The importance of cybersecurity assessments and certifications to compare the real guarantees offered by a product or solution.
By now, everyone takes it for granted that by the time a product reaches a consumer, it will already have passed the necessary controls to ensure that it meets the required quality and security standards. The current pandemic has even accustomed us to hearing about marks and certifications - when buying face masks, for example.
In the world of cybersecurity, solution manufacturers and cyber experts go out of their way to demand that organizations increase their budgets and investments in cybersecurity, and review and optimize their architectures to better protect them. Yet every day we continue to see organizations' infrastructures being compromised and hacked by cybercriminals, mainly because they do not have sufficient and adequate cybersecurity measures in place.
When CISOs (Chief Information Security Officers) hire cybersecurity services, they will demand that the professionals doing the work demonstrate their knowledge and certifications beforehand, as well as university training specific to the service they are going to provide. But what about the solutions or products that will be deployed in the infrastructure(s)?
Before selecting a solution to improve accessibility and/or protect assets and infrastructures, it is both normal and advisable to carry out a proper analysis of the different solutions on the market. Analyst quadrants and experts should be consulted, and pilots carried out, to check which solution best meets the needs of the organization.
But what is less common is to question the integrity of the solution itself – it's a security solution, it has to be secure, right?
We may have selected a product because its functionalities allow us to achieve the security level we have set, but are we sure that we are not going to introduce into our architecture a device or solution that may have development flaws or vulnerabilities to specific attacks? Has an independent third party evaluated this solution?
It may be that instead of improving security as we intended, what we have introduced is a new security hole in our architecture, of which we have no knowledge and which has cost us, in many cases, a considerable amount of money. Can we imagine the CISO of that company explaining a security incident suffered because of this situation?
So, we agree on the need to guarantee, in some way, that the integrity and security of the solutions offered by the different developers have been reviewed by a third party that provides us with sufficient evidence. But which mark, evaluation or certification is the most appropriate or recognized? How can you know the scope of a security certification? Do two products with the same security certification offer the same guarantees?
There are different alternatives on the market, ranging from self-assessment and private certifications to certification under an international standard within a public-private certification scheme. Of the latter, perhaps the most popular and internationally recognized is Common Criteria. There are also local certifications, such as the LINCE certification, which is valid for entry into the Spanish catalog of IT products for public administration, the CPSTIC. More detailed information on both certifications can be found on our website.
But if we are analyzing two security solutions with similar functionality, and both hold a Common Criteria certificate, does that mean both have passed the same security controls? It depends.
Common Criteria certification is very flexible, which allows developers to decide which functionalities they want to evaluate and certify. For this reason, it is very important not to assume that, just because a developer has a Common Criteria mark, the solution meets our security requirements or that it meets the same security requirements of a competing product with similar functionality.
It is necessary to review all the information on the scope of the certification: product, version, functionalities evaluated, validity of the certificate, and so on. This information is public and accessible to anyone interested. It can be found on the Common Criteria website and on the websites of the certification bodies in each country; in the case of Spain, on the OC-CCN website.
For someone who is not used to analyzing this type of information, this may be a somewhat complicated or tedious task, but as the security of our infrastructures and digital assets is at stake, it is necessary.
The Common Criteria standard has several approaches; one of the best known is the EAL (Evaluation Assurance Level): seven cumulative levels, each representing a greater evaluation and assurance effort. With this approach, it is the developer who defines the objectives and scope of the evaluation, that is, the Target of Evaluation (TOE). As a result, it is possible to find high-level assessments with a very reduced scope, and vice versa. This makes it difficult to compare two EAL certificates without going into the more technical details of the assessment performed.
Among other things, to make it easier to recognize a Common Criteria certification for a specific type of solution, what are known as Protection Profiles are created. These are documents that gather a series of minimum requirements to be evaluated for the certification of a specific product family, making it possible to compare products whose certificates share the same assurance level (EAL) and the same evaluated scope.
The Protection Profiles are generated by international technical working groups, which can be composed of manufacturers, evaluation laboratories, public bodies, etc. They are then reviewed and certified by a recognized Common Criteria Certification Body, which publishes them on its website.
In this way, when we find that two products have obtained the Common Criteria certificate, meeting the requirements of a specific protection profile, we have the guarantee that both products have passed the same security tests and we do not need to spend much more time analyzing the certification documents in depth.
One of the most commonly used protection profiles is for the Network Devices family, which applies to most networked solutions on the market. It is also possible that a solution has been certified on the basis of several protection profiles concurrently, as may be the case for a Firewall solution, which could complete the certification with a more specific protection profile. All information on protection profiles can be found on the Common Criteria website.
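The comparison rule described in the preceding paragraphs (expired certificates are not evidence; a shared Protection Profile makes two certificates directly comparable; EAL-only certificates require reading the TOE scope before ranking them) can be turned into a small procurement checklist. The following Python is an added example written for this article, not code from the original page or from any certification body; the product names, versions, profile labels and dates are constructed placeholders, and the field names are assumptions about what a practitioner would transcribe from the public certificate pages.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional


@dataclass(frozen=True)
class Certificate:
    """Public facts transcribed from one Common Criteria certificate page (hypothetical schema)."""
    product: str
    version: str
    eal: Optional[int]                          # 1..7, or None when no EAL is claimed
    protection_profiles: frozenset = frozenset()  # labels of PPs the TOE claims conformance to
    valid_until: Optional[date] = None          # None = no expiry stated on the page


def is_valid(cert: Certificate, today: date) -> bool:
    """A certificate is usable as evidence only while it is within its validity period."""
    return cert.valid_until is None or cert.valid_until >= today


def compare(a: Certificate, b: Certificate, today: date) -> str:
    """Decide whether two certificates can be compared directly, following the article's rules."""
    if not is_valid(a, today) or not is_valid(b, today):
        return "certificate expired: it is not evidence of current assurance"
    shared = a.protection_profiles & b.protection_profiles
    if shared:
        # Same PP => same minimum requirements and same evaluated scope.
        return "directly comparable: both conform to " + ", ".join(sorted(shared))
    if a.protection_profiles or b.protection_profiles:
        return "different protection profiles: evaluated scopes differ, read both security targets"
    if a.eal is not None and b.eal is not None:
        # A high EAL with a narrow TOE is not automatically better than a lower EAL with a wide TOE.
        return "EAL-only certificates: compare the TOE scope in each security target before ranking by EAL"
    return "insufficient public information: request the certification report"


# Constructed sample data (placeholders, not real products or certificates).
NETDEV_PP = "Network Devices PP"          # constructed label for the Network Devices family profile
FIREWALL_PP = "Stateful Firewall PP"      # constructed label for a more specific profile
TODAY = date(2024, 1, 15)                 # constructed evaluation date

vendor_a = Certificate("RouterA", "4.2", None, frozenset({NETDEV_PP}), date(2026, 6, 30))
vendor_b = Certificate("RouterB", "7.0", None, frozenset({NETDEV_PP, FIREWALL_PP}), date(2025, 3, 1))
vendor_c = Certificate("RouterC", "1.0", 4, frozenset(), date(2027, 1, 1))
vendor_d = Certificate("RouterD", "2.5", 2, frozenset(), date(2026, 1, 1))
vendor_e = Certificate("RouterE", "3.1", 4, frozenset({NETDEV_PP}), date(2023, 12, 31))  # expired


if __name__ == "__main__":
    for left, right in [(vendor_a, vendor_b), (vendor_c, vendor_d), (vendor_a, vendor_e)]:
        print(f"{left.product} vs {right.product}: {compare(left, right, TODAY)}")
```

The point of the check is the order of the rules: validity is tested first, then profile conformance, and only then EAL, because a higher EAL number on its own says nothing about whether the evaluated scope covers the functionality you are relying on.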
In summary, in order to make informed decisions when choosing a cybersecurity solution or network device, ensuring that the solution has been evaluated by an independent third party is absolutely vital. Furthermore, we must understand the rigor and scope of that evaluation in order to compare two similar products. Otherwise, we will be choosing the solution based on nothing more than the confidence the manufacturer inspires in us.