Reasonable or just possible?

by Michael Vogel

A few days ago, I returned from my first business trip in months. I didn’t travel because I had to, but because I decided that it would be better to be on-site instead of handling the project remotely. And we are handling a lot of projects remotely at the moment. But for this project it was a customer we had never audited before, a site that has not been successfully formally audited so far and the requirements to be applied were rather high.

While I was on my way back from the site, I realized that something was new here. While remote testing had been an option in the past, the choice between on-site and remote auditing for a site visit was not common in the past. At least not in my world. I think my choice this time to go on-site was the right one, although the site was half empty. Many developers were still working from home. If I think back 10 years, wasn't secure software development and working from home perceived as 'unthinkable'? Will this status remain or will it revert back to what it was? And is it on us to decide?   

Our (business) world has changed a lot due to the pandemic and we find ourselves more and more in the position of asking ‘what is reasonable’ instead of ‘what is possible’. For years we were flying across the world for some technical meetings while the technology was readily available to sort things out from the desk right in front of us. Today, remote testing and remote auditing work better than ever before. And to be honest, it wasn’t too hard to get from ‘we always have to perform task xyz at our customers’ site to the point where we are today.

For years, presence in the office was a must and the option to work from home was often the exception to the rule. Today, we know that our employees can work efficiently and effectively from home as well – and not only short term. There might be requirements, rules or regulations that force us to work in the office. But where we have the freedom of choice, we should make good use of it.

There are downsides to this new freedom of choice as well, of course. We need to show more discipline regarding communication as the talks at the coffee maker that augment communication take place less frequently than before. Working remotely usually also means being well organized and prepared, and you might need to invest some of the time you are saving by working from home into that. We see employees getting socially a little too distant and, in some cases, even lonely when they constantly work from home. In some families, tensions are on the rise when all family members are working from home all the time. Not all meetings and all audits can be held remotely. And I would really want to get back to on-site conferences today rather than tomorrow.  So, all in all, home office and remote working is not the cure to everything, but it’s much more a viable option than it has been considered for many years in the past.

The real challenge, though, is to fit a subjective ‘reasonable’ measure into formal company-wide regulations based on measurable criteria as 'reasonable' is difficult to quantify. Working for a rather small company like atsec, where we can rely more on guidelines and case-by-case decisions, is therefore quite a privilege these days. Everyone in the company knows about our business and we are the ones deciding about our own rules (as long as they are not determined by customer or accreditation requirements). We are constantly challenging ourselves to decide if we are still doing the right thing and why we are doing what we are doing - and not simply carrying out activities to satisfy a process description or a company regulation. In other words, our aim is that we are performing tasks because they are adding value to our customers and not because they can be done and can be billed. This is what determines our decision making every day. And whether we will be in the office tomorrow, on a business trip or working from home will be dependent on what is the best choice for our business and our customers. But we need to ensure that we are not gradually going back to where we came from. Because I want to be sure also that the next time I am on a business trip, I am on the road because it is reasonable and not only because it is possible.

Life of Module

Please enjoy this year's animation from Yi Mao's opening presentation at the 2021 International Cryptographic Module Conference (ICMC).

We also invite you to watch a recording of Yi Mao's welcome address for the ICMC:

Sample Size in NIST SP800-90B

We invite you to watch this presentation by Richard Fant on Sample Size in SP800-90B.

Introduction to the CMVP and CAVP

We invite you to watch this high-level overview about the CMVP and CAVP.

Do Remote Site Visits Work?

by Rasma Araby

While the home office has become a normality for many IT companies and operations during the pandemic, the requirements for security evaluation, certifications, accreditations, and other approvals have remained constant.

Site visits at the development sites are required to achieve the approval of certification and accreditation. How could this be accomplished when developers, auditors, and certifiers were located in different countries and were working from home?

In addition, there were multiple travel restrictions with varying rules in each country.

How did we do site visits for EAL3+ Common Criteria evaluations and NESAS audits?
How was atsec re-accredited from the national agency, and how did we maintain the level of certification for ISO 9000, ISO 27001, and other accreditation our lab must carry to provide evaluation services when an auditor from these agencies had to be on-site while our atsec colleagues worked from home?
 
