© 2000 by CRC Press LLC

ratings by NCSC, in addition to hardware–software combinations, encryption devices, and network security systems. The basic evaluation determines the degree of confidence that the system will be resistant to external penetration and internal unauthorized actions. The most secure systems known are classified A1 and utilize a reference monitor (checking every request for access to every resource), a security kernel (concentration of all security-related functions into a module that facilitates protection and validation), and protection against covert channels. Formal analysis is used to assure that the implementation correctly corresponds to the intended security policy. There is an operational efficiency penalty associated with secure multilevel operating systems. Other classes (in order of progressively fewer security features, which results in decreasing security) are B3, B2, B1, C2, C1, and D (see Table 97.2, where security features generally accumulate, reading up from the table bottom).

In addition to computer activity directly controlled by personnel, a family of software threats can execute without direct human control.
These techniques include the Trojan horse, the virus, the worm, the logic bomb, and the time bomb. The virus and worm (because they copy themselves and spread) are both capable of global-spanning attacks over relatively short time frames. Protection against these threats includes limiting user threats through background screening, using expert system software scanners that search for adversarial program characteristics, comparators, and authenticators or digital signatures that facilitate detection of software tampering. Other software-intensive threats include trapdoors, superzapping, browsing, asynchronous attacks, and the salami attack [Cooper, 1989]. These all usually involve unauthorized actions by authorized people and are most effectively counteracted by insider personnel controls (see Section 97.7, “Personnel Security”).

Hardware Security

In addition to personal authentication through something known (e.g., passwords or PINs), users can be authenticated through something possessed or by something inherent about the user (or by combinations of the three). Hardware devices that contribute to computer security using the approach of something possessed include tokens and smart cards. Biometric verifiers authenticate by measuring human characteristics. Other hardware security devices include encryptor/decryptor units and port protection devices (to make dial-up attacks by hackers more difficult). A generic diagram depicting some of these applied to control of users is shown in Fig. 97.7. The controls can be used individually or in various combinations.

Tokens are devices that can be hand-carried by authorized computer users and are intended to increase password security by assuring that passwords are used only once, thereby reducing the vulnerability to password compromise.
The devices contain an internal algorithm, which either works in synchronization with an identical algorithm in the host computer or transforms an input derived from a computer prompt into a password that matches the computer-transformed result. In order to protect against loss, most also require a user password for token access.

Smart cards are credit-card-sized devices intended to facilitate secure transactions, such as credit card purchases, purchases or cash withdrawals that result in bank account debits, or information interchanges. The most common application uses a card reader/network that exchanges data with the smart card over a serial data bus. User information and security information are stored in encrypted form in the card, and physical

TABLE 97.2 NCSC Security Evaluation Ratings

| Class Name | Summary of Salient Features |
|---|---|
| Class A1 | Formal top-level specification and verification of security features, trusted software distribution, covert channel formal analysis |
| Class B3 | Tamper-proof kernelized security reference monitor (tamper-proof, analyzable, testable), structured implementation |
| Class B2 | Formal security model design, covert channel identification and tracing, mandatory controls for all resources (including communication lines) |
| Class B1 | Explicit security model, mandatory (Bell–La Padula) access control, labels for internal files and exported files, code analysis and testing |
| Class C2 | Single-level protection for important objects, log-in control, auditing features, memory residue erasure |
| Class C1 | Controlled discretionary isolation of users from data, authentication, testing |
| Class D | No significant security features identified |
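The two token modes described under Hardware Security (an algorithm kept in synchronization with the host, or a transformation of a host prompt), shown as an added example that is not part of the original text. The text names no algorithm, so the HMAC-SHA-256 construction with HOTP-style truncation, the names `otp`, `Token` and `Host`, and the look-ahead window are assumptions chosen for illustration.

```python
import hashlib
import hmac
import secrets
import struct

def otp(secret: bytes, msg: bytes, digits: int = 6) -> str:
    """HMAC the message, then truncate to a short decimal password (HOTP-style)."""
    mac = hmac.new(secret, msg, hashlib.sha256).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)

def same(a: str, b: str) -> bool:      # constant-time comparison
    return hmac.compare_digest(a.encode(), b.encode())

class Token:    # hand-held device: shared secret, own counter, PIN against loss
    def __init__(self, secret: bytes, pin: str):
        self._secret, self._pin, self._counter = secret, pin, 0

    def _unlock(self, pin: str) -> None:
        if not same(pin, self._pin):
            raise PermissionError("wrong token PIN")

    def next_password(self, pin: str) -> str:        # synchronized mode
        self._unlock(pin)
        self._counter += 1
        return otp(self._secret, b"sync" + struct.pack(">Q", self._counter))

    def respond(self, pin: str, challenge: bytes) -> str:   # prompt-driven mode
        self._unlock(pin)
        return otp(self._secret, b"chal" + challenge)

class Host:     # host computer: identical algorithm, accepts each password once
    def __init__(self, secret: bytes, window: int = 3):
        self._secret, self._window, self._counter, self._pending = secret, window, 0, None

    def verify_sync(self, password: str) -> bool:    # look-ahead covers skipped passwords
        for c in range(self._counter + 1, self._counter + 1 + self._window):
            if same(password, otp(self._secret, b"sync" + struct.pack(">Q", c))):
                self._counter = c        # this password and all older ones are now dead
                return True
        return False

    def issue_challenge(self) -> bytes:
        self._pending = secrets.token_bytes(8)
        return self._pending

    def verify_response(self, password: str) -> bool:
        challenge, self._pending = self._pending, None      # each prompt is single-use
        return challenge is not None and same(password, otp(self._secret, b"chal" + challenge))
```

Because the host advances its counter on every accepted password and discards each challenge after one check, a captured password cannot be replayed in either mode.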