Kryuchkov, Fundamentals of Nuclear Materials Physical Protection, 2011

is permitted to undertake with respect to the given object. For files, for example, the access matrix implements the following rights: read, write, add, create, delete, rename and execute (for executable files).

When the mandatory principle of access control is implemented, each object and each subject is assigned a two-part attribute. The first part of the attribute reflects one of five secrecy levels (“unclassified”, “restricted” and so on). The second part reflects one of the topical categories. In this case, the following rules should be observed:

a subject is granted the right to read information only if the subject's secrecy level is higher than or equal to the secrecy level of the object, and the category of the object either coincides with or is a subset of the subject's category;

a subject may be granted the right to write to an object only if the object's secrecy level is higher than or equal to the secrecy level of the subject, and the subject's category either coincides with or is a complete subset of the category (group) of the object.
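The two mechanisms described above, the discretionary access matrix for files and the two-part mandatory attribute with its read and write rules, can be put into a single checkable function. The following is an added example written for this page; it is not code from the book or from any NM A&C system. The page names only the “unclassified” and “restricted” levels, so the other three level names are assumptions, as is the decision to route the modifying rights (write, add, create, delete, rename) through the write rule and read/execute through the read rule.

```python
from dataclasses import dataclass

# Constructed secrecy-level ordering, lowest first. The page names only
# "unclassified" and "restricted" and says there are five levels; the other
# three names are assumptions made for this example.
LEVELS = ("unclassified", "restricted", "confidential", "secret", "top secret")

# Rights the page lists for files in the access matrix.
FILE_RIGHTS = frozenset({"read", "write", "add", "create", "delete", "rename", "execute"})


def rank(level: str) -> int:
    """Position of a secrecy level in the ordering (higher means more secret)."""
    return LEVELS.index(level)


@dataclass(frozen=True)
class Label:
    """The two-part mandatory attribute: a secrecy level and a set of topical categories."""
    level: str
    categories: frozenset

    def __post_init__(self):
        if self.level not in LEVELS:
            raise ValueError(f"unknown secrecy level: {self.level}")


def mac_read_allowed(subject: Label, obj: Label) -> bool:
    """Read rule: subject level >= object level and object categories are a subset of the subject's."""
    return rank(subject.level) >= rank(obj.level) and obj.categories <= subject.categories


def mac_write_allowed(subject: Label, obj: Label) -> bool:
    """Write rule: object level >= subject level and subject categories are a subset of the object's."""
    return rank(obj.level) >= rank(subject.level) and subject.categories <= obj.categories


# Assumption of this example: rights that alter the object go through the write
# rule; read and execute, which reveal object content, go through the read rule.
MODIFYING = frozenset({"write", "add", "create", "delete", "rename"})


def access_allowed(matrix: dict, subject_name: str, subject_label: Label,
                   obj_name: str, obj_label: Label, right: str) -> bool:
    """Combined check: the discretionary access matrix first, then the mandatory rules."""
    if right not in FILE_RIGHTS:
        raise ValueError(f"unknown right: {right}")
    # Discretionary part: the matrix cell (subject, object) lists the rights granted.
    if right not in matrix.get(subject_name, {}).get(obj_name, frozenset()):
        return False
    # Mandatory part: the level/category rules decide independently of the matrix.
    if right in MODIFYING:
        return mac_write_allowed(subject_label, obj_label)
    return mac_read_allowed(subject_label, obj_label)


# Constructed sample labels: an analyst cleared to "secret" for one category.
ANALYST = Label("secret", frozenset({"NM_ACCOUNTING"}))
INVENTORY_REPORT = Label("restricted", frozenset({"NM_ACCOUNTING"}))      # below the analyst
AUDIT_LOG = Label("top secret", frozenset({"NM_ACCOUNTING", "SECURITY"}))  # above the analyst
PERSONNEL_FILE = Label("restricted", frozenset({"HR"}))                   # disjoint category

# Constructed access matrix: subject -> object -> rights granted discretionarily.
MATRIX = {
    "analyst": {
        "inventory_report": frozenset({"read", "write"}),
        "audit_log": frozenset({"read", "add"}),
        "personnel_file": frozenset({"read"}),
    }
}


def demo() -> dict:
    """Evaluate a few requests; returns a dict so the outcomes can be checked."""
    return {
        "read_down": access_allowed(MATRIX, "analyst", ANALYST, "inventory_report", INVENTORY_REPORT, "read"),
        "write_down": access_allowed(MATRIX, "analyst", ANALYST, "inventory_report", INVENTORY_REPORT, "write"),
        "read_up": access_allowed(MATRIX, "analyst", ANALYST, "audit_log", AUDIT_LOG, "read"),
        "append_up": access_allowed(MATRIX, "analyst", ANALYST, "audit_log", AUDIT_LOG, "add"),
        "wrong_category": access_allowed(MATRIX, "analyst", ANALYST, "personnel_file", PERSONNEL_FILE, "read"),
        "no_matrix_entry": access_allowed(MATRIX, "analyst", ANALYST, "personnel_file", PERSONNEL_FILE, "write"),
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name:16s} {'allowed' if ok else 'denied'}")
```

The sample shows the consequence of the two rules: the analyst may read the lower-level report but not write to it, may append to the higher-level audit log without being able to read it, and is refused the personnel file despite a matrix entry, because its category is not a subset of the analyst's. The matrix alone would have granted several of these requests; the mandatory rules are applied after it and can only narrow the result.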

More details on access to information based on the discretionary principle are given in the “Operating Systems” section.

For data networking, the Gostekhkomissiya requirements establish that facilities must be provided which prevent transmission of data to an object whose secrecy level is lower than that of the data transmitted.

The logging and accounting subsystem should:

log output of classified printed documents as hard copies;

log attempts of software access to the following protected access objects: network components and fragments, ports, peripherals and processes;

log all detected network data exchange errors;

automatically account for protected objects as they are created by giving them additional labels used by the access control subsystem;

clear (zero, initialize, depersonalize) vacated storage areas in computers and on segregated external carriers. Clearing is done by writing random data twice into any vacated storage area that was used to store protected information.

Printout of classified documents requires automatic labeling of sheets by numbers and accounting requisites. Simultaneously, an account card should be made out for the document with specified logging parameters.

Requirements to the integrity and cryptography support subsystems coincide in full with requirements to similar subsystems of Class 3 A&C systems.

Requirements to class 1 A&C systems include all requirements to class 2 and class 3 A&C systems.


Requirements to access control subsystems include authentication of users during remote access to the server and the workstation using such techniques as are resistant to interception of communications and active influences on networked data. The subject, which is the source of data, should be also authenticated, that is, features should be used that verify the trustworthiness of the data block source by such techniques as are resistant to interception of communications and active influences on networked data.

The logging and accounting subsystem should log changes in the powers of access subjects and in the status of access objects. Subject to logging are also the connections between distant processes and attempted compromise alarms sent to the workstation display and the attacker.

The cryptographic subsystem should encrypt all classified information written on data carriers shared by various access subjects, transmitted over network communication channels, or stored on portable data media. The access of subjects to encryption operations and to the respective cryptographic keys should be additionally controlled by the access control subsystem.

The integrity support subsystem should ensure:

the integrity of the connection, protecting data transmitted over the user network against unauthorized modification, substitution or retrieval, using techniques that are resistant to interception of communications and to active influences on networked data;

proof of the data source, preventing any sender from later denying the transmission of data;

proof of data delivery, preventing any receiver from later denying the receipt of data.

Requirements to qualification of the IASS depending on the NM A&C system classes

The whole of the computerized NM A&C system is subject to qualification. Qualification is understood as documented verification of the conformity of the set of organizational and technical arrangements used in operation to requirements of standards and other information security regulations. It involves in-service qualification tests of the secure AS to determine if the measures employed and the ISS meet the required level of information security. Information is further arranged in the same manner as the qualification requirements.

Requirements to class 3 A&C systems are presented hereinafter. Components of any access control system have the following qualification requirement imposed thereon. Personnel access to the information in the A&C system is expected to be effected in accordance with the valid system of user permits of access to classified documents and data.

A logging and accounting subsystem shall:

account for all protected data carriers with the aid of any labeling system;

log and account for printouts manually as per the requirements to recordkeeping of the respective secrecy level. Documents should be printed out only in accordance with the specified list of output documents indicating their secrecy level.

An integrity support subsystem shall ensure the following functions.

The software environment should remain unchanged, with its integrity ensured by the absence of program development and debugging tools in the A&C system.

The functions of the IASS should be tested on a periodic basis, with the aid of tests simulating attempts of unauthorized access, any time the software environment or the A&C system personnel change.

The IASS recovery tools should be available, which implies operation of two IASS software copies with periodic updates and serviceability checks thereof, as well as online recovery of the IASS functions when equipment fails.

Rooms with the A&C system hardware, which includes carriers of classified information, should be fitted with safeguards to ensure the security level meeting the secrecy level of the information stored.

Information access security features certified for this A&C system class should be used.

Qualification requirements to class 2 A&C systems differ from those to class 3 A&C systems only as far as the integrity support subsystem is concerned. There should be an information security administrator to be responsible for maintenance, normal operation and online control of the IASS. The administrator should have a workstation of his/her own and the required A&C system online controls and security influence means. Additionally, secure communication lines extending to beyond the areas under control should be used.

Qualification requirements to class 1 A&C systems differ from requirements to class 2 A&C systems in that they include a cryptographic subsystem. Cryptographic facilities certified for class 1 A&C systems should be used. Besides, the integrity support subsystem should use firewalls certified for class 1 A&C systems.


8.4.2. Guides of Gostekhkomissiya

Five information access security guides were published by Gostekhkomissiya of Russia (the State Technical Commission of the Russian Federation) in 1992 [4–8]. These documents formed the basis for the requirements to NM A&C systems we have described above. So, now, we shall discuss in brief the most important of these.

Ideologically, these documents are based on the “Concept of Information Access Security (IAS)” [4], which contains the system of Gostekhkomissiya’s views on the problem of information security and guidelines for computer system security. As the developers of these documents see it, the key role of security is to protect information against unauthorized access. Practically no consideration is given to maintaining the serviceability of information handling systems. The explanation for this bias towards maintaining secrecy is that these documents were originally developed for use within the information systems of the Russian Federation Defense Ministry and security services, together with the insufficient maturity of information technologies in the early 1990s compared with current analogs.

Gostekhkomissiya’s guides offer two sets of security criteria: criteria for protection of computers against unauthorized access, and protection criteria for automated data handling systems. The former make it possible to evaluate the security of computer system components delivered to the consumer, while the latter are intended for fully functional data handling systems. We shall look at what is provided in the document entitled “Automated Systems. Information Access Security. Classification of Automated Systems and Information Security Requirements”. This document establishes the classification of automated systems in terms of information access security. It makes sense to compare this classification against the classification of automated NM A&C systems.

For automated systems, five classes of information access security are specified in Gostekhkomissiya’s guides. Each class is characterized by a specific combination of requirements to security means. In turn, the classes are subdivided into three groups, each with a specific information handling concept. Automated systems are grouped based on the following features:

presence of information of different confidentiality levels in the AS;

levels of the AS user authority with respect to the access to confidential information;

data processing mode used in the AS (collective or individual).


A hierarchy of the AS security classes is established within each group. The class matching the highest security level for the given group is indexed A, the next one being indexed B and so on.

The third group includes automated systems operated by one user with a permit to handle all AS data contained on media of one confidentiality level. The group has two classes: 3Б and 3А.

The second group includes automated systems in which users have equal rights of access to all information processed and/or stored in the AS on media of different confidentiality levels. The group has two classes: 2Б and 2A.

The first group includes multi-user automated systems which simultaneously process and/or store information of different confidentiality levels. Not all users have equal rights of access. This group has five classes: 1Д, 1Г, 1В, 1Б and 1А.

A review of the requirements in question shows that the second class of information access security for computerized NM A&C systems corresponds, by and large, to class 1Б for automated systems. There is a precedent in which an automated NM A&C system qualified to information access security class 1Б is used to account for and control NM in environments matching class 2 for NM A&C systems.

The development of the said documents in the early 1990s filled the gap in the legislative support for information security standards. Being, in fact, the first ever attempt at standardization in so delicate a field, they do have a number of shortcomings. Besides, the time since the adoption of these criteria has seen advances in both the theory of information security and approaches to formulating information security standards. The approaches taken in the documents are mostly limiting in that the requirements for security classes are ranked only by identifying the presence of a set of security tools, which makes these requirements much less flexible and feasible. These documents treat the notion of security policy as the keeping of the regime of secrecy and the absence of unauthorized access. Because of this approach, security tools are aimed exclusively at countering external threats, with practically no requirements imposed on the operation of the system and its structure. It should be noted that the requirements to computerized NM A&C systems adopted in 1997 are based on the documents listed and carry the same deficiencies.


8.4.3. Common Criteria for Technology Security Evaluation

The Common Criteria (the Common Criteria for Information Technology Security Evaluation) were the result of consistent efforts to develop IT security evaluation criteria that would subsequently be accepted internationally.

The Trusted Computer System Evaluation Criteria (TCSEC) were developed in the USA in the early 1980s. In the decade that followed, different countries initiated the development of evaluation criteria based on its concepts but offering more flexibility and adaptability in the context of IT evolution.

Thus, in 1991, the European Commission published the Information Technology Security Evaluation Criteria (ITSEC) developed collaboratively by France, Germany, the Netherlands and Great Britain. The Canadian Trusted Computer Product Evaluation Criteria was developed in Canada in early 1993. It was also then that a draft standard, the Federal Criteria for Information Technology Security, was published in the USA.

In 1990, the International Organization for Standardization (ISO) began to develop an international standard of generic evaluation criteria. The new criteria were intended to meet the demand for mutual acceptance of standardized security evaluation results in the international market of information technologies. In June 1993, the consolidated efforts of the national criteria developers led to the initiation of a joint program on harmonization of the various criteria and establishment of a unified collection of security criteria.

The early version of the Common Criteria was finalized in January 1996 and approved in April 1996 for circulation as the committee’s draft criteria. A number of experimental evaluations followed with steps undertaken to have the document broadly discussed in public. Later on, the document was revised extensively, as part of the Common Criteria project, based on the experience of its experimental application. The later version was released in May 1998. Version 2.1 of this standard was approved in 1999 by the ISO as an international information security standard (ISO/IEC 15408). Some countries nowadays require their information systems, critical in terms of national security, to be certified to the CC.

On 27 March 2003, the State Technical Commission under the President of Russia unveiled a program to introduce the international information security standard. Russia began introducing the standard practically unaltered, having divided it into three State Standards (GOST) indexed collectively as ISO/IEC 15408–2002. The new GOST series was put into operation in Russia on 1 January 2004.

Let us briefly familiarize ourselves with the new standard. The standard as such is complex and bulky. It consists of three parts with an overall volume of about 600 pages.

Part 1 of the standard contains the IT security evaluation methodology and defines the types of security requirements (both functional and confidence (assurance) requirements) and the basic formats (protection profile, security job (security target)) used to present security requirements in the interests of three user categories: consumers, developers and appraisers of IT products and systems. Under the Common Criteria methodology, the security requirements for the evaluation object (EO) are defined depending on the security objectives, which, in turn, are based on an analysis of the protected information resources and of the EO function and application environment (threats, assumptions, security policy).

Part 2 of the standard contains a versatile, specifically arranged catalog of functional security requirements and enables their regulated detailing and expansion.

Part 3 of the standard contains a systematized catalog of confidence requirements that define the measures to be taken at all lifecycle stages of an IT product or system to make sure that it satisfies the functional security requirements imposed on it. This part also contains evaluation levels of confidence, which are standardized collections of requirements that enable an increasingly complete and stringent evaluation of design, testing and operating documentation and of the correctness of the security complex operation, as well as assessment of the IT product or system vulnerability and the stability of security features.

As its content suggests, the Common Criteria is a methodological document that contains a well arranged and structured collection of requirements, their presentation forms and the methodology for defining them. Using these criteria, security of different IT products is evaluated not as stringently and uniformly as Gostekhkomissiya’s effective documents require, but taking into account the functions, types and application environments of IT products and systems, with a flexible approach to generating the respective security requirements in protection profiles. CC-based security profiles may additionally include any other valid requirements needed to ensure the security of a particular IT product type.

As evidenced by information security expert estimates, the Common Criteria excels other current standards in the systematization, completeness and detailing level of requirements, as well as in versatility and flexibility of applications.


It should be noted that the International Agreement applies only to the acceptance of evaluation results for IT products and systems intended to process confidential information (up to the confidence level of EAL 4 inclusively) and does not deal with issues of evaluating products and systems designed to handle national security information in the member countries of the International Agreement. Still, the methodology of the Common Criteria can be used by and for the sake of the parties concerned.

Since January 2001 the USA has been evaluating IT security exclusively based on the Common Criteria, while the leading European countries (Germany, Finland and others) have some 40% of their recently developed IT products evaluated also under the Common Criteria with only CC-based evaluations applied to newly emerging products.

A directive, No. 140-23, was issued in May 2000 by the US National Security Agency, which made it mandatory for the US Department of Defense and its public and private contractors to use only CC-certified IT products and systems for handling classified information.

The directive also applies to privately owned nuclear power plants in the USA where special roles are assigned to the Common Criteria in evaluating security of information technologies employed in critical systems.

All this gives evidence of the emphasis placed internationally on information security issues and of the CC approaches and methods becoming increasingly attractive as a tool to resolve these.

In the run-up to the introduction of the new standard in Russia, the Comments on the Russian Standards were developed by the “Atomzashchitainform” Center, TsNIIatominform and the Information Security Center (ISC). Their purpose was to give Russian experts a more in-depth understanding of the objective, basic concepts, methodology and terminology of the Common Criteria, as well as to clarify discrepancies between the standard’s terminology and the terminology accepted in Russia and in the effective regulatory documents.

The underlying associated document issued to support the Common Criteria, which is mandatory for use in the framework of the above International Agreement, is the General Methodology for Evaluating Security of Information Technologies, currently being revised by an expert team from a number of the member countries of the International Agreement. At present, based on an authentic translation of the relevant General Methodology version by an expert team of the ISC, “Atomzashchitainform” and TsNIIatominform, involving the CC international work unit, the methodology for evaluation of IT products and systems is being developed.


The standard introduction program also stipulates:

development of the concept to ensure security of information technologies (the draft was prepared by the ISC and submitted to Gostekhkomissiya of Russia);

development of the guide to develop protection profiles and security jobs (the draft was prepared by the ISC and submitted to Gostekhkomissiya of Russia);

development of the guide to register protection profiles based on the ISO/IEC 15292 international standard (the draft was prepared by the ISC and submitted to Gostekhkomissiya of Russia);

creation of a system of tools for automated development of protection profiles and security jobs (presently developed by the ISC);

development of protection profiles for the basic types of IT products and systems: operating systems, database management systems, firewalls, virtual private networks and others (some organizations, including the ISC, TsNIIatominform and MEPhI, develop security profiles for IT products and systems for various applications; one example is a protection profile of security class II developed by TsNIIatominform for automated NM A&C systems);

development of model techniques for certification tests of IT products and systems based on the General Methodology of Evaluation;

certification tests of some IT products and systems, including operating systems (specifically, the Windows family).

The said activities have the purpose not only of introducing the GOST State Standard R ISO/IEC 15408–2002 “Information Technologies. Security Evaluation Criteria”, but also of taking Russia closer to joining the International Agreement as a country with a CC-based certification system.

As mentioned hereinabove, Rosatom of Russia is also considering evaluation and certification of software products used in NM A&C systems based on the Common Criteria requirements. This obviously requires development of a protection profile for systems of security class III and of the security jobs against which the software products chosen for these functions are to be certified. The solution of these issues will determine the improvement of existing and the development of new NM A&C systems, as well as the operation of the Federal Nuclear Material Accounting and Control Information System.

It is the belief of Russian experts involved in implementing the Common Criteria methodology that, if put into operation, the Russian standard, the General Methodology of Evaluation and the other regulatory and methodological documents supporting them, as well as practical use of the Common Criteria methodology, will make it possible to:

reach the state of the art in the criteria and procedural framework for evaluation of information technologies;

create a new generation of interagency and departmental regulatory and procedural documents to evaluate IT security on a uniform basis;

provide users and developers of IT products with a highly efficient tool for formulating requirements to IT security and building information protection systems;

enable users to assess objectively the capability of information security IT products;

give users and developers of computerized systems of various levels and functions the capability to provide, accordingly, more valid formulation and implementation of information security requirements for these systems;

take Russia closer to joining the International Agreement, which will, in turn, enable:

users and developers of IT systems to cut product certification costs;

consumers to expand the market of certified products;

testing laboratories to attract extra inflows of orders for certification from abroad;

Russian makers of high-tech products to obtain international certificates in Russia, which will give them a share in previously inaccessible foreign markets.

For all that, Russia (as well as other parties to the mutual certificate acceptance agreement) retains the right to make allowances for its national requirements in certification of IT products and systems, primarily, those for protection of national security information.

This, however, entails a great deal of effort to put the Common Criteria and the General Evaluation Methodology into the practice of requirement formulation and IT security evaluation, and to harmonize Russian IT security terminology and standards with international standards, specifically the ISO/IEC 15408–99 standard, with a view to the entry of Russian testing laboratories (centers) and certification authorities, as well as of Russian products certified under the Common Criteria methodology, into the international market of products and services.

This requires the solution of the whole range of technical, organizational and financial issues relating:
