B.3. Common Criteria: Security Environment Assumptions

This section is taken directly from the security target document and covers the following:
  • Secure usage assumptions
  • Threats
  • Organizational security policies
This information provides the basis for the security objectives specified in Section B.4, “Common Criteria: Security Objectives” and the security functional requirements for the target of evaluation specified in Section B.5, “Common Criteria: Security Requirements”.

B.3.1. Secure Usage Assumptions

The usage assumptions are organized in three categories: personnel (assumptions about administrators and users of the system as well as any threat agents), physical (assumptions about the physical location of the target of evaluation or any attached peripheral devices), and connectivity (assumptions about other IT systems that are necessary for the secure operation of the target of evaluation).

B.3.1.1. Personnel Assumptions

Auditors Review Audit Logs
Audit logs are required for security-relevant events and must be reviewed by the auditors.
Authentication Data Management
An authentication data management policy is enforced to ensure that users change their authentication data at appropriate intervals and to appropriate values, such as proper lengths, histories, and variations. This assumption is not applicable to biometric authentication data.
Competent Administrators, Operators, Officers, and Auditors
Competent administrators, operators, officers, and auditors will be assigned to manage the target of evaluation and the security of the information it contains.
Certificate Policies and Certification Practices Statements
All administrators, operators, officers, and auditors are familiar with the certificate policy (CP) and certification practices statement (CPS) under which the target of evaluation is operated.
Disposal of Authentication Data
Proper disposal of authentication data and associated privileges is performed after access has been removed, such as for a job termination or a change in responsibility.
Malicious Code Not Signed
Malicious code destined for the target of evaluation is not signed by a trusted entity.
Notify Authorities of Security Issues
Administrators, operators, officers, auditors, and other users notify proper authorities of any security issues that impact their systems to minimize the potential for the loss or compromise of data.
Social Engineering Training
General users, administrators, operators, officers and auditors are trained in techniques to thwart social engineering attacks.
Cooperative Users
Users need to accomplish some task or group of tasks that require a secure IT environment. The users require access to at least some of the information managed by the target of evaluation and are expected to act in a cooperative manner.

B.3.1.2. Physical Assumptions

Communications Protection
The system is adequately physically protected against loss of communications, i.e., the availability of communications is preserved.
Physical Protection
The target of evaluation hardware, software, and firmware critical to security policy enforcement will be protected from unauthorized physical modification.

B.3.1.3. Connectivity Assumptions

Operating System
The operating system has been selected to provide the functions required by this CIMC to counter the perceived threats for the appropriate Security Level identified in this family of PPs.

B.3.1.4. Threats

The threats are organized in four categories: authorized users, system, cryptography, and external attacks.

B.3.1.4.1. Authorized Users

Administrative Errors of Omission
Administrators, operators, officers, or auditors fail to perform some function essential to security.
User Abuses Authorization to Collect or Send Data
User abuses granted authorizations to improperly collect or send sensitive or security-critical data.
User Error Makes Data Inaccessible
A user accidentally deletes user data, rendering that data inaccessible.
Administrators, Operators, Officers, or Auditors Commit Errors or Hostile Actions
An administrator, operator, officer, or auditor commits errors that change the intended security policy of the system or application, or maliciously modifies the system's configuration to allow security violations to occur.

B.3.1.4.2. System

Critical System Component Fails
Failure of one or more system components results in the loss of system critical functionality.
Malicious Code Exploitation
An authorized user, IT system, or hacker downloads and executes malicious code, which causes abnormal processes that violate the integrity, availability, or confidentiality of the system assets.
Message Content Modification
A hacker modifies information that is intercepted from a communications link between two unsuspecting entities before passing it on to the intended recipient.
Flawed Code
A system or applications developer delivers code that does not perform according to specifications or contains security flaws.

B.3.1.4.3. Cryptography

Disclosure of Private and Secret Keys
A private or secret key is improperly disclosed.
Modification of Private/Secret Keys
A secret/private key is modified.
Sender Denies Sending Information
The sender of a message denies sending the message to avoid accountability for sending the message and for subsequent action or inaction.

B.3.1.4.4. External Attacks

Hacker Gains Access
A hacker masquerades as an authorized user to perform operations that will be attributed to the authorized user or a system process, or gains undetected access to a system due to missing, weak, or incorrectly implemented access control, causing potential violations of integrity, confidentiality, or availability.
Hacker Gains Physical Access
A hacker physically interacts with the system to exploit vulnerabilities in the physical environment, resulting in arbitrary security compromises.
Social Engineering
A hacker uses social engineering techniques to gain information about system entry, system use, system design, or system operation.