We performed and received these site visits remotely!
 
Special "remote site-visit" rules were provided both by the SOG-IS for CC evaluations and GSMA for NESAS audits to allow remote site visits temporarily.

During the first remote site visits, the developers, auditors, and certifiers were skeptical. The main concern regarded the effectiveness of such an examination method in determining:

• how to examine the development processes
• how to demonstrate the ways records are kept
• how to conduct effective interviews  
• how to perform physical security examinations via video call
  

Going back to our first experience with a remote site visit, it went well, actually almost too well. The developers were able to show development processes and appropriate artifacts remotely. The developers were also better prepared and less nervous.
 
The auditors and certifiers were rested since they could avoid traveling. They were also better prepared since they had access to readily accessible digitally provided documentation on their computers rather than printed documentation. All documentation was examined during the video interview with the developer seamlessly, without any interruptions to the conversation.

Shortly after the first virtual site visit, some Certification Bodies issued updated procedures to state that the site visit oversight should be performed remotely using Information and Communication Technology (ICT), suitable for the purpose of the site visit oversight. They found that the remote site-visit procedures work very well and should be used, among other things, to avoid extensive traveling.

I would not dare to say that a remote site visit can replace an actual site visit. Still, it is possible to examine the majority of the security measures and development processes remotely. It depends on the goals of the site visit and the preparation by the developer, auditor, and certifier. The pandemic has taught us that a full or partial remote site visit should be considered to save time spent on traveling, save costs on travel and accommodation, and enable more sites to be audited cost-effectively.

We had witnessed working both ways: when we did site visits and when we received site visits. We understand that some technical areas, such as hardware evaluations, require on-site visits based on the nature of the analysis.
 
There is a lot of discussion about returning to the office after the pandemic. Most IT companies are considering hybrid solutions, some days in the office and some from home. 

The procedures requiring on-site visits should consider the same approach of a hybrid solution: partly remote and partly on-site. It would help to shorten the on-site audit since the remote portion would help identify the part that requires the auditor's presence on-site. This, in turn, allows the on-site portion to be more focused. It won't reduce the cost and time for traveling but might lessen the permanence of the auditor on-site since the developer will also be prepared for what the auditor is requiring.

atsec China adds PCI CPSA (Logical and Physical) Assessor Qualifications

Beijing, July 23 2021

atsec China has been qualified by PCI SSC (Payment Card Industry Security Standards Council) as a Card Production Security Assessor (CPSA) Company to validate an entity's adherence to the PCI Card Production and Provisioning Logical Security and  Physical Security Requirements (two separate security standards). Currently atsec provides the PCI Card Production Logical Security and Physical Security Standards assessment services in the CEMEA, Canada, Europe, LAC, USA and Asia Pacific markets.

The development, manufacture, transport, and personalization of payment cards and their components have a strong impact on the security structures of the payment systems, issuers, and vendors involved in their issuance. Data security is the primary focus of the standards.

The PCI Card Production and Provisioning Logical Security Requirements (“PCI Card Production Logical Security Standard”) addresses the logical security controls associated with card production and provisioning such as:

•  EMV data preparation
•  Pre-personalization
•  Card embossing
•  IC and magnetic-stripe personalization
•  PIN generation
•  PIN mailers
•  Card carriers
•  Distribution 
  

PCI Card Production and Provisioning Physical Security Requirements (“PCI Card Production Physical Security Standard”) define a comprehensive source of information for entities involved in card production and provisioning, which may include manufacturers, personalizers, pre-personalizers, chip embedders, data-preparation, and fulfillment. The standard specifies the physical security requirements and procedures that entities must follow before, during, and after the following processes:

• Card Manufacturing
• Chip embedding
• Personalization
• Storage
• Packaging
• Mailing
• Shipping or delivery
• Fulfillment

In addition to the card production activities above, the two standards describe the logical and physical security requirements for entities that:

• Perform cloud-based or secure element (SE) provisioning services;
• Manage over-the-air (OTA) personalization, lifecycle management, and preparation of personalization data;
• Manage associated cryptographic keys.

atsec’s CPSA assessors can work with you to confirm the assessment scope, perform the assessment on-site, complete PCI Card Production ROC (Report on Compliance) and AOC (Attestation of Compliance), submit them to applicable payment brands or cooperative entities, and re-validation can be further performed where applicable.

