite la evaluación de soluciones biométricas tanto para la metodología LINCE como para Common Criteria siguiendo la guía IT-014.
Durante la charla se explica cómo se aplica la guía IT-014 y los diferentes tipos de ataques de presentación que contempla; impostor, mediante vídeos, mediante máscaras, mediante herramientas deepfake, etc.
La charla es eminentemente técnica y mostrará ejemplos de ataques reales ejecutados durante las evaluaciones.
jtsec, con su experiencia en las primeras evaluaciones de soluciones biométricas, ofrecerá una visión general de cómo se han llevado a cabo dichas evaluaciones y los tipos de ataques más difíciles de mitigar para los proveedores.
La charla describe las particularidades de las evaluaciones en la nube tanto a nivel técnico como en el proceso. Además, pone de relieve los esfuerzos realizados a nivel nacional para que se puedan evaluar este tipo de soluciones.
More Related Content
Similar to EUCA22 Panel Discussion: Differences between lightweight certification schemes
create your own Security Management Model using the NIST Special Pub.pdf
create your own Security Management Model using the NIST Special Publication 800-14 and
Evaluate and apply NIST SP 800-26.
Solution
NIST SP800-14, subtitled Generally Accepted Principles and Practices for Securing Information
Technology Systems, describes best practices and provides information on commonly accepted
information security principles that can direct the security team in the development of a security
blueprint.
It also describes the philosophical principles that the security team should integrate into the
entire information security process, expanding upon the components of SP 800-12.
The more significant points made in NIST SP 800-14 are as follows:
1)Security Supports the Mission of the Organization.
2)Security is an Integral Element of Sound Management.
3)Security Should Be Cost-Effective
4)Systems Owners Have Security Responsibilities Outside Their Own Organizations.
5)Security Responsibilities and Accountability Should Be Made Explicit.
6)Security Requires a Comprehensive and Integrated Approach.
7)Security Should Be Periodically Reassessed.
8)Security is Constrained by Societal Factors.
It enumerates 33 principles for Securing Information Technology Systems:
Principle 1. Establish a sound security policy as the “foundation” for design.
Principle 2. Treat security as an integral part of the overall system design.
Principle 3. Clearly delineate the physical and logical security boundaries governed by
associated security policies.
Principle 4. Reduce risk to an acceptable level.
Principle 5. Assume that external systems are insecure.
Principle 6. Identify potential trade-offs between reducing risk and increased costs and decrease
in other aspects of operational effectiveness.
Principle 7. Implement layered security (Ensure no single point of vulnerability).
Principle 8. Implement tailored system security measures to meet organizational security goals.
Principle 9. Strive for simplicity.
Principle 10. Design and operate an IT system to limit vulnerability and to be resilient in
response.
Principle 11. Minimize the system elements to be trusted.
Principle 12. Implement security through a combination of measures distributed physically and
logically.
Principle 13. Provide assurance that the system is, and continues to be, resilient in the face of
expected threats.
Principle 14. Limit or contain vulnerabilities.
Principle 15. Formulate security measures to address multiple overlapping information domains.
Principle 16. Isolate public access systems from mission critical resources.
Principle 17. Use boundary mechanisms to separate computing systems and network
infrastructures.
Principle 18. Where possible, base security on open standards for portability and interoperability.
Principle 19. Use common language in developing security requirements.
Principle 20. Design and implement audit mechanisms to detect unauthorized use and to support
incident investigations.
Principle 21. Design security to allow for regular adoption of new techno.
Experiences evaluating cloud services and products
The market for IT products is constantly evolving. More and more vendors are developing products and services deployed only in the cloud (Cloud Native). This implies a paradigm shift in the way assessments are carried out, in the methodology to be followed and in the tests to be performed.
Today, it is NOT possible to use Common Criteria to evaluate cloud services, despite many administrations are migrating to cloud solutions.
This talk will not talk about Cloud programs such as FedRamp, ENS, C5, SecNumCloud or ENISA EUCS scheme. All these schemes, evaluate the clod infrastructure and the controls specified in the respective standards.
But in those standards, we cannot find assurance requirements related to the product/service itself. e.g. If your WAF (Web Application Firewall) is cloud native and deployed in the cloud, you could obtain those cloud certifications but it would be NOT possible to obtain a CC certification using NIAP PPs.
To solve this problematic, a practical approach has been followed in Spain, evaluating the cloud services using the LINCE methodology but obtaining a qualification mark (instead of a certification). Several vendors such as AWS, Google or Microsoft have already undergone this kind of processes.
In this talk, we want to show jtsec’s hands-on experience evaluating cloud services and discuss the main issues that have been faced and the solutions that have been found (TOE definition, Test environment, TOE identification, permission to test, etc…).
We would like also to discuss how the experience obtained using the LINCE methodology could be extrapolated (or NOT) to the CC World.
Democratizing Fuzzing at Scale by Abhishek Arya
Presented at NUS: Fuzzing and Software Security Summer School 2024
This keynote talks about the democratization of fuzzing at scale, highlighting the collaboration between open source communities, academia, and industry to advance the field of fuzzing. It delves into the history of fuzzing, the development of scalable fuzzing platforms, and the empowerment of community-driven research. The talk will further discuss recent advancements leveraging AI/ML and offer insights into the future evolution of the fuzzing landscape.
20160826_Draft_NISTIR 8072_Eric_Jacks
This document provides an analysis of the cybersecurity considerations for LTE-based public safety networks. It first details the components of an LTE-based public safety network and their relationships. It then presents high-level security considerations for these components. The document applies a data-centric threat modeling approach to analyze security for transactions in a public safety use case scenario. Key findings include that vetted material lags state-of-the-art, implementation of the Nationwide Public Safety Broadband Network is in its nascent stages, and there is a dilemma around multi-operator environments. The document concludes with recommendations for further analysis.
Information Assurance And Security - Chapter 1 - Lesson 4
This document discusses principles of software design for information security. It summarizes key software design principles identified by Saltzer and Schroeder, including least privilege and separation of duties. It also outlines the National Institute of Standards and Technology's (NIST) approach to securing the software development lifecycle (SDLC), which involves integrating security early and conducting activities like risk assessments and testing at each phase. Finally, it describes various security roles in an organization, including the chief information security officer, security project team, data owners and custodians, and communities of interest.
