Common criteria - salvation for e-mail security

February 2005 Cyber Security

With the increasing threat of far more sophisticated attacks than just spam and viruses, e-mail security is taking a leap forward. But in implementing new solutions, organisations open up the risk to additional vulnerabilities, because the products they have chosen may not provide an adequate level of security.

E-mail has always been a non-conformer, the maverick of the information security world. Do not talk to strangers is a concept your e-mail server does not understand. It breaks the standard security model by allowing unauthenticated and unidentified connections from an untrusted source to a trusted destination. Furthermore, your firewall does not lift a finger to help secure it.

To operate e-mail needs both inbound and outbound access. The very fact that companies want to receive e-mail from strangers - potential customers - means that asking for authentication, the standard way to verify a connection passing through a firewall to a protected network, simply does not work. So the firewall just passes the responsibility to the mail server. Putting the mail server on the DMZ is not an answer either, this just moves the problem rather than addressing the insecurities of e-mail, and makes it more difficult for internal users to read their e-mail.

Securing e-mail is a complex problem, with denial of service attacks on the increase and the convergence of spamming, viruses and hacking techniques, the new genre of e-mail firewalls that are now available have not come a moment too soon. By upgrading their e-mail infrastructure to include an application specific firewall that is able to protect against known and future exploits as well as spam, viruses and content, organisations will achieve greater and more effective security. But how can they be certain that the product chosen does 'exactly what it says on the box' and not inadvertently expose their networks to further vulnerabilities?

Those organisations that put information security first look to schemes such as the Common Criteria accreditation to provide assurance that a certain level of security is provided. Common Criteria is an internationally recognised certification scheme that requires a thorough definition of the product's functionality and more detailed documentation on how the defined functionality ensures secure operation. The level of documentation required depends on the level of certification and classification and ranges from EAL1 (Evaluation Assurance Level) to EAL7, this being the highest.

EAL4+ certification gives assurance that the solution is not susceptible to holes and vulnerabilities, and that vendor's development and support processes have also been audited. Many government departments, military organisations and an increasing number of commercial organisations require that products installed at the network perimeter hold this level of certification.

To qualify for Common Criteria EAL4+, the developer must provide detailed design documentation to show how the security claims documented are implemented and submit the product to a thorough vulnerability analysis. The vulnerability analysis requires both a detailed written analysis of how the product is designed to protect against identified vulnerabilities appropriate to the product's intended use and extensive independent testing to ensure that the product lives up to its design claims.

Third party vulnerability tests are the only way to ensure that a security product is well-designed and configured, minimising the chance of system compromise through hidden vulnerabilities. Lower levels of Common Criteria certification, such as EAL2 require only developer vulnerability testing. The danger of relying on the developer to carry out these tests is that errors and assumptions made in design and development are likely to be repeated in testing, thereby increasing the risk of overlooking product weaknesses.

Implementing new solutions to protect the network infrastructure will always have hidden dangers if not considered carefully. With cost justification constantly in question, it is only reasonable to mitigate risks to a sensible level, but at least Common Criteria gives organisations reassurance that their decisions will not be a case of out of the frying pan and into the fire.





Share this article:
Share via emailShare via LinkedInPrint this page



Further reading:

Exploiting the global pandemic
Issue 7 2020 , Cyber Security
Cyber criminals targeting remote work to gain access to enterprise networks and critical data reports FortiGuard Labs.

Read more...
Integrated security is key to Huawei Mobile Services
Issue 7 2020 , Cyber Security
To ensure sufficient mobile device security, the technology giant incorporates security into its chip, device and cloud capabilities.

Read more...
Cybersecurity becomes key enabler of sustainable business growth
Issue 7 2020 , Cyber Security
The adoption of rushed digital transformation strategies has left many facing unintended complexities and challenges.

Read more...
Challenges healthcare is facing
Issue 6 2020 , Cyber Security
The healthcare industry has been forever changed by digital transformation, but cybercriminals are targeting the healthcare sector now more than ever.

Read more...
Secure IoT devices and networks
Issue 6 2020, Technews Publishing , Cyber Security
Check Point Software’s IoT Protect solution secures IoT devices and networks against the most advanced cyber-attacks.

Read more...
SentinelOne Protects the AA
Issue 6 2020 , Cyber Security
National provider of 24-hour motorist assistance stays on the road thanks to accelerated, AI-powered threat prevention, detection and response.

Read more...
Protecting database information
Issue 6 2020 , Cyber Security
SearchInform has officially released Database Monitor, a solution for the protection of information stored in databases.

Read more...
Work from home securely
Issue 5 2020 , Cyber Security
First Consulting provides enterprise-level IT security to working-from-home employees at more than 40 South African organisations.

Read more...
Agility, meticulous alignment and testing
Issue 5 2020 , Cyber Security
Data loss can put the nails in the coffin for unprepared businesses. Investing in cyber resilience is key to succeed in the age of digital transformation.

Read more...
Cybersecurity comment: A holistic approach to threat vulnerability
Issue 5 2020 , Cyber Security
Any organisation, whether large or small, public or private, should follow an established framework in order to protect itself against cyber threats.

Read more...