IEEE 2600-series Standards for Hardcopy Device Security
Brian Smithson
PM, Security Research – Ricoh Americas Corporation
Lead Editor – IEEE P2600 Standards Working Group
17 November, 2010 – Ottawa, ON

Agenda
– Overview of hardcopy device security
– A very brief introduction to the Common Criteria
– The IEEE 2600-series standards
– Hardcopy device security and the Common Criteria
– How to use the IEEE 2600-series standards
– Summary and Q&A

Overview of hardcopy device security: Early history of hardcopy device security
Do you remember when copiers were analog devices, connected only to a power source, often managed by the Facilities department ... and printers were “write-only” devices? No security issues, right?

Overview of hardcopy device security: Sniffing data during the Cold War
In 1961, copiers were a target for espionage:
– The CIA found Soviet embassies to be inaccessible to anyone – except to the copier repairman.
– The CIA and Xerox fashioned an 8mm movie camera set to take single frames, triggered by a photocell.
– A “Xerox repairman” could install and replenish this camera in Soviet embassy copiers under the watchful eye of security guards, because nobody knew what components should or should not be inside a copier.
– Soviet cipher clerks, secretaries, and KGB agents photocopied secret orders, decoded messages, and lists of spies. Every copy was captured on film. For eight years.
Details and photos from: http://editinternational.com/read.php?id=47ddf19823b89

Overview of hardcopy device security: What can be learned from the CIA?
Q: What do people print, scan, copy, and fax?
A: Their most current, important documents!
Hardcopy devices are often:
– Shared, “ownerless” devices
– Placed in open, common areas
– Inadequately monitored
– Trusted on the network
If you can:
– install a network sniffer,
– redirect fax or scanner output,
– steal the hard disk drive,
– pwn the whole thing, or
– just hang out near the output tray,
an unprotected MFP is still… (An old security awareness poster, source unknown)

Overview of hardcopy device security: How has industry addressed this?
Initially, manufacturers responded with “data security kits”.
Later, manufacturers started to claim “whole MFP” security.
However… “Whole MFP security” may not address all of the threats.
Typically addressed:
✓ Residual document data
✓ Fax-network separation
✓ Incoming port filtering
✓ Administrator authentication
✓ Attacking the HCD from the network
Often not addressed:
✗ Persistent and non-document data
✗ Separation and control of all interfaces
✗ Audit logs
✗ User authentication
✗ Attacking the network from the HCD

Overview of hardcopy device security: What was needed for hardcopy device security
– A common agreement on what constitutes baseline security
– A standard or specification which describes that baseline
For use by manufacturers:
– What security functions must be provided
– What additional security is recommended
– A way to independently test whether the required functions have been implemented
For use by customers:
– What security functions to require when procuring HCDs
– Guidance on how to use those functions
– A way to reference that baseline and independent testing in procurement specifications

Overview of hardcopy device security: Background of the IEEE P2600 Working Group
The IEEE P2600 working group was organized in early 2004:
– Open standards process and international recognition
– Virtually all HCD manufacturers participated
– Face-to-face meetings every 6~8 weeks
Produced five standards:
– IEEE Std. 2600™-2008 (standard for hardcopy device security)
– IEEE Std. 2600.1™-2009 (standard for a Protection Profile)
– IEEE Std. 2600.2™-2009 (standard for a Protection Profile)
– IEEE Std. 2600.3™-2009 (standard for a Protection Profile)
– IEEE Std. 2600.4™-2010 (standard for a Protection Profile)

A very brief overview of the Common Criteria: Overview of ISO/IEC 15408 and the Common Criteria
The Common Criteria (CC) is an internationally recognized methodology for:
– expressing security requirements for IT products,
– evaluating products to see if they meet those requirements, and
– mutually recognizing certified products among the participating nations.
CC is not a prescriptive security standard; it is a process standard. The process has four stages:
Preparation
• Manufacturer chooses product(s) to certify
• Manufacturer prepares a Security Target document and other evidence to support their product’s security claims
Evaluation
• Manufacturer submits product and documents to a licensed CC laboratory
• Laboratory performs evaluation under observation of a national CC scheme
• The national CC scheme (e.g. NIAP CCEVS in US, BSI in Germany, IPA in Japan) oversees evaluation and reviews evaluation reports
Certification
• CC scheme issues a certificate
• Product and certification reports are listed on web sites (scheme and CC portal)
Recognition
• All 26 CCRA member countries recognize the product certification
ISO/IEC 15408 is ISO’s adoption of Common Criteria
– ISO adoption follows CC
– Current version is 3.1 release 3