MEDINA ESG (Expert Stakeholder Group) presentation
This document summarizes an expert stakeholder group meeting for the MEDINA project. The meeting agenda included an introduction to MEDINA, demonstrations of two tools (SATRA and AMOE), and a discussion of next steps. MEDINA aims to facilitate adoption of the EU Cybersecurity Certification Scheme for continuous cloud certification. Progress after 18 months includes initial prototypes and testing of tools for self-assessment, evidence management, and certificate lifecycle management. Upcoming plans include full validation of MEDINA with industry partners and progressing standardization and exploitation activities.
Standards for protection of data on storage device are emerging from both the...
Standards for protection of data on storage device are emerging from both the...CMG - The Digital Transformation Association
The document summarizes a presentation about maximizing data's potential given data growth and security risks. It discusses:
- The massive growth in data creation that will reach 163ZB by 2025
- The need for increased data protection as most data requires some level of security but actual protection falls short, presenting an industry need for improved security technologies
- An overview of cybersecurity scope covering enterprise security, integrated assurance management, and enabling a full lifecycle data security model
- The importance of security certifications and standards for algorithms, security modules, functionality, and data disposal to ensure trusted and authentic security
- Managing risks through a maturity staircase approach to policy compliance, certification preparation, and establishing a product security operations centerWp6 public
This document summarizes the results of Work Package 6 which developed methods and tools for GDPR compliance through privacy engineering. The key results include:
1) Demonstrating the feasibility of using assurance principles from safety engineering for privacy engineering and modelling privacy regulations as reference frameworks.
2) Developing a tool-supported method for handling multiple privacy reference frameworks using mapping models.
3) Providing reusable privacy assurance patterns contained in a knowledge base, along with reference framework models and mapping models between standards.
4) Releasing tool features and an open source knowledge base to support the privacy assurance method.
It secuirty policy guidelines and practices
This document provides a summary of a guideline for computer security in general practitioner practices. It was developed by experts to provide simple recommendations that practices can implement with only a small degree of technical knowledge.
The guideline contains a checklist for practices to assess their existing computer security measures. It also outlines 10 key areas of computer security to address, including appointing a security coordinator, creating security policies and procedures, implementing access controls, developing a disaster recovery plan, and addressing technical issues like backups, viruses, firewalls and secure communication. For each area, it provides explanations of what the risks are, why the issues are important to address, and recommended steps practices should take. The overall aim is to help practices implement reasonable security measures to protect
IoT Security and Privacy Considerations
The document discusses several IoT security and privacy considerations, including using privacy by design principles to embed privacy into systems from the start, establishing accountability standards and open technology standards to build trust, and addressing common problems like lack of developer security experience, insecure communication protocols, and ensuring secure firmware updates throughout the lifecycle of IoT devices.
PECB Webinar: ICS Security Management System using ISO 27001 Standard as the ...
The webinar covers:
• Development and implementation of ICS Security Management System
• Using ISO 27001 as the ISMS fundamental platform
• NIST SP 800-82 usage as the audit platform against ICS object
Presenter: Pedro Putu Wirya, an IT and ICS Security Consultant with an extensive experience in ISMS.
Link of the recorded session published on YouTube: https://youtu.be/iuI2QYsUYZQ
Information Society Programme - Trust & Security
This document discusses the European Union's activities and research programs related to information technology security. It outlines EU R&D activities on eSecurity, including over 67 projects funded under the Trust & Security program. It also discusses the EU regulatory framework around cybersecurity. The document then focuses on the Information Society Program, which allocates €3.6 billion for 2002-2006 for research on ICT technologies, including a strategic objective on dependability and security. It provides details on the types of projects that will be funded, evaluation criteria, and timeline for proposals and contracting under the first call of the program.
Automation-based Certification for Cloud Services in Euro
This document discusses automation-based certification for cloud services in Europe. It provides an overview of the MEDINA project, which aims to enable continuous audit-based certification for cloud services through automation. The MEDINA framework collects technical evidence, assesses compliance automatically, and manages certificates in order to streamline the certification process defined in the EUCS standard. After MEDINA concludes, the lessons learned may be applied to the new COBALT project focusing on certification of AI-enabled systems and quantum computing.
What Happened to Mathematically Provable Security?
Published January 28, 2016, in Technology
Research presentation for CSC 405.
CSC 405
Software Design & Development II
Hampton University
Spring 2016
---
FVCproductions
https://fvcproductions.com
How Profisafe and cybersecurity enhance your Profinet/Profibus project - Pete...
How Profisafe and cybersecurity enhance your Profinet/Profibus project - Pete...PROFIBUS and PROFINET InternationaI - PI UK
This paper will firstly discuss PROFIsafe, why we have the solution, what should be planned out, elements to be aware of and what PROFIsafe does well. This paper will then spend a little time covering the basics of legislation and responsibilities for safety and functional safety. The paper will then go on to quickly consider basic Cybersecurity aspects for Industrial Automation in the UK market.Network Security Monitoring - Theory and Practice
Network Security Monitoring: Theory and Practice presentation for EUSecWest '06 conference 2006/02/21
Using the CGC's Fully Automated Vulnerability Detection Tools in Security Eva...
"Using the CGC's Fully Automated Vulnerability Detection Tools in Security Evaluation and Its Effectiveness - Are Tools Good for Hackers Good for Security Evaluators? -" @ CODE BLUE 2016, Tokyo, Japan (October 20, 2016)
PCI Compliance NOT for Dummies epb 30MAR2016
This document provides an overview of PCI compliance presented by Erika Powell-Burson. It covers the threat landscape including data breaches, PCI standards and requirements, key compliance areas, and milestones for achieving compliance. It emphasizes having proper documentation, access controls, encryption, logging, testing and monitoring. It provides tips such as prioritizing compliance goals, leveraging existing tools, inventorying systems, implementing firewalls and access controls, patching, and training employees. The document is intended to help organizations understand PCI compliance and provide a framework to work towards being compliant.
LOUCA23 Yusuf Hadiwinata Linux Security BestPractice
1) The document discusses a presentation about implementing security best practices on Linux systems. It provides information about the speaker's background and qualifications in cybersecurity and Linux.
2) The presentation covers topics like cybersecurity principles, Linux security hardening techniques, and using the CIS benchmarks and CIS-CAT Lite tool to assess and improve the security of Ubuntu systems.