In addition to the assessment service, atsec offers a full range of consulting services to support your organization in achieving compliance with the PCI Card Production Logical and/or Physical Security Standards. atsec consultants have experience in each of the requirement areas (e.g. data security, network security, system security hardening and management, user management, key management, PIN distribution, personal security management, premises security protection, production procedures security control, security audit, secure packaging and delivery), and can help you develop appropriate measures in order to achieve your compliance.

The CPSA Assessors list can be found on the official website of PCI SSC, and atsec’s qualification is shown below: 

In addition to CPSA assessor, as an accredited PCI QSA, ASV, QPA, PA QSA, P2PE, 3DS assessor, SSF assessor and PFI, atsec offers a full range of services to support organizations in achieving PCI compliance.

For more information about atsec’s PCI services, please visit:
http://www.atsec.cn/it-security-services/pci/en/index.html

atsec has become an official GSMA member

atsec has become an official GSMA member. The GSMA represents the interests of mobile operators worldwide, uniting more than 750 operators with almost 400 companies in the broader mobile ecosystem, including handset and device makers, software companies, equipment providers and internet companies, as well as organizations in adjacent industry sectors.

atsec is a GSMA appointed laboratory to provide Network Equipment Security Assurance Scheme (NESAS) security audits and network product evaluations against NESAS Security Assurance Specifications (SCAS). atsec has been involved with and made significant contributions to the NESAS scheme development. Standardization and future development of the NESAS scheme will strengthen the level of security in 5G and LTE networks.

”As an official GSMA member atsec will be able to form long lasting relationships with other members in the GSMA community, contribute to standardization and boost our presence in the telecommunication ecosystem”, says Mrs Rasma Araby, COO and Laboratory Director at atsec information security AB. Mr. Staffan Persson, one of the founders of atsec, also states that “The GSMA membership only proves our global commitment to information security and assurance, and allows our new and existing Common Criteria, FIPS, and O-TTPS customers to rely on atsec for NESAS too.”

atsec offers NESAS related services to all our customers through atsec AB in Stockholm, Sweden. Together with our offices in the US, Germany, China and Italy atsec offers a range of security assessment, testing and evaluation services. Information about our services is available in our service portfolio.

Reflections on Security Assurance

by Staffan Persson

Some reflections on security assurance, how it can be achieved and verified, from the view of an evaluation lab.

Security assurance is usually hard to grasp and sometimes we have seen there is the misconception how it can be achieved. One of the early milestones in understanding assurance came with the vulnerability analysis of Multics operating system:

The internal controls of current computers repeatedly have been shown insecure though numerous penetration exercises on such systems as […]. This insecurity is a fundamental weakness of contemporary operating systems and cannot be corrected by “patches”, “fix-ups”, or “add-ons” to those systems.
Rather, a fundamental re-implementation using an integrated hardware/software design which considers security as a fundamental requirement is necessary. In particular, steps must be taken to ensure the correctness of the security related portions of the operating system.
It is not sufficient to use a team of experts to “test” the security controls of a system. Such a “tiger team” can only show the existence of vulnerabilities but cannot prove their non-existence.

– Paul Karger in the Multics Vulnerability Analysis 1974

It identified the need for secure development to achieve assurance and a systematic approach to very assurance. But what does secure development means approach and what would such an evaluation method look like? Of course these methods have to be practical, which means cost effective. They should also be mutually supportive, meaning that they should have the same interpretation of what assurance and security is and actually contribute so that any developer assurance measures are recognized and used when doing the evaluations. It sounds obvious, but not always the case when looking into the methods used today.

Secure development
We need to be able to specify what we mean with security, so that we know what type of security the product should provided. Products usually only protect against certain threats, under certain conditions and when using the product in a certain way.

A system without requirements cannot fail; it merely presents surprises.

– Young,  Boebert and Kain, “Proving a computer system secure”.
Scientific Honeyweller, 6(2):18–27, July 1985.

There are few standards for specifying security. The best known are the Protection Profiles and Security Targets in the CC. This has to do that CC cannot work without an ST since the CC standard by itself doesn’t state the specific requirements for a certain evaluation in the CC ISO/IEC 15408. It’s not easy do do, but there are also guides for this.

Even a big standard like ISO/IEC 15408 is not a substitute for thinking, and complex matters like IT security cannot be reduced to one sentence descriptions, no matter how hard you try.

– Mike Nash, “Guide for the production of Protection Profiles and Security Targets”
ISO/IEC TR 15446:2009(E)

So what are the secure development principles? There are design and architecture principles, such as those described as the Saltzer-Schroeder principles from 1975 that also grew directly out of the Multics experience. These and other principles are documented by Peter G. Neumann in his report “Principled Assuredly Trustworthy Composable Architectures” from 2004.

However, there is also a Technical Report from ISO ISO/IEC PDTS 19249 providing a good overview of Architectural Principle and Design Principles, stating:

Building a secure product, system, or application requires not only the implementation of functional requirements but also an architecture that allows for the effective enforcement of specific security properties the product, system, or application is supposed to enforce. The ability to withstand attacks the product, system, or application may be face in its intended operational environment is highly dependent on an architecture that prohibits those attacks or – if they cannot be prohibited – allows for detection of such attacks and/or limitation of the damage such an attack can cause.

– Helmut Kurth, Technical Report from ISO, ISO/IEC PDTS 19249

But there is more to secure development than just design principles. The importance of development processes, both for the initial development as well as for the maintenance is getting more attention. There are many different security standards that focuses on that such as GSMA NESAS and OpenSAMM (but not CC).

Note: There is a change in focus that largely has to do with the complexity of modern products, the frequent updates made to them (new features, bug fixes and security fixes) and of course the cost of evaluating the products.

Security evaluations
What about evaluations? What should an evaluation do to demonstrate that a product meets its security requirements? On a high level, there are two aspects that could (or should) be looked at. Assessment of the (1) secure development processes and (2) the assessment of the product itself, i.e. the result of these processes. The assessment of a product, may include a review of design (documentation), security (functional) testing and vulnerability analysis followed by penetration testing. It may give very high confidence for a certain version of the product, but may say very little about the future releases. On the other hand, the assessment of processes gives confidence that the developer has the security development processes under control, also for future products, but may say less about a specific product.

Then we have the aspect of security analysis vs compliance testing. Some standards, such as FIPS 140 used for crypto modules is focused on compliance testing, while other standard such as Common Criteria relies more on open-ended security analysis and search for potential vulnerabilities. All Common Criteria evaluations done in the US uses NIAP approved Protection Profiles that are more or less require to perform compliance testing only. Compliance testing is usually more objective than an open-ended analysis because of its nature. But this means that it is less flexible when it comes to product types and functionality. On the other hand, the open-ended analysis can also verify the absence of exploitable vulnerabilities, i.e. an active search for vulnerabilities and an analysis if they could be exploited. This approach provides more flexibility, but also requires more evidence from the vendor and more skills from the evaluator. There is just no no simple answers.

For every complex problem, there is a simple solution. And it’s always wrong.

– H.L. Mencken, US author and journalist

In summary, there is always a mixture between process and product assessment, and also between compliance and analysis. Unfortunately, many security assessment standards today have very little to do with secure development and almost none of them takes secure design principles into considerations. NESAS is here one exception.

atsec is an evaluation lab for FIPS-140 (with NIST), Common Criteria (in Germany, US, Sweden, Italy, Singapore). We are also NESAS auditors and a SCAS test lab. We are involved with national accreditation in Europe and have done audits according to OpenSAMM. We have seen benefits and drawbacks with all these different approaches, but we think that the assurance measures of developers should be better recognized and so assessments should promote development assurance.

References

1. Paul Karger in the Multics Vulnerability Analysis 1974.
   https://www.acsac.org/2002/papers/classic-multics-orig.pdf
2. J.H. Saltzer, M.D. Schroederer, “The Protection of Information in Computer Systems”, Proc. IEEE, vol. 63, no. 9, 1975, pp. 1278–1308. https://www.cs.virginia.edu/~evans/cs551/saltzer/
3. Young,  Boebert and Kain, “Proving a computer system secure”,
   Scientific Honeyweller, 6(2):18–27, July 1985.
4. ISO/IEC TR 15446:2009(E)
   “Guide for the production of Protection Profiles and Security Targets”.
5. Peter G. Neumann, “Principled Assuredly Trustworthy Composable Architectures”, 2004.
6. ISO ISO/IEC PDTS 19249, “Catalogue of architectural and design principles for secure products, systems, and applications”, Technical Specification, 2017.

The genesis of atsec’s name, logo, and websites

When atsec was about to be founded, one of the first questions the founders (a German, an Italian, and a Swede) had was which name would best represent the company's approach to information security, but more importantly, whether the domain would be available. 
   
Here is the list of all the available domain names in December 1999 that were possible candidates:

• attento
• atsec
• atcert
• atcrypto
  

atsec, atcert, and atcrypto were considered along with attento, which means "watch out" in Italian; attento was eliminated since it had meaning in Italian only and not much in the large Anglo-Saxon market where the company was about to appear.

Even though we bought the domains atcert.com and atcrypto.com, we decided that atcert and atcrypto did not fit our service portfolio because one would limit the perception of the company to a certificate authority and the other to cryptography.

The decision landed on atsec, which is a short version of "atsecurity." The choice of the "@" in the logo seemed the most logical thing to do at the time. In particular, the “@” sign would signal the company’s core commitment to IT security. Also, atsec was a new word that did not exist before then.

The first logo was plain and simple.

The color red symbolizes passion for the subject, and the italic font portrays speed and movement, like a Formula 1 race car.

The red line on the left represents the four guiding principles to be consistently followed.

- Know the business.	- Act with integrity.
- Stay focused.	- Be independent.

Finally, the reversal of the word "atsec" is the word "cesta," which means "basket" in Italian, and it is always associated with a basket of goodies.

Passion, speed, and a basket of goodies: atsec was born. It was January 11th, 2000. A brand-new word, logo, concept, and a basket of good IT Security experts.  We had a winner!

The second logo was a bit catchier but did not last long.

The word "key" was somehow limiting atsec to cryptography.

In 2001, during a consulting engagement at a prominent Internet Service Provider (ISP) in Germany, the motto was formed by playing with the acronymous “ISP” to make "atsec: the information security provider." 
The expression completely defines atsec's mission, dedication, and commitment to "Information Security."

The first full logo with the motto was born sometime in early 2001.

 

In 2005, the logo was restyled and has remained the same to this day.

This logo has been trademarked and copyrighted since 2006. The website design has changed several times but has always been kept simple, with no flash or pop-up windows.

For atsec, information security is a science. However, the cultural components were never to be underestimated.

Our first two websites were just plain and simple with the logo and language options.

The first relevant version of the atsec website came later in 2001. It was a simple design focused on content and news from our projects.

The first website’s transformation came in 2003 and stayed the same until 2010.

Teamwork and expansion were emphasized in the message by choosing a sailing boat as a symbol. Incidentally, from 2003 to 2010, atsec expanded in the US by establishing a branch in Austin, TX in 2003. This was followed, a few years later, by Stockholm, Sweden, and then Beijing, China.

It is worth noting that ours was probably among the first information security websites that was translated into 10 languages, one of them even being Latin!

By the way, the sailing boat theme is still used in some of our marketing material.

In 2010, the website changed and moved to a futuristic design.  Futurism was an artistic movement that originated in Italy in the early 20th century. Its emphasis was on action, speed, and technology.

The website would underline the "looking-forward" concept, as many changes were happening during that time in the Common Criteria standard used for security evaluations.

At the same time, atsec was slowly building its FIPS reputation as the founder of the International Cryptographic Module Conference (ICMC), and several other initiatives in the standards and technical communities.  

Surprisingly, the website's design confused many customers and visitors, so it was changed after five years.

