EUCA22 Panel Discussion: Differences between lightweight certification schemes

•

0 gefällt mir•21 views

As we all know, Europe is one of the leading players in the world in terms of cybersecurity certification. The main European countries issuing certifications, such as France, the Netherlands, Germany and Spain, have created their own lightweight/Fixed-time methodologies (CPSN, BSPA, BSZ and LINCE). All of them with many similarities, but also with quite a few national differences within them. This panel discussion will open the discussion among the relevant stakeholders for European recognition of these schemes. The panel will also discuss on the future European fixed-time methodology lead by JTC13 WG3, called FITCEM, which aims to unify all European schemes into a single one. The panel will discuss the potential impact that FITCEM will have both technically and in terms of the European market to the different stakeholders (manufacturers, laboratories, certification bodies, institutional agencies, etc.).

Technologie

Panelists
ISO/IEC
19896
José Ruiz (Moderator)
Co-founder and CTO, jtsec Beyond IT Security, Spain
Helge Kreutzmann
Senior Expert Bundesamt für Sicherheit in der Informationstechnik, Germany
Philippe Magnabosco
Policy Advisor for External Standards, ANSSI, France
Maria Christofi
ITSEF COO, Oppida, France
Pablo Franco
Head of Certification Body, CCN, Spain
Petr Kazil
Security Consultant, NLNCSA, Netherlands

❑ CSPN –Certification de Sécurité de Premier Niveau
❑ BSPA –Baseline Security Product Assessment
❑ LINCE –National Essential Security Evaluation
❑ BSZ –Beschleunigte Sicherheitszertifizierung
❑ and possibly more …
❑ … and then came the “Cybersecurity Act” with 3
assurance levels.
❑ … and possible verticals using them (e.g. IACS).
The fixed-time cybersecurity certification landscape in Europe
*Information taken from the presentation INTRODUCING FITCEM (FIXED-TIME CYBERSECURITY EVALUATION
METHODOLOGY FOR ICT PRODUCTS) by Dr. Helge Kreutzmann at EUCA 2021

❑ Flexible application:
❑ All CSA evaluation assurance levels, including self-assessment
❑ Horizontals and verticals
❑ Adaptable by parameters where possible
❑ Bare minimum required by CSA shall be possible
❑ Existing methodologies (LINCE, CSPN, …) should be reproducible
❑ The workload on the developer shall be reduced where possible
❑ This might imply higher work load for evaluators
❑ Evaluator competence is important
❑ This is not a “lightweight” CEM (ISO/IEC 18045)
Design principles of EN 17640 (extract)
*Information taken from the presentation INTRODUCING FITCEM (FIXED-TIME CYBERSECURITY EVALUATION
METHODOLOGY FOR ICT PRODUCTS) by Dr. Helge Kreutzmann at EUCA 2021
EN 17640

Weitere ähnliche Inhalte

Ähnlich wie EUCA22 Panel Discussion: Differences between lightweight certification schemes

create your own Security Management Model using the NIST Special Publication 800-14 and Evaluate and apply NIST SP 800-26. Solution NIST SP800-14, subtitled Generally Accepted Principles and Practices for Securing Information Technology Systems, describes best practices and provides information on commonly accepted information security principles that can direct the security team in the development of a security blueprint. It also describes the philosophical principles that the security team should integrate into the entire information security process, expanding upon the components of SP 800-12. The more significant points made in NIST SP 800-14 are as follows: 1)Security Supports the Mission of the Organization. 2)Security is an Integral Element of Sound Management. 3)Security Should Be Cost-Effective 4)Systems Owners Have Security Responsibilities Outside Their Own Organizations. 5)Security Responsibilities and Accountability Should Be Made Explicit. 6)Security Requires a Comprehensive and Integrated Approach. 7)Security Should Be Periodically Reassessed. 8)Security is Constrained by Societal Factors. It enumerates 33 principles for Securing Information Technology Systems: Principle 1. Establish a sound security policy as the “foundation” for design. Principle 2. Treat security as an integral part of the overall system design. Principle 3. Clearly delineate the physical and logical security boundaries governed by associated security policies. Principle 4. Reduce risk to an acceptable level. Principle 5. Assume that external systems are insecure. Principle 6. Identify potential trade-offs between reducing risk and increased costs and decrease in other aspects of operational effectiveness. Principle 7. Implement layered security (Ensure no single point of vulnerability). Principle 8. Implement tailored system security measures to meet organizational security goals. Principle 9. Strive for simplicity. Principle 10. Design and operate an IT system to limit vulnerability and to be resilient in response. Principle 11. Minimize the system elements to be trusted. Principle 12. Implement security through a combination of measures distributed physically and logically. Principle 13. Provide assurance that the system is, and continues to be, resilient in the face of expected threats. Principle 14. Limit or contain vulnerabilities. Principle 15. Formulate security measures to address multiple overlapping information domains. Principle 16. Isolate public access systems from mission critical resources. Principle 17. Use boundary mechanisms to separate computing systems and network infrastructures. Principle 18. Where possible, base security on open standards for portability and interoperability. Principle 19. Use common language in developing security requirements. Principle 20. Design and implement audit mechanisms to detect unauthorized use and to support incident investigations. Principle 21. Design security to allow for regular adoption of new techno.