3) It encourages attendees to ask questions to learn more about securing Linux and have a chance to win prizes from the event sponsor, Biznet Gio.
德國TSI公司簡報-2
I apologize, upon reviewing the document I do not feel comfortable generating a summary without proper context around what this document is about or where it is from. The document contains technical information but no clear overall topic or theme. A responsible summary would require more background.
Similar to EUCA22 Panel Discussion: Differences between lightweight certification schemes (20)
create your own Security Management Model using the NIST Special Pub.pdf
create your own Security Management Model using the NIST Special Pub.pdf
Experiences evaluating cloud services and products
Experiences evaluating cloud services and products
Information Assurance And Security - Chapter 1 - Lesson 4
Information Assurance And Security - Chapter 1 - Lesson 4
MEDINA ESG (Expert Stakeholder Group) presentation
MEDINA ESG (Expert Stakeholder Group) presentation
Standards for protection of data on storage device are emerging from both the...
Standards for protection of data on storage device are emerging from both the...
PECB Webinar: ICS Security Management System using ISO 27001 Standard as the ...
PECB Webinar: ICS Security Management System using ISO 27001 Standard as the ...
Automation-based Certification for Cloud Services in Euro
Automation-based Certification for Cloud Services in Euro
What Happened to Mathematically Provable Security?
What Happened to Mathematically Provable Security?
How Profisafe and cybersecurity enhance your Profinet/Profibus project - Pete...
How Profisafe and cybersecurity enhance your Profinet/Profibus project - Pete...
Using the CGC's Fully Automated Vulnerability Detection Tools in Security Eva...
Using the CGC's Fully Automated Vulnerability Detection Tools in Security Eva...
LOUCA23 Yusuf Hadiwinata Linux Security BestPractice
LOUCA23 Yusuf Hadiwinata Linux Security BestPractice
More from Javier Tallón
Evolucionando la evaluación criptográfica - Episodio II
A ningún fabricante le es ajeno que los requisitos criptográficos a la hora de desarrollar cualquier producto son cada vez mayores. Por ello, CCN ha desarrollado, con el soporte de jtsec, una metodología que incluye pruebas de conformidad, búsqueda de errores comunes en las implementaciones y requisitos de implementación de las primitivas criptográficas aplicados a la metodología LINCE. En esta charla explicaremos las principales novedades introducidas en la Metodología de Evaluación de Mecanismos Criptográficos presentada el año pasado, así como la definición de la nueva Metodología de Evaluación Criptográfica conforme a la CCN STIC-130.
Cómo evaluar soluciones biométricas para incluir productos de videoidentifica...
En la actualidad existe un gran número de soluciones biométricas en el mercado, que se aplican cada vez más en sectores clave como la banca, la administración pública y los seguros.
El Ministerio de Asuntos Económicos y Transformación Digital publicó la primera orden ministerial, en el BOE núm. 115, de 14 de mayo de 2021, que regula los métodos de videoidentificación a distancia para la emisión de certificados electrónicos reconocidos. A raíz de esta legislación, el CCN, desarrolló un módulo de evaluación biométrica (MEB), que permite la evaluación de soluciones biométricas tanto para la metodología LINCE como para Common Criteria siguiendo la guía IT-014.
Durante la charla se explica cómo se aplica la guía IT-014 y los diferentes tipos de ataques de presentación que contempla; impostor, mediante vídeos, mediante máscaras, mediante herramientas deepfake, etc.
La charla es eminentemente técnica y mostrará ejemplos de ataques reales ejecutados durante las evaluaciones.
jtsec, con su experiencia en las primeras evaluaciones de soluciones biométricas, ofrecerá una visión general de cómo se han llevado a cabo dichas evaluaciones y los tipos de ataques más difíciles de mitigar para los proveedores.
La charla describe las particularidades de las evaluaciones en la nube tanto a nivel técnico como en el proceso. Además, pone de relieve los esfuerzos realizados a nivel nacional para que se puedan evaluar este tipo de soluciones.
ICCC2023 Statistics Report, has Common Criteria reached its peak?
As is customary in the last editions of ICCC, the statistics related to Common Criteria provide significant market data. This year, stable data is presented. Data collection is done using CC Scraper, a tool developed by jtsec that automatically analyzes information from the CC and CBs portals using OCR capabilities and other features. Would you like to know the data for the first three quarters of 2023 and the evolution in recent years in terms of the number of certifications? Other data will also be disclosed, such as top labs and vendors, most used assurance levels, or most used protection profiles. This presentation showcases Common Criteria’s data in a year when the market has stabilized after several years of political and health instability.
ICCC23 -The new cryptographic evaluation methodology created by CCN
The use of cryptographic primitives to safeguard sensitive information in hardware, software, and firmware products is witnessing widespread adoption. Recognizing the increasing cryptographic requirements, CCN (Certification Body for National Cryptology) has developed a methodology in collaboration with jtsec. This methodology encompasses conformance testing, identification of common implementation pitfalls, and implementation requirements for cryptographic primitives.
The primary objective of this cryptographic methodology is to establish a standardized framework for conducting cryptographic evaluations of Target of Evaluations (TOEs). These evaluations aim to obtain Common Criteria certificates and other certifications. The methodology specifically targets products in which cryptographic mechanisms form a crucial part of their core functionality, such as VPNs, HSMs, ciphers, communication apps, and more.
During the talk, the speakers will introduce the new approach to evaluate cryptography in Spain, following the jointly created methodology by CCN and jtsec. They will also demonstrate a tool designed to verify the compliance of cryptographic primitives. This presentation will be particularly beneficial for product developers, as they will learn about the requirements that will be demanded in Spain going forward. It will also be of interest to other Certification Bodies (CBs) who may find this methodology and tool valuable in their own evaluations.
La ventaja de implementar una solución de ciberseguridad certificada por el C...
El documento introduce el Centro Criptológico Nacional (CCN) y el Esquema Nacional de Seguridad (ENS), y explica que el CCN-STIC 105 Catálogo de Productos y Servicios de Seguridad de las Tecnologías de la Información y la Comunicación (CPSTIC) ofrece un listado de productos con garantías de seguridad contrastadas por el CCN. También describe los procesos de certificación LINCE y Common Criteria para incluir productos en el catálogo, y los beneficios que esto conlleva para las organizaciones.