A very brief overview of the Common Criteria: Two ways to evaluate products
1. Without a Protection Profile:
– A manufacturer writes a Security Target document that describes the security claims of their product.
– Evaluation is based solely on the manufacturer’s claims, not on a standard: it certifies only that the product fulfills the manufacturer’s claims.
2. With a Protection Profile:
– Somebody writes a Protection Profile describing the security requirements for a class of products.
– Manufacturers write Security Target documents that make security claims conforming to those requirements.
– Evaluation ensures that the product fulfills the manufacturer’s claims, and that the manufacturer’s claims fulfill those requirements.
You need a Protection Profile to enforce uniform baseline security requirements.
The US and other governments prefer to buy products that have been evaluated based on a Protection Profile (if one exists) for its class of products.

The IEEE 2600-series standards: IEEE 2600 standard for hardcopy device security
In 2008, the IEEE published a general standard for HCDs: IEEE 2600™-2008 Standard for Information Technology: Hardcopy Device and System Security
– Describes hardcopy devices
– Defines four typical operational environments
– Describes security threats for each environment
– Recommends mitigation approaches
– Specifies security objectives for compliance
– Includes an appendix of best practices
It is mainly a guidance document. It is possible to claim compliance to IEEE 2600; however, there is no requirement for independent verification.

The IEEE 2600-series standards: IEEE 2600 operational environments
IEEE 2600 operational environments are based on market segments:
A. For use with highly proprietary or legally regulated documents
B. For general enterprise use
C. For public-facing use
D. For small office / home office use
The security requirements for each environment are hierarchical: A is a superset of B, B is a superset of C, C is a superset of D.
The main difference between environments is the level of accountability for individual user actions.

The IEEE 2600-series standards: IEEE 2600-series Protection Profiles
There are four Common Criteria Protection Profiles, one for each of the typical operating environments that are defined in IEEE 2600:
– IEEE 2600.1-2009 Protection Profile for Operational Environment A (published and certified in 2009)
– IEEE 2600.2-2009 Protection Profile for Operational Environment B (published in 2009, certified in 2010)
– IEEE 2600.3-2009 Protection Profile for Operational Environment C (published in 2010, not certified)
– IEEE 2600.4-2010 Protection Profile for Operational Environment D (published in 2010, not certified)
IEEE 2600.1 was adopted by the US Government as the U.S. Government Protection Profile for Hardcopy Devices in Basic Robustness Environments.

The IEEE 2600-series standards: Comparison of 2600-series Protection Profiles
Requirement | 2600.1 | 2600.2 | 2600.3 | 2600.4
Evaluation assurance level | 3+ | 2+ | 2+ | 1
Additional flaw remediation assurance | Level 2 (Procedural) | Level 2 (Procedural) | Level 1 (Basic) | None
User identification, authentication, authorization | Yes | Yes | Optional | None
Administrator identification, authentication, authorization | Yes | Yes | Yes | Yes
User document protection | At rest, in motion, residual | At rest, residual | Residual | None
Job data protection | At rest, in motion | At rest | None | None
Security data protection | Yes | Yes | Yes | Yes
Managed interfaces | Yes | Yes | Yes | Yes
Software self-verification | Yes | Yes | Yes | Yes
Logging | Complete audit | Exception / violation | Exception / violation | None
Additional requirements packages used when specific functions are present | Print, Scan, Copy, Fax, Doc Server, Removable HDD, Network | Print, Scan, Copy, Fax, Doc Server, Removable HDD, Network | Network | Network

