9.3.5. State of Art vs Security Guaranteed
In cyberspace, the bad guys are not concerned with using hardware or software certified by a reliable third party. They simply take the latest product on the market and test it. If it works for their malicious purposes, good; if not, they rule it out and try another one. This tactic gives them maximum efficiency.
On the other side of the story are the IT security departments of companies, states, or multinational alliances that have to protect information, information systems, and computer networks with reliable security hardware and software. The "trial and error" method is not acceptable for them, since testing the effectiveness of security products in production means putting the state's or alliance's information and information infrastructure at risk.
Security is a large investment. Authorities want some guarantee that the money invested in security actually protects the information and the IT up to a predefined level x.
There are two ways to study the effectiveness of a specific group of security mechanisms or products:
Trial and error in a real environment: This refers to deploying security products and applications in a real IT infrastructure and then observing the damage when a cyber threat materializes.
PROS:
- No extra money spent on security evaluation and certification costs.
- No extra time spent on the security evaluation and certification process, so the latest technology can be used immediately.
CONS:
- No guarantee of the effectiveness of the implementation.
- No indicator of return on investment.
- High risk of significant impact on the IT infrastructure.
Security evaluation and certification: This refers to deploying security products and applications that have previously been studied, analyzed, and tested in a controlled environment or laboratory by a reliable organization, according to criteria defined and agreed upon by the international community.
[109]
[Figure: Security Certificate. Positive effects: improves IT reliability, improves information superiority. Negative effects: slows down the acquisition process, prevents the use of "state of the art", worsens information superiority.]
PROS:
- Official guarantee of the effectiveness of the implemented products. The value of this guarantee is relative, for the following reasons: a) it is tied to the threats known at the time of the evaluation; b) it covers an isolated product or system in its evaluated configuration, not the whole interconnected system it ends up in; and c) security certifications are based on common international criteria except for purely cryptographic matters, which remain within the remit of the national security agencies. Return on investment can be identified to some extent.
- Low risk of significant impact on the IT infrastructure.
CONS:
- Extra money spent on security evaluation and certification.
- Extra time spent on the security evaluation and certification process. Thus, the latest technology cannot be used immediately. Given how fast IT evolves, if the evaluation and certification process takes too long, this is a significant competitive disadvantage against adversaries who use the trial and error method.
Security certifications have so far been the accepted method of stating with confidence that a specific product or system has a certain level of security.
[110]
First, TCSEC (Trusted Computer System Evaluation Criteria), frequently referred to as the Orange Book, was developed in 1983 by the US Department of Defense to set the basic requirements for assessing the effectiveness of the computer security controls built into a computer system.
Later, in 1990, ITSEC (Information Technology Security Evaluation Criteria) was developed in Europe. With a wider scope than TCSEC, it aimed at independently testing the security features of a product in order to identify logical vulnerabilities.
After that, in 1993, CTCPEC, the Canadian standard derived from TCSEC, avoided several of its problems and was used jointly by the US and Canada.
Finally, the Common Criteria for Information Technology Security Evaluation (CC, standardized as ISO/IEC 15408), built on the previous three standards, is now accepted as the international certification method for computer security.
The CC provides assurance that a product has been developed in a secure process and that security threats have been considered. However, for a selection process it is also necessary to take into account the specific threats of the operational environment in which the system will be used.
In many cases certification alone is not enough to guarantee the security level required for a specific operational theater. As a result, it is necessary to carry out a vulnerability assessment that complements, and in some cases replaces, the certification of the product.
The accreditation process will also remain a requirement for guaranteeing a specific level of security when a system is going to handle classified information and when systems and networks are to be interconnected or federated. It is the principal mechanism for reaching the level of trust needed for interconnections. Nevertheless, the evaluation and certification process is so far too slow compared with the speed of the IT revolution.
The mission of NECCS should be to find a point of balance between the need for a guarantee of the accuracy and appropriateness of security products and the need to use the latest technology in a rapidly changing technological environment.
In addition, NECCS demonstrates the need for a security evaluation system that is agreed upon internationally, is faster and more efficient, and is more consistent with the current speed of IT evolution.
[111]