IEEE 2600-series Standards for Hardcopy Device Security

Brian Smithson
PM, Security Research – Ricoh Americas Corporation
Lead Editor – IEEE P2600 Standards Working Group
17 November, 2010 – Ottawa, ON
Agenda
Overview of hardcopy device security
A very brief introduction to the Common Criteria
The IEEE 2600-series standards
Hardcopy device security and the Common Criteria
How to use the IEEE 2600-series standards
Summary and Q&A
Overview of hardcopy device security
Early history of hardcopy device security
Do you remember when copiers were
analog devices, connected only to a
power source, often managed by the
Facilities department ...
… and printers were “write-only” devices?
No security issues, right?
Overview of hardcopy device security
Sniffing data during the Cold War
In 1961, copiers were a target for espionage:
The CIA found Soviet embassies to be inaccessible
to anyone – except to the copier repairman.
The CIA and Xerox fashioned an 8mm movie camera
set to take single frames, triggered by a photocell.
A “Xerox repairman” could install and replenish this
camera in Soviet embassy copiers under the
watchful eye of security guards, because nobody
knew what components should or should not be
inside a copier.
Soviet cipher clerks, secretaries, and KGB agents
photocopied secret orders, decoded messages, and
lists of spies.
Every copy was captured on film. For eight years.
Details and photos from: http://editinternational.com/read.php?id=47ddf19823b89
Overview of hardcopy device security
What can be learned from the CIA?
Q: What do people print, scan, copy, and fax?
A: Their most current, important documents!
Hardcopy devices are often:
– Shared, “ownerless” devices
– Placed in open, common areas
– Inadequately monitored
– Trusted on the network
If you can:
– install a network sniffer,
– redirect fax or scanner output,
– steal the hard disk drive,
– pwn the whole thing,
– or just hang out near the output tray,
an unprotected MFP is still…
An old security awareness poster, source unknown
Overview of hardcopy device security
How has industry addressed this?
Initially, manufacturers responded with “data security kits”
Later, manufacturers started to claim “whole MFP” security
However…
“Whole MFP security” may not address all of the threats
Typically addressed:
– Residual document data
– Fax-network separation
– Incoming port filtering
– Administrator authentication
– Attacking the HCD from the network
Often not addressed:
– Persistent and non-document data
– Separation and control of all interfaces
– Audit logs
– User authentication
– Attacking the network from the HCD
Overview of hardcopy device security
What was needed for hardcopy device security
A common agreement on what constitutes baseline security
A standard or specification which describes that baseline
For use by manufacturers:
– What security functions must be provided
– What additional security is recommended
– A way to independently test whether the required functions have been implemented
For use by customers:
– What security functions to require when procuring HCDs
– Guidance on how to use those functions
– A way to reference that baseline and independent testing in procurement specifications
Overview of hardcopy device security
Background of the IEEE P2600 Working Group
The IEEE P2600 working group was organized in early 2004:
– Open standards process and international recognition
– Virtually all HCD manufacturers participated
– Face-to-face meetings every 6~8 weeks
Produced five standards:
– IEEE Std. 2600™-2008
(standard for hardcopy device security)
– IEEE Std. 2600.1™-2009
(standard for a Protection Profile)
– IEEE Std. 2600.2™-2009
(standard for a Protection Profile)
– IEEE Std. 2600.3™-2009
(standard for a Protection Profile)
– IEEE Std. 2600.4™-2010
(standard for a Protection Profile)
A very brief overview of the Common Criteria
Overview of ISO/IEC 15408 and the
The Common Criteria (CC) is an internationally recognized methodology for:
– expressing security requirements for IT products,
– evaluating products to see if they meet those requirements, and
– mutually recognizing certified products among the participating nations.
CC is not a prescriptive security standard; it is a process standard.
ISO/IEC 15408 is ISO’s adoption of Common Criteria
– ISO adoption follows CC
– Current version is 3.1 release 3
The certification process:
Preparation
• Manufacturer chooses product(s) to certify
• Manufacturer prepares a Security Target document and other evidence to support their product’s security claims
Evaluation
• Manufacturer submits product and documents to a licensed CC laboratory
• Laboratory performs evaluation under observation of a national CC scheme
• The national CC scheme (e.g. NIAP CCEVS in US, BSI in Germany, IPA in Japan) oversees evaluation and reviews evaluation reports
Certification
• CC scheme issues a certificate
• Product and certification reports are listed on web sites (scheme and CC portal)
Recognition
• All 26 CCRA member countries recognize the product certification
A very brief overview of the Common Criteria
Two ways to evaluate products
1. Without a Protection Profile:
– A manufacturer writes a Security Target document that describes the security claims of their product.
– Evaluation is based solely on the manufacturer’s claims, not on a standard: it certifies only that the product fulfills the manufacturer’s claims.
2. With a Protection Profile:
– Somebody writes a Protection Profile describing the security requirements for a class of products.
– Manufacturers write Security Target documents that make security claims conforming to those requirements.
– Evaluation ensures that the product fulfills the manufacturer’s claims, and that the manufacturer’s claims fulfill those requirements.
You need a Protection Profile to enforce uniform baseline security requirements.
The US and other governments prefer to buy products that have been evaluated against a Protection Profile for their class of products, if one exists.
The IEEE 2600-series standards
IEEE 2600 standard for hardcopy device security
In 2008, the IEEE published a general standard for HCDs:
IEEE 2600™-2008 Standard for Information Technology: Hardcopy Device
and System Security
– Describes hardcopy devices
– Defines four typical operational environments
– Describes security threats for each environment
– Recommends mitigation approaches
– Specifies security objectives for compliance
– Includes an appendix of best practices
It is mainly a guidance document
It is possible to claim compliance to IEEE 2600
However, there is no requirement for independent verification
The IEEE 2600-series standards
IEEE 2600 Operational environments
IEEE 2600 operational environments are based on market segments:
A. For use with highly proprietary or legally regulated documents
B. For general enterprise use
C. For public-facing use
D. For small office / home office use
The security requirements for the environments are hierarchical:
A is a superset of B,
B is a superset of C,
C is a superset of D.
The main difference between environments is the level of accountability for individual user actions.
The IEEE 2600-series standards
IEEE 2600-series Protection Profiles
There are four Common Criteria Protection Profiles, one for each of
the typical operating environments that are defined in IEEE 2600:
– IEEE 2600.1-2009 Protection Profile for Operational Environment A
(published and certified in 2009)
– IEEE 2600.2-2009 Protection Profile for Operational Environment B
(published in 2009, certified in 2010)
– IEEE 2600.3-2009 Protection Profile for Operational Environment C
(published in 2010, not certified)
– IEEE 2600.4-2010 Protection Profile for Operational Environment D
(published in 2010, not certified)
IEEE 2600.1 was adopted by the US Government as the
U.S. Government Protection Profile for Hardcopy Devices
in Basic Robustness Environments
The IEEE 2600-series standards
Comparison of 2600-series Protection Profiles
Requirement                                        | 2600.1                                                      | 2600.2                                                      | 2600.3               | 2600.4
Evaluation assurance level                         | EAL 3+                                                      | EAL 2+                                                      | EAL 2+               | EAL 1
Additional flaw remediation assurance              | Level 2 (Procedural)                                        | Level 2 (Procedural)                                        | Level 1 (Basic)      | None
User identification, authentication, authorization | Yes                                                         | Yes                                                         | Optional             | None
Administrator identification, authentication,      | Yes                                                         | Yes                                                         | Yes                  | Yes
authorization                                      |                                                             |                                                             |                      |
User document protection                           | At rest, in motion, residual                                | At rest, residual                                           | Residual             | None
Job data protection                                | At rest, in motion                                          | At rest                                                     | None                 | None
Security data protection                           | Yes                                                         | Yes                                                         | Yes                  | Yes
Managed interfaces                                 | Yes                                                         | Yes                                                         | Yes                  | Yes
Software self-verification                         | Yes                                                         | Yes                                                         | Yes                  | Yes
Logging                                            | Complete audit                                              | Exception / violation                                       | Exception / violation| None
Additional requirements packages used when         | Print, Scan, Copy, Fax, Doc Server, Removable HDD, Network  | Print, Scan, Copy, Fax, Doc Server, Removable HDD, Network  | Network              | Network
specific functions are present                     |                                                             |                                                             |                      |
Hardcopy device security and the Common Criteria
Evaluation without a Protection Profile
Prior to June 2009, there was no Protection Profile for HCDs.
Manufacturers certified products using “data security kits”, with
very specific security claims such as HDD overwrite or fax-network
separation, or “whole MFPs” that did not address all of an
MFP’s security issues.
Most evaluations were performed at Evaluation Assurance Level
(EAL) 2 to 3+. It is worth noting that:
– EAL does not indicate depth of security
– EAL indicates only the depth of evaluation
In other words:
– Products that are evaluated without a Protection Profile only provide
security that a manufacturer claims.
– “Whole MFP” may not address all of your security concerns.
– One manufacturer’s “whole MFP” may not be equivalent to another
manufacturer’s “whole MFP”.
– Higher EAL does not equal higher security, it only means that security
has been evaluated somewhat more rigorously.
Hardcopy device security and the Common Criteria
Why Protection Profiles are important
For each security objective, the first line gives the security functional requirements of the IEEE 2600.1 Protection Profile, and the second what a “whole MFP” certified without a Protection Profile actually covers.

Document protection
– IEEE 2600.1: Documents should not be disclosed or altered by anyone except the owner, administrator, or authorized delegate. Deleted data is inaccessible.
– “Whole MFP” without PP: Deleted data is inaccessible for most kinds of data; data on networks is protected by SSL; protection of persistent data on the MFP is not evaluated.

Security data protection
– IEEE 2600.1: Depending on the data, security data should not be disclosed or altered by anyone except administrators.
– “Whole MFP” without PP: Alteration of security data is evaluated (by controlling access to management functions), but disclosure of security data is not evaluated.

HDD data protection
– IEEE 2600.1: Data on hard disks is protected from disclosure and alteration if the disk is removed from the MFP.
– “Whole MFP” without PP: Only data that has been deleted is protected from disclosure (by overwriting). HDD data encryption is not evaluated.

User authorization
– IEEE 2600.1: All users are identified and authorized before being allowed to use the MFP. Authentication failures result in lockout. Inactive sessions are terminated.
– “Whole MFP” without PP: User identification and authorization is provided for network scanning, scan-to-email, and network faxing. User identification and authentication for network printing and any non-network operation is not evaluated.

Administrator authorization
– IEEE 2600.1: All administrators are identified and authorized before being allowed to manage the MFP. Authentication failures result in lockout. Inactive sessions are terminated.
– “Whole MFP” without PP: All administrators are identified and authorized before being allowed to manage the MFP. Authentication failures result in lockout. Termination of inactive sessions is not evaluated.

Interface management
– IEEE 2600.1: Data cannot pass from any interface to a network interface without being managed by the MFP.
– “Whole MFP” without PP: The MFP can perform IP filtering to limit communication between the MFP and network devices. PSTN-Network data flow is controlled, but control of other interfaces is not evaluated.

Software verification
– IEEE 2600.1: Software integrity is verified.
– “Whole MFP” without PP: Verification of software integrity is not evaluated.