Hardcopy device security and the Common Criteria: Evaluation without a Protection Profile
Prior to June 2009, there was no Protection Profile for HCDs. Manufacturers certified products using “data security kits”, with very specific security claims such as HDD overwrite or fax-network separation, or “whole MFPs” that did not address all of an MFP’s security issues. Most evaluations were performed at Evaluation Assurance Level (EAL) 2 to 3+.
It is worth noting that:
– EAL does not indicate depth of security
– EAL indicates only the depth of evaluation
In other words:
– Products that are evaluated without a Protection Profile only provide security that a manufacturer claims.
– “Whole MFP” may not address all of your security concerns.
– One manufacturer’s “whole MFP” may not be equivalent to another manufacturer’s “whole MFP”.
– Higher EAL does not equal higher security; it only means that security has been evaluated somewhat more rigorously.

Hardcopy device security and the Common Criteria: Why Protection Profiles are important
Security objective | Security functional requirements in the IEEE 2600.1 Protection Profile | A “whole MFP” certified without a Protection Profile
Document protection | Documents should not be disclosed or altered by anyone except the owner, administrator, or authorized delegate. Deleted data is inaccessible. | Deleted data is inaccessible for most kinds of data; data on networks is protected by SSL; protection of persistent data on the MFP is not evaluated.
Security data protection | Depending on the data, security data should not be disclosed or altered by anyone except administrators. | Alteration of security data is evaluated (by controlling access to management functions), but disclosure of security data is not evaluated.
HDD data protection | Data on hard disks is protected from disclosure and alteration if the disk is removed from the MFP. | Only data that has been deleted is protected from disclosure (by overwriting). HDD data encryption is not evaluated.
User authorization | All users are identified and authorized before being allowed to use the MFP. Authentication failures result in lockout. Inactive sessions are terminated. | User identification and authorization is provided for network scanning, scan-to-email, and network faxing. User identification and authentication for network printing and any non-network operation is not evaluated.
Administrator authorization | All administrators are identified and authorized before being allowed to manage the MFP. Authentication failures result in lockout. Inactive sessions are terminated. | All administrators are identified and authorized before being allowed to manage the MFP. Authentication failures result in lockout. Termination of inactive sessions is not evaluated.
Interface management | Data cannot pass from any interface to a network interface without being managed by the MFP. | The MFP can perform IP filtering to limit communication between the MFP and network devices. PSTN-Network data flow is controlled, but control of other interfaces is not evaluated.
Software verification | Software integrity is verified. | Verification of software integrity is not evaluated.
Audit logging | Records are kept and protected for startup / shutdown, all job completion, identification / authentication, use of management functions, administrator role changes, time / date changes, session locking, and trusted channel failure. | Records are kept for startup / shutdown, and job completion only for print, network scan, network fax, and email. Other 2600.1 audit requirements are not evaluated.

Hardcopy device security and the Common Criteria: Evaluations with a Protection Profile
Now that the IEEE 2600.1-2009 Protection Profile for hardcopy devices has been published, manufacturers can submit products for evaluation based on a Protection Profile.
– For manufacturers, Protection Profiles create a level competitive playing field.
– For customers, they create a uniform baseline of security expectations for hardcopy devices that can be referenced by name in procurement specifications.
– For all, they reduce confusion over what constitutes better security, more security coverage or higher EAL:
  – They define what security claims must be made in every evaluation.
  – They define the assurance level that must be used for every evaluation.

How to use the IEEE 2600-series standards: Interpreting manufacturers’ security claims
The primary use of these standards is that manufacturers can claim product certification conforming to IEEE Std. 2600.1 (or 2600.2):
– Conformance to IEEE 2600.1 implies “operational environment A”
– Conformance to IEEE 2600.2 implies “operational environment B”
– Certified products will be listed on the “Common Criteria Portal” web site
Manufacturers can also claim product compliance to IEEE Std. 2600-2008:
– They must specify one or more of the four operational environments
– Such claims do not require independent testing and verification
At present, manufacturers should not claim conformance to IEEE Std. 2600.3-2009 or 2600.4-2010.
Links to test labs, CC schemes, and the CC portal are listed on the last page of this presentation.