create your own Security Management Model using the NIST Special Pub.pdf

FORTUNE2505

The market for IT products is constantly evolving. More and more vendors are developing products and services deployed only in the cloud (Cloud Native). This implies a paradigm shift in the way assessments are carried out, in the methodology to be followed and in the tests to be performed. Today, it is NOT possible to use Common Criteria to evaluate cloud services, despite many administrations are migrating to cloud solutions. This talk will not talk about Cloud programs such as FedRamp, ENS, C5, SecNumCloud or ENISA EUCS scheme. All these schemes, evaluate the clod infrastructure and the controls specified in the respective standards. But in those standards, we cannot find assurance requirements related to the product/service itself. e.g. If your WAF (Web Application Firewall) is cloud native and deployed in the cloud, you could obtain those cloud certifications but it would be NOT possible to obtain a CC certification using NIAP PPs. To solve this problematic, a practical approach has been followed in Spain, evaluating the cloud services using the LINCE methodology but obtaining a qualification mark (instead of a certification). Several vendors such as AWS, Google or Microsoft have already undergone this kind of processes. In this talk, we want to show jtsec’s hands-on experience evaluating cloud services and discuss the main issues that have been faced and the solutions that have been found (TOE definition, Test environment, TOE identification, permission to test, etc…). We would like also to discuss how the experience obtained using the LINCE methodology could be extrapolated (or NOT) to the CC World.

Experiences evaluating cloud services and products

Javier Tallón

20160826_Draft_NISTIR 8072_Eric_Jacks

Eric Jacks

Information Assurance And Security - Chapter 1 - Lesson 4

MLG College of Learning, Inc

MEDINA ESG (Expert Stakeholder Group) presentation

MEDINA

Standards for protection of data on storage device are emerging from both the...

CMG - The Digital Transformation Association

Wp6 public

Privacy Data Protection for Engineering

It secuirty policy guidelines and practices

waruireuben

IoT Security and Privacy Considerations

Kenny Huang Ph.D.

PECB Webinar: ICS Security Management System using ISO 27001 Standard as the ...

PECB

Information Society Programme - Trust & Security

Filipe Mello

Automation-based Certification for Cloud Services in Euro

MEDINA

What Happened to Mathematically Provable Security?

Frances Coronel

How Profisafe and cybersecurity enhance your Profinet/Profibus project - Pete...

PROFIBUS and PROFINET InternationaI - PI UK

Network Security Monitoring - Theory and Practice

Michael Boman

Using the CGC's Fully Automated Vulnerability Detection Tools in Security Eva...

Seungjoo Kim

PCI Compliance NOT for Dummies epb 30MAR2016

Erika Powell-Burson, MSIA, CISSP, CISA

LOUCA23 Yusuf Hadiwinata Linux Security BestPractice

Yusuf Hadiwinata Sutandar

德國TSI公司簡報-2

俠客科技

Having completed this course the participant will be able to understand how security is implemented, deployed and managed in GSM, EGPRS, UMTS, HSPA/HSPA+ and LTE networks, understand security concepts, understand the benefits of new security techniques applied and how they are implemented. Anyone who is interested in an in-depth knowledge of the security in the HSPA/HSPA+ and LTE family of wireless networks. The course is essential for network security & wireless specialists, operators and manufacturers, wireless network researcher, academics, security professionals, researchers and consultants. Audience: Course designed for: Network security & wireless specialists Operators and manufacturers Wireless network researcher Academics Security professionals Researchers and consultants Price: $2,199.00 Course Number: 6032 Length: 3 Days College Credits: 15 Objectives: The goal of this course is to give the participant a strong and intuitive understanding of what security in the wireless systems is and how the security functions are implemented in HSPA/HSPA+ and LTE radio and core network.The course focuses both on the air interface and the enhanced core network. Outline: Overview of security concepts Encryption Overview of Wireless Security Requirements GSM, EGPRS, UMTS/HSPA/HSPA+ and LTE Security Framework UMTS Security Architecture Security in UTRAN Security in UMTS Core Network Authentication and Key Management (AKA) AKA Algorithms LTE (Long Term Evolution) Security LTE Security Procedures HSPA / HSPA+ and LTE Security Training https://www.tonex.com/training-courses/hspa-lte-security/

HSPA / HSPA+ and LTE Security Training

Tonex

Ähnlich wie EUCA22 Panel Discussion: Differences between lightweight certification schemes (20)

create your own Security Management Model using the NIST Special Pub.pdf

Experiences evaluating cloud services and products

20160826_Draft_NISTIR 8072_Eric_Jacks

Information Assurance And Security - Chapter 1 - Lesson 4

MEDINA ESG (Expert Stakeholder Group) presentation

Standards for protection of data on storage device are emerging from both the...

Wp6 public

It secuirty policy guidelines and practices

IoT Security and Privacy Considerations

PECB Webinar: ICS Security Management System using ISO 27001 Standard as the ...

Information Society Programme - Trust & Security

Automation-based Certification for Cloud Services in Euro

What Happened to Mathematically Provable Security?

How Profisafe and cybersecurity enhance your Profinet/Profibus project - Pete...

Network Security Monitoring - Theory and Practice

Using the CGC's Fully Automated Vulnerability Detection Tools in Security Eva...