EUCA23 - Evolution of cryptographic evaluation in Europe.pdf
The draft of the URWP (Union Rolling Work Programme) of the European commission suggests a European Crypto Scheme as one of the potential schemes to be created under the CSA. The use of cryptographic modules to protect sensitive information in hardware, software and firmware products is becoming increasingly widespread. Until now, there has been a reference methodology for cryptographic evaluation at international level, FIPS 140-3. Nonetheless, at the SOG-IS level, there have been efforts to harmonize evaluations in Europe. The publication of the SOGIS Agreed Cryptographic Mechanisms or the SOGIS Harmonised cryptographic Evaluation Procedures show the efforts conducted in Europe during the last years. However, the pandemic situation has slowed down the progress. This talk will present the new approach to evaluate cryptography in Spain according to the methodology created jointly by CCN (Spanish CB) and jtsec, which could serve as a base for a potential European scheme. In addition, this talk will show the tool created to verify the conformance of cryptographic primitives.
This presentation will be especially useful for schemes and government entities to check if the approach could fit their needs.
Hacking your jeta.pdf
Seguro que has visto cómo cada vez más sectores como la banca o los seguros permiten abrir cuentas legalmente vinculadas sin la intervención (a priori) de un operador humano gracias a procesos de videoidentificación, pero, ¿te has preguntado qué tan seguros son?
El Ministerio de Asuntos Económicos y Transformación Digital, en el BOE núm. 115, de 14 de mayo de 2021 y con motivo de la emergencia sanitaria generada por la crisis de la COVID-19, regulaba los métodos de identificación remota por vídeo para la expedición de certificados electrónicos cualificados, lo que obliga a los prestadores de este tipo de servicios a validar sus soluciones en los términos que establece el anexo F11 de la Guía CCN-STIC-140, del Centro Criptológico Nacional.
Dicho anexo requiere que un laboratorio acreditado realice ataques de presentación a este tipo de soluciones para verificar su resistencia a técnicas como máscaras hiperrealistas, deepfake o contouring. Durante esta charla ahondaremos en los detalles técnicos de dichos ataques, y te contaremos cómo hemos conseguido inyectar vídeo en muchas de estas soluciones.
Evolucionado la evaluación Criptográfica
El uso de módulos criptográficos para proteger información sensible en productos hardware, software y firmware es cada vez más extendido. Por ello CCN, desarrolló en su Guía de Seguridad de las TIC CCN-STIC 2002 un Módulo de Evaluación Criptográfico (MEC) que se aplica a diferentes soluciones que implementan algoritmos criptográficos. Este módulo sirve de referencia en numerosas evaluaciones bajo la metodología LINCE en las que se aplica de forma adicional.
Debido al aumento cada vez mayor de requisitos criptográficos, CCN ha desarrollado, con el soporte de jtsec, una metodología que incluye pruebas de conformidad, búsqueda de errores comunes en las implementaciones y requisitos de implementación de las primitivas criptográficas.
El objetivo de la metodología criptográfica es el de establecer un marco común para llevar a cabo las evaluaciones criptográficas de los TOEs que van a ser evaluados para la obtención de un certificado Common Criteria, LINCE con validación criptográfica o STIC con validación Criptográfica.
En esta charla se presentará la nueva aproximación para evaluar la criptografía en España según la metodología creada conjuntamente por CCN y jtsec. Además, mostraremos la herramienta creada para verificar la conformidad de las primitivas criptográficas. Esta ponencia será especialmente útil para los desarrolladores de productos que conocerán los requisitos que se pedirán a partir de ahora.
España y CCN como referentes en la evaluación de ciberseguridad de soluciones...
El desarrollo de productos creados directamente en la nube (cloud nativo) es una práctica cada vez más extendida en la industria. La administración española no escapa a esa tendencia y es cada vez más habitual las migraciones a la nube. El despliegue y gestionado se realiza en la nube y normalmente son desarrollos en constante evolución, permitiendo a los fabricantes más flexibilidad para la continua mejora de sus productos.
Ante el continuo incremento de productos desarrollados en la nube, en febrero de 2020, el CCN publicaba el Anexo G de la “Guía de Seguridad de las TIC CCN-STIC 140” para la Taxonomía de productos de STIC - Servicios en la nube, donde se reflejan los Requisitos Fundamentales de Seguridad (RFS) para este tipo de servicios, considerándose requisitos adicionales que complementan a los requisitos definidos para cada una de las familias de productos. Una guía pionera a nivel internacional para la evaluación de servicios cloud, por lo que cabe destacar que España es el primer país en crear una metodología de evaluación para este tipo de servicios. Normalmente las evaluaciones en la nube, se centran en la gestión e infraestructura del servicio/producto dejando de lado la funcionalidad de seguridad implementada por el mismo.
En las evaluaciones de ciberseguridad, existe la particularidad de que estos servicios/productos no pueden ser completamente controlados/instalados en el laboratorio a la hora de realizar la evaluación, por lo que no se puede certificar usando las metodologías LINCE o Common Criteria. Este problema existe a nivel internacional.
Para solventar esta casuística, CCN diseño una estrategia de evaluación de servicios en la nube mediante evaluaciones STIC complementarias haciendo uso de la metodología LINCE.
Esta vía ha permitido la cualificación en el catálogo CPSTIC / CCN-STIC 105 de servicios en la nube. A día de hoy, hay 6 servicios en la nube incluidos en el catálogo CPSTIC. Todos ellos han sido evaluados por jtsec.
En jtsec nos hemos tenido que adaptar tecnológicamente para afrontar este tipo de evaluaciones, puesto que alrededor del 70% de evaluaciones iniciadas en 2022 por jtsec corresponden a servicios en la nube.
La charla describirá las particularidades de las evaluaciones en la nube tanto a nivel técnico como en el proceso. Además, pondrá de relieve los esfuerzos realizados a nivel nacional para que se puedan evaluar este tipo de soluciones.
EUCA 22 - Let's harmonize labs competence ISO 19896
Harmonization on the competence of the different labs/evaluators have been always a topic for discussion in the Cybersecurity Certification community.
At ISO level, a new standard has been approved aiming to support this goal: ISO 19896.
ISO/IEC 19896 orders the requirements for information security testers and evaluators, including a set of concepts and relationships to understand the competency for individuals performing Common Criteria evaluations.
The requirements of this new ISO standard allows verifying that laboratories and personnel have sufficient capacity to handle a Common Criteria evaluation. However, there are some controversial points regarding this ISOs and how to apply it in Common Criteria, which will be explained during the talk.
Other topics to be addressed during the talk will be how EUCC, the first European cybersecurity scheme for ICT products, will cover the requirements of this ISO and other related standards.
EUCA22 - Patch Management ISO_IEC 15408 & 18045
Common Criteria is the most used international standard for cybersecurity certification for ICT products. CC has lights and shadows and for most of the stakeholders the main drawback might be the assurance continuity process. The application of CC for re-certifications of updates or security-patched products is very slow and not adapted to the time to market of new versions of products. EUCC includes patch management as an activity that may be assessed as part of the evaluation process. ISO SC27 WG3 have been working hard in the last years to prepare the technical specification that could be used to evaluate the TOE’s patching functionality and the developer’s patch management by adding new modules that can be integrated into PPs and STs. This talk will explain the current status and news of the ISO Technical Specification, and explain how it address the patch management problem taking into account the Cyber Security Act requirements. The speakers will be Javier Tallon and Sebastian Fritsch, co-editors of the ISO/IEC TS 9565.
Cross standard and scheme composition - A needed cornerstone for the European...
The proliferation of new cybersecurity standards/schemes shows the interest of all the stakeholders to require cybersecurity for ICT products. On the other hand, a need for harmonization/recognition between standards/schemes is needed. Otherwise, there could be too many standards that become non-cost-effective for developers certifying their products.
For instance, almost every IoT vertical has its own set of cybersecurity standards. But IoT devices and it’s supply chain is not limited within a single vertical. In fact the contrary holds, that building blocks of an IoT device find appliance in a couple of other verticals. Assuming that these building blocks demonstrated cybersecurity compliance of some form, say for a particular vertical, it will be key for the economy to not repeat those proofs of compliance but instead accept across standards and schemes where applicable.
This talk will highlight the importance of the acceptance of certification and standard compliance results across different schemes or security standards. We will show examples (e.g., smart metering in France with de-facto acceptance of underlying CC results, SESIP to IEC62443-4-2) where this has been applied successfully, but will also look at existing standards or schemes where this would be possible (e.g. EUCC, FITCEM, etc‚) or proposals on how to apply this for Industrial IoT (IACS ERNCIP recommendations to the EU commission).
The talk will be given from the developer perspective (Georg Stütz from NXP) and lab perspective (Jose Ruiz from jtsec)
¿Cómo incluir productos y servicios en el catálogo CPSTIC (CCN-STIC 105)?
Incluir productos y servicios en el catálogo de ciberseguridad de referencia para la Administración Pública no resulta sencillo.
Se ha de superar una evaluación LINCE o Common Criteria para poder acceder a dicho catálogo.
En el catálogo CPSTIC se pueden incluir tanto para soluciones on premise como en la nube, siendo una gran ventaja para aquellos desarrolladores cloud native.
En esta presentación explicamos las diferentes maneras de incluir una solución en el catálogo CPSTIC, así como los pasos a seguir.
Is Automation Necessary for the CC Survival?
The use of different automation tools in Common Criteria is a reality. In recent years, it has been demonstrated that the capacity to take on a large number of Common Criteria evaluations, both by laboratories and by the Certification Bodies, is limited. The automation of certain processes through the use of tools created specifically for this purpose is seen as the only possible way to speed up the process, both in terms of time and workload. How will the use of tools affect the immediate future of the different stakeholders in Common Criteria? Will automation lead to an increase in the number of certifications and the possibility that more companies will be able to become certified?
CCCAB tool - Making CABs life easy - Chapter 2
CCCAB (Common Criteria Conformity Assessment Body) Tool is a unique framework that will allow Common Criteria CABs to smooth the certification process for ICT products, reducing the cost and time required in each single certification process.
CCCAB will be developed to support NCCAs (National Cybersecurity Certification Authorities) when acting as CABs for level high and CABs (Conformity Assessment Bodies) for level substantial operating under the EUCC (Common Criteria based European candidate cybersecurity certification scheme) scheme. CCCAB has been selected by the European Commission under the Connecting Europe Facility (CEF) programme as a granted project. Two European NCCAs are also supporting CCCAB: CCN (Spain) and OCSI (Italy), reflecting the magnitude of the project. CCCAB will be released as an open source product and will be free to use allowing the community to improve the tool in the future. This tool was presented at last ICCC.
In this year presentation, we will be able to show the specifications that have been defined to interact with the tool. We will be able to present the current status of the development showing the first operational version of CCCAB. Finally, we will discuss the challenges to make the tool accessible widely.
2022 CC Statistics report: will this year beat last year's record number of c...
CC Scraper is a tool developed by jtsec 5 years ago that that analyses automatically the information from the CC and CBs portals using OCR capabilities and other features. Including detailed insights about Common Criteria like certification per assurance level, trends by Protection Profile, ranking of manufacturer, among others. We have published free annually reports regarding. In last year’s edition, we presented the statistics for 2021, the year with the most Common Criteria certifications in history. Would you like to know the data of the first three quarters of 2022? Will this year beat last year’s record number of certifications? Which labs and vendors will be in the top?
This presentation will show Common Criteria’s data in a year that has taken place against a context of global uncertainty and instability.
CCCAB, la apuesta europea por la automatización de los Organismos de Certific...
Artículo publicado en la edición nº 148 de la Revista SIC, donde presentamos la herramientas que estamos desarrollando, pionera en el mercado.
CCCAB es un proyecto financiado por la Comisión Europea en el marco del programa Connecting Europe Faciclity (CEF), que permite ahorrar tiempo y esfuerzo a los CABs (Certification Assessments Bodies), aligerando su carga de trabajo para optimizar la fase de certificación.
Automating Common Criteria
This document discusses José Ruiz and his experience with Common Criteria and FIPS certification standards. It then summarizes the need for automation tools to streamline the certification process, addressing issues like a lack of engineers and high paperwork demands. Specific tools are mentioned, including NIAP's tool for automating security targets and CCToolbox, which the document's author developed. CCToolbox aims to simplify and automate documentation, evaluation activities, and the overall certification workflow. Benefits discussed include reduced time and costs for manufacturers and laboratories.
