Common criteria - salvation for e-mail security

February 2005 Information Security

With the increasing threat of far more sophisticated attacks than just spam and viruses, e-mail security is taking a leap forward. But in implementing new solutions, organisations open up the risk to additional vulnerabilities, because the products they have chosen may not provide an adequate level of security.

E-mail has always been a non-conformer, the maverick of the information security world. Do not talk to strangers is a concept your e-mail server does not understand. It breaks the standard security model by allowing unauthenticated and unidentified connections from an untrusted source to a trusted destination. Furthermore, your firewall does not lift a finger to help secure it.

To operate e-mail needs both inbound and outbound access. The very fact that companies want to receive e-mail from strangers - potential customers - means that asking for authentication, the standard way to verify a connection passing through a firewall to a protected network, simply does not work. So the firewall just passes the responsibility to the mail server. Putting the mail server on the DMZ is not an answer either, this just moves the problem rather than addressing the insecurities of e-mail, and makes it more difficult for internal users to read their e-mail.

Securing e-mail is a complex problem, with denial of service attacks on the increase and the convergence of spamming, viruses and hacking techniques, the new genre of e-mail firewalls that are now available have not come a moment too soon. By upgrading their e-mail infrastructure to include an application specific firewall that is able to protect against known and future exploits as well as spam, viruses and content, organisations will achieve greater and more effective security. But how can they be certain that the product chosen does 'exactly what it says on the box' and not inadvertently expose their networks to further vulnerabilities?

Those organisations that put information security first look to schemes such as the Common Criteria accreditation to provide assurance that a certain level of security is provided. Common Criteria is an internationally recognised certification scheme that requires a thorough definition of the product's functionality and more detailed documentation on how the defined functionality ensures secure operation. The level of documentation required depends on the level of certification and classification and ranges from EAL1 (Evaluation Assurance Level) to EAL7, this being the highest.

EAL4+ certification gives assurance that the solution is not susceptible to holes and vulnerabilities, and that vendor's development and support processes have also been audited. Many government departments, military organisations and an increasing number of commercial organisations require that products installed at the network perimeter hold this level of certification.

To qualify for Common Criteria EAL4+, the developer must provide detailed design documentation to show how the security claims documented are implemented and submit the product to a thorough vulnerability analysis. The vulnerability analysis requires both a detailed written analysis of how the product is designed to protect against identified vulnerabilities appropriate to the product's intended use and extensive independent testing to ensure that the product lives up to its design claims.

Third party vulnerability tests are the only way to ensure that a security product is well-designed and configured, minimising the chance of system compromise through hidden vulnerabilities. Lower levels of Common Criteria certification, such as EAL2 require only developer vulnerability testing. The danger of relying on the developer to carry out these tests is that errors and assumptions made in design and development are likely to be repeated in testing, thereby increasing the risk of overlooking product weaknesses.

Implementing new solutions to protect the network infrastructure will always have hidden dangers if not considered carefully. With cost justification constantly in question, it is only reasonable to mitigate risks to a sensible level, but at least Common Criteria gives organisations reassurance that their decisions will not be a case of out of the frying pan and into the fire.





Share this article:
Share via emailShare via LinkedInPrint this page



Further reading:

Highest increase in global cyberattacks in two years
Information Security News & Events
Check Point Global Research released new data on Q2 2024 cyber-attack trends, noting a 30% global increase in Q2 2024, with Africa experiencing the highest average weekly per organisation.

Read more...
Cybersecurity a challenge in digitalising OT
Kaspersky Information Security Industrial (Industry)
According to a study by Kaspersky and VDC Research on securing operational technology environments, the primary risks are inadequate security measures, insufficient resources allocated to OT cybersecurity, challenges surrounding regulatory compliance, and the complexities of IT/OT integration.

Read more...
Cybersecurity in South Africa
Information Security
According to the Allianz Risk Barometer 2025, cyber incidents, including ransomware attacks, data breaches and IT outages, are now the top global business risk, marking their fourth year at the top.

Read more...
Are AI agents a game-changer?
Information Security
While AI-powered chatbots have been around for a while, AI agents go beyond simple assistants, functioning as self-learning digital operatives that plan, execute, and adapt in real time. These advancements do not just enhance cybercriminal tactics, they may fundamentally change the battlefield.

Read more...
Disaster recovery vs cyber recovery
Information Security
Disaster recovery centres on restoring IT operations following events like natural disasters, hardware failures or accidents, while cyber recovery is specifically tailored to address intentional cyberthreats such as ransomware and data breaches.

Read more...
Back-up securely and restore in seconds
Betatrac Telematic Solutions Editor's Choice Information Security Infrastructure
Betatrac has a solution that enables companies to back-up up to 8 TB of data onto a device and restore it in 30 seconds in an emergency, called Rapid Access Data Recovery (RADR).

Read more...
The rise of AI-powered cybercrime and defence
Information Security News & Events AI & Data Analytics
Check Point Software Technologies launched its inaugural AI Security Report, offering an in-depth exploration of how cybercriminals are weaponising artificial intelligence (AI), alongside strategic insights defenders need to stay ahead.

Read more...
The deepfake crisis is here and now
Information Security Training & Education
Deepfakes are a growing cybersecurity threat that blur the line between reality and fiction. These AI-generated synthetic media have evolved from technological curiosities to sophisticated weapons of digital deception, costing companies upwards of $600 000 each.

Read more...
What does Agentic AI mean for cybersecurity?
Information Security AI & Data Analytics
AI agents will change how we work by scheduling meetings on our behalf and even managing supply chain items. However, without adequate protection, they become soft targets for criminals.

Read more...
Phishing attacks through SVG image files
Kaspersky News & Events Information Security
Kaspersky has detected a new trend: attackers are distributing phishing emails to individual and corporate users with attachments in SVG (Scalable Vector Graphics) files, a format commonly used for storing images.

Read more...