PCI Compliance NOT for Dummies epb 30MAR2016

LOUCA23 Yusuf Hadiwinata Linux Security BestPractice

德國TSI公司簡報-2

HSPA / HSPA+ and LTE Security Training

Mehr von Javier Tallón

A ningún fabricante le es ajeno que los requisitos criptográficos a la hora de desarrollar cualquier producto son cada vez mayores. Por ello, CCN ha desarrollado, con el soporte de jtsec, una metodología que incluye pruebas de conformidad, búsqueda de errores comunes en las implementaciones y requisitos de implementación de las primitivas criptográficas aplicados a la metodología LINCE. En esta charla explicaremos las principales novedades introducidas en la Metodología de Evaluación de Mecanismos Criptográficos presentada el año pasado, así como la definición de la nueva Metodología de Evaluación Criptográfica conforme a la CCN STIC-130.

Evolucionando la evaluación criptográfica - Episodio II

Javier Tallón

En la actualidad existe un gran número de soluciones biométricas en el mercado, que se aplican cada vez más en sectores clave como la banca, la administración pública y los seguros. El Ministerio de Asuntos Económicos y Transformación Digital publicó la primera orden ministerial, en el BOE núm. 115, de 14 de mayo de 2021, que regula los métodos de videoidentificación a distancia para la emisión de certificados electrónicos reconocidos. A raíz de esta legislación, el CCN, desarrolló un módulo de evaluación biométrica (MEB), que permite la evaluación de soluciones biométricas tanto para la metodología LINCE como para Common Criteria siguiendo la guía IT-014. Durante la charla se explica cómo se aplica la guía IT-014 y los diferentes tipos de ataques de presentación que contempla; impostor, mediante vídeos, mediante máscaras, mediante herramientas deepfake, etc. La charla es eminentemente técnica y mostrará ejemplos de ataques reales ejecutados durante las evaluaciones. jtsec, con su experiencia en las primeras evaluaciones de soluciones biométricas, ofrecerá una visión general de cómo se han llevado a cabo dichas evaluaciones y los tipos de ataques más difíciles de mitigar para los proveedores. La charla describe las particularidades de las evaluaciones en la nube tanto a nivel técnico como en el proceso. Además, pone de relieve los esfuerzos realizados a nivel nacional para que se puedan evaluar este tipo de soluciones.

Cómo evaluar soluciones biométricas para incluir productos de videoidentifica...

Javier Tallón

As is customary in the last editions of ICCC, the statistics related to Common Criteria provide significant market data. This year, stable data is presented. Data collection is done using CC Scraper, a tool developed by jtsec that automatically analyzes information from the CC and CBs portals using OCR capabilities and other features. Would you like to know the data for the first three quarters of 2023 and the evolution in recent years in terms of the number of certifications? Other data will also be disclosed, such as top labs and vendors, most used assurance levels, or most used protection profiles. This presentation showcases Common Criteria’s data in a year when the market has stabilized after several years of political and health instability.

ICCC2023 Statistics Report, has Common Criteria reached its peak?

Javier Tallón

The use of cryptographic primitives to safeguard sensitive information in hardware, software, and firmware products is witnessing widespread adoption. Recognizing the increasing cryptographic requirements, CCN (Certification Body for National Cryptology) has developed a methodology in collaboration with jtsec. This methodology encompasses conformance testing, identification of common implementation pitfalls, and implementation requirements for cryptographic primitives. The primary objective of this cryptographic methodology is to establish a standardized framework for conducting cryptographic evaluations of Target of Evaluations (TOEs). These evaluations aim to obtain Common Criteria certificates and other certifications. The methodology specifically targets products in which cryptographic mechanisms form a crucial part of their core functionality, such as VPNs, HSMs, ciphers, communication apps, and more. During the talk, the speakers will introduce the new approach to evaluate cryptography in Spain, following the jointly created methodology by CCN and jtsec. They will also demonstrate a tool designed to verify the compliance of cryptographic primitives. This presentation will be particularly beneficial for product developers, as they will learn about the requirements that will be demanded in Spain going forward. It will also be of interest to other Certification Bodies (CBs) who may find this methodology and tool valuable in their own evaluations.

ICCC23 -The new cryptographic evaluation methodology created by CCN

Javier Tallón

Checkpoint Technologies, empresa a la que hemos ayudado a certificar/cualificar varios de sus soluciones con el fin de formar parte del catálogo CPSTIC / CCN STIC-105, nos invitó como ponentes a este webinar en el que tuvimos la oportunidad de explicar lo siguientes puntos: • Introducción al Centro Criptológico Nacional (CC) y el Esquema Nacional de Seguridad (ENS) • En qué consiste el Catálogo de Productos y Servicios de Seguridad de las Tecnologías de la Información y la Comunicación (CPSTIC) • Beneficios de la certificación/cualificación de una solución y el cumplimiento del ENS para tu organización y principales

La ventaja de implementar una solución de ciberseguridad certificada por el C...

Javier Tallón

The draft of the URWP (Union Rolling Work Programme) of the European commission suggests a European Crypto Scheme as one of the potential schemes to be created under the CSA. The use of cryptographic modules to protect sensitive information in hardware, software and firmware products is becoming increasingly widespread. Until now, there has been a reference methodology for cryptographic evaluation at international level, FIPS 140-3. Nonetheless, at the SOG-IS level, there have been efforts to harmonize evaluations in Europe. The publication of the SOGIS Agreed Cryptographic Mechanisms or the SOGIS Harmonised cryptographic Evaluation Procedures show the efforts conducted in Europe during the last years. However, the pandemic situation has slowed down the progress. This talk will present the new approach to evaluate cryptography in Spain according to the methodology created jointly by CCN (Spanish CB) and jtsec, which could serve as a base for a potential European scheme. In addition, this talk will show the tool created to verify the conformance of cryptographic primitives. This presentation will be especially useful for schemes and government entities to check if the approach could fit their needs.