Audit logging
– IEEE 2600.1: Records are kept and protected for startup / shutdown, all job completion, identification / authentication, use of management functions, administrator role changes, time / date changes, session locking, and trusted channel failure.
– “Whole MFP” without PP: Records are kept for startup / shutdown, and job completion only for print, network scan, network fax, and email. Other 2600.1 audit requirements are not evaluated.
Hardcopy device security and the Common Criteria
Evaluations with a Protection Profile
Now that the IEEE 2600.1-2009 Protection Profile for hardcopy
devices has been published, manufacturers can submit products
for evaluation based on a Protection Profile.
For manufacturers, Protection Profiles create a level competitive
playing field.
For customers, they create a uniform baseline of security
expectations for hardcopy devices that can be referenced by name
in procurement specifications.
For all, they reduce confusion over what constitutes better
security, more security coverage or higher EAL:
– They define what security claims must be made in every evaluation.
– They define the assurance level that must be used for every evaluation.
How to use the IEEE 2600-series standards
Interpreting manufacturers’ security claims
The primary use of these standards is that manufacturers can claim
product certification conforming to IEEE Std. 2600.1 (or 2600.2)
– Conformance to IEEE 2600.1 implies “operational environment A”
– Conformance to IEEE 2600.2 implies “operational environment B”
– Certified products will be listed on the “Common Criteria Portal” web site
Manufacturers can also claim product compliance to IEEE Std. 2600-2008
– They must specify one or more of the four operational environments
– Such claims do not require independent testing and verification
At present, manufacturers should not claim conformance to IEEE
Std. 2600.3-2009 or 2600.4-2010
Links to test labs, CC schemes, and the CC portal are listed on the last page of this presentation
How to use the IEEE 2600-series standards
Procuring secure hardcopy devices
Customers can use the IEEE 2600-series standards to help
streamline the process of procuring appropriately secure HCDs:
1. Review IEEE Std. 2600-2008 to determine which of the four operational
environments most closely matches your needs. You may find that you
have different environments in different parts of your organization.
2. For independently tested and verified products, specify products that have
been Common Criteria certified conforming to IEEE Std. 2600.1-2009
(environment A) or IEEE Std. 2600.2-2009 (environment B).
3. If no suitable certified products are available for your environment, then
you can specify products that comply with IEEE Std. 2600-2008 for your
operational environment.
4. If no suitable products comply with IEEE Std. 2600-2008 for your
environment, then use the security objectives and other guidance in IEEE
Std. 2600-2008 to help you identify products or specify requirements.
How to use the IEEE 2600-series standards
Secure configuration and operation
HCD administrators and other security professionals can use the IEEE
2600-series to help securely configure and operate HCDs:
Follow the guidance in IEEE Std. 2600
– Clause 7 contains mitigation techniques for IT professionals
– Clause 8.2 contains compliance security objectives for IT professionals
– Annex A contains security best practices
Uphold the assumptions and fulfill the security objectives for the
IT and non-IT environment defined in IEEE Std. 2600.1
(environment A) or IEEE Std. 2600.2 (environment B)
– This is important if you are using Common Criteria certified products
and want to operate them in the “certified configuration”
How to use the IEEE 2600-series standards
Conforming products
• One MFP has already been Common Criteria certified to be in
conformance to IEEE Std. 2600.1
• At least four manufacturers have multiple products in evaluation
• In the next six to nine months, an estimated eight to ten
Common Criteria certificates will be issued certifying 30-40
product models that conform to the IEEE 2600.1 protection
profile
• Refer to the links on the last page of this presentation to find
products that have been certified or that are in evaluation
– Certified products are listed on the Common Criteria Portal
– Products in evaluation may be listed by national CC schemes
(it is the manufacturers’ option)
• Contact individual manufacturers for details
Summary / Q&A
Summary
Hardcopy devices need to be secured!
The IEEE P2600 working group created a baseline security standard
for hardcopy devices: IEEE Std. 2600-2008, and two Protection
Profiles which are certified for evaluating hardcopy devices:
IEEE Std. 2600.1-2009 and IEEE Std. 2600.2-2009
Common Criteria certification provides a method for independent
testing and verification of manufacturers’ security claims
A Protection Profile provides a minimum set of security claims so
that all conforming hardcopy devices can be compared
Manufacturers can get their products certified as conforming to one
of the two Protection Profiles, or they can self-claim that their
products comply with the baseline standard IEEE 2600-2008
Customers have several options for how to use the IEEE 2600-series of
standards to help procure secure hardcopy devices
Administrators and other IT professionals can use the standards to
securely configure and operate hardcopy devices
Summary / Q&A
Questions?
For more information:
IEEE P2600 web site: http://grouper.ieee.org/groups/2600
IEEE Std. 2600-2008: http://standards.ieee.org/, click on Shop, and search for “2600-2008”
IEEE Std. 2600.1-2009: http://standards.ieee.org/getieee/2600/ (free download)
IEEE Std. 2600.2-2009: http://standards.ieee.org/getieee/2600/ (free download)
IEEE Std. 2600.3-2009: http://standards.ieee.org/, click on Shop, and search for “2600.3-2009”
IEEE Std. 2600.4-2010: http://standards.ieee.org/, click on Shop, and search for “2600.4-2010”
Sponsor’s certified products: http://grouper.ieee.org/groups/2600/conforming_products.html
All Common Criteria certified products: http://www.commoncriteriaportal.org
Common Criteria testing labs: http://www.commoncriteriaportal.org/labs/
Common Criteria national schemes: http://www.commoncriteriaportal.org/schemes/
Contact information:
brian.smithson@ieee.org
brian.smithson@ricoh-usa.com
+1 408 346 4435
Thank you
