The use of cryptographic primitives to safeguard sensitive information in hardware, software, and firmware products is witnessing widespread adoption. Recognizing the increasing cryptographic requirements, CCN (Certification Body for National Cryptology) has developed a methodology in collaboration with jtsec. This methodology encompasses conformance testing, identification of common implementation pitfalls, and implementation requirements for cryptographic primitives.
The primary objective of this cryptographic methodology is to establish a standardized framework for conducting cryptographic evaluations of Targets of Evaluation (TOEs). These evaluations aim to obtain Common Criteria certificates and other certifications. The methodology specifically targets products in which cryptographic mechanisms form a crucial part of their core functionality, such as VPNs, HSMs, ciphers, communication apps, and more.
During the talk, the speakers will introduce the new approach to evaluate cryptography in Spain, following the jointly created methodology by CCN and jtsec. They will also demonstrate a tool designed to verify the compliance of cryptographic primitives. This presentation will be particularly beneficial for product developers, as they will learn about the requirements that will be demanded in Spain going forward. It will also be of interest to other Certification Bodies (CBs) who may find this methodology and tool valuable in their own evaluations.
EUCA23 - Evolution of cryptographic evaluation in Europe.pdf (Javier Tallón)
The draft of the URWP (Union Rolling Work Programme) of the European Commission suggests a European Crypto Scheme as one of the potential schemes to be created under the CSA. The use of cryptographic modules to protect sensitive information in hardware, software and firmware products is becoming increasingly widespread. Until now, there has been one reference methodology for cryptographic evaluation at the international level, FIPS 140-3. Nonetheless, at the SOG-IS level, there have been efforts to harmonize evaluations in Europe. The publication of the SOGIS Agreed Cryptographic Mechanisms and the SOGIS Harmonised Cryptographic Evaluation Procedures shows the efforts conducted in Europe during the last years. However, the pandemic situation has slowed down the progress. This talk will present the new approach to evaluate cryptography in Spain according to the methodology created jointly by CCN (Spanish CB) and jtsec, which could serve as a base for a potential European scheme. In addition, this talk will show the tool created to verify the conformance of cryptographic primitives.
This presentation will be especially useful for schemes and government entities to check if the approach could fit their needs.
Experiences evaluating cloud services and products (Javier Tallón)
The market for IT products is constantly evolving. More and more vendors are developing products and services deployed only in the cloud (Cloud Native). This implies a paradigm shift in the way assessments are carried out, in the methodology to be followed and in the tests to be performed.
Today, it is NOT possible to use Common Criteria to evaluate cloud services, even though many administrations are migrating to cloud solutions.
This talk will not cover cloud programs such as FedRAMP, ENS, C5, SecNumCloud or the ENISA EUCS scheme. All these schemes evaluate the cloud infrastructure and the controls specified in the respective standards.
But in those standards, we cannot find assurance requirements related to the product/service itself. For example, if your WAF (Web Application Firewall) is cloud native and deployed in the cloud, you could obtain those cloud certifications, but it would NOT be possible to obtain a CC certification using NIAP PPs.
To solve this problem, a practical approach has been followed in Spain, evaluating the cloud services using the LINCE methodology but obtaining a qualification mark (instead of a certification). Several vendors such as AWS, Google or Microsoft have already undergone this kind of process.
In this talk, we want to show jtsec’s hands-on experience evaluating cloud services and discuss the main issues that have been faced and the solutions that have been found (TOE definition, test environment, TOE identification, permission to test, etc.).
We would also like to discuss how the experience obtained using the LINCE methodology could be extrapolated (or NOT) to the CC world.
The importance of a robust cybersecurity strategy cannot be overstated. Learning about the effective measures to be taken and the tools needed to navigate the evolving cybersecurity landscape successfully is essential.
Amongst others, the webinar covers:
• ISO/IEC 27002 and ISO/IEC 27032 and their key components
• Key Components of a Resilient Cybersecurity Strategy
• CMMC Frameworks
Presenters:
Dr. Oz Erdem
Governance, Risk and Compliance (GRC) consultant, trainer, auditor, and speaker
Dr. Erdem has over 25 years of experience in information security, trade compliance, data privacy, and risk management. He took leadership roles in governance and compliance at various Fortune 100-500 companies and SMBs, including Siemens Corporation, Siemens Industry, Linqs, Texas Instruments, Rtrust, ICEsoft Technologies, NATO C3A, and BILGEM. In addition, he successfully managed software development (i.e., embedded, cloud, and SaaS) and digital product projects involving information security, mobile networks, and IoT networks. Further, Dr. Erdem led several non-profit organizations, such as the National Association of District Export Councils (NADEC), the Government Contractors Council (GovConCouncil), and the Central-North Florida District Export Council, as the Chairman of the Board.
Peter Geelen
Peter Geelen is the director and managing consultant at CyberMinute and Owner of Quest for Security, Belgium. Over more than 20 years, Peter has built strong experience in enterprise security & architecture, Identity & Access management, but also privacy, information & data protection, cyber- and cloud security. In the last few years, his focus has been on ISO/IEC 27001 and other ISO certification mechanisms. Peter is an accredited Lead Auditor for ISO/IEC 27001 and ISO 9001, a PECB Trainer and a Fellow in Privacy. Committed to continuous learning, Peter holds renowned security certificates such as certified ISO/IEC 27701 lead implementer and lead auditor, ISO/IEC 27001 Master, Sr. Lead Cybersecurity Manager, ISO/IEC 27002 lead manager, ISO/IEC 27701 Lead Implementer, cDPO, Risk management, Lead Incident Mgr., Disaster Recovery, and many more.
George Usi - CEO of Omnistruct
An internet pioneer and award-winning leader in internet governance with over 25 years of experience, George Usi knows that getting hacked is not a matter of ‘if’ but ‘when’, and knows the fiscal and reputational effects that has on a business, the executives, and the board. George is the Co-Founder of Omnistruct, a cyber risk company. Omnistruct protects and expands revenue creation, reputation, and customer retention through cyber risk transference, governance, and compliance. We ensure that security and privacy programs work.
Date: January 24, 2024
YouTube Video: https://youtu.be/9i5p5WFExT4
Website: https://bit.ly/3SjovIP
The document discusses ISO 27002 and ISO 27032 standards for information security and cybersecurity. It provides an overview of the Cybersecurity Maturity Model Certification (CMMC) program, including the evolution of CMMC, proposed rule, and certification levels. It also discusses applying the appropriate NIST cybersecurity framework and performing a risk assessment to select standards and frameworks to address cybersecurity risks.
TAICS - Cybersecurity Certification for European Market.pptx (Javier Tallón)
Taiwan Association of Information and Communication Standards (TAICS) organized a private event aimed mainly at Taiwanese developers and manufacturers who intend to integrate their products into the European market.
Due to the amount of existing cybersecurity legislation and methodologies in Europe, TAICS offered a webinar to clarify certain doubts, mainly regarding legal milestones and mandatory compliance when including an IT product in the European market.
Spanish catalogue of qualified products - a new way of using CC for procurement (Javier Tallón)
The acquisition of an IT security product handling national or sensitive information must be preceded by a verification process guaranteeing that the security mechanisms implemented in the product are adequate to protect such information.
Over the past year, the Spanish state, through its certification body, has been making a considerable effort to encourage and facilitate the use of certified products in the National Administration. Different strategic lines have been used to achieve this:
• The creation of the ENS: a scheme that determines the security policy to be applied in the use of information technology, including the promotion of the use of certified or qualified devices and software.
• The promotion of Common Criteria as de facto standard for IT security certifications.
• The creation of a taxonomy and a catalogue of qualified products.
In this presentation we will focus on this last point:
The Spanish Reference taxonomy for IT security products has a set of product categories which, in turn, are divided into families: product types according to their main functionality (e.g. router, firewall, proxy, secure deletion tool, etc.).
For each product family of the taxonomy, a document has been defined containing the expected Fundamental Security Requirements (FSR), which should be taken as a reference for the development, evaluation and secure use of the products within each family, as well as a series of cases of intended use and expected operational environments.
These Fundamental Security Requirements are perfectly aligned with the Common Criteria standard, indicating for each product family the applicable Protection Profile or requirements that allow direct inclusion in the catalogue.
The development of this evaluation and certification scheme is allowing the Spanish administration to procure IT equipment that has passed state-of-the-art security controls while providing manufacturers greater flexibility to evaluate their products quickly and efficiently, responding to fast-changing market demands. The final consumer, the Spanish Administration, will have a simple and manageable catalogue that allows them to know what equipment they need to purchase in order to guarantee the security of the citizen.
Our speech will present this innovative approach for procurement that could be used by other countries.
TAS-S Seminar “From Continuous Monitoring to Continuous Cloud Cybersecurity C... (MEDINA)
This document summarizes the results of an experiment conducted to test requirements for continuous monitoring and certification from the European Union's Cloud Services (EUCS) certification scheme. The experiment found that:
1) Existing tools can automate assessment of some EUCS requirements, but coverage is currently limited.
2) A machine-readable format like NIST's OSCAL shows promise for specifying and reporting on automated assessments.
3) While some level of automation is possible now, auditors will still need to review evidence to ensure trustworthy compliance. Standardization of audit processes could help leverage the full potential of automation in the future.
Cross standard and scheme composition - A needed cornerstone for the European... (Javier Tallón)
The proliferation of new cybersecurity standards/schemes shows the interest of all the stakeholders in requiring cybersecurity for ICT products. On the other hand, harmonization/recognition between standards/schemes is also needed. Otherwise, there could be too many standards, which become non-cost-effective for developers certifying their products.
For instance, almost every IoT vertical has its own set of cybersecurity standards. But IoT devices and their supply chain are not limited to a single vertical. In fact, the contrary holds: the building blocks of an IoT device find application in several other verticals. Assuming that these building blocks demonstrated cybersecurity compliance of some form, say for a particular vertical, it will be key for the economy not to repeat those proofs of compliance but instead to accept them across standards and schemes where applicable.
This talk will highlight the importance of the acceptance of certification and standard compliance results across different schemes or security standards. We will show examples (e.g., smart metering in France with de-facto acceptance of underlying CC results, SESIP to IEC 62443-4-2) where this has been applied successfully, but will also look at existing standards or schemes where this would be possible (e.g. EUCC, FITCEM, etc.) or proposals on how to apply this for Industrial IoT (IACS ERNCIP recommendations to the EU Commission).
The talk will be given from the developer perspective (Georg Stütz from NXP) and the lab perspective (Jose Ruiz from jtsec).
The document outlines work packages 4 and 5 of the SCADALab project. Work package 4 involves implementing the SCADA laboratory designed in work package 3, including setting up the laboratory area and connecting it to various test beds. Work package 5 focuses on pilot testing and experimentation using the new SCADA laboratory to conduct security assessments and tests on the connected infrastructure test beds. The work will validate the SCADA laboratory design and help refine it for future use in assessing the security of critical infrastructure systems.
CMMC, ISO/IEC 27701, and ISO/IEC 27001 — Best Practices and Differences (PECB)
After the last 2020 Global Leading Voices webinar, comparing ISO 27001 with the CCPA and the NY SHIELD Act, we're taking a look at the next level of information and cybersecurity management.
How can you assess your security management? The CMMI model (using the 1 to 5 grading) is a well-known system. In early 2020 the US DoD launched the CMMC, Cybersecurity Maturity Model Certification, which matches the same levels for cybersecurity. In this session we'll discuss the maturity evaluation principles for information security, cybersecurity and application security and how you can use them in practice.
The webinar covers:
- What's the CMMI?
- What's the CMMC?
- Maturity in security governance (ISMS, cyber, application)
- Security maturity vs audit cycles
Recorded Webinar: https://youtu.be/9BpETh_nAOw
Vulnerability Detection Based on Git History (Kenta Yamamoto)
This document discusses a methodology for detecting vulnerabilities in software based on analysis of the project's Git history. It proposes an approach called HVD that considers whether lines of code were added or removed in code changes, which could improve precision over existing techniques. An evaluation using a dataset of over 350,000 commits found that HVD increased the area under the precision-recall curve by 18.8% compared to a baseline that ignores line additions and removals. Features related to computer resources like memory, CPU and networking were found to most significantly contribute to the classification model. The study demonstrates that automatically detecting vulnerabilities from Git data can produce results aligned with human intuition.
Common Criteria is the most used international standard for cybersecurity certification of ICT products. CC has lights and shadows, and for most of the stakeholders the main drawback might be the assurance continuity process. The application of CC for re-certifications of updates or security-patched products is very slow and not adapted to the time to market of new versions of products. EUCC includes patch management as an activity that may be assessed as part of the evaluation process. ISO SC27 WG3 has been working hard in the last years to prepare the technical specification that could be used to evaluate the TOE’s patching functionality and the developer’s patch management by adding new modules that can be integrated into PPs and STs. This talk will explain the current status and news of the ISO Technical Specification, and explain how it addresses the patch management problem taking into account the Cyber Security Act requirements. The speakers will be Javier Tallon and Sebastian Fritsch, co-editors of ISO/IEC TS 9565.
The document discusses various certification models for ensuring accountability and compliance with the GDPR. It describes EuroPrise and ISDP10003:2015 as examples of certification schemes that aim to provide accountability through a transparent certification process (EuroPrise), and through establishing technical and organizational measures and controls across an organization's data protection processes (ISDP10003). It also analyzes different certification models based on their scope - whether they take a multi-sector or single-sector approach, operate at an international, national or sub-national level, and whether they provide comprehensive certification of all GDPR aspects or focus on single issues.
CMMC 2.0 vs. ISO/IEC 27001 vs. NIST 800-171: What You Need to Know (PECB)
The CMMC, NIST 800-171, and ISO/IEC 27001 frameworks include the application of a structured approach to cybersecurity and a formal risk assessment process, and the implementation of customized security controls. However, each of them has a distinct scope.
The webinar covers:
• US legislative overview, impacts and update in NIST adoption
• Weaving together NIST PF and NIST 800-171
• Quick definitions for CMMC / 27001 / 800-171
• Common scope elements between CMMC / 27001 / 800-171
• Differences in scope between CMMC / 27001 / 800-171
• When to implement each of the three
• How these three can support each other
• The link between these three and cyber insurance
• How each of these is used to measure and implement compliance
Presenters:
Anthony English
One of the top cybersecurity professionals in Atlantic Canada with extensive Canadian and International experience in cybersecurity covering risk assessment, management, mitigation, security testing, business continuity, information security management systems, architecture security reviews, project security, security awareness, lectures, presentations and standards-based compliance.
George Usi
George Usi is the CEO of Omnistruct Inc, a GaaS (cyber Governance as a Service) company with a vision to be the safety airbag of cyber risk and compliance.
After more than twenty-five years in internet open standards, networking, and security, George recognized that getting hacked in an Internet-delivered world was a matter of when. He also recognized that cyber laws with the potential of steep fines for business leaders who neglect to illustrate cyber security diligence would evolve with more aggressive sanctions in arrears of hacker success. So, he ideated a goal to eliminate cyber risk and set a mission for Omnistruct to be the “safety airbag” of cyber compliance. With a continuous audit and documentation approach, business owners can protect consumer privacy rights when they ideate, illustrate, and continuously measure their cyber posture using a new US guideline in cyber risk developed by NIST.
George attended California State University Chico, is a graduate of California State University Sacramento and a graduate of the Stanford Latino Executive Initiative (SLEI-ed) and Latino Business Action Network (LBAN) Graduate School of Business certificate program.
-------------------------------------------------------------------------------
Find out more about ISO training and certification services
Training: https://pecb.com/whitepaper/iso-27001-information-technology--security-techniques-information-security--management-systems---requirements
https://pecb.com/en/education-and-certification-for-individuals/iso-iec-27701
Webinars: https://pecb.com/webinars
Articles: https://pecb.com/article
Whitepapers: https://pecb.com/whitepaper
The document summarizes a presentation about maximizing data's potential given data growth and security risks. It discusses:
- The massive growth in data creation that will reach 163ZB by 2025
- The need for increased data protection as most data requires some level of security but actual protection falls short, presenting an industry need for improved security technologies
- An overview of cybersecurity scope covering enterprise security, integrated assurance management, and enabling a full lifecycle data security model
- The importance of security certifications and standards for algorithms, security modules, functionality, and data disposal to ensure trusted and authentic security
- Managing risks through a maturity staircase approach to policy compliance, certification preparation, and establishing a product security operations center
Strategies for Conducting GxP Vendor Assessment of Cloud Service Providers - ... (Montrium)
Want to deploy a new technology solution but not sure where to begin? These slides cover key considerations for choosing a vendor with cloud compliance and validation in mind. With the Office 365 subscription-based service gaining considerable momentum in the life sciences, it's important to stay ahead of the technological and regulatory curve and consider how an EDMS system will bring improvements to managing your GxP content.
Here we cover the following topics:
-Vendor assessment of Microsoft
-Subscription basics of Office 365
-Review of ISO/SOC audit reports
-Ensuring that no critical observations are made
-Security and quality controls in place
You can follow along with this presentation via webinar format:
https://info.montrium.com/strategies-for-conducting-gxp-vendor-assessment-of-cloud-service-providers
This document introduces the Industrial Automation and Control Systems (IACS) Compliance and Certification Framework (ICCF) which aims to establish a fully bridged European certification scheme for IACS cybersecurity. The ICCF proposes four certification schemes of increasing rigor. It involves compliance assessment, cyber resilience testing, and development process evaluation activities. The ICCF is supported by common assessment requirements, protection profiles, and a certification process. It establishes a structure for certifying IACS components and families of products based on their critical assets, operating conditions, protection assumptions, and security functions. Stakeholders are encouraged to join trials of the ICCF in 2017.
The emerging PCI DSS and NIST standards (Ulf Mattsson)
PCI DSS and NIST standards are evolving to address modern payment environments and security risks. A draft of PCI DSS v4.0 proposes new requirements around scope validation, encryption of cardholder data transmissions, security awareness training, and risk assessments. It also offers a customized validation approach with more flexibility in how organizations meet requirements. Major changes in v4.0 focus on strengthening security, adding flexibility, and supporting new payment technologies and cloud environments.
Network Rail & Innovate UK: Scope of "SBRI Innovation in Rail Security Survei... (KTN)
Two new SBRIs have been announced to drive efficiency and safety in the rail industry. Network Rail will work with Innovate UK, part of UK Research and Innovation, to invest up to £3m to address two of the objectives identified in Network Rail’s CP6 funding strategy for research and development:
- Automated tunnel examination
- Security surveillance analytics for stations
This briefing event is an opportunity for you to find out more about the two SBRI competitions and how to apply, and there will be ample time for networking.
The webcast recording is now available: https://youtu.be/Uqq452lk90c
Find out more about the Transport Interest Group at https://ktn-uk.co.uk/interests/transport
Join the KTN Transport group on LinkedIn at https://www.linkedin.com/groups/4148691/
CCCAB (Common Criteria Conformity Assessment Body) Tool is a unique framework that will allow Common Criteria CABs to smooth the certification process for ICT products, reducing the cost and time required in each single certification process.
CCCAB will be developed to support NCCAs (National Cybersecurity Certification Authorities) acting as CABs for assurance level "high", and CABs (Conformity Assessment Bodies) for assurance level "substantial", operating under the EUCC scheme (the Common Criteria based European candidate cybersecurity certification scheme).
CCCAB has been selected by the European Commission under the Connecting Europe Facility (CEF) programme as a granted project. Two European NCCAs are also supporting CCCAB: CCN (Spain) and OCSI (Italy), reflecting the magnitude of the project.
CCCAB will be released as an open source product and will be free to use, allowing the community to improve the tool in the future. The presentation will show the objectives, the status of development, the potential of the tool and what it will mean for the different stakeholders involved in a Common Criteria certification process.
Day2.2 Paving the Road Towards Continuous Certification: OSCAL and the EUCS (Maitena Ilardia)
The European project MEDINA is analysing how to leverage OSCAL to achieve continuous certification, one step beyond continuous compliance, as required by the European cloud services certification scheme. Presented at the US NIST OSCAL Workshop in February 2021.
Day2.2 Paving the Road Towards Continuous Certification: OSCAL and the EUCS (MEDINA)
The document discusses the EU Cybersecurity Scheme for Cloud Services (EUCS) and its requirements for continuous monitoring and certification. It introduces the MEDINA project, funded by the EU, which aims to develop a framework for achieving continuous audit-based certification aligned with the EUCS through continuous monitoring. The project will leverage the Open Security Controls Assessment Language (OSCAL) for machine-readable representation of security controls and certificates. It seeks collaboration with NIST on further development and adoption of OSCAL to support its goals.
This webinar provides an overview of the CMMC certification process and how ControlCase can help organizations achieve and maintain compliance. It discusses what CMMC is, who it applies to, the different certification levels, and the assessment process. ControlCase offers certification services to help clients become certified in CMMC and other standards with one audit. It also provides continuous compliance services through automated tools to address vulnerabilities and ensure ongoing compliance.
Industrial Automation Control Systems Cybersecurity Certification. Chapter II (Javier Tallón)
The document summarizes a proposal for an EU Industrial Automation and Control Systems (IACS) Components Cybersecurity Certification Scheme (ICCS). It introduces Georgios Theodoridis from the EC and Jose Ruiz from jtsec who are involved in developing the ICCS. It then outlines the ICCS, including its goals of increasing EU cybersecurity and the internal market through a harmonized certification approach. The ICCS would define common certification criteria and assurance levels for IACS components and recommend how to implement the scheme in line with the EU Cybersecurity Act.
Digital Forensics Triage and Cyber Security (Amrit Chhetri)
Digital Forensics and Forensics Triage are important concepts in cyber security. Forensics Triage is the process of collecting, analyzing, and prioritizing digital evidence during an investigation. It aims to increase efficiency and reduce costs. There are different types of Forensics Triage including live and postmortem triage. Automating Forensics Triage using tools can further improve the process. Operational technology forensics related to industrial control systems also requires Forensics Triage. Standard tools and newer automated tools can be used for Forensics Triage.
04_a_CEPEJ(2021)5 EN - CEPEJ roadmap certification AI (1).docx (PetruVrlan)
This document outlines a roadmap for introducing a labelling mechanism within the CEPEJ to certify artificial intelligence tools and services used in the justice system. The proposed mechanism would involve setting up a labelling committee, defining label requirements, and establishing an application process. It would aim to promote compliance with the CEPEJ's Ethical Charter on AI through a simplified voluntary certification system. The roadmap describes necessary strategic, operational, and technical steps as well as anticipated resource needs to implement the labelling mechanism.
Evolving cryptographic evaluation - Episode II (Javier Tallón)
No manufacturer is unaware that the cryptographic requirements for developing any product keep growing. For this reason, CCN has developed, with the support of jtsec, a methodology that includes conformance testing, the search for common implementation errors, and implementation requirements for cryptographic primitives, applied to the LINCE methodology. In this talk we will explain the main changes introduced in the Metodología de Evaluación de Mecanismos Criptográficos (Cryptographic Mechanisms Evaluation Methodology) presented last year, as well as the definition of the new Cryptographic Evaluation Methodology in accordance with CCN STIC-130.
How to evaluate biometric solutions in order to include video identification products... (Javier Tallón)
There is currently a large number of biometric solutions on the market, increasingly applied in key sectors such as banking, public administration and insurance.
The Ministry of Economic Affairs and Digital Transformation published the first ministerial order, in BOE no. 115 of 14 May 2021, regulating remote video identification methods for the issuance of recognised electronic certificates. Following this legislation, CCN developed a biometric evaluation module (MEB) that allows biometric solutions to be evaluated both under the LINCE methodology and under Common Criteria, following the IT-014 guide.
During the talk we explain how the IT-014 guide is applied and the different types of presentation attacks it covers: impostor, videos, masks, deepfake tools, etc.
The talk is eminently technical and will show examples of real attacks executed during evaluations.
jtsec, drawing on its experience in the first evaluations of biometric solutions, will offer an overview of how these evaluations have been carried out and of the types of attacks that are hardest for vendors to mitigate.
The talk describes the particularities of cloud evaluations, both at the technical level and in the process. It also highlights the efforts made at national level so that this type of solution can be evaluated.
More Related Content
Similar to ICCC23 -The new cryptographic evaluation methodology created by CCN
The document outlines work packages 4 and 5 of the SCADALab project. Work package 4 involves implementing the SCADA laboratory designed in work package 3, including setting up the laboratory area and connecting it to various test beds. Work package 5 focuses on pilot testing and experimentation using the new SCADA laboratory to conduct security assessments and tests on the connected infrastructure test beds. The work will validate the SCADA laboratory design and help refine it for future use in assessing the security of critical infrastructure systems.
CMMC, ISO/IEC 27701, and ISO/IEC 27001 — Best Practices and Differences (PECB)
After the last 2020 Global Leading Voices webinar, which compared ISO 27001 with the CCPA and the NY SHIELD Act, we're taking a look at the next level of information and cybersecurity management.
How can you assess your security management? The CMMI model (using the 1 to 5 grading) is a well-known system. In early 2020 the US DOD launched the CMMC, the Cybersecurity Maturity Model Certification, which uses the same levels for cybersecurity. In this session we'll discuss the maturity evaluation principles for information security, cybersecurity and application security, and how you can use them in practice.
The webinar covers:
- What's the CMMI?
- What's the CMMC?
- Maturity in security governance (ISMS, cyber, application)
- Security maturity vs audit cycles
Recorded Webinar: https://youtu.be/9BpETh_nAOw
Vulnerability Detection Based on Git History (Kenta Yamamoto)
This document discusses a methodology for detecting vulnerabilities in software based on analysis of the project's Git history. It proposes an approach called HVD that considers whether lines of code were added or removed in code changes, which could improve precision over existing techniques. An evaluation using a dataset of over 350,000 commits found that HVD increased the area under the precision-recall curve by 18.8% compared to a baseline that ignores line additions and removals. Features related to computer resources like memory, CPU and networking were found to most significantly contribute to the classification model. The study demonstrates that automatically detecting vulnerabilities from Git data can produce results aligned with human intuition.
Common Criteria is the most widely used international standard for cybersecurity certification of ICT products. CC has lights and shadows, and for most stakeholders the main drawback might be the assurance continuity process. The application of CC to re-certifications of updates or security-patched products is very slow and not adapted to the time to market of new product versions. EUCC includes patch management as an activity that may be assessed as part of the evaluation process. ISO SC27 WG3 has been working hard in recent years to prepare the technical specification that could be used to evaluate the TOE's patching functionality and the developer's patch management, by adding new modules that can be integrated into PPs and STs. This talk will explain the current status and news of the ISO Technical Specification, and explain how it addresses the patch management problem taking into account the Cyber Security Act requirements. The speakers will be Javier Tallon and Sebastian Fritsch, co-editors of ISO/IEC TS 9565.
The document discusses various certification models for ensuring accountability and compliance with the GDPR. It describes EuroPrise and ISDP10003:2015 as examples of certification schemes that aim to provide accountability through a transparent certification process (EuroPrise), and through establishing technical and organizational measures and controls across an organization's data protection processes (ISDP10003). It also analyzes different certification models based on their scope - whether they take a multi-sector or single-sector approach, operate at an international, national or sub-national level, and whether they provide comprehensive certification of all GDPR aspects or focus on single issues.
CMMC 2.0 vs. ISO/IEC 27001 vs. NIST 800-171: What You Need to Know (PECB)
The CMMC, NIST 800-171, and ISO/IEC 27001 frameworks include the application of a structured approach to cybersecurity and a formal risk assessment process, and the implementation of customized security controls. However, each of them has a distinct scope.
The webinar covers
• US legislative overview, impacts and update in NIST adoption
• Weaving together NIST PF and NIST 800-171
• Quick definitions for CMMC / 27001 / 800-171
• Common scope elements between CMMC / 27001 / 800-171
• Differences in scope between CMMC / 27001 / 800-171
• When to implement each of the three
• How these three can support each other
• The link between these three and cyber insurance
• How each of these is used to measure and implement compliance
Presenters:
Anthony English
One of the top cybersecurity professionals in Atlantic Canada with extensive Canadian and International experience in cybersecurity covering risk assessment, management, mitigation, security testing, business continuity, information security management systems, architecture security reviews, project security, security awareness, lectures, presentations and standards-based compliance.
George Usi
George Usi is the CEO of Omnistruct Inc, a GaaS (cyber Governance as a Service) company with a vision to be the safety airbag of cyber risk and compliance.
ICCC2023 Statistics Report, has Common Criteria reached its peak? (Javier Tallón)
As has become customary in recent editions of ICCC, the statistics related to Common Criteria provide significant market data. This year, stable data is presented. Data collection is done using CC Scraper, a tool developed by jtsec that automatically analyzes information from the CC and CB portals using OCR capabilities and other features. Would you like to know the data for the first three quarters of 2023 and the evolution in recent years in terms of the number of certifications? Other data will also be disclosed, such as top labs and vendors, most used assurance levels, or most used protection profiles. This presentation showcases Common Criteria's data in a year when the market has stabilized after several years of political and health instability.
The advantage of implementing a cybersecurity solution certified by the C... (Javier Tallón)
The document introduces the Centro Criptológico Nacional (CCN) and the Esquema Nacional de Seguridad (ENS), and explains that the CCN-STIC 105 Catálogo de Productos y Servicios de Seguridad de las Tecnologías de la Información y la Comunicación (CPSTIC) offers a list of products whose security guarantees have been verified by CCN. It also describes the LINCE and Common Criteria certification processes for including products in the catalogue, and the benefits this brings to organisations.
You have surely seen how more and more sectors, such as banking or insurance, allow legally binding accounts to be opened without (a priori) the intervention of a human operator, thanks to video identification processes, but have you asked yourself how secure they are?
The Ministry of Economic Affairs and Digital Transformation, in BOE no. 115 of 14 May 2021 and in response to the health emergency caused by the COVID-19 crisis, regulated remote video identification methods for the issuance of qualified electronic certificates, which obliges providers of this type of service to validate their solutions under the terms established in annex F11 of the Guía CCN-STIC-140 of the Centro Criptológico Nacional.
That annex requires an accredited laboratory to carry out presentation attacks against this type of solution in order to verify its resistance to techniques such as hyper-realistic masks, deepfakes or contouring. During this talk we will go into the technical details of these attacks, and we will tell you how we managed to inject video into many of these solutions.
Evolving cryptographic evaluation (Javier Tallón)
The use of cryptographic modules to protect sensitive information in hardware, software and firmware products is increasingly widespread. For this reason CCN developed, in its ICT Security Guide CCN-STIC 2002, a Cryptographic Evaluation Module (MEC) that applies to different solutions implementing cryptographic algorithms. This module serves as a reference in numerous evaluations under the LINCE methodology, where it is applied as an additional component.
Owing to the ever-increasing cryptographic requirements, CCN has developed, with the support of jtsec, a methodology that includes conformance testing, the search for common implementation errors, and implementation requirements for cryptographic primitives.
The objective of the cryptographic methodology is to establish a common framework for carrying out the cryptographic evaluations of TOEs that are to be evaluated to obtain a Common Criteria certificate, a LINCE certificate with cryptographic validation, or a STIC certificate with cryptographic validation.
This talk will present the new approach to evaluating cryptography in Spain according to the methodology created jointly by CCN and jtsec. We will also show the tool created to verify the conformance of cryptographic primitives. This presentation will be especially useful for product developers, who will learn about the requirements that will be demanded from now on.
Spain and CCN as leaders in the cybersecurity evaluation of solutions... (Javier Tallón)
Developing products directly in the cloud (cloud native) is an increasingly widespread practice in the industry. The Spanish public administration is no exception to this trend, and migrations to the cloud are increasingly common. Deployment and management take place in the cloud, and these are usually developments in constant evolution, giving manufacturers more flexibility for the continuous improvement of their products.
Given the continuous increase in products developed in the cloud, in February 2020 CCN published Annex G of the "Guía de Seguridad de las TIC CCN-STIC 140" for the Taxonomy of STIC products - Cloud services, which sets out the Fundamental Security Requirements (RFS) for this type of service, considered as additional requirements that complement those defined for each product family. This guide is a pioneer at international level for the evaluation of cloud services, and it is worth noting that Spain is the first country to create an evaluation methodology for this type of service. Cloud evaluations normally focus on the management and infrastructure of the service/product, leaving aside the security functionality it implements.
In cybersecurity evaluations there is the particularity that these services/products cannot be fully controlled/installed in the laboratory when the evaluation is performed, so they cannot be certified using the LINCE or Common Criteria methodologies. This problem exists at international level.
To resolve this situation, CCN designed a strategy for evaluating cloud services through complementary STIC evaluations using the LINCE methodology.
This route has enabled cloud services to be qualified in the CPSTIC / CCN-STIC 105 catalogue. To date, there are 6 cloud services included in the CPSTIC catalogue. All of them have been evaluated by jtsec.
En jtsec nos hemos tenido que adaptar tecnológicamente para afrontar este tipo de evaluaciones, puesto que alrededor del 70% de evaluaciones iniciadas en 2022 por jtsec corresponden a servicios en la nube.
La charla describirá las particularidades de las evaluaciones en la nube tanto a nivel técnico como en el proceso. Además, pondrá de relieve los esfuerzos realizados a nivel nacional para que se puedan evaluar este tipo de soluciones.
EUCA 22 - Let's harmonize labs' competence: ISO 19896 - Javier Tallón
Harmonization of the competence of the different labs/evaluators has always been a topic for discussion in the Cybersecurity Certification community.
At ISO level, a new standard has been approved aiming to support this goal: ISO 19896.
ISO/IEC 19896 sets out the requirements for information security testers and evaluators, including a set of concepts and relationships for understanding the competency of individuals performing Common Criteria evaluations.
The requirements of this new ISO standard allow verifying that laboratories and personnel have sufficient capacity to handle a Common Criteria evaluation. However, there are some controversial points regarding this ISO standard and how to apply it in Common Criteria, which will be explained during the talk.
Other topics to be addressed during the talk will be how EUCC, the first European cybersecurity scheme for ICT products, will cover the requirements of this ISO and other related standards.
EUCA22 Panel Discussion: Differences between lightweight certification schemes - Javier Tallón
As we all know, Europe is one of the leading players in the world in terms of cybersecurity certification. The main European countries issuing certifications, such as France, the Netherlands, Germany and Spain, have created their own lightweight/fixed-time methodologies (CPSN, BSPA, BSZ and LINCE), all of them with many similarities but also with quite a few national differences. This panel will open the discussion among the relevant stakeholders for European recognition of these schemes. The panel will also discuss the future European fixed-time methodology led by JTC13 WG3, called FITCEM, which aims to unify all European schemes into a single one, and the potential impact that FITCEM will have, both technically and in terms of the European market, on the different stakeholders (manufacturers, laboratories, certification bodies, institutional agencies, etc.).
How to include products and services in the CPSTIC catalogue (CCN-STIC 105)? - Javier Tallón
Including products and services in the reference cybersecurity catalogue for the Public Administration is not straightforward.
A LINCE or Common Criteria evaluation must be passed in order to gain access to the catalogue.
The CPSTIC catalogue can include both on-premise and cloud solutions, which is a great advantage for cloud-native developers.
In this presentation we explain the different ways of including a solution in the CPSTIC catalogue, as well as the steps to follow.
Is Automation Necessary for CC Survival? - Javier Tallón
The use of different automation tools in Common Criteria is a reality. In recent years, it has been demonstrated that the capacity to take on a large number of Common Criteria evaluations, both by laboratories and by the Certification Bodies, is limited. The automation of certain processes through the use of tools created specifically for this purpose is seen as the only possible way to speed up the process, both in terms of time and workload. How will the use of tools affect the immediate future of the different stakeholders in Common Criteria? Will automation lead to an increase in the number of certifications and the possibility that more companies will be able to become certified?
CCCAB tool - Making CABs' life easy - Chapter 2 - Javier Tallón
CCCAB (Common Criteria Conformity Assessment Body) Tool is a unique framework that will allow Common Criteria CABs to smooth the certification process for ICT products, reducing the cost and time required in each single certification process.
CCCAB will be developed to support NCCAs (National Cybersecurity Certification Authorities) when acting as CABs for level high and CABs (Conformity Assessment Bodies) for level substantial operating under the EUCC (Common Criteria based European candidate cybersecurity certification scheme) scheme. CCCAB has been selected by the European Commission under the Connecting Europe Facility (CEF) programme as a granted project. Two European NCCAs are also supporting CCCAB: CCN (Spain) and OCSI (Italy), reflecting the magnitude of the project. CCCAB will be released as an open source product and will be free to use allowing the community to improve the tool in the future. This tool was presented at last ICCC.
In this year's presentation, we will show the specifications that have been defined to interact with the tool. We will present the current status of the development, showing the first operational version of CCCAB. Finally, we will discuss the challenges of making the tool widely accessible.
2022 CC Statistics report: will this year beat last year's record number of c... - Javier Tallón
CC Scraper is a tool developed by jtsec 5 years ago that automatically analyses the information from the CC and CB portals using OCR capabilities and other features, including detailed insights about Common Criteria such as certifications per assurance level, trends by Protection Profile and a ranking of manufacturers, among others. We have published free annual reports based on this data. In last year's edition, we presented the statistics for 2021, the year with the most Common Criteria certifications in history. Would you like to know the data for the first three quarters of 2022? Will this year beat last year's record number of certifications? Which labs and vendors will be at the top?
This presentation will show Common Criteria’s data in a year that has taken place against a context of global uncertainty and instability.
CCCAB, the European commitment to the automation of Certification Bodies... - Javier Tallón
Article published in issue no. 148 of Revista SIC, in which we present the tool we are developing, a pioneer in the market.
CCCAB is a project funded by the European Commission under the Connecting Europe Facility (CEF) programme, which saves time and effort for CABs (Conformity Assessment Bodies), lightening their workload to optimise the certification phase.
This document discusses José Ruiz and his experience with Common Criteria and FIPS certification standards. It then summarizes the need for automation tools to streamline the certification process, addressing issues like a lack of engineers and high paperwork demands. Specific tools are mentioned, including NIAP's tool for automating security targets and CCToolbox, which the document's author developed. CCToolbox aims to simplify and automate documentation, evaluation activities, and the overall certification workflow. Benefits discussed include reduced time and costs for manufacturers and laboratories.
This document summarizes Common Criteria certification statistics from various sources including the CCScraper tool. It provides statistics for 2021 based on data collected up to September 30th, highlighting the top certification schemes, assurance levels, laboratories, product categories and manufacturers. It also analyzes trends over the past 5 years and discusses the impact of the COVID-19 pandemic on certification numbers.
The document discusses cybersecurity certification standards. It provides a brief history of early certification standards from the 1980s to the present Common Criteria standard. It notes that certification involves an accredited third party audit against a standard to issue a conformity certificate. Successful standards are cost-effective, provide value, and have properties like those in the Kama Sutra. The document also introduces the jtsec cybersecurity company, describing their evaluation, consultancy, and development teams and some of their projects involving major tech companies.
III ENS Meeting - Using CPSTIC/ENECSTI in the administration - Tools... - Javier Tallón
This document presents information about the Catalogue of ICT Security Products (CPSTIC), including the certifications valid for including products in the catalogue, such as LINCE and Common Criteria. It also describes success stories of the catalogue's use in the Spanish public administration for products such as video-identification tools, firewalls and electric vehicle chargers. The objective of the catalogue is to provide a list of products with security guarantees for use in the public sector.
Demonstrating the cybersecurity of your products and systems through audits... - Javier Tallón
Talk given to health professionals thanks to the collaboration of the PTS (Parque Tecnológico de la Salud), detailing the different types of audits and certifications suitable for the e-health field.
Cybersecurity certification in Europe, a common challenge - Javier Tallón
Europe is a world power in terms of cybersecurity certification, which is why there are common initiatives and development plans promoted by the European Union to create common frameworks and certifications in the coming years.
2. About me
About us: jtsec Beyond IT Security
• Cybersecurity evaluation & consultancy services
• Common Criteria, LINCE and ETSI EN 303 645 accredited lab.
• Developers of the most powerful tool for Common Criteria, CCToolbox.
• Involved in standardization activities (ISO, CEN/CENELEC, ISCI WGs, ENISA CSA WGs, CCUF, CMUF, ERNCIP, …)
• Members of the SCCG (Stakeholder Cybersecurity Certification Group)
• jtsec is part of the A+ group along with Lightship Security. We have labs in Canada, USA and Spain.
José Ruiz Gualda (jruiz@jtsec.es)
• Computer Engineer (University of Granada)
• Expert in Common Criteria, LINCE and FIPS 140-2 & FIPS 140-3
• Member of the SCCG (Stakeholder Cybersecurity Certification Group) at the European Commission.
• Secretary of SC3 at CTN320
• Editor of LINCE as UNE standard
• Editor in JTC13 WG3 of the FITCEM Methodology
• European Commission reviewer for the ERNCIP group "IACS Cybersecurity Certification".
• Former ICCC program director
3. INDEX
1. History of Cryptographic Evaluation
2. Cryptographic Evaluation Today
3. Cryptographic Mechanisms Evaluation Methodology
4. Cryptographic Evaluation Tool
5. Cryptographic Evaluation Methodology
6. Conclusions
5. History of the Cryptographic Evaluation
José Ruiz | JTSEC The new cryptographic evaluation methodology created by CCN
5 / 41
USA: NIST (National Institute of Standards and Technology)
• Verification of Conformity according to FIPS 140-1, FIPS 140-2 and FIPS 140-3
• CMVP - Designed for certifying cryptographic modules
• CAVP - Designed to certify cryptographic algorithms
• Publication of multiple "Special Publications" specifying cryptographic algorithms and how to test them
6. History of the Cryptographic Evaluation
International
7. History of the Cryptographic Evaluation
Spain
Certification Body for cryptographic modules - OC-CCN (Spanish National Cryptologic Centre)
9. Cryptographic Evaluation Today
Europe
• SOG-IS Crypto Evaluation Scheme Harmonised Cryptographic Evaluation Procedures v0.16 (December 2020)
  ◦ First SOG-IS evaluation methodology
  ◦ Implementation of cryptographic mechanisms
  ◦ Pitfalls Prevention Requirements
• SOG-IS Crypto Evaluation Scheme Agreed Cryptographic Mechanisms v1.3 (February 2023)
  ◦ Cryptographic mechanisms agreed and recommended by SOG-IS
  ◦ Acceptable level of security
  ◦ Implementation guidelines
10. Cryptographic Evaluation Today
Spain
CCN-STIC 130 Guide: Cryptologic Evaluation Requirements Guide (October 2017)
• Requirements for Approval of Encryption Products to Handle Classified National Information
• FIPS-like approach
• Security Requirements
MEC – LINCE: Cryptographic evaluation module within the LINCE methodology
• Very light cryptographic conformance testing following the NIAP Protection Profiles approach
Botan-CCN Cryptographic Library: Reference implementation of CCN to perform conformity testing of the cryptographic mechanisms in cryptographic evaluations
11. Cryptographic Evaluation Today
Spain
CCN-STIC 221 Guide: Cryptographic Mechanisms authorized by CCN
• Includes new CCN-authorized algorithms with respect to the European ACM
• Transversal use guide, not limited to ENS
12. Cryptographic Evaluation Today
Evolution
Timeline:
• Jan 1994: FIPS 140-1
• Dec 1999: AIS 20/31
• May 2001: FIPS 140-2
• March 2006: ISO/IEC 19790:2006
• Aug 2012: ISO/IEC 19790:2012
• May 2016: SOGIS Agreed Cryptographic Mechanisms 1.0
• Jan 2018: SP800-90B
• June 2018: SOGIS Agreed Cryptographic Mechanisms 1.1
• Oct 2018: CCN-STIC-130
• Dec 2018: Lince
• March 2019: FIPS 140-3
• Jan 2020: SOGIS Agreed Cryptographic Mechanisms 1.2
• Dec 2020: SOG-IS HEP
• May 2022: CCN-STIC 807
• Feb 2023: SOGIS Agreed Cryptographic Mechanisms 1.3
• March 2023: CCN-STIC 221 Cryptographic Mechanisms Authorized by the CCN
• Coming...: CCN Cryptographic Mechanisms Evaluation Methodology
• Coming... 2023: CCN Cryptographic Evaluation Methodology
13. Cryptographic Evaluation Today
Is this only a Spanish issue? | Reasons why the cryptographic mechanisms methodology is necessary
FIPS and/or ISO FIPS:
• It only works when the module has been created to meet FIPS requirements.
• It does not work well for products that integrate cryptography but do not use a third-party cryptographic module.
STIC 130:
• Does not include algorithm-level conformity and includes product implementation requirements.
• Not 100% focused on cryptographic implementation.
• Provides the security point of view.
We do not have a methodology that evaluates cryptographic algorithms and protocols.
15. Usage
CCN Cryptographic Mechanisms Evaluation Methodology
• Products whose main functionality requires cryptography (e.g., VPNs, ciphers, secure communications, etc.)
• According to three increasing Certification Levels: CL1, CL2 & CL3
• During CC, LINCE and Complementary STIC certification processes.
16. Definition
CCN Cryptographic Mechanisms Evaluation Methodology
Document Structure
• Cryptographic Requirements
• Agreed Cryptographic Mechanisms
• Conformity Testing
• Common Implementation Pitfalls
17. Evaluation tasks and evaluation test
Structure
Each section contains:
• One or several tasks. They are mandatory independently of the implementation and shall be executed for the associated certification level.
• One or several tests defined and associated with each task. They are categorized as mandatory or implementation dependent. Moreover, the required vendor inputs are detailed for each test.
Some specific examples:
18. Cryptographic Mechanisms Evaluation Methodology
Structure
1. Cryptographic Requirements
Objective: To specify the requirements extracted by CCN from the CCN-STIC 130 guide that apply to the security of cryptographic products, related to the cryptographic mechanisms and primitives implemented, in relation to:
• Self-tests (not required by SOGIS nor CCN STIC-221)
• Critical Security Parameters (CSP) Management (with additional requirements beyond those required by SOGIS)
• Mitigation of Other Attacks (not required by SOGIS nor CCN STIC-221)
Evaluation: The evaluator shall verify that the TOE complies with the cryptographic requirements listed in this section.
19. Cryptographic Mechanisms Evaluation Methodology
1. Cryptographic Requirements - Critical Security Parameters (CSP) Management
The methodology not only evaluates the SOGIS-related Key Management requirements, but also assesses the entire life cycle of every SSP managed by the TOE. Example: SSP Life Cycle Management for AES_EDK.
This comprehensive approach ensures a thorough evaluation of the security posture of the TOE beyond just key management.
20. Cryptographic Mechanisms Evaluation Methodology
Structure
2. Approved Cryptographic Mechanisms
Objective: To specify the cryptographic mechanisms recognized and agreed by CCN.
Evaluation: The evaluator shall verify that the cryptographic mechanisms implemented by the TOE comply with the guidelines presented by the CCN in the CCN STIC-221 guide, including correct parametrization.
21. Cryptographic Mechanisms Evaluation Methodology
Structure
3. Conformance Testing
Objective: To specify the requirements necessary to perform conformity testing of the cryptographic primitives and mechanisms implemented by the TOE. These tests shall determine whether the cryptographic primitives and mechanisms used by the TOE are correctly implemented. This is similar to what NIST does, but also verifying parameterizations and limit values that often lead to errors.
Evaluation: The evaluation process is divided into four steps:
1. Generation of Test Vectors: Request and Sample files.
2. Generation of Results by the Vendor: Response File
3. Generation of Results by the Evaluator: Response File
4. Validation of Results by the Evaluator
22. Cryptographic Mechanisms Evaluation Methodology
Conformance Testing Evaluation Process Diagram
23. Cryptographic Mechanisms Evaluation Methodology
Test Vectors Generation
◦ The evaluator shall generate a 'REQUEST' file (in JSON format) for each cryptographic mechanism implemented by the TOE, containing the test vectors associated with the supported parameterization.
◦ Additionally, the evaluator shall generate the 'SAMPLE' file (in JSON format) for each cryptographic mechanism implemented by the TOE, containing an example solution to indicate the format of the expected result.
The evaluator shall send to the vendor a file package containing the 'REQUEST' and 'SAMPLE' files associated with all cryptographic mechanisms implemented by the TOE.
24. Cryptographic Mechanisms Evaluation Methodology
Generation of Results by the Vendor
◦ The vendor shall generate a 'RESPONSE' file associated with each cryptographic mechanism implemented, containing the output provided by the TOE for each of the test vectors provided in the 'REQUEST' file.
◦ The vendor shall retain the JSON format presented in the 'REQUEST' and 'SAMPLE' files for the generation of the 'RESPONSE' file.
The vendor shall send to the evaluator a file package containing the 'RESPONSE' files associated with all cryptographic mechanisms implemented by the TOE.
25. Cryptographic Mechanisms Evaluation Methodology
Generation of Results by the Evaluator
The evaluator shall generate the 'RESPONSE' file associated with each cryptographic mechanism implemented by the TOE, using the Botan-CCN library as the reference cryptographic implementation.
The evaluator shall retain the JSON format presented in the 'REQUEST' and 'SAMPLE' files for the generation of the 'RESPONSE' file.
26. Cryptographic Mechanisms Evaluation Methodology
Validation of Results by the Evaluator
The evaluator shall validate the 'RESPONSE' files provided by the vendor for each cryptographic mechanism implemented by the TOE, comparing the results provided with those obtained in the previous step using the Botan-CCN cryptographic library.
The evaluator shall determine whether the TOE correctly implements the cryptographic mechanisms and primitives used and declared.
27. Cryptographic Mechanisms Evaluation Methodology
Structure
4. Common Implementation Pitfalls
Objective: To specify the requirements necessary to avoid implementation pitfalls in the cryptographic primitives and mechanisms implemented by the TOE.
Evaluation: The evaluator shall verify that the cryptographic mechanisms implemented by the TOE comply with the implementation pitfall avoidance guidelines presented by the SOG-IS in the SOG-IS Harmonized Cryptographic Evaluation Procedures guide.
28. Cryptographic Mechanisms Evaluation Methodology
Common Implementation Pitfalls - Example: Key Derivation Implementation Pitfall
29. Cryptographic Mechanisms Evaluation Methodology
Advantages of the Cryptographic Mechanisms Evaluation Methodology over SOG-IS
Cryptographic Mechanisms Evaluation Methodology
• Complete evaluation methodology. It establishes concrete evaluation tasks depending on the certification level (CL1, CL2 or CL3) to be followed by the evaluator for each cryptographic mechanism to assess:
  ◦ Cryptographic Management requirements
  ◦ Mitigation of other attacks.
  ◦ Usage of approved mechanisms, including post-quantum algorithms and specific entropy requirements
  ◦ Conformity Testing
  ◦ Common implementation pitfalls avoidance.
• Self-tests. It is verified that the self-tests are properly implemented for each algorithm according to CCN requirements. Several evaluation tasks are designed to evaluate their implementation and correct operation.
SOG-IS HEP and ACM
• Provides the agreed mechanisms and their associated requirements, and the evaluation tasks to:
  ◦ Verify their correct implementation according to their associated standard
  ◦ Perform the conformity testing.
  ◦ Avoid implementation pitfalls.
  ◦ Verify key management (with fewer requirements than the CCN evaluation methodology)
• Self-tests requirements and Mitigation of other attacks are not specified.
30. Cryptographic Mechanisms Evaluation Methodology
Advantages of the Cryptographic Mechanisms Evaluation Methodology over SOG-IS
SOG-IS HEP and ACM
• List of classical algorithms without including references to post-quantum algorithms
• New Algorithms: The Cryptographic Mechanisms Evaluation Methodology includes new "classical" and post-quantum algorithms recommended by the Spanish CCN in the new STIC 221 guide.
  ◦ New recommended classical algorithms: SCRYPT, ChaCha20_Poly1305, EdDSA
  ◦ Post-Quantum Algorithms: CRYSTALS-Kyber, CRYSTALS-Dilithium, Falcon, SPHINCS+
  ◦ FrodoKEM is also recommended. It will not be standardised as part of NIST's PQC project, mainly due to efficiency considerations, but there are currently no doubts about its security.
31. Cryptographic Mechanisms Evaluation Methodology
Advantages of the Cryptographic Mechanisms Evaluation Methodology over SOG-IS
Cryptographic Mechanisms Evaluation Methodology
• Life cycle management of each SSP managed by the TOE. For each SSP, its strength, generation, entry/output, storage and zeroization methods are evaluated.
• Complete list of conformity test vectors for all the agreed cryptographic mechanisms. Example: AES Key Wrapping.
SOG-IS HEP and ACM
• Establishes general Key Management requirements, specifying only the recommended mechanism for each stage.
• The conformity test vectors of several algorithms are not defined or are not complete.
32. Cryptographic Mechanisms Evaluation Methodology
Link with Common Criteria
• The methodology will be used in Common Criteria evaluations at the national level if crypto is a core component of the product (e.g. VPN, Ciphers, etc...)
• The methodology could be considered a supporting document to harmonize how to evaluate crypto mechanisms.
33. INDEX
1. History of Cryptographic Evaluation
2. Cryptographic Evaluation Today
3. Cryptographic Mechanisms Evaluation Methodology
4. Cryptographic Evaluation Tool
5. Cryptographic Evaluation Methodology
6. Conclusions
34. CCN Cryptographic Evaluation Tool
Definition
Performing Conformity Testing
Structure of the Tool:
o JSON test files: test vectors in hexadecimal format according to the SOG-IS methodology.
o ACVP-Parser: processes the JSON files and extracts the parameters needed to invoke the cryptographic reference implementation.
o Botan-CCN Cryptographic Library: cryptographic reference implementation used to generate the test-vector results and to validate the correctness of the TOE's cryptographic implementation.
35. CCN Cryptographic Evaluation Tool
Flowchart
1. Processing of the test vectors to extract the parameters, using the ACVP-Parser.
2. Invocation of the Botan-CCN cryptographic library to generate the test-vector results from the associated 'REQUEST' file.
3. Generation of the 'RESPONSE' file associated with a cryptographic mechanism, from the 'REQUEST' file and the results obtained with the Botan-CCN cryptographic library.
36. Cryptographic Evaluation Tool - Usage Example: SHA-256
[Figure: the 'REQUEST' file and the 'RESPONSE' file generated by the Tool]
37. Cryptographic Evaluation Tool - Usage Example: SHA-256
[Figure: 'RESPONSE' file generated by the TOE; validation of results]
38. Cryptographic Evaluation Tool - Usage Example: SHA-256
[Figure: 'RESPONSE' file generated by the TOE; validation of results reports ERROR]
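The three steps of the tool's flow (parse the 'REQUEST' file, compute the reference results, emit and compare 'RESPONSE' files), as an added example that is not the CCN tool's code nor the Botan-CCN library. Assumptions: the REQUEST/RESPONSE files use a simplified ACVP-style JSON layout (vsId, tgId, tcId, len, msg, md fields modelled on the public ACVP SHA format; the real tool's files may differ), hashlib stands in for the Botan-CCN reference implementation, and the TOE's RESPONSE is constructed with one digest bit-flipped so that the validation step reports ERROR for that case, as on the slide above.

```python
"""Conformity-test flow for SHA-256 (added example; not the CCN tool's code).

Assumptions: simplified ACVP-style JSON layout for REQUEST/RESPONSE files,
hashlib as a stand-in for the Botan-CCN reference library, and a constructed
TOE response containing one wrong digest.
"""
import hashlib
import json

# Constructed REQUEST file (simplified ACVP-style). Messages are the FIPS 180-4
# example inputs: empty, "abc" and the 56-byte two-block message.
REQUEST_JSON = json.dumps({
    "vsId": 1, "algorithm": "SHA2-256", "revision": "1.0",
    "testGroups": [{"tgId": 1, "testType": "AFT", "tests": [
        {"tcId": 1, "len": 0, "msg": ""},
        {"tcId": 2, "len": 24, "msg": b"abc".hex()},
        {"tcId": 3, "len": 448,
         "msg": b"abcdbcdecdefdefgefghfghighijhijkijkljklmklmnlmnomnopnopq".hex()},
    ]}],
})

# Stand-in for the Botan-CCN reference implementation (assumption).
REFERENCE = {"SHA2-256": hashlib.sha256, "SHA2-512": hashlib.sha512}


def parse_request(request_json: str):
    """Step 1 (ACVP-Parser role): extract algorithm and (tgId, tcId, message) per case."""
    vs = json.loads(request_json)
    cases = []
    for group in vs["testGroups"]:
        if group["testType"] != "AFT":          # Monte Carlo groups are out of scope here
            raise NotImplementedError(f"testType {group['testType']} not handled")
        for tc in group["tests"]:
            msg = bytes.fromhex(tc["msg"])
            if len(msg) * 8 != tc["len"]:        # reject inconsistent vectors early
                raise ValueError(f"tcId {tc['tcId']}: len={tc['len']} but msg is {len(msg) * 8} bits")
            cases.append((group["tgId"], tc["tcId"], msg))
    return vs["vsId"], vs["algorithm"], cases


def generate_response(request_json: str) -> dict:
    """Steps 2 and 3: digest every case with the reference library, build the RESPONSE."""
    vs_id, algo, cases = parse_request(request_json)
    groups: dict[int, list] = {}
    for tg_id, tc_id, msg in cases:
        groups.setdefault(tg_id, []).append(
            {"tcId": tc_id, "md": REFERENCE[algo](msg).hexdigest()})
    return {"vsId": vs_id, "algorithm": algo,
            "testGroups": [{"tgId": g, "tests": t} for g, t in sorted(groups.items())]}


def _digests(response: dict) -> dict:
    """Flatten a RESPONSE into {tcId: lowercase hex digest}."""
    return {t["tcId"]: t["md"].lower() for g in response["testGroups"] for t in g["tests"]}


def validate(reference: dict, toe: dict) -> list:
    """Validation of results: compare the TOE RESPONSE with the reference, case by case."""
    ref, got = _digests(reference), _digests(toe)
    return [(tc, "OK" if got.get(tc) == md else ("MISSING" if tc not in got else "ERROR"))
            for tc, md in ref.items()]


# Constructed TOE RESPONSE: tcId 2 uses upper-case hex (must still pass),
# tcId 3 has its last bit flipped (...c1 -> ...c0) and must be flagged.
TOE_RESPONSE = {"vsId": 1, "algorithm": "SHA2-256", "testGroups": [{"tgId": 1, "tests": [
    {"tcId": 1, "md": "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855"},
    {"tcId": 2, "md": "BA7816BF8F01CFEA414140DE5DAE2223B00361A396177A9CB410FF61F20015AD"},
    {"tcId": 3, "md": "248d6a61d20638b8e5c026930c3e6039a33ce45964ff2167f6ecedd419db06c0"},
]}]}


def run_example() -> list:
    """Full flow: REQUEST -> reference RESPONSE -> verdict per test case."""
    return validate(generate_response(REQUEST_JSON), TOE_RESPONSE)


if __name__ == "__main__":
    for tc, verdict in run_example():
        print(f"tcId {tc}: {verdict}")
```

The verdict list is what an evaluator would attach to the test report: every case is named individually, so a single failing vector (here tcId 3) is traceable to the exact input that the TOE mishandled rather than to a whole algorithm.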
39. INDEX
1. History of Cryptographic Evaluation
2. Cryptographic Evaluation Today
3. Cryptographic Mechanisms Evaluation Methodology
4. Cryptographic Evaluation Tool
5. Cryptographic Evaluation Methodology
6. Conclusions
40. Cryptographic Evaluation Methodology
1. Usage
Cryptographic evaluation methodology addressing the security requirements of the CCN-STIC 130 guidance.
This methodology evaluates the implementation of a TOE beyond the requirements on the cryptographic mechanisms themselves, covering aspects such as:
- Cryptographic module design
- Authentication
- Physical security
- Logical security
- RNG design
- Configuration management system
- Etc.
41. Cryptographic Evaluation Methodology
2. Security Levels
CCN-STIC 130 defines three increasing qualitative levels of security that map directly to the three evaluation levels of the Cryptographic Mechanisms Evaluation Methodology:
- CL1: Low level of CCN-STIC 130 (Restricted)
- CL2: High level of CCN-STIC 130
- CL3: Advanced level of CCN-STIC 130
Each TOE is evaluated according to the sensitivity of the information it handles and to the global evaluation methodology within which the Cryptographic Methodology is being applied.
Some evaluation tasks are common to all levels; others apply only at a given security level.
42. INDEX
1. History of Cryptographic Evaluation
2. Cryptographic Evaluation Today
3. Cryptographic Mechanisms Evaluation Methodology
4. Cryptographic Evaluation Tool
5. Cryptographic Evaluation Methodology
6. Conclusions
43. Conclusions
• Spain is a pioneer in creating a Cryptographic Evaluation Methodology for mechanisms.
• Its use in Common Criteria evaluations is straightforward.
• The methodology is in trial use and will be published soon.
• All this work is a contribution that complements European efforts.
• This effort is necessary to unify criteria in the sector and make life easier for laboratories and vendors.
Let me briefly present myself:
I'm José Manuel Pulido, currently Lead Cybersecurity Consultant at jtsec.
I have been involved in Common Criteria, cybersecurity in general and the development of tools for CC professionals for several years.
I have also participated in various conferences, this being my third year at ICCC.
The statistics that I will present to you today, and the tools used to create them, are elaborated at jtsec, an accredited CC laboratory deeply involved in various standardization groups related to cybersecurity certification, as you can see.
I won't take too much of your time with this presentation. You are welcome to check this slide or the jtsec website after the talk if you want to know more about us.
The power-up tests are the module integrity check, the DRBG test and the tests of the algorithms related to critical functions.
The conditional tests cover running the algorithm tests before first use, the DRBG test again before generating a key, the pairwise tests, the tests of the algorithms dedicated to verifying firmware integrity during an update, and the algorithms related to critical functions.
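The split between power-up and conditional self-tests described in these notes, as an added example that is not CCN's code nor that of any certified module. Assumptions: hashlib and hmac stand in for the module's own algorithm implementations; the DRBG is a toy hash chain used only to show where its known-answer test runs (it is not an SP 800-90A DRBG); and an HMAC with an embedded key stands in for the signature that would normally protect the module image. The image, key and known-answer vectors are constructed for the example.

```python
"""Self-test scheduling for a cryptographic module (added example, not real module code).

Power-up: KATs of the algorithms behind critical functions, module integrity
check, DRBG known-answer test. Conditional: an algorithm's KAT before its first
use, the DRBG test again before key generation, and an integrity check of a new
firmware image before it is accepted. Any failure puts the module in ERROR,
where every service is refused. Assumptions are marked inline.
"""
import hashlib
import hmac
import os

INTEGRITY_KEY = b"constructed-integrity-key"   # assumption: stand-in for the image signature key

# Algorithm implementations the module offers (hashlib/hmac stand in for its own code).
IMPL = {
    "SHA2-256": lambda msg: hashlib.sha256(msg).hexdigest(),
    "HMAC-SHA2-256": lambda key, msg: hmac.new(key, msg, hashlib.sha256).hexdigest(),
}
# Known-answer vectors: (arguments, expected hex digest). Public test values.
KATS = {
    "SHA2-256": ((b"abc",),
                 "ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad"),
    "HMAC-SHA2-256": ((b"key", b"The quick brown fox jumps over the lazy dog"),
                      "f7bc83f430538424b13298e6aa6fb143ef4d59a14946175997479dbc2d1a3cd8"),
}
# The integrity check depends on HMAC, so its KAT must run at power-up, before it.
CRITICAL = {"HMAC-SHA2-256"}


def toy_drbg(seed: bytes, nblocks: int) -> list:
    """Toy hash-chain generator (assumption; stands in for a DRBG, not SP 800-90A)."""
    state, out = seed, []
    for _ in range(nblocks):
        state = hashlib.sha256(state).digest()
        out.append(state)
    return out


def image_mac(image: bytes) -> str:
    """Integrity tag over a module image (assumption: HMAC instead of a signature)."""
    return hmac.new(INTEGRITY_KEY, image, hashlib.sha256).hexdigest()


class CryptoModule:
    def __init__(self, image: bytes, expected_mac: str):
        self.image, self.expected_mac = image, expected_mac
        self.state = "POWER_OFF"
        self.tested = set()      # algorithms whose KAT has passed in this power cycle
        self.log = []

    def _fail(self, what: str) -> bool:
        self.state = "ERROR"     # sticky: cleared only by a new power-up
        self.log.append(f"FAIL {what}")
        return False

    def _kat(self, name: str) -> bool:
        args, expected = KATS[name]
        if IMPL[name](*args) != expected:
            return self._fail(f"KAT {name}")
        self.tested.add(name)
        self.log.append(f"PASS KAT {name}")
        return True

    def _drbg_test(self) -> bool:
        # KAT on the toy DRBG: first block from seed b"abc" must equal SHA-256("abc").
        if toy_drbg(b"abc", 1)[0].hex() != KATS["SHA2-256"][1]:
            return self._fail("DRBG KAT")
        self.log.append("PASS DRBG KAT")
        return True

    def power_up(self) -> bool:
        """Power-up tests, in dependency order: critical KATs, integrity, DRBG."""
        self.state, self.tested = "SELF_TEST", set()
        for name in sorted(CRITICAL):
            if not self._kat(name):
                return False
        if not hmac.compare_digest(image_mac(self.image), self.expected_mac):
            return self._fail("module integrity")
        self.log.append("PASS module integrity")
        if not self._drbg_test():
            return False
        self.state = "OPERATIONAL"
        return True

    def _require_operational(self) -> None:
        if self.state != "OPERATIONAL":
            raise RuntimeError(f"service refused: module state is {self.state}")

    def use(self, name: str, *args):
        """Conditional test: run the algorithm's KAT before its first use in this cycle."""
        self._require_operational()
        if name not in self.tested and not self._kat(name):
            raise RuntimeError(f"conditional KAT for {name} failed")
        return IMPL[name](*args)

    def generate_key(self) -> bytes:
        """Conditional test: DRBG KAT again right before a key is generated."""
        self._require_operational()
        if not self._drbg_test():
            raise RuntimeError("DRBG test failed before key generation")
        return toy_drbg(os.urandom(32), 1)[0]

    def load_firmware(self, new_image: bytes, new_mac: str) -> bool:
        """Conditional test: verify the new image's integrity before accepting the update."""
        self._require_operational()
        if not hmac.compare_digest(image_mac(new_image), new_mac):
            self.log.append("REJECT firmware update: integrity check failed")
            return False
        self.image, self.expected_mac = new_image, new_mac
        self.log.append("ACCEPT firmware update")
        return True


if __name__ == "__main__":
    img = b"constructed firmware image v1"
    m = CryptoModule(img, image_mac(img))
    print("power-up:", m.power_up(), m.state)
    print("SHA2-256 first use:", m.use("SHA2-256", b"abc")[:16], "...")
    print("bad update accepted:", m.load_firmware(b"v2", "00" * 32))
    print("\n".join(m.log))
```

Two design points carry over to real modules: the KAT of the algorithm the integrity check relies on runs before the integrity check itself, and the ERROR state is sticky, so a failed conditional test cannot be bypassed by retrying the service.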