EUCA23 - Evolution of cryptographic evaluation in Europe.pdf

Javier Tallón

Seguro que has visto cómo cada vez más sectores como la banca o los seguros permiten abrir cuentas legalmente vinculadas sin la intervención (a priori) de un operador humano gracias a procesos de videoidentificación, pero, ¿te has preguntado qué tan seguros son? El Ministerio de Asuntos Económicos y Transformación Digital, en el BOE núm. 115, de 14 de mayo de 2021 y con motivo de la emergencia sanitaria generada por la crisis de la COVID-19, regulaba los métodos de identificación remota por vídeo para la expedición de certificados electrónicos cualificados, lo que obliga a los prestadores de este tipo de servicios a validar sus soluciones en los términos que establece el anexo F11 de la Guía CCN-STIC-140, del Centro Criptológico Nacional. Dicho anexo requiere que un laboratorio acreditado realice ataques de presentación a este tipo de soluciones para verificar su resistencia a técnicas como máscaras hiperrealistas, deepfake o contouring. Durante esta charla ahondaremos en los detalles técnicos de dichos ataques, y te contaremos cómo hemos conseguido inyectar vídeo en muchas de estas soluciones.

Hacking your jeta.pdf

Javier Tallón

El uso de módulos criptográficos para proteger información sensible en productos hardware, software y firmware es cada vez más extendido. Por ello CCN, desarrolló en su Guía de Seguridad de las TIC CCN-STIC 2002 un Módulo de Evaluación Criptográfico (MEC) que se aplica a diferentes soluciones que implementan algoritmos criptográficos. Este módulo sirve de referencia en numerosas evaluaciones bajo la metodología LINCE en las que se aplica de forma adicional. Debido al aumento cada vez mayor de requisitos criptográficos, CCN ha desarrollado, con el soporte de jtsec, una metodología que incluye pruebas de conformidad, búsqueda de errores comunes en las implementaciones y requisitos de implementación de las primitivas criptográficas. El objetivo de la metodología criptográfica es el de establecer un marco común para llevar a cabo las evaluaciones criptográficas de los TOEs que van a ser evaluados para la obtención de un certificado Common Criteria, LINCE con validación criptográfica o STIC con validación Criptográfica. En esta charla se presentará la nueva aproximación para evaluar la criptografía en España según la metodología creada conjuntamente por CCN y jtsec. Además, mostraremos la herramienta creada para verificar la conformidad de las primitivas criptográficas. Esta ponencia será especialmente útil para los desarrolladores de productos que conocerán los requisitos que se pedirán a partir de ahora.

Evolucionado la evaluación Criptográfica

Javier Tallón

El desarrollo de productos creados directamente en la nube (cloud nativo) es una práctica cada vez más extendida en la industria. La administración española no escapa a esa tendencia y es cada vez más habitual las migraciones a la nube. El despliegue y gestionado se realiza en la nube y normalmente son desarrollos en constante evolución, permitiendo a los fabricantes más flexibilidad para la continua mejora de sus productos. Ante el continuo incremento de productos desarrollados en la nube, en febrero de 2020, el CCN publicaba el Anexo G de la “Guía de Seguridad de las TIC CCN-STIC 140” para la Taxonomía de productos de STIC - Servicios en la nube, donde se reflejan los Requisitos Fundamentales de Seguridad (RFS) para este tipo de servicios, considerándose requisitos adicionales que complementan a los requisitos definidos para cada una de las familias de productos. Una guía pionera a nivel internacional para la evaluación de servicios cloud, por lo que cabe destacar que España es el primer país en crear una metodología de evaluación para este tipo de servicios. Normalmente las evaluaciones en la nube, se centran en la gestión e infraestructura del servicio/producto dejando de lado la funcionalidad de seguridad implementada por el mismo. En las evaluaciones de ciberseguridad, existe la particularidad de que estos servicios/productos no pueden ser completamente controlados/instalados en el laboratorio a la hora de realizar la evaluación, por lo que no se puede certificar usando las metodologías LINCE o Common Criteria. Este problema existe a nivel internacional. Para solventar esta casuística, CCN diseño una estrategia de evaluación de servicios en la nube mediante evaluaciones STIC complementarias haciendo uso de la metodología LINCE. Esta vía ha permitido la cualificación en el catálogo CPSTIC / CCN-STIC 105 de servicios en la nube. A día de hoy, hay 6 servicios en la nube incluidos en el catálogo CPSTIC. Todos ellos han sido evaluados por jtsec. En jtsec nos hemos tenido que adaptar tecnológicamente para afrontar este tipo de evaluaciones, puesto que alrededor del 70% de evaluaciones iniciadas en 2022 por jtsec corresponden a servicios en la nube. La charla describirá las particularidades de las evaluaciones en la nube tanto a nivel técnico como en el proceso. Además, pondrá de relieve los esfuerzos realizados a nivel nacional para que se puedan evaluar este tipo de soluciones.

España y CCN como referentes en la evaluación de ciberseguridad de soluciones...