In 2015, the website featured motifs echoing elements of Art Deco, a visual art, architecture, and design style of the early 20th century, which highlights a sleeker form style, curving shapes, and simple lines. As one of the first truly international styles, Art Deco could appropriately represent atsec's global status and service offerings.

 

The current website features a modern design, with simple forms and colors that add a sense of space and positive energy.  The blue sky represents the boundaries (the sky is the limit, pun intended), the golden globe represents the value of our services to customers worldwide.

 

The new web design continues to reflect atsec's dynamic team.  We continue to evolve, constantly searching, adapting, and creating opportunities for our colleagues, customers, and suppliers.

We remain one of the prominent validation and testing laboratories. Our services are appreciated by our customers, agencies, and even competitors.  After more than 21 years, atsec is a significant and independent player in the validation business.

It is a good story to tell.

As we launch the new website today, on the US operation’s 18th birthday, I encourage the new management team to continue the legacy imprinted in the four founding principles.
 

I want to thank all our colleagues within atsec today, and whoever has contributed to making this company a successful, independent, and enabling platform that allows information security and assurance practitioners to grow and prosper.

Once more.

...sal.

atsec scholarship connects logic and cryptography

 by Dr. Yi Mao

    

The two most repeated terms at the NIST Entropy Workshop held on April 27-29 are “mathematical model” and “justification.” That brought me back to my college days at Peking University where I first studied Mathematical Logic.

 

Logic is all about valid rules of inference. Mathematical logic applies the techniques of formal logic to mathematics and mathematical reasoning, and applies mathematical techniques to the representation and analysis of formal logic. It has four pillars: model theory, proof theory, set theory, and computability theory. While logic can be traced back to ancient Greek philosopher Aristotle, mathematical logic made great progress in the period from the 1930s through the 1970s. The exciting developments in mathematical logic in this period set the foundation for computer science. Alan Turing and John von Neumann are both world-renowned mathematical logicians and computer scientists. The strong connection between the two fields has continued with no sign of slowing down, which is demonstrated in the NIST Entropy Workshop last week.

 

The book “Foundations of Logic and Mathematics: Applications to Computer Science and Cryptography,” and its newer edition “Logic, Mathematics, and Computer Science: Modern Foundations with Practical Applications,” elaborate their interconnections through model theory, proof theory, set theory, and computability theory. My professor at UT-Austin, Robert L. Causey, explains Why Logic is Important for Computer Science and Mathematics on his class webpage (https://www.cs.utexas.edu/~rlc/whylog.htm) as follows.

 

“Logic is concerned with forms of reasoning. Since reasoning is involved in most intellectual activities, logic is relevant to a broad range of pursuits. The study of logic is essential for students of computer science. It is also very valuable for mathematics students, and others who make use of mathematical proofs, for instance, linguistics students.”

 

Holding a Ph.D. in mathematical logic from UT-Austin and being a lab director at atsec, I felt an enormous duty and responsibility to promote the tie between logic and computer science, which can be narrowed down to cryptography in particular or even just entropy source assessment in our daily work. atsec has been recruiting crypto experts with strong mathematical logic and computer science backgrounds. atsec has also established a scholarship at Peking University in memory of professor Song Wenjian to reward students who excel in logic.

 

Professor Song dedicated his entire life to teaching and researching logic till his passing in 2020. One of his biggest achievements is the creation of a logic major for undergraduates at Peking University in 1987. I was one of the first class of students who majored in logic and found this program had a profound influence on my pursuit of doctoral study and the security profession. 

 

The establishment of a scholarship in the name of Professor Song through the atsec donation is highly appreciated by Peking University and Professor Song’s family. The scholarship will inspire more students to study logic and its interconnected areas of Mathematics and Computer Science.

 

Peking University, nicknamed “Harvard of China,” is a prestigious university in Beijing that celebrated its 123rd birthday on the 4th of May. Adding to the celebration, Peking University held a scholarship launching ceremony on that memorable day. My colleagues Haiwei and Yan from our atsec China office attended the ceremony (first and third from the right in the front row of the picture below). 

 

For more information about this event in Chinese, see the news posted by Peking University at http://www.phil.pku.edu.cn/xwgg/xnxw/514154.htm