CCCAB - Making CABs life easy
CCCAB (Common Criteria Conformity Assessment Body) Tool is a unique framework that will allow Common Criteria CABs to smooth the certification process for ICT products, reducing the cost and time required in each single certification process.
CCCAB will be developed to support NCCAs (National Cybersecurity Certification Authorities) when acting as CABs for level high and CABs (Conformity Assessment Bodies) for level substantial operating under the EUCC (Common Criteria based European candidate cybersecurity certification scheme) scheme.
CCCAB has been selected by the European Commission under the Connecting Europe Facility (CEF) programme as a granted project. Two European NCCAs are also supporting CCCAB: CCN (Spain) and OCSI (Italy), reflecting the magnitude of the project.
CCCAB will be released as an open source product and will be free to use allowing the community to improve the tool in the future. The presentation will show the objectives, status of the development and the potential of the tool and what it will mean for the different stakeholders involved in a Common Criteria certification process.
ICCC21 2021 statistics report
This document summarizes Common Criteria certification statistics from various sources including the CCScraper tool. It provides statistics for 2021 based on data collected up to September 30th, highlighting the top certification schemes, assurance levels, laboratories, product categories and manufacturers. It also analyzes trends over the past 5 years and discusses the impact of the COVID-19 pandemic on certification numbers.
More from Javier Tallón (20)
Evolucionando la evaluación criptográfica - Episodio II
Evolucionando la evaluación criptográfica - Episodio II
Cómo evaluar soluciones biométricas para incluir productos de videoidentifica...
Cómo evaluar soluciones biométricas para incluir productos de videoidentifica...
ICCC2023 Statistics Report, has Common Criteria reached its peak?
ICCC2023 Statistics Report, has Common Criteria reached its peak?
ICCC23 -The new cryptographic evaluation methodology created by CCN
ICCC23 -The new cryptographic evaluation methodology created by CCN
La ventaja de implementar una solución de ciberseguridad certificada por el C...
La ventaja de implementar una solución de ciberseguridad certificada por el C...
EUCA23 - Evolution of cryptographic evaluation in Europe.pdf
EUCA23 - Evolution of cryptographic evaluation in Europe.pdf
España y CCN como referentes en la evaluación de ciberseguridad de soluciones...
España y CCN como referentes en la evaluación de ciberseguridad de soluciones...
EUCA 22 - Let's harmonize labs competence ISO 19896
EUCA 22 - Let's harmonize labs competence ISO 19896
Cross standard and scheme composition - A needed cornerstone for the European...
Cross standard and scheme composition - A needed cornerstone for the European...
¿Cómo incluir productos y servicios en el catálogo CPSTIC (CCN-STIC 105)?
¿Cómo incluir productos y servicios en el catálogo CPSTIC (CCN-STIC 105)?
2022 CC Statistics report: will this year beat last year's record number of c...
2022 CC Statistics report: will this year beat last year's record number of c...
CCCAB, la apuesta europea por la automatización de los Organismos de Certific...
CCCAB, la apuesta europea por la automatización de los Organismos de Certific...
Recently uploaded
A Comprehensive Guide to DeFi Development Services in 2024
DeFi represents a paradigm shift in the financial industry. Instead of relying on traditional, centralized institutions like banks, DeFi leverages blockchain technology to create a decentralized network of financial services. This means that financial transactions can occur directly between parties, without intermediaries, using smart contracts on platforms like Ethereum.
In 2024, we are witnessing an explosion of new DeFi projects and protocols, each pushing the boundaries of what’s possible in finance.
In summary, DeFi in 2024 is not just a trend; it’s a revolution that democratizes finance, enhances security and transparency, and fosters continuous innovation. As we proceed through this presentation, we'll explore the various components and services of DeFi in detail, shedding light on how they are transforming the financial landscape.
At Intelisync, we specialize in providing comprehensive DeFi development services tailored to meet the unique needs of our clients. From smart contract development to dApp creation and security audits, we ensure that your DeFi project is built with innovation, security, and scalability in mind. Trust Intelisync to guide you through the intricate landscape of decentralized finance and unlock the full potential of blockchain technology.
Ready to take your DeFi project to the next level? Partner with Intelisync for expert DeFi development services today!
Let's Integrate MuleSoft RPA, COMPOSER, APM with AWS IDP along with Slack
Discover the seamless integration of RPA (Robotic Process Automation), COMPOSER, and APM with AWS IDP enhanced with Slack notifications. Explore how these technologies converge to streamline workflows, optimize performance, and ensure secure access, all while leveraging the power of AWS IDP and real-time communication via Slack notifications.
zkStudyClub - LatticeFold: A Lattice-based Folding Scheme and its Application...
Folding is a recent technique for building efficient recursive SNARKs. Several elegant folding protocols have been proposed, such as Nova, Supernova, Hypernova, Protostar, and others. However, all of them rely on an additively homomorphic commitment scheme based on discrete log, and are therefore not post-quantum secure. In this work we present LatticeFold, the first lattice-based folding protocol based on the Module SIS problem. This folding protocol naturally leads to an efficient recursive lattice-based SNARK and an efficient PCD scheme. LatticeFold supports folding low-degree relations, such as R1CS, as well as high-degree relations, such as CCS. The key challenge is to construct a secure folding protocol that works with the Ajtai commitment scheme. The difficulty, is ensuring that extracted witnesses are low norm through many rounds of folding. We present a novel technique using the sumcheck protocol to ensure that extracted witnesses are always low norm no matter how many rounds of folding are used. Our evaluation of the final proof system suggests that it is as performant as Hypernova, while providing post-quantum security.
Paper Link: https://eprint.iacr.org/2024/257
Building Production Ready Search Pipelines with Spark and Milvus
Spark is the widely used ETL tool for processing, indexing and ingesting data to serving stack for search. Milvus is the production-ready open-source vector database. In this talk we will show how to use Spark to process unstructured data to extract vector representations, and push the vectors to Milvus vector database for search serving.
TrustArc Webinar - 2024 Global Privacy Survey
How does your privacy program stack up against your peers? What challenges are privacy teams tackling and prioritizing in 2024?