Javier Tallón

Harmonization on the competence of the different labs/evaluators have been always a topic for discussion in the Cybersecurity Certification community. At ISO level, a new standard has been approved aiming to support this goal: ISO 19896. ISO/IEC 19896 orders the requirements for information security testers and evaluators, including a set of concepts and relationships to understand the competency for individuals performing Common Criteria evaluations. The requirements of this new ISO standard allows verifying that laboratories and personnel have sufficient capacity to handle a Common Criteria evaluation. However, there are some controversial points regarding this ISOs and how to apply it in Common Criteria, which will be explained during the talk. Other topics to be addressed during the talk will be how EUCC, the first European cybersecurity scheme for ICT products, will cover the requirements of this ISO and other related standards.

EUCA 22 - Let's harmonize labs competence ISO 19896

Javier Tallón

Common Criteria is the most used international standard for cybersecurity certification for ICT products. CC has lights and shadows and for most of the stakeholders the main drawback might be the assurance continuity process. The application of CC for re-certifications of updates or security-patched products is very slow and not adapted to the time to market of new versions of products. EUCC includes patch management as an activity that may be assessed as part of the evaluation process. ISO SC27 WG3 have been working hard in the last years to prepare the technical specification that could be used to evaluate the TOE‚Äôs patching functionality and the developer‚Äôs patch management by adding new modules that can be integrated into PPs and STs. This talk will explain the current status and news of the ISO Technical Specification, and explain how it address the patch management problem taking into account the Cyber Security Act requirements. The speakers will be Javier Tallon and Sebastian Fritsch, co-editors of the ISO/IEC TS 9565.

EUCA22 - Patch Management ISO_IEC 15408 & 18045

Javier Tallón

The proliferation of new cybersecurity standards/schemes shows the interest of all the stakeholders to require cybersecurity for ICT products. On the other hand, a need for harmonization/recognition between standards/schemes is needed. Otherwise, there could be too many standards that become non-cost-effective for developers certifying their products. For instance, almost every IoT vertical has its own set of cybersecurity standards. But IoT devices and it‚Äôs supply chain is not limited within a single vertical. In fact the contrary holds, that building blocks of an IoT device find appliance in a couple of other verticals. Assuming that these building blocks demonstrated cybersecurity compliance of some form, say for a particular vertical, it will be key for the economy to not repeat those proofs of compliance but instead accept across standards and schemes where applicable. This talk will highlight the importance of the acceptance of certification and standard compliance results across different schemes or security standards. We will show examples (e.g., smart metering in France with de-facto acceptance of underlying CC results, SESIP to IEC62443-4-2) where this has been applied successfully, but will also look at existing standards or schemes where this would be possible (e.g. EUCC, FITCEM, etc‚) or proposals on how to apply this for Industrial IoT (IACS ERNCIP recommendations to the EU commission). The talk will be given from the developer perspective (Georg Stütz from NXP) and lab perspective (Jose Ruiz from jtsec)

Cross standard and scheme composition - A needed cornerstone for the European...

Javier Tallón

Incluir productos y servicios en el catálogo de ciberseguridad de referencia para la Administración Pública no resulta sencillo. Se ha de superar una evaluación LINCE o Common Criteria para poder acceder a dicho catálogo. En el catálogo CPSTIC se pueden incluir tanto para soluciones on premise como en la nube, siendo una gran ventaja para aquellos desarrolladores cloud native. En esta presentación explicamos las diferentes maneras de incluir una solución en el catálogo CPSTIC, así como los pasos a seguir.

¿Cómo incluir productos y servicios en el catálogo CPSTIC (CCN-STIC 105)?

Javier Tallón

The use of different automation tools in Common Criteria is a reality. In recent years, it has been demonstrated that the capacity to take on a large number of Common Criteria evaluations, both by laboratories and by the Certification Bodies, is limited. The automation of certain processes through the use of tools created specifically for this purpose is seen as the only possible way to speed up the process, both in terms of time and workload. How will the use of tools affect the immediate future of the different stakeholders in Common Criteria? Will automation lead to an increase in the number of certifications and the possibility that more companies will be able to become certified?

Is Automation Necessary for the CC Survival?

Javier Tallón

CCCAB (Common Criteria Conformity Assessment Body) Tool is a unique framework that will allow Common Criteria CABs to smooth the certification process for ICT products, reducing the cost and time required in each single certification process. CCCAB will be developed to support NCCAs (National Cybersecurity Certification Authorities) when acting as CABs for level high and CABs (Conformity Assessment Bodies) for level substantial operating under the EUCC (Common Criteria based European candidate cybersecurity certification scheme) scheme. CCCAB has been selected by the European Commission under the Connecting Europe Facility (CEF) programme as a granted project. Two European NCCAs are also supporting CCCAB: CCN (Spain) and OCSI (Italy), reflecting the magnitude of the project. CCCAB will be released as an open source product and will be free to use allowing the community to improve the tool in the future. This tool was presented at last ICCC. In this year presentation, we will be able to show the specifications that have been defined to interact with the tool. We will be able to present the current status of the development showing the first operational version of CCCAB. Finally, we will discuss the challenges to make the tool accessible widely.

CCCAB tool - Making CABs life easy - Chapter 2

Javier Tallón

CC Scraper is a tool developed by jtsec 5 years ago that that analyses automatically the information from the CC and CBs portals using OCR capabilities and other features. Including detailed insights about Common Criteria like certification per assurance level, trends by Protection Profile, ranking of manufacturer, among others. We have published free annually reports regarding. In last year’s edition, we presented the statistics for 2021, the year with the most Common Criteria certifications in history. Would you like to know the data of the first three quarters of 2022? Will this year beat last year’s record number of certifications? Which labs and vendors will be in the top? This presentation will show Common Criteria’s data in a year that has taken place against a context of global uncertainty and instability.

2022 CC Statistics report: will this year beat last year's record number of c...

Javier Tallón

Artículo publicado en la edición nº 148 de la Revista SIC, donde presentamos la herramientas que estamos desarrollando, pionera en el mercado. CCCAB es un proyecto financiado por la Comisión Europea en el marco del programa Connecting Europe Faciclity (CEF), que permite ahorrar tiempo y esfuerzo a los CABs (Certification Assessments Bodies), aligerando su carga de trabajo para optimizar la fase de certificación.

CCCAB, la apuesta europea por la automatización de los Organismos de Certific...

Javier Tallón

Automating Common Criteria

Javier Tallón

CCCAB (Common Criteria Conformity Assessment Body) Tool is a unique framework that will allow Common Criteria CABs to smooth the certification process for ICT products, reducing the cost and time required in each single certification process. CCCAB will be developed to support NCCAs (National Cybersecurity Certification Authorities) when acting as CABs for level high and CABs (Conformity Assessment Bodies) for level substantial operating under the EUCC (Common Criteria based European candidate cybersecurity certification scheme) scheme. CCCAB has been selected by the European Commission under the Connecting Europe Facility (CEF) programme as a granted project. Two European NCCAs are also supporting CCCAB: CCN (Spain) and OCSI (Italy), reflecting the magnitude of the project. CCCAB will be released as an open source product and will be free to use allowing the community to improve the tool in the future. The presentation will show the objectives, status of the development and the potential of the tool and what it will mean for the different stakeholders involved in a Common Criteria certification process.

CCCAB - Making CABs life easy

Javier Tallón

CC Scraper is a tool developed by jtsec four years ago that that analyses automatically the information from the CC portal using OCR capabilities and other features. Including detailed insights about Common Criteria from Certification Bodies web sites, trends by Protection Profile, ranking of manufacturer, among others. We have published free annually reports for the CC community, since we have received a great feedback from several stakeholders. In last year's edition, we presented the statistics for 2020, an unusual year due to the pandemic, nevertheless, was the second year with the highest number of Common Criteria assessments carried out. But, what are the data for 2021 and how is the market performing this year? This presentation will show, describe and talk about the last version of the CC Statistics report with particular emphasis on how the industry is facing a general economic recovery process overcoming the pandemic and how it is impacting on cybersecurity certifications.

ICCC21 2021 statistics report

Javier Tallón

Mehr von Javier Tallón (20)

Evolucionando la evaluación criptográfica - Episodio II

Cómo evaluar soluciones biométricas para incluir productos de videoidentifica...

ICCC2023 Statistics Report, has Common Criteria reached its peak?

ICCC23 -The new cryptographic evaluation methodology created by CCN

La ventaja de implementar una solución de ciberseguridad certificada por el C...

EUCA23 - Evolution of cryptographic evaluation in Europe.pdf

Hacking your jeta.pdf

Evolucionado la evaluación Criptográfica

España y CCN como referentes en la evaluación de ciberseguridad de soluciones...

EUCA 22 - Let's harmonize labs competence ISO 19896

EUCA22 - Patch Management ISO_IEC 15408 & 18045

Cross standard and scheme composition - A needed cornerstone for the European...

¿Cómo incluir productos y servicios en el catálogo CPSTIC (CCN-STIC 105)?

Is Automation Necessary for the CC Survival?

CCCAB tool - Making CABs life easy - Chapter 2

2022 CC Statistics report: will this year beat last year's record number of c...

CCCAB, la apuesta europea por la automatización de los Organismos de Certific...

Automating Common Criteria

CCCAB - Making CABs life easy

ICCC21 2021 statistics report

Kürzlich hochgeladen

BooK Now Call us at +918448380779 to hire a gorgeous and seductive call girl for sex. Take a Delhi Escort Service. The help of our escort agency is mostly meant for men who want sexual Indian Escorts In Delhi NCR. It should be noted that any impersonator will get 100 attention from our Young Girls Escorts in Delhi. They will assume the position of reliable allies. VIP Call Girl With Original Photos Book Tonight +918448380779 Our Cheap Price 1 Hour not available 2 Hours 5000 Full Night 8000 TAG: Call Girls in Delhi, Noida, Gurgaon, Ghaziabad, Connaught Place, Greater Kailash Delhi, Lajpat Nagar Delhi, Mayur Vihar Delhi, Chanakyapuri Delhi, New Friends Colony Delhi, Majnu Ka Tilla, Karol Bagh, Malviya Nagar, Saket, Khan Market, Noida Sector 18, Noida Sector 76, Noida Sector 51, Gurgaon Mg Road, Iffco Chowk Gurgaon, Rajiv Chowk Gurgaon All Delhi Ncr Free Home Deliver

