Thursday, 7 May 2009

Is CC evaluation worthwhile?

I had cause to read through the VMware ESX Server 3.0.2 EAL4+ certification documentation earlier today and it has given me a bit of a problem. Not a real-world work problem, more of a general problem with the evaluation process and its value.

Reading through the Security Target, the following assumption immediately jumped out at me (OK, it's a few pages in, so "immediately" is a bit of an overstatement):

"The threat agents are assumed to:
  • have public knowledge of how the TOE operates
  • possess a low skill level
  • have limited resources to alter TOE configuration settings
  • have no physical access to the TOE
  • possess a low level of motivation
  • have a low attack potential"

Now let's pretend I'm working for a Government client with Foreign Intelligence Services as an attack source - low skill level? Low level of motivation? Low attack potential? I should be so lucky... Oh well, at least the evaluation included some penetration testing - let's take a look at the certification report:

"The evaluator conducted a port scan of the VMware® ESX Server and VirtualCenter. Only the ports required for operation of the TOE were found to be open. The evaluator used a publicly available tool to scan the VMware® ESX Server and VirtualCenter for generic vulnerabilities, and none were found. In addition, the evaluator performed direct attacks on the VMware® ESX Server and VirtualCenter, attempting to bypass or break the TOE’s access control security mechanisms."

Is it me, or is that a little light for a penetration test? I'm not particularly reassured.

Of course, the big problem is this: organisations (private and public sector) looking to deploy EAL4+ certified products are usually those with highly skilled, highly motivated threat actors. If some EAL4+ certifications do not cater for these threat actors what is the real value of those certifications?

(At least here in the UK, HMG organisations can turn to the CTAS process for assurance of specific technical barriers.)