In the fifth annual Global Privacy Benchmarks Survey, we asked over 1,800 global privacy professionals and business executives to share their perspectives on the current state of privacy inside and outside of their organizations. This year’s report focused on emerging areas of importance for privacy and compliance professionals, including considerations and implications of Artificial Intelligence (AI) technologies, building brand trust, and different approaches for achieving higher privacy competence scores.
See how organizational priorities and strategic approaches to data security and privacy are evolving around the globe.
This webinar will review:
- The top 10 privacy insights from the fifth annual Global Privacy Benchmarks Survey
- The top challenges for privacy leaders, practitioners, and organizations in 2024
- Key themes to consider in developing and maintaining your privacy program
Columbus Data & Analytics Wednesdays - June 2024
Columbus Data & Analytics Wednesdays, June 2024 with Maria Copot 20
System Design Case Study: Building a Scalable E-Commerce Platform - Hiike
This case study explores designing a scalable e-commerce platform, covering key requirements, system components, and best practices.
Skybuffer AI: Advanced Conversational and Generative AI Solution on SAP Busin...
Skybuffer AI, built on the robust SAP Business Technology Platform (SAP BTP), is the latest and most advanced version of our AI development, reaffirming our commitment to delivering top-tier AI solutions. Skybuffer AI harnesses all the innovative capabilities of the SAP BTP in the AI domain, from Conversational AI to cutting-edge Generative AI and Retrieval-Augmented Generation (RAG). It also helps SAP customers safeguard their investments into SAP Conversational AI and ensure a seamless, one-click transition to SAP Business AI.
With Skybuffer AI, various AI models can be integrated into a single communication channel such as Microsoft Teams. This integration empowers business users with insights drawn from SAP backend systems, enterprise documents, and the expansive knowledge of Generative AI. And the best part of it is that it is all managed through our intuitive no-code Action Server interface, requiring no extensive coding knowledge and making the advanced AI accessible to more users.
June Patch Tuesday
Ivanti’s Patch Tuesday breakdown goes beyond patching your applications and brings you the intelligence and guidance needed to prioritize where to focus your attention first. Catch early analysis on our Ivanti blog, then join industry expert Chris Goettl for the Patch Tuesday Webinar Event. There we’ll do a deep dive into each of the bulletins and give guidance on the risks associated with the newly-identified vulnerabilities.
Digital Marketing Trends in 2024 | Guide for Staying Ahead
https://www.wask.co/ebooks/digital-marketing-trends-in-2024
Feeling lost in the digital marketing whirlwind of 2024? Technology is changing, consumer habits are evolving, and staying ahead of the curve feels like a never-ending pursuit. This e-book is your compass. Dive into actionable insights to handle the complexities of modern marketing. From hyper-personalization to the power of user-generated content, learn how to build long-term relationships with your audience and unlock the secrets to success in the ever-shifting digital landscape.
“Temporal Event Neural Networks: A More Efficient Alternative to the Transfor...
“Temporal Event Neural Networks: A More Efficient Alternative to the Transfor...Edge AI and Vision Alliance
For the full video of this presentation, please visit: https://www.edge-ai-vision.com/2024/06/temporal-event-neural-networks-a-more-efficient-alternative-to-the-transformer-a-presentation-from-brainchip/
Chris Jones, Director of Product Management at BrainChip , presents the “Temporal Event Neural Networks: A More Efficient Alternative to the Transformer” tutorial at the May 2024 Embedded Vision Summit.
The expansion of AI services necessitates enhanced computational capabilities on edge devices. Temporal Event Neural Networks (TENNs), developed by BrainChip, represent a novel and highly efficient state-space network. TENNs demonstrate exceptional proficiency in handling multi-dimensional streaming data, facilitating advancements in object detection, action recognition, speech enhancement and language model/sequence generation. Through the utilization of polynomial-based continuous convolutions, TENNs streamline models, expedite training processes and significantly diminish memory requirements, achieving notable reductions of up to 50x in parameters and 5,000x in energy consumption compared to prevailing methodologies like transformers.
Integration with BrainChip’s Akida neuromorphic hardware IP further enhances TENNs’ capabilities, enabling the realization of highly capable, portable and passively cooled edge devices. This presentation delves into the technical innovations underlying TENNs, presents real-world benchmarks, and elucidates how this cutting-edge approach is positioned to revolutionize edge AI across diverse applications.Energy Efficient Video Encoding for Cloud and Edge Computing Instances
Energy Efficient Video Encoding for Cloud and Edge Computing Instances
Main news related to the CCS TSI 2023 (2023/1695)
An English 🇬🇧 translation of a presentation to the speech I gave about the main changes brought by CCS TSI 2023 at the biggest Czech conference on Communications and signalling systems on Railways, which was held in Clarion Hotel Olomouc from 7th to 9th November 2023 (konferenceszt.cz). Attended by around 500 participants and 200 on-line followers.
The original Czech 🇨🇿 version of the presentation can be found here: https://www.slideshare.net/slideshow/hlavni-novinky-souvisejici-s-ccs-tsi-2023-2023-1695/269688092 .
The videorecording (in Czech) from the presentation is available here: https://youtu.be/WzjJWm4IyPk?si=SImb06tuXGb30BEH .
Freshworks Rethinks NoSQL for Rapid Scaling & Cost-Efficiency
Freshworks creates AI-boosted business software that helps employees work more efficiently and effectively. Managing data across multiple RDBMS and NoSQL databases was already a challenge at their current scale. To prepare for 10X growth, they knew it was time to rethink their database strategy. Learn how they architected a solution that would simplify scaling while keeping costs under control.
Dandelion Hashtable: beyond billion requests per second on a commodity server
This slide deck presents DLHT, a concurrent in-memory hashtable. Despite efforts to optimize hashtables, that go as far as sacrificing core functionality, state-of-the-art designs still incur multiple memory accesses per request and block request processing in three cases. First, most hashtables block while waiting for data to be retrieved from memory. Second, open-addressing designs, which represent the current state-of-the-art, either cannot free index slots on deletes or must block all requests to do so. Third, index resizes block every request until all objects are copied to the new index. Defying folklore wisdom, DLHT forgoes open-addressing and adopts a fully-featured and memory-aware closed-addressing design based on bounded cache-line-chaining. This design offers lock-free index operations and deletes that free slots instantly, (2) completes most requests with a single memory access, (3) utilizes software prefetching to hide memory latencies, and (4) employs a novel non-blocking and parallel resizing. In a commodity server and a memory-resident workload, DLHT surpasses 1.6B requests per second and provides 3.5x (12x) the throughput of the state-of-the-art closed-addressing (open-addressing) resizable hashtable on Gets (Deletes).