08448380779 Call Girls In Friends Colony Women Seeking Men

Delhi Call girls

As privacy and data protection regulations evolve rapidly, organizations operating in multiple jurisdictions face mounting challenges to ensure compliance and safeguard customer data. With state-specific privacy laws coming up in multiple states this year, it is essential to understand what their unique data protection regulations will require clearly. How will data privacy evolve in the US in 2024? How to stay compliant? Our panellists will guide you through the intricacies of these states' specific data privacy laws, clarifying complex legal frameworks and compliance requirements. This webinar will review: - The essential aspects of each state's privacy landscape and the latest updates - Common compliance challenges faced by organizations operating in multiple states and best practices to achieve regulatory adherence - Valuable insights into potential changes to existing regulations and prepare your organization for the evolving landscape

TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments

TrustArc

08448380779 Call Girls In Civil Lines Women Seeking Men

Delhi Call girls

What is a good lead in your organisation? Which leads are priority? What happens to leads? When sales and marketing give different answers to these questions, or perhaps aren't sure of the answers at all, frustrations build and opportunities are left on the table. Join us for an illuminating session with Cian McLoughlin, HubSpot Principal Customer Success Manager, as we look at that crucial piece of the customer journey in which leads are transferred from marketing to sales.

04-2024-HHUG-Sales-and-Marketing-Alignment.pptx

HampshireHUG

A Domino Admins Adventures (Engage 2024)

Gabriella Davis

Evaluating the top large language models.pdf

ChristopherTHyatt

This presentations targets students or working professionals. You may know Google for search, YouTube, Android, Chrome, and Gmail, but did you know Google has many developer tools, platforms & APIs? This comprehensive yet still high-level overview outlines the most impactful tools for where to run your code, store & analyze your data. It will also inspire you as to what's possible. This talk is 50 minutes in length.

Powerful Google developer tools for immediate impact! (2023-24 C)

wesley chun

08448380779 Call Girls In Diplomatic Enclave Women Seeking Men

Delhi Call girls

The 7 Things I Know About Cyber Security After 25 Years | April 2024

Rafal Los

Heather Hedden, Senior Consultant at Enterprise Knowledge, presented “The Role of Taxonomy and Ontology in Semantic Layers” at a webinar hosted by Progress Semaphore on April 16, 2024. Taxonomies at their core enable effective tagging and retrieval of content, and combined with ontologies they extend to the management and understanding of related data. There are even greater benefits of taxonomies and ontologies to enhance your enterprise information architecture when applying them to a semantic layer. A survey by DBP-Institute found that enterprises using a semantic layer see their business outcomes improve by four times, while reducing their data and analytics costs. Extending taxonomies to a semantic layer can be a game-changing solution, allowing you to connect information silos, alleviate knowledge gaps, and derive new insights. Hedden, who specializes in taxonomy design and implementation, presented how the value of taxonomies shouldn’t reside in silos but be integrated with ontologies into a semantic layer. Learn about: - The essence and purpose of taxonomies and ontologies in information and knowledge management; - Advantages of semantic layers leveraging organizational taxonomies; and - Components and approaches to creating a semantic layer, including the integration of taxonomies and ontologies

The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf

Enterprise Knowledge

Boost Fertility New Invention Ups Success Rates.pdf

sudhanshuwaghmare1

Three things you will take away from the session: • How to run an effective tenant-to-tenant migration • Best practices for before, during, and after migration • Tips for using migration as a springboard to prepare for Copilot in Microsoft 365 Main ideas: Migration Overview: The presentation covers the current reality of cross-tenant migrations, the triggers, phases, best practices, and benefits of a successful tenant migration Considerations: When considering a migration, it is important to consider the migration scope, performance, customization, flexibility, user-friendly interface, automation, monitoring, support, training, scalability, data integrity, data security, cost, and licensing structure Next Wave: The next wave of change includes the launch of Copilot, which requires businesses to be prepared for upcoming changes related to Copilot and the cloud, and to consolidate data and tighten governance ShareGate: ShareGate can help with pre-migration analysis, configurable migration tool, and automated, end-user driven collaborative governance

Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff

sammart93

With more memory available, system performance of three Dell devices increased, which can translate to a better user experience Conclusion When your system has plenty of RAM to meet your needs, you can efficiently access the applications and data you need to finish projects and to-do lists without sacrificing time and focus. Our test results show that with more memory available, three Dell PCs delivered better performance and took less time to complete the Procyon Office Productivity benchmark. These advantages translate to users being able to complete workflows more quickly and multitask more easily. Whether you need the mobility of the Latitude 5440, the creative capabilities of the Precision 3470, or the high performance of the OptiPlex Tower Plus 7010, configuring your system with more RAM can help keep processes running smoothly, enabling you to do more without compromising performance.

Boost PC performance: How more available memory can improve productivity

Principled Technologies

MySQL Webinar, presented on the 25th of April, 2024. Summary: MySQL solutions enable the deployment of diverse Database Architectures tailored to specific needs, including High Availability, Disaster Recovery, and Read Scale-Out. With MySQL Shell's AdminAPI, administrators can seamlessly set up, manage, and monitor these solutions, ensuring efficiency and ease of use in their administration. MySQL Router, on the other hand, provides transparent routing from the application traffic to the backend servers in the architectures, requiring minimal configuration. Completely built in-house and supported by Oracle, these solutions have been adopted by enterprises of all sizes for their business-critical applications. In this presentation, we'll delve into various database architecture solutions to help you choose the right one based on your business requirements. Focusing on technical details and the latest features to maximize the potential of these solutions.

Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...