How to use the IEEE 2600-series standards: Procuring secure hardcopy devices
Customers can use the IEEE 2600-series standards to help streamline the process of procuring appropriately secure HCDs:
1. Review IEEE Std. 2600-2008 to determine which of the four operational environments most closely matches your needs. You may find that you have different environments in different parts of your organization.
2. For independently tested and verified products, specify products that have been Common Criteria certified conforming to IEEE Std. 2600.1-2009 (environment A) or IEEE Std. 2600.2-2009 (environment B).
3. If no suitable certified products are available for your environment, then you can specify products that comply with IEEE Std. 2600-2008 for your operational environment.
4. If no suitable products comply with IEEE Std. 2600-2008 for your environment, then use the security objectives and other guidance in IEEE Std. 2600-2008 to help you identify products or specify requirements.

How to use the IEEE 2600-series standards: Secure configuration and operation
HCD administrators and other security professionals can use the IEEE 2600-series to help securely configure and operate HCDs:
Follow the guidance in IEEE Std. 2600
– Clause 7 contains mitigation techniques for IT professionals
– Clause 8.2 contains compliance security objectives for IT professionals
– Annex A contains security best practices
Uphold the assumptions and fulfill the security objectives for the IT and non-IT environment defined in IEEE Std. 2600.1 (environment A) or IEEE Std. 2600.2 (environment B)
– This is important if you are using Common Criteria certified products and want to operate them in the “certified configuration”

How to use the IEEE 2600-series standards: Conforming products
• One MFP has already been Common Criteria certified to be in conformance to IEEE Std. 2600.1
• At least four manufacturers have multiple products in evaluation
• In the next six to nine months, an estimated eight to ten Common Criteria certificates will be issued certifying 30-40 product models that conform to the IEEE 2600.1 protection profile
• Refer to the links on the last page of this presentation to find products that have been certified or that are in evaluation
– Certified products are listed on the Common Criteria Portal
– Products in evaluation may be listed by national CC schemes (it is the manufacturers’ option)
• Contact individual manufacturers for details

Summary / Q&A: Summary
– Hardcopy devices need to be secured!
– The IEEE P2600 working group created a baseline security standard for hardcopy devices, IEEE Std. 2600-2008, and two Protection Profiles which are certified for evaluating hardcopy devices: IEEE Std. 2600.1-2009 and IEEE Std. 2600.2-2009
– Common Criteria certification provides a method for independent testing and verification of manufacturers’ security claims
– A Protection Profile provides a minimum set of security claims so that all conforming hardcopy devices can be compared
– Manufacturers can get their products certified as conforming to one of the two Protection Profiles, or they can self-claim that their products comply with the baseline standard IEEE 2600-2008
– Customers have several options for how to use the IEEE 2600-series of standards to help procure secure hardcopy devices
– Administrators and other IT professionals can use the standards to securely configure and operate hardcopy devices

Summary / Q&A: Questions?
For more information:
– IEEE P2600 web site: http://grouper.ieee.org/groups/2600
– IEEE Std. 2600-2008: http://standards.ieee.org/, click on Shop, and search for “2600-2008”
– IEEE Std. 2600.1-2009: http://standards.ieee.org/getieee/2600/ (free download)
– IEEE Std. 2600.2-2009: http://standards.ieee.org/getieee/2600/ (free download)
– IEEE Std. 2600.3-2009: http://standards.ieee.org/, click on Shop, and search for “2600.3-2009”
– IEEE Std. 2600.4-2010: http://standards.ieee.org/, click on Shop, and search for “2600.4-2010”
– Sponsor’s certified products: http://grouper.ieee.org/groups/2600/conforming_products.html
– All Common Criteria certified products: http://www.commoncriteriaportal.org
– Common Criteria testing labs: http://www.commoncriteriaportal.org/labs/
– Common Criteria national schemes: http://www.commoncriteriaportal.org/schemes/
Contact information: [email protected] [email protected] +1 408 346 4435
Thank you