5.2. Defining Security Baselines

One of the first steps in developing a secure environment is to develop a baseline of the minimum security needs of your organization. A security baseline defines the level of security that will be implemented and maintained. You can choose to set a low baseline by implementing next to no security or a high baseline that doesn't allow users to make any changes at all to the network or their systems. In practice, most implementations fall between the two extremes; you must determine what is best for your organization.

The security baseline, which can also be called a performance baseline, provides the input needed to design, implement, and support a secure network. Developing the baseline includes gathering data on the specific security implementation of the systems with which you'll be working.

One of the newest standards for security is Common Criteria (CC). (As of this writing, the latest version of the standard is 3.1, and it's available for viewing at http://www.commoncriteriaportal.org. The website also maintains a registry of products certified by CC.) This document is a joint effort between Canada, France, Germany, the Netherlands, the United Kingdom, and the United States. The standard outlines a comprehensive set of evaluation criteria, broken down into seven Evaluation Assurance Levels (EALs). EAL 1 to EAL 7 are discussed here:


EAL 1

EAL 1 is primarily used when the user wants assurance that the system will operate correctly but threats to security aren't viewed as serious.


EAL 2

EAL 2 requires product developers to use good design practices. Security isn't considered a high priority in EAL 2 certification.


EAL 3

EAL 3 requires conscientious development efforts to provide moderate levels of security.


EAL 4

EAL 4 requires positive security engineering based on good commercial development practices. It is anticipated that EAL 4 will be the common benchmark for commercial systems.


EAL 5

EAL 5 is intended to ensure that security engineering has been implemented in a product from the early design phases. It's intended for high levels of security assurance. The EAL documentation indicates that special design considerations will most likely be required to achieve this level of certification.


EAL 6

EAL 6 provides high levels of assurance of specialized security engineering. This certification indicates high levels of protection against significant risks. Systems with EAL 6 certification will be highly secure from penetration attackers.


EAL 7

EAL 7 is intended for extremely high levels of security. The certification requires extensive testing, measurement, and complete independent testing of every component.

EAL certification has replaced the Trusted Computer Systems Evaluation Criteria (TCSEC) system for certification. The recommended level of certification for commercial systems is EAL 4.

Implementing a Secure Server Environment

You've been appointed to the panel that will make decisions regarding the purchase of a new server for your organization. The new server needs to be relatively secure and suitable for storing sensitive information. It will also be part of an e-commerce environment. How can you assist the panel?

You can be of real value to the panel by determining which operating systems have been certified under the Common Criteria. You can visit the website http://www.commoncriteriaportal.org/products_OS.html#OS to identify which operating systems and products have been EAL 4 certified. Encourage your IT staff members to make their decision based on the data available about security as opposed to vendor claims. Most vendors claim to have a secure environment when in fact they don't. The CC certification proves that an impartial third party did an evaluation.


Currently, only a few operating systems have been approved at the EAL 4 level. Even though an operating system straight out of the box may be certified at that level, that doesn't mean your own individual implementation of it is functioning at that level. If your implementation doesn't use the available security measures, then you're operating below that level.

As an administrator, you should know and thoroughly understand that just because the operating system you have is capable of being certified at a high level of security doesn't mean that your implementation is at that level.
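The gap between a product's certified configuration and a particular deployment can be measured by comparing collected settings against the baseline. The following is an added example, not part of the original text: the setting names, thresholds, and both host snapshots are constructed for illustration and come from no vendor guide or CC document.

```python
# Added example: setting names, thresholds and both host snapshots are
# constructed for illustration; they come from no vendor guide or CC document.

# setting -> (expected type, requirement in words, predicate on the value)
BASELINE = {
    "password_min_length": (int, "at least 12", lambda v: v >= 12),
    "lockout_after_failed_logons": (int, "1 to 5 (0 disables lockout)",
                                    lambda v: 1 <= v <= 5),
    "guest_account_enabled": (bool, "False", lambda v: v is False),
    "users_can_install_software": (bool, "False", lambda v: v is False),
    "audit_logon_events": (bool, "True", lambda v: v is True),
}

# The product configured the way it was evaluated (constructed values).
EVALUATED_CONFIG = {
    "password_min_length": 14, "lockout_after_failed_logons": 5,
    "guest_account_enabled": False, "users_can_install_software": False,
    "audit_logon_events": True,
}

# The same product as deployed; the audit setting was never collected.
AS_DEPLOYED = {
    "password_min_length": 8, "lockout_after_failed_logons": 0,
    "guest_account_enabled": False, "users_can_install_software": True,
}

def evaluate(baseline, observed):
    """Return (setting, reason) for every baseline rule the host fails."""
    findings = []
    for setting, (expected_type, requirement, ok) in baseline.items():
        if setting not in observed:
            # A value that was never gathered cannot be assumed compliant.
            findings.append((setting, "not collected, treated as failing"))
            continue
        actual = observed[setting]
        if type(actual) is not expected_type:
            # e.g. the string "14" or a bool where a number is expected
            findings.append((setting, f"unusable value {actual!r}"))
        elif not ok(actual):
            findings.append((setting, f"is {actual!r}, baseline requires {requirement}"))
    return findings

if __name__ == "__main__":
    for name, host in (("evaluated", EVALUATED_CONFIG), ("deployed", AS_DEPLOYED)):
        findings = evaluate(BASELINE, host)
        print(name, "BELOW BASELINE" if findings else "meets baseline")
        for setting, reason in findings:
            print(f"  {setting}: {reason}")
```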

Security from a Windows Server 2003 Administrator's View

As a security administrator, you'll need to evaluate the security issues for Windows Server 2003:

  1. Beneath the Download link (on the right), choose Get the Windows Server 2003 Security Guide. Read it and pay particular attention to the Threats and Countermeasures discussion.

  2. Go to http://www.microsoft.com/technet/community/columns/sectip/st0805.mspx and read the Security and Compliance Solutions Guidance list posted there. Clicking on Security Tip of the Month columns will open up a plethora of useful articles.


NOTE

It cannot be overstated: the network is only as strong as its weakest component. If users can install software, delete files, and change configurations, then the actions they perform can also be performed by illicit software programs such as viruses and malware.