Miguel Araújo

Axa Assurance Maroc - Insurer Innovation Award 2024

The Digital Insurer

Partners Life - Insurer Innovation Award 2024

The Digital Insurer

How to Troubleshoot Apps for the Modern Connected Worker

ThousandEyes

What are drone anti-jamming systems? The drone anti-jamming systems and anti-spoof technology protect against interference, jamming, and spoofing of the UAVs. To protect their security, countries are beginning to research drone anti-jamming systems, also known as drone strike weapons. The anti-jam and anti-spoof technology protects against interference, jamming and spoofing. A drone strike weapon is a drone attack weapon that can attack and destroy enemy drones. So what is so unique about this amazing system?

What Are The Drone Anti-jamming Systems Technology?

Antenna Manufacturer Coco

Strategies for Landing an Oracle DBA Job as a Fresher

Remote DBA Services

Building Digital Trust in a Digital Economy Veronica Tan, Director - Cyber Security Agency of Singapore Apidays Singapore 2024: Connecting Customers, Business and Technology (April 17 & 18, 2024) ------ Check out our conferences at https://www.apidays.global/ Do you want to sponsor or talk at one of our conferences? https://apidays.typeform.com/to/ILJeAaV8 Learn more on APIscene, the global media made by the community for the community: https://www.apiscene.io Explore the API ecosystem with the API Landscape: https://apilandscape.apiscene.io/

Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...

apidays

Kürzlich hochgeladen (20)

08448380779 Call Girls In Friends Colony Women Seeking Men

TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments

08448380779 Call Girls In Civil Lines Women Seeking Men

04-2024-HHUG-Sales-and-Marketing-Alignment.pptx

A Domino Admins Adventures (Engage 2024)

Evaluating the top large language models.pdf

Powerful Google developer tools for immediate impact! (2023-24 C)

08448380779 Call Girls In Diplomatic Enclave Women Seeking Men

The 7 Things I Know About Cyber Security After 25 Years | April 2024

The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf

Boost Fertility New Invention Ups Success Rates.pdf

Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff

Boost PC performance: How more available memory can improve productivity

Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...

Axa Assurance Maroc - Insurer Innovation Award 2024

Partners Life - Insurer Innovation Award 2024

How to Troubleshoot Apps for the Modern Connected Worker

What Are The Drone Anti-jamming Systems Technology?

Strategies for Landing an Oracle DBA Job as a Fresher

Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...

EUCA22 Panel Discussion: Differences between lightweight certification schemes

2. Panelists ISO/IEC 19896 José Ruiz (Moderator) Co-founder and CTO, jtsec Beyond IT Security, Spain Helge Kreutzmann Senior Expert Bundesamt für Sicherheit in der Informationstechnik, Germany Philippe Magnabosco Policy Advisor for External Standards, ANSSI, France Maria Christofi ITSEF COO, Oppida, France Pablo Franco Head of Certification Body, CCN, Spain Petr Kazil Security Consultant, NLNCSA, Netherlands

3. ❑ CSPN –Certification de Sécurité de Premier Niveau ❑ BSPA –Baseline Security Product Assessment ❑ LINCE –National Essential Security Evaluation ❑ BSZ –Beschleunigte Sicherheitszertifizierung ❑ and possibly more … ❑ … and then came the “Cybersecurity Act” with 3 assurance levels. ❑ … and possible verticals using them (e.g. IACS). The fixed-time cybersecurity certification landscape in Europe *Information taken from the presentation INTRODUCING FITCEM (FIXED-TIME CYBERSECURITY EVALUATION METHODOLOGY FOR ICT PRODUCTS) by Dr. Helge Kreutzmann at EUCA 2021

4. ❑ Flexible application: ❑ All CSA evaluation assurance levels, including self-assessment ❑ Horizontals and verticals ❑ Adaptable by parameters where possible ❑ Bare minimum required by CSA shall be possible ❑ Existing methodologies (LINCE, CSPN, …) should be reproducible ❑ The workload on the developer shall be reduced where possible ❑ This might imply higher work load for evaluators ❑ Evaluator competence is important ❑ This is not a “lightweight” CEM (ISO/IEC 18045) Design principles of EN 17640 (extract) *Information taken from the presentation INTRODUCING FITCEM (FIXED-TIME CYBERSECURITY EVALUATION METHODOLOGY FOR ICT PRODUCTS) by Dr. Helge Kreutzmann at EUCA 2021 EN 17640

5. ❑ Completeness check ❑ Protection Profile / Security Target evaluation / Review of security functionalities ❑ Development documentation ❑ Evaluation of the TOE installation ❑ Conformance testing ❑ Vulnerability review ❑ Vulnerability testing ❑ Penetration testing ❑ (Basic) crypto analysis ❑ Extended crypto analysis Evaluation Tasks *Information taken from the presentation INTRODUCING FITCEM (FIXED-TIME CYBERSECURITY EVALUATION METHODOLOGY FOR ICT PRODUCTS) by Dr. Helge Kreutzmann at EUCA 2021

6. That’s all folks!

EUCA22 Panel Discussion: Differences between lightweight certification schemes

Empfohlen

Empfohlen

Weitere ähnliche Inhalte

Ähnlich wie EUCA22 Panel Discussion: Differences between lightweight certification schemes

Ähnlich wie EUCA22 Panel Discussion: Differences between lightweight certification schemes (20)

Mehr von Javier Tallón

Mehr von Javier Tallón (20)

Kürzlich hochgeladen

Kürzlich hochgeladen (20)

EUCA22 Panel Discussion: Differences between lightweight certification schemes