Common criteria - salvation for e-mail security

February 2005 Information Security

With the increasing threat of far more sophisticated attacks than just spam and viruses, e-mail security is taking a leap forward. But in implementing new solutions, organisations open up the risk to additional vulnerabilities, because the products they have chosen may not provide an adequate level of security.

E-mail has always been a non-conformer, the maverick of the information security world. Do not talk to strangers is a concept your e-mail server does not understand. It breaks the standard security model by allowing unauthenticated and unidentified connections from an untrusted source to a trusted destination. Furthermore, your firewall does not lift a finger to help secure it.

To operate e-mail needs both inbound and outbound access. The very fact that companies want to receive e-mail from strangers - potential customers - means that asking for authentication, the standard way to verify a connection passing through a firewall to a protected network, simply does not work. So the firewall just passes the responsibility to the mail server. Putting the mail server on the DMZ is not an answer either, this just moves the problem rather than addressing the insecurities of e-mail, and makes it more difficult for internal users to read their e-mail.

Securing e-mail is a complex problem, with denial of service attacks on the increase and the convergence of spamming, viruses and hacking techniques, the new genre of e-mail firewalls that are now available have not come a moment too soon. By upgrading their e-mail infrastructure to include an application specific firewall that is able to protect against known and future exploits as well as spam, viruses and content, organisations will achieve greater and more effective security. But how can they be certain that the product chosen does 'exactly what it says on the box' and not inadvertently expose their networks to further vulnerabilities?

Those organisations that put information security first look to schemes such as the Common Criteria accreditation to provide assurance that a certain level of security is provided. Common Criteria is an internationally recognised certification scheme that requires a thorough definition of the product's functionality and more detailed documentation on how the defined functionality ensures secure operation. The level of documentation required depends on the level of certification and classification and ranges from EAL1 (Evaluation Assurance Level) to EAL7, this being the highest.

EAL4+ certification gives assurance that the solution is not susceptible to holes and vulnerabilities, and that vendor's development and support processes have also been audited. Many government departments, military organisations and an increasing number of commercial organisations require that products installed at the network perimeter hold this level of certification.

To qualify for Common Criteria EAL4+, the developer must provide detailed design documentation to show how the security claims documented are implemented and submit the product to a thorough vulnerability analysis. The vulnerability analysis requires both a detailed written analysis of how the product is designed to protect against identified vulnerabilities appropriate to the product's intended use and extensive independent testing to ensure that the product lives up to its design claims.

Third party vulnerability tests are the only way to ensure that a security product is well-designed and configured, minimising the chance of system compromise through hidden vulnerabilities. Lower levels of Common Criteria certification, such as EAL2 require only developer vulnerability testing. The danger of relying on the developer to carry out these tests is that errors and assumptions made in design and development are likely to be repeated in testing, thereby increasing the risk of overlooking product weaknesses.

Implementing new solutions to protect the network infrastructure will always have hidden dangers if not considered carefully. With cost justification constantly in question, it is only reasonable to mitigate risks to a sensible level, but at least Common Criteria gives organisations reassurance that their decisions will not be a case of out of the frying pan and into the fire.





Share this article:
Share via emailShare via LinkedInPrint this page



Further reading:

Highest increase in global cyberattacks in two years
Information Security News & Events
Check Point Global Research released new data on Q2 2024 cyber-attack trends, noting a 30% global increase in Q2 2024, with Africa experiencing the highest average weekly per organisation.

Read more...
Upgrade your PCs to improve security
Information Security Infrastructure
Truly secure technology today must be designed to detect and address unusual activity as it happens, wherever it happens, right down to the BIOS and silicon levels.

Read more...
Open source code can also be open risk
Information Security Infrastructure
Software development has changed significantly over the years, and today, open-source code increasingly forms the foundation of modern applications, with surveys indicating that 60 – 90% of the average application's code base consists of open-source components.

Read more...
DeepSneak deception
Information Security News & Events
Kaspersky Global Research & Analysis researchers have discovered a new malicious campaign which is distributing a Trojan through a fake DeepSeek-R1 Large Language Model (LLM) app for PCs.

Read more...
SA’s strained, loadshedding-prone grid faces cyberthreats
Power Management Information Security
South Africa’s energy sector, already battered by decades of underinvestment and loadshedding, faces another escalating crisis; a wave of cyberthreats that could turn disruptions into catastrophic failures. Attacks are already happening internationally.

Read more...
Almost 50% of companies choose to pay the ransom
News & Events Information Security
This year’s Sophos State of Ransomware 2025 report found that nearly 50% of companies paid the ransom to get their data back, the second-highest rate of ransom payment for ransom demands in six years.

Read more...
Survey highlights cost of cyberdamage to industrial companies
Kaspersky Information Security News & Events
The majority of industrial organisations estimate their financial losses caused by cyberattacks to be over $1 million, while almost one in four report losses exceeding $5 million, and for some, it surpasses $10 million.

Read more...
Digital economy needs an agile approach to cybersecurity
Information Security News & Events
South Africa is the most targeted country in Africa when it comes to infostealer and ransomware attacks. Being at the forefront of the continent’s digital transformation puts South Africa in the crosshairs for sophisticated cyberattacks

Read more...
SIEM rule threat coverage validation
Information Security News & Events
New AI-detection engineering assistant from Cymulate automates SIEM rule validation for SecOps and blue teams by streamlining threat detection engineering with automated testing, control integrations and enhanced detections.

Read more...
Cybersecurity a challenge in digitalising OT
Kaspersky Information Security Industrial (Industry)
According to a study by Kaspersky and VDC Research on securing operational technology environments, the primary risks are inadequate security measures, insufficient resources allocated to OT cybersecurity, challenges surrounding regulatory compliance, and the complexities of IT/OT integration.

Read more...










While every effort has been made to ensure the accuracy of the information contained herein, the publisher and its agents cannot be held responsible for any errors contained, or any loss incurred as a result. Articles published do not necessarily reflect the views of the publishers. The editor reserves the right to alter or cut copy. Articles submitted are deemed to have been cleared for publication. Advertisements and company contact details are published as provided by the advertiser. Technews Publishing (Pty) Ltd cannot be held responsible for the accuracy or veracity of supplied material.




© Technews Publishing (Pty) Ltd. | All Rights Reserved.