Trusted Execution Environment for Decentralized Process Mining
Presentation of the paper "Trusted Execution Environment for Decentralized Process Mining" given during the CAiSE 2024 Conference in Cyprus on June 7, 2024.
Generating privacy-protected synthetic data using Secludy and Milvus
During this demo, the founders of Secludy will demonstrate how their system utilizes Milvus to store and manipulate embeddings for generating privacy-protected synthetic data. Their approach not only maintains the confidentiality of the original data but also enhances the utility and scalability of LLMs under privacy constraints. Attendees, including machine learning engineers, data scientists, and data managers, will witness first-hand how Secludy's integration with Milvus empowers organizations to harness the power of LLMs securely and efficiently.
FREE A4 Cyber Security Awareness Posters-Social Engineering part 3
Free A4 downloadable and printable Cyber Security, Social Engineering Safety and security Training Posters . Promote security awareness in the home or workplace. Lock them Out From training providers datahops.com
SAP S/4 HANA sourcing and procurement to Public cloud
SAP S4 HANA to Public cloud data object differences
Recently uploaded (20)
A Comprehensive Guide to DeFi Development Services in 2024
A Comprehensive Guide to DeFi Development Services in 2024
Let's Integrate MuleSoft RPA, COMPOSER, APM with AWS IDP along with Slack
Let's Integrate MuleSoft RPA, COMPOSER, APM with AWS IDP along with Slack
zkStudyClub - LatticeFold: A Lattice-based Folding Scheme and its Application...
zkStudyClub - LatticeFold: A Lattice-based Folding Scheme and its Application...
Building Production Ready Search Pipelines with Spark and Milvus
Building Production Ready Search Pipelines with Spark and Milvus
System Design Case Study: Building a Scalable E-Commerce Platform - Hiike
System Design Case Study: Building a Scalable E-Commerce Platform - Hiike
Skybuffer AI: Advanced Conversational and Generative AI Solution on SAP Busin...
Skybuffer AI: Advanced Conversational and Generative AI Solution on SAP Busin...
Digital Marketing Trends in 2024 | Guide for Staying Ahead
Digital Marketing Trends in 2024 | Guide for Staying Ahead
“Temporal Event Neural Networks: A More Efficient Alternative to the Transfor...
“Temporal Event Neural Networks: A More Efficient Alternative to the Transfor...
Energy Efficient Video Encoding for Cloud and Edge Computing Instances
Energy Efficient Video Encoding for Cloud and Edge Computing Instances
Freshworks Rethinks NoSQL for Rapid Scaling & Cost-Efficiency
Freshworks Rethinks NoSQL for Rapid Scaling & Cost-Efficiency
Dandelion Hashtable: beyond billion requests per second on a commodity server
Dandelion Hashtable: beyond billion requests per second on a commodity server
Trusted Execution Environment for Decentralized Process Mining
Trusted Execution Environment for Decentralized Process Mining
Generating privacy-protected synthetic data using Secludy and Milvus
Generating privacy-protected synthetic data using Secludy and Milvus
FREE A4 Cyber Security Awareness Posters-Social Engineering part 3
FREE A4 Cyber Security Awareness Posters-Social Engineering part 3
SAP S/4 HANA sourcing and procurement to Public cloud
SAP S/4 HANA sourcing and procurement to Public cloud
EUCA22 Panel Discussion: Differences between lightweight certification schemes
- 2. Panelists ISO/IEC 19896 José Ruiz (Moderator) Co-founder and CTO, jtsec Beyond IT Security, Spain Helge Kreutzmann Senior Expert Bundesamt für Sicherheit in der Informationstechnik, Germany Philippe Magnabosco Policy Advisor for External Standards, ANSSI, France Maria Christofi ITSEF COO, Oppida, France Pablo Franco Head of Certification Body, CCN, Spain Petr Kazil Security Consultant, NLNCSA, Netherlands
- 3. ❑ CSPN –Certification de Sécurité de Premier Niveau ❑ BSPA –Baseline Security Product Assessment ❑ LINCE –National Essential Security Evaluation ❑ BSZ –Beschleunigte Sicherheitszertifizierung ❑ and possibly more … ❑ … and then came the “Cybersecurity Act” with 3 assurance levels. ❑ … and possible verticals using them (e.g. IACS). The fixed-time cybersecurity certification landscape in Europe *Information taken from the presentation INTRODUCING FITCEM (FIXED-TIME CYBERSECURITY EVALUATION METHODOLOGY FOR ICT PRODUCTS) by Dr. Helge Kreutzmann at EUCA 2021
- 4. ❑ Flexible application: ❑ All CSA evaluation assurance levels, including self-assessment ❑ Horizontals and verticals ❑ Adaptable by parameters where possible ❑ Bare minimum required by CSA shall be possible ❑ Existing methodologies (LINCE, CSPN, …) should be reproducible ❑ The workload on the developer shall be reduced where possible ❑ This might imply higher work load for evaluators ❑ Evaluator competence is important ❑ This is not a “lightweight” CEM (ISO/IEC 18045) Design principles of EN 17640 (extract) *Information taken from the presentation INTRODUCING FITCEM (FIXED-TIME CYBERSECURITY EVALUATION METHODOLOGY FOR ICT PRODUCTS) by Dr. Helge Kreutzmann at EUCA 2021 EN 17640
- 5. ❑ Completeness check ❑ Protection Profile / Security Target evaluation / Review of security functionalities ❑ Development documentation ❑ Evaluation of the TOE installation ❑ Conformance testing ❑ Vulnerability review ❑ Vulnerability testing ❑ Penetration testing ❑ (Basic) crypto analysis ❑ Extended crypto analysis Evaluation Tasks *Information taken from the presentation INTRODUCING FITCEM (FIXED-TIME CYBERSECURITY EVALUATION METHODOLOGY FOR ICT PRODUCTS) by Dr. Helge Kreutzmann at EUCA 2021