Guys --

It's assumptions like A.NO_EVIL that highlight the fact that in the real world there is no 100% security. Even EAL7 doesn't assure 100% security. And certainly what we write or don't write in the Security Target is not going to make a TOE more or less secure. No amount of academic hair-splitting is going to provide 100% security.

Underlying all the explicit TOE assumptions is an implicit assumption that people in the organization with authority and capability are going to at least try to do their jobs properly. In the real world, some will try but screw up just the same, some won't even try, and some will deliberately undermine and sabotage. As long as everybody (Security Target writers, evaluators, customers, admins and users, etc.) understands that this is the environment we all live and work in, the TOE can provide the level of security it's designed to provide and that the evaluation has "proved" (at some level of assurance) to indeed provide, under the right circumstances. And it's up to the organization to minimize the risks, with policies and procedures and hiring practices etc.

So what should we do, not assume A.NO_EVIL? Then we might as well all close up shop. How can you possibly design a security product that doesn't require somebody somewhere to use it correctly?

— Alex

===================
Alex Ragen, CISSP, ISSA
===================

From: cc-cmt@nist.gov [mailto:cc-cmt@nist.gov] On Behalf Of John Boone

Ms. Ruppel,

I both agree and disagree (and am sometimes neutral), depending on where I start reading ...

If the proposed Guidance and corrective action are as you describe (second-hand), then it is a huge non sequitur. There is nothing in the assumption A.NO_EVIL that is really all that relevant to a specific privilege level, given that all administrators have some elevation of privilege. So you make some good points that its removal isn't really justified, at least not for the stated reasons. And I agree that its removal might be counterproductive.

On the other hand, A.NO_EVIL is a bit of a heavy-weight assumption, although it does seem to accurately describe some of the more relevant, real-world assumptions about administrators. I think a better action would be to break up A.NO_EVIL and, better yet, provide concrete objectives for the Environment to support it. However, in the end, it is just a convention - and there are multiple different ways to say the same thing in an ST. So it is difficult to find particular fault, especially without first-hand knowledge of all the reasoning.

Threats may be perceived as having greater weight, although I think this is more a result of common CC usage rather than by design of the CC. Also, Assumptions can only be addressed by the Environment, whereas Threats can be addressed either by the TOE or the Environment (or by both). So maybe that is part of the reasoning ...

Finally, I think the point about holding administrators accountable overstates the role of an ST in the operational environment. It is the operational organization that chooses to comply with the ST environment (or not). In the latter case, the organization has to accept the risk implied. It's not the other way around. In other words, I can't imagine an administrator saving his or her job because there was a missing assumption about being non-hostile.

John Boone
Principal Engineer
Ashton Security Labs

From: cc-cmt@nist.gov [mailto:cc-cmt@nist.gov] On Behalf Of Michelle Ruppel

Again, I would like to get input from the members of the CC-CMT on the following issue. ;)

Issue: For TOEs that do not have an all-powerful, root-like user, can the standard A.NO_EVIL (Administrators are non-hostile, appropriately trained and follow all administrator guidance ...) assumption be used?

I have been told that the new Guidance for writing Medium Robustness PPs implies that A.NO_EVIL is no longer allowed or needed. Instead a threat should be used about having an all-powerful user, and the TOE can mitigate this threat by using privileges or limited administrative users/roles.

In my opinion, this assumption is useful when accompanying such a threat. Even if the TOE does not have an all-powerful, root-like user, I still believe this is an important assumption. I know there are many organizations that have had breaches that would agree with me; I think this is a real-world issue. Regardless of the aspects of access control, privilege control and role-based control enforced by the TOE, each individual administrator still has the obligation to follow the administrative guidance supplied for their part in the administration of the TOE and to be trustworthy/non-hostile. An assumption defined in the ST documents that there is an expectation that they do so, and provides the employer and end user with the responsibility and ability to hold them individually accountable. Why would we want to take the capability to hold the administrative users accountable away from the employer and end user?

I look forward to reading your opinions/experiences.

Thanks,
- Michelle

Michelle Ruppel
Saffire Systems
maruppel@saffiresys.com